5563384b2a376a8d2599c41848198f4c7847fbc37711f65b0f9bf16de4d87f79

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Size

168KB
MD5

ce080d7ec34664896f059c69063afd74
SHA1

eeb93257d28374130d94b3898d0036dbab979c3f
SHA256

5563384b2a376a8d2599c41848198f4c7847fbc37711f65b0f9bf16de4d87f79
SHA512

3921eaf84bd8235c739b8aba6e743716b72e606f0b8538ec00987c398f062e870ee0fd19e57219000eb7a4797b298cfc8540d8ee4915dbb23df405ca182b4b91
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{020AAC94-B47C-42d4-8200-A28554922097}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{CF21179D-6960-49e0-A4E0-817758E31886}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe{CF21179D-6960-49e0-A4E0-817758E31886}.exe{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe{020AAC94-B47C-42d4-8200-A28554922097}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020AAC94-B47C-42d4-8200-A28554922097}	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}\stubpath = "C:\\Windows\\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe"	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF21179D-6960-49e0-A4E0-817758E31886}	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}\stubpath = "C:\\Windows\\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe"	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EF6004-0466-4e06-BBF9-840824D2E3C0}\stubpath = "C:\\Windows\\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe"	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}\stubpath = "C:\\Windows\\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe"	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBF450A9-5437-4897-BE34-9459CEA203AE}	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBF450A9-5437-4897-BE34-9459CEA203AE}\stubpath = "C:\\Windows\\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe"	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}\stubpath = "C:\\Windows\\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe"	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EF6004-0466-4e06-BBF9-840824D2E3C0}	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF21179D-6960-49e0-A4E0-817758E31886}\stubpath = "C:\\Windows\\{CF21179D-6960-49e0-A4E0-817758E31886}.exe"	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}\stubpath = "C:\\Windows\\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe"	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}\stubpath = "C:\\Windows\\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe"	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}\stubpath = "C:\\Windows\\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe"	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020AAC94-B47C-42d4-8200-A28554922097}\stubpath = "C:\\Windows\\{020AAC94-B47C-42d4-8200-A28554922097}.exe"	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A36425CB-DB19-41ad-B048-774FB202CA3F}	{020AAC94-B47C-42d4-8200-A28554922097}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A36425CB-DB19-41ad-B048-774FB202CA3F}\stubpath = "C:\\Windows\\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe"	{020AAC94-B47C-42d4-8200-A28554922097}.exe

Executes dropped EXE 12 IoCs

Processes:

{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe{020AAC94-B47C-42d4-8200-A28554922097}.exe{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe{CF21179D-6960-49e0-A4E0-817758E31886}.exe{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe

pid	process
2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe
4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
3416	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
1652	{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe

Drops file in Windows directory 12 IoCs

Processes:

{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe{CF21179D-6960-49e0-A4E0-817758E31886}.exe2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe{020AAC94-B47C-42d4-8200-A28554922097}.exe{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe

