62cd6866193905ba7615c62a89c649792867976636822cfe3db07c5f3dd25442

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
Size

168KB
MD5

de2fc918cceb98699d3f15fa118cce3b
SHA1

74a5c3b7e9b16302e8130019b49d742815bd5110
SHA256

62cd6866193905ba7615c62a89c649792867976636822cfe3db07c5f3dd25442
SHA512

73b2b797dbe9d744eb1d22773e900872fcdaa1c1caa5daa3c419e194715a67fd751ed578c5053322da8f13d244f986aae29de665bc1799172c19c54fe0df3fd8
SSDEEP

1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe{937F4A65-0EE8-45e2-B237-64E27831E928}.exe{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe{764F17BA-373A-4a53-A438-C4C1575F2598}.exe{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}\stubpath = "C:\\Windows\\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe"	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC27D1A-D800-4090-861B-63251C83E7ED}	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}	{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65824847-8009-49d1-95FD-87718ED5FBC3}	{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}\stubpath = "C:\\Windows\\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe"	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C3DE24-83E6-486c-8061-3D34509B2A7E}\stubpath = "C:\\Windows\\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe"	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764F17BA-373A-4a53-A438-C4C1575F2598}\stubpath = "C:\\Windows\\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe"	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C3DE24-83E6-486c-8061-3D34509B2A7E}	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937F4A65-0EE8-45e2-B237-64E27831E928}	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}\stubpath = "C:\\Windows\\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe"	{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061E5094-8495-4ac0-B5F9-D7DB2553E514}	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}\stubpath = "C:\\Windows\\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe"	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{937F4A65-0EE8-45e2-B237-64E27831E928}\stubpath = "C:\\Windows\\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe"	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC27D1A-D800-4090-861B-63251C83E7ED}\stubpath = "C:\\Windows\\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe"	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764F17BA-373A-4a53-A438-C4C1575F2598}	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}\stubpath = "C:\\Windows\\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe"	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{061E5094-8495-4ac0-B5F9-D7DB2553E514}\stubpath = "C:\\Windows\\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe"	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65824847-8009-49d1-95FD-87718ED5FBC3}\stubpath = "C:\\Windows\\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe"	{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe

pid	process
2840	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe{764F17BA-373A-4a53-A438-C4C1575F2598}.exe{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe{937F4A65-0EE8-45e2-B237-64E27831E928}.exe{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe{65824847-8009-49d1-95FD-87718ED5FBC3}.exe

pid	process
1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
556	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
2296	{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
2388	{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe
1972	{65824847-8009-49d1-95FD-87718ED5FBC3}.exe

Drops file in Windows directory 11 IoCs

Processes:

{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe{764F17BA-373A-4a53-A438-C4C1575F2598}.exe{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe{937F4A65-0EE8-45e2-B237-64E27831E928}.exe

