42ce85f9d05ea1ef4f8679053217fa684af0f466a68da1a517649ae5e0ee952b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
Size

180KB
MD5

3480295d4e449a8897d32a9760a2c882
SHA1

0e37af742a4d29d767527f2f267b82e2af391e99
SHA256

42ce85f9d05ea1ef4f8679053217fa684af0f466a68da1a517649ae5e0ee952b
SHA512

0b13da85699c3d910df00a298e460a1803a84c03aac726914c21190ac09f71c59b0a609f79cce1e61ab4ba1e18a6bd4731910c02a674e8515a7b0f9a3615c897
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGJl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{C81D9165-5047-4af2-A90A-644377912C9F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe{C81D9165-5047-4af2-A90A-644377912C9F}.exe{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe{E82669CE-7122-4854-9985-CC409D0AAC10}.exe{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}\stubpath = "C:\\Windows\\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe"	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}\stubpath = "C:\\Windows\\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe"	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81A6B338-E07E-4dbe-803F-8315F064E03F}	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81A6B338-E07E-4dbe-803F-8315F064E03F}\stubpath = "C:\\Windows\\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe"	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E82669CE-7122-4854-9985-CC409D0AAC10}	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1660835C-3F17-4f3f-A2BA-81133AB619BA}\stubpath = "C:\\Windows\\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe"	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}\stubpath = "C:\\Windows\\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe"	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}\stubpath = "C:\\Windows\\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe"	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}\stubpath = "C:\\Windows\\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe"	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C81D9165-5047-4af2-A90A-644377912C9F}\stubpath = "C:\\Windows\\{C81D9165-5047-4af2-A90A-644377912C9F}.exe"	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}\stubpath = "C:\\Windows\\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe"	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476AFACB-449A-4919-B9FC-545D31BFBF46}\stubpath = "C:\\Windows\\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe"	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1660835C-3F17-4f3f-A2BA-81133AB619BA}	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}\stubpath = "C:\\Windows\\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe"	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E82669CE-7122-4854-9985-CC409D0AAC10}\stubpath = "C:\\Windows\\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe"	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476AFACB-449A-4919-B9FC-545D31BFBF46}	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C81D9165-5047-4af2-A90A-644377912C9F}	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe

Executes dropped EXE 12 IoCs

Processes:

{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe{C81D9165-5047-4af2-A90A-644377912C9F}.exe{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe{E82669CE-7122-4854-9985-CC409D0AAC10}.exe{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe

pid	process
2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
2168	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
3816	{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe

Drops file in Windows directory 12 IoCs

Processes:

{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe{C81D9165-5047-4af2-A90A-644377912C9F}.exe{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe{E82669CE-7122-4854-9985-CC409D0AAC10}.exe{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe

