63efae601c02303208faa5de329f051dd0ac4e2fd081f232a3df21733aea27ad

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
Size

168KB
MD5

5f208f387c3fe70c261e333cc1be3e6e
SHA1

e2978e6eaae16cea813da6941ec90e8d8eea7fc8
SHA256

63efae601c02303208faa5de329f051dd0ac4e2fd081f232a3df21733aea27ad
SHA512

3b22be12675e214b935adaf3826caf248cd06b72696b7a9b2474d0fbd1bd8845d324ed63d60a43a1c1af9a30f6098774534762d1bb2713c8abb47c6c7b5190f1
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{960792B8-F07B-409a-8531-EE5B438713C6}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{7809B9D2-2357-48c3-9565-810027557ABE}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{50460187-0768-437a-9ACC-FBBDEE072042}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe{960792B8-F07B-409a-8531-EE5B438713C6}.exe{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe{50460187-0768-437a-9ACC-FBBDEE072042}.exe{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe{7809B9D2-2357-48c3-9565-810027557ABE}.exe{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{960792B8-F07B-409a-8531-EE5B438713C6}	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{960792B8-F07B-409a-8531-EE5B438713C6}\stubpath = "C:\\Windows\\{960792B8-F07B-409a-8531-EE5B438713C6}.exe"	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}\stubpath = "C:\\Windows\\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe"	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468FEC8B-AB12-4e03-8162-AA4B9F620183}\stubpath = "C:\\Windows\\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe"	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}\stubpath = "C:\\Windows\\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe"	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7809B9D2-2357-48c3-9565-810027557ABE}\stubpath = "C:\\Windows\\{7809B9D2-2357-48c3-9565-810027557ABE}.exe"	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}	{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}\stubpath = "C:\\Windows\\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe"	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50460187-0768-437a-9ACC-FBBDEE072042}	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}\stubpath = "C:\\Windows\\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe"	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}\stubpath = "C:\\Windows\\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe"	{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{468FEC8B-AB12-4e03-8162-AA4B9F620183}	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7809B9D2-2357-48c3-9565-810027557ABE}	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50460187-0768-437a-9ACC-FBBDEE072042}\stubpath = "C:\\Windows\\{50460187-0768-437a-9ACC-FBBDEE072042}.exe"	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}	{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}\stubpath = "C:\\Windows\\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe"	{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}\stubpath = "C:\\Windows\\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe"	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2968 cmd.exe

pid	process
2968	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe{960792B8-F07B-409a-8531-EE5B438713C6}.exe{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe{7809B9D2-2357-48c3-9565-810027557ABE}.exe{50460187-0768-437a-9ACC-FBBDEE072042}.exe{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe

pid	process
2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
1684	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
856	{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
896	{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
2492	{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe

Drops file in Windows directory 11 IoCs

Processes:

{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe{960792B8-F07B-409a-8531-EE5B438713C6}.exe{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe{7809B9D2-2357-48c3-9565-810027557ABE}.exe{50460187-0768-437a-9ACC-FBBDEE072042}.exe

