5a861468f261c6de09ec5e0836a607df7fecaa4252503b6ba15c90e91e4d7105

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Size

380KB
MD5

18b5b21bd8f7dd6fab9e31343ca249b9
SHA1

d12421a811622b8015efa619419f5fd3ce4eb2bc
SHA256

5a861468f261c6de09ec5e0836a607df7fecaa4252503b6ba15c90e91e4d7105
SHA512

f9aa43c8f8e64627d4c2a215a6b2b43ee5b003be35b693f04e04b6f199c03ca8a5bb7e978fbbb0444e80e5e9435abc7032c61e98501738965d2424da08a783bd
SSDEEP

3072:mEGh0oRlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DE098086-CFED-42c6-9901-CB397676562D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe{DE098086-CFED-42c6-9901-CB397676562D}.exe{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe{5721F822-1EC9-490d-BEE3-D647854D6989}.exe{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C070204D-5A64-418f-B2F6-FA5B89127C63}\stubpath = "C:\\Windows\\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe"	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299556AA-CF46-446f-8357-AD6ABCD191EC}	{DE098086-CFED-42c6-9901-CB397676562D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}\stubpath = "C:\\Windows\\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe"	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5721F822-1EC9-490d-BEE3-D647854D6989}	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0603DEE-60F1-41eb-825A-CD615E795CF2}	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6144F0AF-9604-441c-92ED-BE523E5C94B1}\stubpath = "C:\\Windows\\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe"	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6144F0AF-9604-441c-92ED-BE523E5C94B1}	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}\stubpath = "C:\\Windows\\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe"	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}\stubpath = "C:\\Windows\\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe"	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE098086-CFED-42c6-9901-CB397676562D}\stubpath = "C:\\Windows\\{DE098086-CFED-42c6-9901-CB397676562D}.exe"	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299556AA-CF46-446f-8357-AD6ABCD191EC}\stubpath = "C:\\Windows\\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe"	{DE098086-CFED-42c6-9901-CB397676562D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5721F822-1EC9-490d-BEE3-D647854D6989}\stubpath = "C:\\Windows\\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe"	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0603DEE-60F1-41eb-825A-CD615E795CF2}\stubpath = "C:\\Windows\\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe"	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C070204D-5A64-418f-B2F6-FA5B89127C63}	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}\stubpath = "C:\\Windows\\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe"	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE098086-CFED-42c6-9901-CB397676562D}	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}\stubpath = "C:\\Windows\\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe"	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}\stubpath = "C:\\Windows\\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe"	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe

Executes dropped EXE 12 IoCs

Processes:

{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe{5721F822-1EC9-490d-BEE3-D647854D6989}.exe{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe{DE098086-CFED-42c6-9901-CB397676562D}.exe{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe

pid	process
4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe
5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
1368	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
3520	{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe

Drops file in Windows directory 12 IoCs

Processes:

{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe{DE098086-CFED-42c6-9901-CB397676562D}.exe{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe{5721F822-1EC9-490d-BEE3-D647854D6989}.exe