description	ioc	process
File created	C:\Windows\{CF21179D-6960-49e0-A4E0-817758E31886}.exe	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
File created	C:\Windows\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
File created	C:\Windows\{020AAC94-B47C-42d4-8200-A28554922097}.exe	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
File created	C:\Windows\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
File created	C:\Windows\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
File created	C:\Windows\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
File created	C:\Windows\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
File created	C:\Windows\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
File created	C:\Windows\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
File created	C:\Windows\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
File created	C:\Windows\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	{020AAC94-B47C-42d4-8200-A28554922097}.exe
File created	C:\Windows\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe{020AAC94-B47C-42d4-8200-A28554922097}.exe{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe{CF21179D-6960-49e0-A4E0-817758E31886}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
Token: SeIncBasePriorityPrivilege	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
Token: SeIncBasePriorityPrivilege	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
Token: SeIncBasePriorityPrivilege	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe
Token: SeIncBasePriorityPrivilege	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
Token: SeIncBasePriorityPrivilege	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
Token: SeIncBasePriorityPrivilege	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
Token: SeIncBasePriorityPrivilege	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
Token: SeIncBasePriorityPrivilege	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
Token: SeIncBasePriorityPrivilege	1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
Token: SeIncBasePriorityPrivilege	3416	{CF21179D-6960-49e0-A4E0-817758E31886}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2504 wrote to memory of 2364	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
PID 2504 wrote to memory of 2364	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
PID 2504 wrote to memory of 2364	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
PID 2504 wrote to memory of 2992	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe	cmd.exe
PID 2364 wrote to memory of 1948	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
PID 2364 wrote to memory of 1948	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
PID 2364 wrote to memory of 1948	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
PID 2364 wrote to memory of 1944	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	cmd.exe
PID 2364 wrote to memory of 1944	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	cmd.exe
PID 2364 wrote to memory of 1944	2364	{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe	cmd.exe
PID 1948 wrote to memory of 1972	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
PID 1948 wrote to memory of 1972	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
PID 1948 wrote to memory of 1972	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
PID 1948 wrote to memory of 4544	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	cmd.exe
PID 1948 wrote to memory of 4544	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	cmd.exe
PID 1948 wrote to memory of 4544	1948	{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe	cmd.exe
PID 1972 wrote to memory of 1656	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	{020AAC94-B47C-42d4-8200-A28554922097}.exe
PID 1972 wrote to memory of 1656	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	{020AAC94-B47C-42d4-8200-A28554922097}.exe
PID 1972 wrote to memory of 1656	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	{020AAC94-B47C-42d4-8200-A28554922097}.exe
PID 1972 wrote to memory of 380	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	cmd.exe
PID 1972 wrote to memory of 380	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	cmd.exe
PID 1972 wrote to memory of 380	1972	{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe	cmd.exe
PID 1656 wrote to memory of 4528	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
PID 1656 wrote to memory of 4528	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
PID 1656 wrote to memory of 4528	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
PID 1656 wrote to memory of 3272	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	cmd.exe
PID 1656 wrote to memory of 3272	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	cmd.exe
PID 1656 wrote to memory of 3272	1656	{020AAC94-B47C-42d4-8200-A28554922097}.exe	cmd.exe
PID 4528 wrote to memory of 1548	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
PID 4528 wrote to memory of 1548	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
PID 4528 wrote to memory of 1548	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
PID 4528 wrote to memory of 1040	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	cmd.exe
PID 4528 wrote to memory of 1040	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	cmd.exe
PID 4528 wrote to memory of 1040	4528	{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe	cmd.exe
PID 1548 wrote to memory of 5112	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
PID 1548 wrote to memory of 5112	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
PID 1548 wrote to memory of 5112	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
PID 1548 wrote to memory of 2872	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	cmd.exe
PID 1548 wrote to memory of 2872	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	cmd.exe
PID 1548 wrote to memory of 2872	1548	{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe	cmd.exe
PID 5112 wrote to memory of 1632	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
PID 5112 wrote to memory of 1632	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
PID 5112 wrote to memory of 1632	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
PID 5112 wrote to memory of 3988	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	cmd.exe
PID 5112 wrote to memory of 3988	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	cmd.exe
PID 5112 wrote to memory of 3988	5112	{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe	cmd.exe
PID 1632 wrote to memory of 2252	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
PID 1632 wrote to memory of 2252	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
PID 1632 wrote to memory of 2252	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
PID 1632 wrote to memory of 3644	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	cmd.exe
PID 1632 wrote to memory of 3644	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	cmd.exe
PID 1632 wrote to memory of 3644	1632	{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe	cmd.exe
PID 2252 wrote to memory of 1616	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
PID 2252 wrote to memory of 1616	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
PID 2252 wrote to memory of 1616	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
PID 2252 wrote to memory of 3620	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	cmd.exe
PID 2252 wrote to memory of 3620	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	cmd.exe
PID 2252 wrote to memory of 3620	2252	{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe	cmd.exe
PID 1616 wrote to memory of 3416	1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
PID 1616 wrote to memory of 3416	1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
PID 1616 wrote to memory of 3416	1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	{CF21179D-6960-49e0-A4E0-817758E31886}.exe
PID 1616 wrote to memory of 960	1616	{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ce080d7ec34664896f059c69063afd74_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
C:\Windows\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
C:\Windows\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
C:\Windows\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\{020AAC94-B47C-42d4-8200-A28554922097}.exe
C:\Windows\{020AAC94-B47C-42d4-8200-A28554922097}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
C:\Windows\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
C:\Windows\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
C:\Windows\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
C:\Windows\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
C:\Windows\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
C:\Windows\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\{CF21179D-6960-49e0-A4E0-817758E31886}.exe
C:\Windows\{CF21179D-6960-49e0-A4E0-817758E31886}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe
C:\Windows\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe
13⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CF211~1.EXE > nul
13⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AE002~1.EXE > nul
12⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B25E1~1.EXE > nul
11⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FBF45~1.EXE > nul
10⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7C77F~1.EXE > nul
9⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E3CA4~1.EXE > nul
8⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A3642~1.EXE > nul
7⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{020AA~1.EXE > nul
6⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{428CE~1.EXE > nul
5⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56EF6~1.EXE > nul
4⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DABB7~1.EXE > nul
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020AAC94-B47C-42d4-8200-A28554922097}.exe