description	ioc	process
File created	C:\Windows\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
File created	C:\Windows\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
File created	C:\Windows\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
File created	C:\Windows\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
File created	C:\Windows\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
File created	C:\Windows\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
File created	C:\Windows\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
File created	C:\Windows\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
File created	C:\Windows\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
File created	C:\Windows\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
File created	C:\Windows\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
File created	C:\Windows\{C81D9165-5047-4af2-A90A-644377912C9F}.exe	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe{C81D9165-5047-4af2-A90A-644377912C9F}.exe{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe{E82669CE-7122-4854-9985-CC409D0AAC10}.exe{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
Token: SeIncBasePriorityPrivilege	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
Token: SeIncBasePriorityPrivilege	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
Token: SeIncBasePriorityPrivilege	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
Token: SeIncBasePriorityPrivilege	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
Token: SeIncBasePriorityPrivilege	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
Token: SeIncBasePriorityPrivilege	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
Token: SeIncBasePriorityPrivilege	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
Token: SeIncBasePriorityPrivilege	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
Token: SeIncBasePriorityPrivilege	4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
Token: SeIncBasePriorityPrivilege	2168	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4016 wrote to memory of 2716	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
PID 4016 wrote to memory of 2716	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
PID 4016 wrote to memory of 2716	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
PID 4016 wrote to memory of 656	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	cmd.exe
PID 4016 wrote to memory of 656	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	cmd.exe
PID 4016 wrote to memory of 656	4016	2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe	cmd.exe
PID 2716 wrote to memory of 3448	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
PID 2716 wrote to memory of 3448	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
PID 2716 wrote to memory of 3448	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
PID 2716 wrote to memory of 556	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	cmd.exe
PID 2716 wrote to memory of 556	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	cmd.exe
PID 2716 wrote to memory of 556	2716	{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe	cmd.exe
PID 3448 wrote to memory of 4180	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
PID 3448 wrote to memory of 4180	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
PID 3448 wrote to memory of 4180	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	{C81D9165-5047-4af2-A90A-644377912C9F}.exe
PID 3448 wrote to memory of 3032	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	cmd.exe
PID 3448 wrote to memory of 3032	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	cmd.exe
PID 3448 wrote to memory of 3032	3448	{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe	cmd.exe
PID 4180 wrote to memory of 2104	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
PID 4180 wrote to memory of 2104	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
PID 4180 wrote to memory of 2104	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
PID 4180 wrote to memory of 552	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	cmd.exe
PID 4180 wrote to memory of 552	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	cmd.exe
PID 4180 wrote to memory of 552	4180	{C81D9165-5047-4af2-A90A-644377912C9F}.exe	cmd.exe
PID 2104 wrote to memory of 4452	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
PID 2104 wrote to memory of 4452	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
PID 2104 wrote to memory of 4452	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
PID 2104 wrote to memory of 2364	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	cmd.exe
PID 2104 wrote to memory of 2364	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	cmd.exe
PID 2104 wrote to memory of 2364	2104	{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe	cmd.exe
PID 4452 wrote to memory of 444	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
PID 4452 wrote to memory of 444	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
PID 4452 wrote to memory of 444	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
PID 4452 wrote to memory of 1976	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	cmd.exe
PID 4452 wrote to memory of 1976	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	cmd.exe
PID 4452 wrote to memory of 1976	4452	{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe	cmd.exe
PID 444 wrote to memory of 4620	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
PID 444 wrote to memory of 4620	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
PID 444 wrote to memory of 4620	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
PID 444 wrote to memory of 900	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	cmd.exe
PID 444 wrote to memory of 900	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	cmd.exe
PID 444 wrote to memory of 900	444	{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe	cmd.exe
PID 4620 wrote to memory of 2944	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
PID 4620 wrote to memory of 2944	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
PID 4620 wrote to memory of 2944	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
PID 4620 wrote to memory of 3984	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	cmd.exe
PID 4620 wrote to memory of 3984	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	cmd.exe
PID 4620 wrote to memory of 3984	4620	{E82669CE-7122-4854-9985-CC409D0AAC10}.exe	cmd.exe
PID 2944 wrote to memory of 1652	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
PID 2944 wrote to memory of 1652	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
PID 2944 wrote to memory of 1652	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
PID 2944 wrote to memory of 4804	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	cmd.exe
PID 2944 wrote to memory of 4804	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	cmd.exe
PID 2944 wrote to memory of 4804	2944	{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe	cmd.exe
PID 1652 wrote to memory of 4596	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
PID 1652 wrote to memory of 4596	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
PID 1652 wrote to memory of 4596	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
PID 1652 wrote to memory of 2236	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	cmd.exe
PID 1652 wrote to memory of 2236	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	cmd.exe
PID 1652 wrote to memory of 2236	1652	{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe	cmd.exe
PID 4596 wrote to memory of 2168	4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
PID 4596 wrote to memory of 2168	4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
PID 4596 wrote to memory of 2168	4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
PID 4596 wrote to memory of 612	4596	{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_3480295d4e449a8897d32a9760a2c882_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
C:\Windows\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
C:\Windows\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\{C81D9165-5047-4af2-A90A-644377912C9F}.exe
C:\Windows\{C81D9165-5047-4af2-A90A-644377912C9F}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
C:\Windows\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
C:\Windows\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
C:\Windows\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
C:\Windows\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
C:\Windows\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
C:\Windows\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
C:\Windows\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
C:\Windows\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe
C:\Windows\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe
13⤵
- Executes dropped EXE
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5A9D3~1.EXE > nul
13⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39340~1.EXE > nul
12⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39E1F~1.EXE > nul
11⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B21E~1.EXE > nul
10⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E8266~1.EXE > nul
9⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A74B2~1.EXE > nul
8⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{81A6B~1.EXE > nul
7⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{264B8~1.EXE > nul
6⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C81D9~1.EXE > nul
5⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4180D~1.EXE > nul
4⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16608~1.EXE > nul
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1660835C-3F17-4f3f-A2BA-81133AB619BA}.exe
Filesize
180KB