description	ioc	process
File created	C:\Windows\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
File created	C:\Windows\{DE098086-CFED-42c6-9901-CB397676562D}.exe	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
File created	C:\Windows\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
File created	C:\Windows\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
File created	C:\Windows\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
File created	C:\Windows\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
File created	C:\Windows\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
File created	C:\Windows\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
File created	C:\Windows\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	{DE098086-CFED-42c6-9901-CB397676562D}.exe
File created	C:\Windows\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
File created	C:\Windows\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
File created	C:\Windows\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe{5721F822-1EC9-490d-BEE3-D647854D6989}.exe{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe{DE098086-CFED-42c6-9901-CB397676562D}.exe{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
Token: SeIncBasePriorityPrivilege	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
Token: SeIncBasePriorityPrivilege	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
Token: SeIncBasePriorityPrivilege	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
Token: SeIncBasePriorityPrivilege	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
Token: SeIncBasePriorityPrivilege	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
Token: SeIncBasePriorityPrivilege	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
Token: SeIncBasePriorityPrivilege	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
Token: SeIncBasePriorityPrivilege	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe
Token: SeIncBasePriorityPrivilege	5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
Token: SeIncBasePriorityPrivilege	1368	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4140 wrote to memory of 4376	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
PID 4140 wrote to memory of 4376	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
PID 4140 wrote to memory of 4376	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
PID 4140 wrote to memory of 1892	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 4140 wrote to memory of 1892	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 4140 wrote to memory of 1892	4140	2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe	cmd.exe
PID 4376 wrote to memory of 5008	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
PID 4376 wrote to memory of 5008	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
PID 4376 wrote to memory of 5008	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
PID 4376 wrote to memory of 3984	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	cmd.exe
PID 4376 wrote to memory of 3984	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	cmd.exe
PID 4376 wrote to memory of 3984	4376	{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe	cmd.exe
PID 5008 wrote to memory of 2468	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
PID 5008 wrote to memory of 2468	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
PID 5008 wrote to memory of 2468	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
PID 5008 wrote to memory of 568	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	cmd.exe
PID 5008 wrote to memory of 568	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	cmd.exe
PID 5008 wrote to memory of 568	5008	{5721F822-1EC9-490d-BEE3-D647854D6989}.exe	cmd.exe
PID 2468 wrote to memory of 4536	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
PID 2468 wrote to memory of 4536	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
PID 2468 wrote to memory of 4536	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
PID 2468 wrote to memory of 5080	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	cmd.exe
PID 2468 wrote to memory of 5080	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	cmd.exe
PID 2468 wrote to memory of 5080	2468	{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe	cmd.exe
PID 4536 wrote to memory of 3020	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
PID 4536 wrote to memory of 3020	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
PID 4536 wrote to memory of 3020	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
PID 4536 wrote to memory of 4316	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	cmd.exe
PID 4536 wrote to memory of 4316	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	cmd.exe
PID 4536 wrote to memory of 4316	4536	{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe	cmd.exe
PID 3020 wrote to memory of 1168	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
PID 3020 wrote to memory of 1168	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
PID 3020 wrote to memory of 1168	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
PID 3020 wrote to memory of 1180	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	cmd.exe
PID 3020 wrote to memory of 1180	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	cmd.exe
PID 3020 wrote to memory of 1180	3020	{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe	cmd.exe
PID 1168 wrote to memory of 2032	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
PID 1168 wrote to memory of 2032	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
PID 1168 wrote to memory of 2032	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
PID 1168 wrote to memory of 4952	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	cmd.exe
PID 1168 wrote to memory of 4952	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	cmd.exe
PID 1168 wrote to memory of 4952	1168	{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe	cmd.exe
PID 2032 wrote to memory of 4368	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
PID 2032 wrote to memory of 4368	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
PID 2032 wrote to memory of 4368	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
PID 2032 wrote to memory of 1104	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	cmd.exe
PID 2032 wrote to memory of 1104	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	cmd.exe
PID 2032 wrote to memory of 1104	2032	{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe	cmd.exe
PID 4368 wrote to memory of 3228	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	{DE098086-CFED-42c6-9901-CB397676562D}.exe
PID 4368 wrote to memory of 3228	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	{DE098086-CFED-42c6-9901-CB397676562D}.exe
PID 4368 wrote to memory of 3228	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	{DE098086-CFED-42c6-9901-CB397676562D}.exe
PID 4368 wrote to memory of 2820	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	cmd.exe
PID 4368 wrote to memory of 2820	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	cmd.exe
PID 4368 wrote to memory of 2820	4368	{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe	cmd.exe
PID 3228 wrote to memory of 5080	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
PID 3228 wrote to memory of 5080	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
PID 3228 wrote to memory of 5080	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
PID 3228 wrote to memory of 1292	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	cmd.exe
PID 3228 wrote to memory of 1292	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	cmd.exe
PID 3228 wrote to memory of 1292	3228	{DE098086-CFED-42c6-9901-CB397676562D}.exe	cmd.exe
PID 5080 wrote to memory of 1368	5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
PID 5080 wrote to memory of 1368	5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
PID 5080 wrote to memory of 1368	5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
PID 5080 wrote to memory of 4352	5080	{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_18b5b21bd8f7dd6fab9e31343ca249b9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
C:\Windows\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
C:\Windows\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
C:\Windows\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
C:\Windows\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
C:\Windows\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
C:\Windows\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
C:\Windows\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
C:\Windows\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\{DE098086-CFED-42c6-9901-CB397676562D}.exe
C:\Windows\{DE098086-CFED-42c6-9901-CB397676562D}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
C:\Windows\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
C:\Windows\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe
C:\Windows\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe
13⤵
- Executes dropped EXE
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B865C~1.EXE > nul
13⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{29955~1.EXE > nul
12⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DE098~1.EXE > nul
11⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F4D8~1.EXE > nul
10⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C0702~1.EXE > nul
9⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C0603~1.EXE > nul
8⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEC6~1.EXE > nul
7⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1014~1.EXE > nul
6⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6144F~1.EXE > nul
5⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5721F~1.EXE > nul
4⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D2~1.EXE > nul
3⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B6D25C7-92C8-4954-8FCC-92BFD6B990E3}.exe