Filesize
168KB

MD5
84f476fef6c5e073ca01e64f0d920a4f

SHA1
119802a9fdb6a63b3f39f32d1decc85a8ed9effd

SHA256
1e14bd013ef77f73c43856d4783d682ee4c5c2dd71f0294d7216a4c0fda81144

SHA512
e9094608f0c5812ad33634b4283e0ecf49d4111ecd9399d83bac27dcdfa78fcf47224f3e0d9f38c0cbba8171ad6a1172f626656ed754665d8cda727bb3f9b979

Download Submit
C:\Windows\{428CE5AB-5B9E-4a71-B824-D40AA7357BA6}.exe

Filesize
168KB

MD5
a829a1edd818316f65fe263ff9ccf905

SHA1
7cef3b98aa77f925f4540e6f8a3c4973ae4d0062

SHA256
a39765b6aec7799b27b298d6f41cddf9f2b390523601b4a5090a2f336d7b2ab2

SHA512
6e3a4306bd8497ca8ca4e6eb7ad502c226c72b41a43a0367bc7eb75c8a53e017b7caed45ae2a8934d62b988d289ccdf6aa5c6f83196872a2ffa8dbf8d1623cf3

Download Submit
C:\Windows\{56EF6004-0466-4e06-BBF9-840824D2E3C0}.exe

Filesize
168KB

MD5
1eb0554b713d85a7d39c55df3d1a36b3

SHA1
f05f0cda6b7f1f9e23c6a83ab5fa9bbf6a55b1e2

SHA256
059ee86e888f2cf346b3ab106b5d2c652c1fcd45bc9b81798ca83e3e96200d88

SHA512
c8ba03d8ebbd687493b587534f70f9b28b1f4be6757b49b7c97af458e768c0b10c07da035e3a34430c484ea9f74a4bdf2d65c4ecf49a9220860220a306c3ef6b

Download Submit
C:\Windows\{7C77F4E1-3232-4da4-B5D1-47D17B7BA80E}.exe

Filesize
168KB

MD5
c63cbf6ac2e52870a8679a4abbf1df93

SHA1
4069d1996312214ba5593c5d5140525936178ec4

SHA256
15d1232c4be26cdc68dc06a4809fc3245b60388f2eb611bc138060e259d0d33b

SHA512
1284cdaa7f99dc6911300829e22e45bd4c17790d1accabeffbdbb5c2e72509f6b24fc032f9c0e8d24eb1c64c90786f2a3a1b0bd73f8330bdb42e998abee3e83f

Download Submit
C:\Windows\{A36425CB-DB19-41ad-B048-774FB202CA3F}.exe

Filesize
168KB

MD5
33bf2d2e62043a7b025c6f3ec48b5647

SHA1
4d97edd154d0bc591dfd8032238074fa8d8b5aa0

SHA256
9a8be784f95aa56974c985fef26f4dee9852429afff957330a6102a931701e2c

SHA512
4fed1f8333ebbd01258def02072fd44a136a82ad2dadf8c004998ca6f7ac2f2b2bc28fa0bf35aa5221c58349a2bc5706b3086e465a3ea2bcfbf95588d20ebf41