MD5
1447b80f8459525ecb478e5a002fc939

SHA1
98093da976c046a0deee6273265524fe0c7a1db4

SHA256
4efd2271d314472320b5be533573d86f53474eca9cb7b85490293c8fc903171e

SHA512
e927f359f106364e4b86781becc3d5b4d4401acc256e8edf9b28809763c52cb53eeb6df0c5eb1bee73ce5de7003ea5fa073e17a6db703c7a03ccd191f25db366

Download Submit
C:\Windows\{264B8913-2DAD-4d6c-BDA1-D671CC7DCACC}.exe
Filesize
180KB

MD5
058407fe43811aadd8d15e5178572bac

SHA1
00616a61d2f8ea0e37b6e73431f0e60c5198cdeb

SHA256
9d4f429df342bc244d369cc25f52dd61c644006d126ce1e0691362866bc9bbb2

SHA512
2b1d85bd6be66db20ca1285208f3a6bead96a91e3e7c84cebc84da5c4161a10d28134829b4d1a6e480370729d6e54c9add90511dc99b7bcf74cdb295fa495ebe

Download Submit
C:\Windows\{39340979-D4F2-4c4e-8DEA-77FAEDC53A24}.exe
Filesize
180KB

MD5
24eb9b7d5af1d889a799c12150c9e6bb

SHA1
bd53000478aa34e44e23dc38e5f1b760da62e21c

SHA256
1851bdbf72ac2d0344f5a1c19f51d4bb0f626ba217ff9f7b89da2a1c82722718

SHA512
15cae659a0d97747b573ebd2181867b4da118572b916b77f035d5c210e6e252ede8fa1e528c5551ffb081100b6349f7db16995cb872d910131cc989df1c27139

Download Submit
C:\Windows\{39E1F2CF-7139-4e8e-99AC-C34DD0575385}.exe
Filesize
180KB

MD5
b98ec67bbbe3961c1186a97e8b98881e

SHA1
ed8a46b1b581e4990c263f2b28283946c7dd8b0e

SHA256
356192458c42313b91536da80890fcc2fc2681e0fe480fc2cabad33d8aa96347

SHA512
0cb74b047fb7117ef77f9b02f27b20a80040fa534213a56dd962cf41b5ce4be1f23bd7b7695c3a1ee55037eb59bafa711b49f42e73300adb5a281143d74bbedd

Download Submit
C:\Windows\{4180DEB3-7A40-4c81-9B60-BC3934AA9149}.exe
Filesize
180KB

MD5
c07d7bb79740fe1022e4c8f29c2ee9fe

SHA1
def022b12713ea7d0e15a6f87a811a7995dcdb46

SHA256
4aadb80fa2a3c08ce82f3497f47d85a430c34b43f11e12708867a17a8d8b013d

SHA512
fcf1c20ef30551449e3759adb01b6e7bef889682f1daa2ab5237e9d1bb7bde6b69c8055d955425896587250ce94727c6d6788f9bd063eebca5e0d45c8c2dc0c2

Download Submit
C:\Windows\{476AFACB-449A-4919-B9FC-545D31BFBF46}.exe
Filesize
180KB

MD5
9494d83ef7b3356f27c2056d3eea4511

SHA1
348d6222fa67928ac226e5efdbb5ebb042d0768b

SHA256
107ba26f6a4335fe0bbe8fe1f6d6bf134d88fbad17361df9b6ad9202168a9a09

SHA512
c4e56d2b988c4352bb2a2d859e3199b4286de62c01c9fc701b9836d4624dbbe4a7cea8268afe4b9ac364f83af6d4f7dafc8977ae159f6b1d2d54fb67e5714d22