description	ioc	process
File created	C:\Windows\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
File created	C:\Windows\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
File created	C:\Windows\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
File created	C:\Windows\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
File created	C:\Windows\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe	{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
File created	C:\Windows\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe	{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
File created	C:\Windows\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
File created	C:\Windows\{960792B8-F07B-409a-8531-EE5B438713C6}.exe	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
File created	C:\Windows\{7809B9D2-2357-48c3-9565-810027557ABE}.exe	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
File created	C:\Windows\{50460187-0768-437a-9ACC-FBBDEE072042}.exe	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
File created	C:\Windows\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe	{50460187-0768-437a-9ACC-FBBDEE072042}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe{960792B8-F07B-409a-8531-EE5B438713C6}.exe{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe{7809B9D2-2357-48c3-9565-810027557ABE}.exe{50460187-0768-437a-9ACC-FBBDEE072042}.exe{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
Token: SeIncBasePriorityPrivilege	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
Token: SeIncBasePriorityPrivilege	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
Token: SeIncBasePriorityPrivilege	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
Token: SeIncBasePriorityPrivilege	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
Token: SeIncBasePriorityPrivilege	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
Token: SeIncBasePriorityPrivilege	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
Token: SeIncBasePriorityPrivilege	1684	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
Token: SeIncBasePriorityPrivilege	856	{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
Token: SeIncBasePriorityPrivilege	896	{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2936 wrote to memory of 2028	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
PID 2936 wrote to memory of 2028	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
PID 2936 wrote to memory of 2028	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
PID 2936 wrote to memory of 2028	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
PID 2936 wrote to memory of 2968	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	cmd.exe
PID 2936 wrote to memory of 2968	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	cmd.exe
PID 2936 wrote to memory of 2968	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	cmd.exe
PID 2936 wrote to memory of 2968	2936	2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe	cmd.exe
PID 2028 wrote to memory of 2732	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
PID 2028 wrote to memory of 2732	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
PID 2028 wrote to memory of 2732	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
PID 2028 wrote to memory of 2732	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
PID 2028 wrote to memory of 2664	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	cmd.exe
PID 2028 wrote to memory of 2664	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	cmd.exe
PID 2028 wrote to memory of 2664	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	cmd.exe
PID 2028 wrote to memory of 2664	2028	{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe	cmd.exe
PID 2732 wrote to memory of 2764	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
PID 2732 wrote to memory of 2764	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
PID 2732 wrote to memory of 2764	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
PID 2732 wrote to memory of 2764	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	{960792B8-F07B-409a-8531-EE5B438713C6}.exe
PID 2732 wrote to memory of 2824	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	cmd.exe
PID 2732 wrote to memory of 2824	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	cmd.exe
PID 2732 wrote to memory of 2824	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	cmd.exe
PID 2732 wrote to memory of 2824	2732	{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe	cmd.exe
PID 2764 wrote to memory of 2952	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
PID 2764 wrote to memory of 2952	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
PID 2764 wrote to memory of 2952	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
PID 2764 wrote to memory of 2952	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
PID 2764 wrote to memory of 2528	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	cmd.exe
PID 2764 wrote to memory of 2528	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	cmd.exe
PID 2764 wrote to memory of 2528	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	cmd.exe
PID 2764 wrote to memory of 2528	2764	{960792B8-F07B-409a-8531-EE5B438713C6}.exe	cmd.exe
PID 2952 wrote to memory of 2580	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
PID 2952 wrote to memory of 2580	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
PID 2952 wrote to memory of 2580	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
PID 2952 wrote to memory of 2580	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
PID 2952 wrote to memory of 2816	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	cmd.exe
PID 2952 wrote to memory of 2816	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	cmd.exe
PID 2952 wrote to memory of 2816	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	cmd.exe
PID 2952 wrote to memory of 2816	2952	{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe	cmd.exe
PID 2580 wrote to memory of 1808	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
PID 2580 wrote to memory of 1808	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
PID 2580 wrote to memory of 1808	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
PID 2580 wrote to memory of 1808	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
PID 2580 wrote to memory of 1244	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	cmd.exe
PID 2580 wrote to memory of 1244	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	cmd.exe
PID 2580 wrote to memory of 1244	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	cmd.exe
PID 2580 wrote to memory of 1244	2580	{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe	cmd.exe
PID 1808 wrote to memory of 2200	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
PID 1808 wrote to memory of 2200	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
PID 1808 wrote to memory of 2200	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
PID 1808 wrote to memory of 2200	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	{7809B9D2-2357-48c3-9565-810027557ABE}.exe
PID 1808 wrote to memory of 1740	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	cmd.exe
PID 1808 wrote to memory of 1740	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	cmd.exe
PID 1808 wrote to memory of 1740	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	cmd.exe
PID 1808 wrote to memory of 1740	1808	{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe	cmd.exe
PID 2200 wrote to memory of 1684	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
PID 2200 wrote to memory of 1684	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
PID 2200 wrote to memory of 1684	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
PID 2200 wrote to memory of 1684	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	{50460187-0768-437a-9ACC-FBBDEE072042}.exe
PID 2200 wrote to memory of 668	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	cmd.exe
PID 2200 wrote to memory of 668	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	cmd.exe
PID 2200 wrote to memory of 668	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	cmd.exe
PID 2200 wrote to memory of 668	2200	{7809B9D2-2357-48c3-9565-810027557ABE}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_5f208f387c3fe70c261e333cc1be3e6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
  C:\Windows\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
    C:\Windows\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{960792B8-F07B-409a-8531-EE5B438713C6}.exe
      C:\Windows\{960792B8-F07B-409a-8531-EE5B438713C6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
        