Download Submit
C:\Windows\{AE002E4F-9747-4a9d-8853-495E62AFA9C6}.exe

Filesize
168KB

MD5
c2b1dc2187772d347d5acf77f5cac8a7

SHA1
fb8893ebe81b8bee93b95f35a43d91530f6d7f11

SHA256
bd631fdb8549a6a8e14b91c30ecd8dad67881206b8523c7cab170e31818055d1

SHA512
3e0f084a49b255b4c91115041564cb5c3e78e1bbea95425855ace2ec86257badd01c7deb6be081b804e5fc8afe8426cdca726fdbf1113e40a2b0350e5407a47b

Download Submit
C:\Windows\{B25E1C70-A256-416d-B78D-FC5CB820EE8B}.exe

Filesize
168KB

MD5
f668df6b53e1b878c551d0de55d27d50

SHA1
3a13f895a8f66a177e4aef569bc242667a189edf

SHA256
9458ac8377c91aa14984db2b2d54dca452b177eba14f05d4a1b000a972dda3b9

SHA512
a9851af3ebb1fcca4aeb4245057927a88cea6432bef89f8c695e8ab133b85438c050aeea623f8a9dbc801d430fa6e04c8cd8580bed1365d39b31429ff141c91d

Download Submit
C:\Windows\{CF21179D-6960-49e0-A4E0-817758E31886}.exe

Filesize
168KB

MD5
10531e8d83c02e7c92879f7474135e8f

SHA1
3d41845b52ceebcc7bfbb2dfbb838f7aa6bf845d

SHA256
d02a45a60b507f6b546842688b711c3a63cd308d8655337ccc79b5d7913397c4

SHA512
637edbea56b46f8302fb47d747b87d13a2874849e8bed2d7cdd9e4a6d7b546c27b3e0d97143ce30b3079d675b7daecbe3da82dae1ced5d78dc439908a57a478e

Download Submit
C:\Windows\{D508B87F-48D1-4478-84E4-C5BF3096D7E3}.exe

Filesize
168KB

MD5
5728c1f753ad9e2405c5216936589a59

SHA1
55920734d8540e7b9251bd54fd08fa316b8c0241

SHA256
2f2cbd89adede119ecf6595db5ef0977e32758ae59f14903d6557598642eca8a

SHA512
e16278039e2f36266a5b2448c3e6d58cdc8aafab5455fde187707162009b0f08ea7163cb708bba8efb5162ae4e5d2689c29089f259c1b47a9fe77607848fc846

Download Submit
C:\Windows\{DABB7863-87DD-4148-838C-B63C0FF7BA3E}.exe

Filesize
168KB

MD5
a08aafa48bfbb887ce067eae50a0ce0f

SHA1
e251d2a8082ae17d6b8d885ce390886fac5ccaaf

SHA256
4e7a8737b3c5313ade7d5b86d736c052d51626df4f67171a4fdc0d031b691e13

SHA512
80f3cb149320cb6799cb545381755c715ee111df2d6b7c676d93f508bd12679505c38222c0d77bf69a0cd182c188ff86f34da6002cfc0dcd72176807b3660094

Download Submit
C:\Windows\{E3CA48F6-1E64-41c8-940C-1BE7E9851019}.exe

Filesize
168KB

MD5
1a054bae2cae4b271740d02f98f18dd3

SHA1
b02793d66acfbad24f280c9b28204d46b6662e08

SHA256
31b7add17b6cd469337b1df777630f01ea82bfdddb4aa80eafd9dd2346a510ff

SHA512
90c16810907b7a27e72d4ccd2fe9ba7bb89cf35c5658e54016cae0a742ba498bba9786f4a0fc838eda917415250e6fe061ed512e0398d8a429c0a49a5e52fd3e

Download Submit
C:\Windows\{FBF450A9-5437-4897-BE34-9459CEA203AE}.exe

Filesize
168KB

MD5
3a8a50579350699d13d53e5c0a086e65

SHA1
202ee25e82395fb2f8a6094b34ecac74c7eba785

SHA256
d5c22bbf7953634c83c250b1aceec5b43262220501e36fd086bb992bca2d9e95

SHA512
d3f0d23ba3ffcb01e4e7a710c34b289d685aa90ba9a58aa791d00b3d30729c5d72877b1a26eb6288e3d2fd05df7703f896f559e793eb32eaeee083ba99225429

Download Submit