Download Submit
C:\Windows\{4B21E2B5-F7CF-4264-92E8-2B6B9BC46159}.exe
Filesize
180KB

MD5
9f941d1385d4e09079e6c3a778de27d2

SHA1
2ce07d1636c0b74e087c0c3765ce5fbae0842cff

SHA256
3149a7a03ee24c9487388d60b0b9fee595d399dc1c586f3b2596336ee6ca55b4

SHA512
e87bede64ac34b6817e12b2e09a56439fdd3fa008d9ec0ea62aec2bc58a1c2f7d16822b8bb6f87360da6a86df5befe5b7437a43102b6a10cf5a0286a94e86dcd

Download Submit
C:\Windows\{5A9D35F0-1913-448c-BF58-89FD4E4035E6}.exe
Filesize
180KB

MD5
3f9e33dfe9a0b121d2b9171cd303fd6d

SHA1
616c578d6b9e0eadf7dd6bbe9544fd24c96d6da2

SHA256
13fdf0579e10789892210101c781ce91bd01be19aae6755c00310788c651548b

SHA512
b862201003d2620d2cc6fe5879cd99db8f3763dd2d57fcd75335c397e5f95a78cc35480589cbb279c1834e435574dd24ea7e40b7949652ed4ba0808a8933876c

Download Submit
C:\Windows\{81A6B338-E07E-4dbe-803F-8315F064E03F}.exe
Filesize
180KB

MD5
97e112b3b0db85e4d2abac09e24c5d96

SHA1
28afa36556c10586e05b8ae1eaf4cc4174b5ea32

SHA256
7ab2f30d379e57004d0e08c017904a69270c6e0c1085c28fe63001563a857533

SHA512
6a4ad9eb76eaaa10dda1d3633b9a9e239cbeeabf11db129b85198ebf9a0d2cfb5c3951dcd5803d2a6f592ab9ad1cfcb4d4be794f81a443f22234358f7c370cb1

Download Submit
C:\Windows\{A74B22F5-1781-4f25-B82E-4FE797EF69BC}.exe
Filesize
180KB

MD5
1e75ac423dc8e9732a7fa79472b6b1a7

SHA1
83611c01391805f8af26dfb55b8bd2e0a7eb9edc

SHA256
9f9d4afc24e9801ccb4dc1d0e150028531f48d135fde105a4e3094435a6bb1b8

SHA512
44420f23dd2b6ec9ceed6e1b79367f8a8b4a44eeff2f2f5175bee6a27bba37e95d99687d7a3dcccf898e13b506a73b80007f864eca21b7d5852825676c1e7d90

Download Submit
C:\Windows\{C81D9165-5047-4af2-A90A-644377912C9F}.exe
Filesize
180KB

MD5
d2c1becfd7d4132775152abf00f3de4e

SHA1
7346f46fc23a82bba6ca905866ce359ee294b265

SHA256
e89a988072edee66d8d81d643a0ea579e7b893d35cf0dbf167a0a7841ca100da

SHA512
666e5bb63495d006843c443758ce43c7dc393ce288e843cd31d62bb8a4016bc9d914f476d886e83044d4e611becefc5299f695e37ba8c88ee1fb62f29d98fbec

Download Submit
C:\Windows\{E82669CE-7122-4854-9985-CC409D0AAC10}.exe
Filesize
180KB

MD5
53ce2a04414c9de7485f850c274c0dee

SHA1
93a08d8d3348cf6962237b5bf0b711b5ae09f384

SHA256
b876afa811ebeaaa1fcfb00ec1b65754ce4056e747023ee817dcd511c716ca18

SHA512
74c738409000b5d093311d954f3329e109e218fb57668cdbc705b843147c40d3eb6ea02c391c002a1c10bce4eaac9c205edfa9830bffd5edfbc667d02abb8527

Download Submit