        C:\Windows\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
        
        C:\Windows\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
        
        C:\Windows\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{7809B9D2-2357-48c3-9565-810027557ABE}.exe
        
        C:\Windows\{7809B9D2-2357-48c3-9565-810027557ABE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{50460187-0768-437a-9ACC-FBBDEE072042}.exe
        
        C:\Windows\{50460187-0768-437a-9ACC-FBBDEE072042}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
        
        C:\Windows\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
        
        C:\Windows\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe
        
        C:\Windows\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe
        12⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF03~1.EXE > nul
        12⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E312~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50460~1.EXE > nul
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7809B~1.EXE > nul
        9⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5A30~1.EXE > nul
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B62~1.EXE > nul
        7⤵
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7A7~1.EXE > nul
        6⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96079~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE29~1.EXE > nul
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{468FE~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1174EAF5-4CCF-4b37-96F6-0B452FFB7874}.exe

Filesize
168KB

MD5
2af81fea141eebfbce0df26e872b40ad

SHA1
0237042800284358aafef1d1db6f1619511acfa0

SHA256
4b8f8eab1c42f24df5fd98227225bbe813770df9bd402871edb49eeec59f64cd

SHA512
6aba83a23e2304af7d195a29cf07f9687a99aa8216e123a88b5ed7028f1a9e08dd65c01e347a32bd5b9b51cc80008c240774824475f5e0c55bcf2b22afbbc84a

Download Submit
C:\Windows\{468FEC8B-AB12-4e03-8162-AA4B9F620183}.exe

Filesize
168KB

MD5
e15026d1121c92f4cbb3f3b9e3b47cb7

SHA1
fa72592d35eeea19855f8f4ef93ca8ccbedb2be3

SHA256
9fba6760365fc4a207a1c7b13f4f7a7053f9fa96cc010a6d4d14479cd89eabd7

SHA512
0c18bfc37d47ef6191f25dc89d8f5d90e6183bfd829265216922d28cb55749258b6121bf628a683f4473be02c32f463768abc0e2e3f0e9d0a6c4c103ac009ac1

Download Submit
C:\Windows\{50460187-0768-437a-9ACC-FBBDEE072042}.exe

Filesize
168KB

MD5
8a814e04d568cf2ce34561b80b1c50b6

SHA1
048873109af6f99e1dc56a01e62a6fbc2eba0bb7

SHA256
5c53c12de3e5419866dc6e0bcb637a5bed45f4825a330ab6b2d9adc2b5aeb772

SHA512
6e3751564830e53c6d5ba2700743925832737f68d64867da2ab8029f2dce722220b5ee1a55b0a21b3269ecc2d8c317f1612d4caf473adf9dcf98f43459724005

Download Submit
C:\Windows\{7809B9D2-2357-48c3-9565-810027557ABE}.exe

Filesize
168KB

MD5
c583bd2889a4647ab5ae5047ce6c9bc9

SHA1
f0dc0e03b616f8929be7710685ef18d67007c7f4

SHA256
83f1dc98540464f4ed3a97cf0240c40cd7a6c20c2a13f8f7dc74cc7472aeceaf

SHA512
31bbc3b0287a23c5192f1663249eedc903a8e106404003fb248aadc419a70d60b006bd8440c1b0eabcff85ecc965492a5482f23a737c9fa1cd3e8802b7d7cada