Filesize
380KB

MD5
444152e4e26e8be3229ce32a3d2549d2

SHA1
ec4d878d18c7cf491f4f03c4917ae79254608585

SHA256
e17b083b2617adba79a5e018cd33445bf4940e0273c97dc713a394e85b1b0a6f

SHA512
88fade47a3698d55d3a5cf59c9eeae660cada894ff0e2dd92bf1bd75f93283c746f6d6089115d4e607b6142c921ebff5e6c13c7f1f73bcc5f5b63b3a80ad470e

Download Submit
C:\Windows\{1AEC6959-5E84-4a89-AF7F-0F9FFC5B92AD}.exe

Filesize
380KB

MD5
1021a5625b06f2a71498cdfa71c2f7c0

SHA1
eef299b8347bf9ee10ef8aa96826b73c9827670f

SHA256
c72dd1ff50095c02106fa8ec223134a30b85a4534670cc8a2e19455b97015385

SHA512
c75857e2298317634f6acf59b014755102fde169e557e0a52385a623f8246df07b49ea20a16b3a390ddafea68c45f1c7b35326942719b44c65d73aa61c5cc5b9

Download Submit
C:\Windows\{299556AA-CF46-446f-8357-AD6ABCD191EC}.exe

Filesize
380KB

MD5
5f4a7fe1ee1b9cc7f5d70fd2d7a4b50c

SHA1
eae4c5599d0f72db075d2e8b527319191e4c2afd

SHA256
2a9044f6b0c7c45fb65c81c698c6dba3838d5ca61392c16117293e77b39a0663

SHA512
4e4ba75c590755fef6c6134cc0e86adc49bca3b2fc93600a04469fad9ece292eab657b92988d50ca3179f1bcf1f8f2908c43ae8476ded94c5b515950e564a51e

Download Submit
C:\Windows\{4F4D8EA8-B58A-4101-8E2F-73179D7B93B9}.exe

Filesize
380KB

MD5
15d8403e1aa118c09bd3d11e736227fb

SHA1
e2bb9e8a3a2ec256c57cac9279ead895813c470f

SHA256
a8c9d5e71c0e25fc1de34c7adb27179e9cb295f29a8a9d6bc151da5897dec6e3

SHA512
2f277c5f78c3130574143ab6fedb8b2a6c522daf3eb016de28a5b33acdee74e8498ed1772fe4c0fd3107edcc49504376f1c758cd5401c7ca5cc4ddacc39d0c75

Download Submit
C:\Windows\{5721F822-1EC9-490d-BEE3-D647854D6989}.exe

Filesize
380KB

MD5
290d6642d8c92147fc37db8191a624e6

SHA1
485fde008fe9b19539d133c5ace3ca457f22671a

SHA256
dea3b6da4aff744f061389d13e7eb33975301fd26efe0544ef42c706b2665cd1

SHA512
509a9a259a903b4234d8f01d0018a45b0b42122166318b8c57d584cde7d3a2dce3c0715125a3ad270785be903e625aa5f77c291f4c9565dc536fe9263eac7d35

Download Submit
C:\Windows\{6144F0AF-9604-441c-92ED-BE523E5C94B1}.exe

Filesize
380KB

MD5
d565a7d0d6dfdffb54b6accbad561003

SHA1
031fb0f20a6ec1a5f83e8e63fe17534b715d03c4

SHA256
6d13f359aa4914bbdcb159de85ce3591ab5e98aa689d5f250c7fb62a0af99c4c

SHA512
c1e0d6d6f98046f5ec55d5f58a67471e7452ce0b5abcdc2e34c2eec1032073f41f4caf746c0f9532da99282bea75f3400f4fcd5fc4ae885c84dc04594fc85bb1

Download Submit
C:\Windows\{73E0A065-7A64-4bc6-AFC1-B120FC2D5B10}.exe

Filesize
380KB

MD5
248598c910bb37b004eb7ade196897da

SHA1
b6590a0b6393c8831463a29bfb23df8b37544b40

SHA256
f5ed3f11f92127f249a49dbb04a7f8d970439c30732d69d2c5055e62f8bfd4a5

SHA512
bdc7c0e0975682d4b3547e80b7533e66aa3e310d4f86689993c26f4664c4b67d1d5bf27acaa7b77011e74531d41ed2a72c0bf31ceed82e0525b241e0c449fff5

Download Submit
C:\Windows\{A1014D08-BC46-4d4f-AE87-B8AA89DF76CD}.exe

Filesize
380KB

MD5
dc40ec8e5c1d2fb29351e8a67f6f3eb8

SHA1
cc3c42872e744d0fb4ee12bf24afcaa6a5141d43

SHA256
ee27bfd30b73b1e3dd0536a01a97e9f33407b4ce6b040369c5dfdde9232417b9

SHA512
b67e8245bc43ba5592ea387392380dab71a35e3d584a2956b35e9975cb050f27ad5fc8acd81df091f458116d2c1a54b097babad2589f4137955f5f1db1b6e1bf

Download Submit
C:\Windows\{B865C9F0-F8FB-40a1-A55C-569B706DAAED}.exe

Filesize
380KB

MD5
3a010d86f4cd37a82b399a84cbd56dc5

SHA1
8f102118694df440a34c93abccda3b38020f757e

SHA256
3237abf27b2f5dee54b3518330b986649659143c01130ef875103dfccedec9e6

SHA512
03b245e3e3d5b6c2c7be4ece3eb030fa8f334d43ca94e42de4127a842c0c6768a8ff8c4a436cff0e0358ab616657acc221c6bf23c94b476e094341e7e22d8e77

Download Submit
C:\Windows\{C0603DEE-60F1-41eb-825A-CD615E795CF2}.exe

Filesize
380KB

MD5
655d45812220f49c57089d80c2bc4651

SHA1
a717988f1d89ee2e08f1de9b52291647aac386da

SHA256
2529a73b8a81cb6050d4d628248f84e6dd7dee1c4f250406654440748c977457

SHA512
a3731ec43ca7f5d576d8cb48c7cfeb32f84ce9676df9ef26db9e84eec72362b15c19185ed731eb99bb90750fef1572aac26cd3bc976dcba21fe599b010188857

Download Submit
C:\Windows\{C070204D-5A64-418f-B2F6-FA5B89127C63}.exe

Filesize
380KB

MD5
22201021b7e22e45012c034f713d8ebf

SHA1
19721f6b32453be7848097369efce5961964cb72

SHA256
7fb264f0a30bf8f030e0e90ce4020750551565e28426493923743fe127a74ad1

SHA512
1fcdd186400dcda840c978be305c74be392b81dcd1f8bdb7e8573f395c0780179a4780520849beeebcd725a825c0466e0a39d7952863bf398a52487e9824dc5e

Download Submit
C:\Windows\{DE098086-CFED-42c6-9901-CB397676562D}.exe

Filesize
380KB

MD5
fde91f562225128da726242b2e8125a2

SHA1
ab429aa6676ac0e5ff14c02738f6dc86683bcafe

SHA256
7e4be634a90cd0c0b8a662815fbdb33d234a420e62d044c7095236e44fb85da9

SHA512
2525466e33daea1025063cb832963753d24f258ef0805f197c2cec04477450c8b4a27cf3c7db41b7e5317d3b42b32e89fe7ade6da1c61cddd255e6790cce4d6c

Download Submit