Download Submit
C:\Windows\{8E312CE4-F3CE-427e-9E91-DF0918DFCD76}.exe

Filesize
168KB

MD5
31a189dc9a29b7ddf355a9ef50437b97

SHA1
276878354b63070172c23c34a07cdc884ccb9b53

SHA256
b4617057995e4721b2ec2e571f29d1de9c3b760d61746515f8a62c6fdf54f1eb

SHA512
527e1f313f8cf9702cba847b541e935098d7743d3ba31234228cd5ec6903fe6ebe9da008d2898fd6de8788c0e15b5f196796709a77ac587cd9e7a16adba75ecc

Download Submit
C:\Windows\{8FF03EBA-F750-4f7a-8E7C-67E9AFF360CF}.exe

Filesize
168KB

MD5
f83524780a8904b7f170799883c537e8

SHA1
496c50ae4cd2ec46c0b18dee9c163b55a4e5f4cb

SHA256
7d1eef2419bca062b13859e3ea65683464d072f3ac6b8820fac03c4d48b0c24c

SHA512
ce32469eab44d916d33f3adbe714ef6646909208572973f2450c44037f6a8a79acdbaeb8ba309e4ebf7eab0ddf367a65e8bc0ccd8eedd643f018aadebed12845

Download Submit
C:\Windows\{960792B8-F07B-409a-8531-EE5B438713C6}.exe

Filesize
168KB

MD5
8f04a341e4ccdc305975317fb66900de

SHA1
0e918421340d71d8e39b025a4c84ba854830c61e

SHA256
2c6c4d9cbc8fa4a73e61b9a17b946d67800380298474d4b40f07175b16f94132

SHA512
8148d4953942780ff81158aadc892023b49e212fba4a15c54db7b5d0479c350ac6a7a14147be7ba1e8448fa48a7876ef22de1d51d1ac5688c7d8cfbb56f417c8

Download Submit
C:\Windows\{9F7A77A2-D1AC-4e5c-AC27-9BEAD961F9ED}.exe

Filesize
168KB

MD5
5c01170b9efb2e50363108cd87306ee4

SHA1
7d9bed92d66a1e091f7107f29e89f425898ef77e

SHA256
1792abb4442a77115f94549de1feb0fec5dab8b9fc778060186a61b31d372154

SHA512
0f64b1e051231ca2a295e7722983db6c99eb31326446f1bfaa8f0fb300d6ba63c639f99ad9331c969964e2cd3ffa641bd9ab6a98e1475d7017cefa0c492827de

Download Submit
C:\Windows\{D5A30CC5-B0FC-4474-9F16-BC4D86DC5A96}.exe

Filesize
168KB

MD5
f0c5a75ef96ef9a00864e3692f1dfc70

SHA1
0998c764f7d7e0af6d1ee2c3a8459f2397f53622

SHA256
1194acf7e2fd60e4aca113dc1d3d04461dd3e2a382280b1e8a085e6f51938a2e

SHA512
b6e7f71ff5a80b6f856e31a84ae0a768d812f184c0d8ae677411e55700834962b82e09c03fa09de47e3a977299a511f091c15a2f49afc414d7e942a6185a103f

Download Submit
C:\Windows\{F7B62F07-11F0-4681-A345-FEFD50CB29FB}.exe

Filesize
168KB

MD5
9612d53795dd68d810b92397f898165d

SHA1
e622c074669e9e50a38c670d1b677cb6484262f9

SHA256
61d0064972efd72b2b29917cb1958c6beff28a0c85ac52043071a6b89b40ad30

SHA512
1e13e909ca3fa096addf1d6c47728d2253d05543bb42bcc1adf79f466978c2eb92de5905dc53a34ab461696a7f6e23114bba65f34762b7deb7956e5bf4359c27

Download Submit
C:\Windows\{FEE2960E-21F9-4263-AE7A-AC72A76F5612}.exe

Filesize
168KB

MD5
cf41419ee63d29c38944b437553fd33b

SHA1
516525d5c31b5f34d613a0844286154e57a4f8a8

SHA256
a5672e9b198ae317cea55f0f8bdd8fcdadb0a78c3358bb8f90884590de8b2e37

SHA512
7be245e0799e4f3497996ac24e1445971cb08b249388ffb5ceae6a29ee8106268b86e7e7b79f535a1ef9b1111cbd2a55397a1de0ea102d0d98285dcb2a3fabd7

Download Submit