description	ioc	process
File created	C:\Windows\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe	{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
File created	C:\Windows\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe	{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe
File created	C:\Windows\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
File created	C:\Windows\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
File created	C:\Windows\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
File created	C:\Windows\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
File created	C:\Windows\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
File created	C:\Windows\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
File created	C:\Windows\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
File created	C:\Windows\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
File created	C:\Windows\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe{764F17BA-373A-4a53-A438-C4C1575F2598}.exe{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe{937F4A65-0EE8-45e2-B237-64E27831E928}.exe{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
Token: SeIncBasePriorityPrivilege	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
Token: SeIncBasePriorityPrivilege	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
Token: SeIncBasePriorityPrivilege	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
Token: SeIncBasePriorityPrivilege	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
Token: SeIncBasePriorityPrivilege	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
Token: SeIncBasePriorityPrivilege	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
Token: SeIncBasePriorityPrivilege	556	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
Token: SeIncBasePriorityPrivilege	2296	{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
Token: SeIncBasePriorityPrivilege	2388	{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1908 wrote to memory of 1268	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
PID 1908 wrote to memory of 1268	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
PID 1908 wrote to memory of 1268	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
PID 1908 wrote to memory of 1268	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
PID 1908 wrote to memory of 2840	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	cmd.exe
PID 1908 wrote to memory of 2840	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	cmd.exe
PID 1908 wrote to memory of 2840	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	cmd.exe
PID 1908 wrote to memory of 2840	1908	2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe	cmd.exe
PID 1268 wrote to memory of 2784	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
PID 1268 wrote to memory of 2784	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
PID 1268 wrote to memory of 2784	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
PID 1268 wrote to memory of 2784	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
PID 1268 wrote to memory of 2640	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	cmd.exe
PID 1268 wrote to memory of 2640	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	cmd.exe
PID 1268 wrote to memory of 2640	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	cmd.exe
PID 1268 wrote to memory of 2640	1268	{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe	cmd.exe
PID 2784 wrote to memory of 2668	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
PID 2784 wrote to memory of 2668	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
PID 2784 wrote to memory of 2668	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
PID 2784 wrote to memory of 2668	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
PID 2784 wrote to memory of 3024	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	cmd.exe
PID 2784 wrote to memory of 3024	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	cmd.exe
PID 2784 wrote to memory of 3024	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	cmd.exe
PID 2784 wrote to memory of 3024	2784	{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe	cmd.exe
PID 2668 wrote to memory of 2556	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
PID 2668 wrote to memory of 2556	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
PID 2668 wrote to memory of 2556	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
PID 2668 wrote to memory of 2556	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
PID 2668 wrote to memory of 2948	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	cmd.exe
PID 2668 wrote to memory of 2948	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	cmd.exe
PID 2668 wrote to memory of 2948	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	cmd.exe
PID 2668 wrote to memory of 2948	2668	{764F17BA-373A-4a53-A438-C4C1575F2598}.exe	cmd.exe
PID 2556 wrote to memory of 1616	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
PID 2556 wrote to memory of 1616	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
PID 2556 wrote to memory of 1616	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
PID 2556 wrote to memory of 1616	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
PID 2556 wrote to memory of 1936	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	cmd.exe
PID 2556 wrote to memory of 1936	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	cmd.exe
PID 2556 wrote to memory of 1936	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	cmd.exe
PID 2556 wrote to memory of 1936	2556	{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe	cmd.exe
PID 1616 wrote to memory of 1092	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
PID 1616 wrote to memory of 1092	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
PID 1616 wrote to memory of 1092	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
PID 1616 wrote to memory of 1092	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
PID 1616 wrote to memory of 2732	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	cmd.exe
PID 1616 wrote to memory of 2732	1616	{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe	cmd.exe
PID 1092 wrote to memory of 2772	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
PID 1092 wrote to memory of 2772	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
PID 1092 wrote to memory of 2772	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
PID 1092 wrote to memory of 2772	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
PID 1092 wrote to memory of 2424	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	cmd.exe
PID 1092 wrote to memory of 2424	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	cmd.exe
PID 1092 wrote to memory of 2424	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	cmd.exe
PID 1092 wrote to memory of 2424	1092	{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe	cmd.exe
PID 2772 wrote to memory of 556	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
PID 2772 wrote to memory of 556	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
PID 2772 wrote to memory of 556	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
PID 2772 wrote to memory of 556	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
PID 2772 wrote to memory of 1088	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	cmd.exe
PID 2772 wrote to memory of 1088	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	cmd.exe
PID 2772 wrote to memory of 1088	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	cmd.exe
PID 2772 wrote to memory of 1088	2772	{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_de2fc918cceb98699d3f15fa118cce3b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
  C:\Windows\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
    C:\Windows\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
      C:\Windows\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
        
        C:\Windows\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
        
        C:\Windows\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
        
        C:\Windows\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
        
        C:\Windows\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
        
        C:\Windows\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
        
        C:\Windows\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe
        
        C:\Windows\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe
        
        C:\Windows\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A01A~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC27~1.EXE > nul
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937F4~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDD45~1.EXE > nul
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71C3D~1.EXE > nul
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02D6E~1.EXE > nul
        7⤵
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3298A~1.EXE > nul
        6⤵
        
        PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{764F1~1.EXE > nul
        5⤵
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF90~1.EXE > nul
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{061E5~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02D6E290-E341-40a7-A8F0-6A30ED4F3022}.exe

Filesize
168KB

MD5
89d12916509e75496add3299bcafd995

SHA1
de26d9c828743687aeb45f9a29dc53e86bf6a8ff

SHA256
0934cc6c8560d055e0c253f01a005e4c7c92adb93e5eba4b09d152e3430827ec

SHA512
8e4d311a5b52adc362d30f1733f2c1ae24c05f0ec681f1d77cdfa0c93f9252411bf3a30530f6310421d3899965a005d9fc33f82bbab5406909277eba79138cfa

Download Submit
C:\Windows\{061E5094-8495-4ac0-B5F9-D7DB2553E514}.exe

Filesize
168KB

MD5
105e97db2f7b57c092da154943e93c70

SHA1
1cb3859cd064f8228543b7b9e1585b659449eb4e

SHA256
820b72cbc012f50aea676d16581508339f3f4cafd5961aa6e020a032a9d837c8

SHA512
a4a8bfee9f1bb05648b326d288fea61013ecd333b4ce5deae39b877551c1c8c0ed517bcc2c12e8c415d607061ecacff9c0af35b9acd1fe4a199c5ffdaebf1fae

Download Submit
C:\Windows\{0AC27D1A-D800-4090-861B-63251C83E7ED}.exe

Filesize
168KB

MD5
17b31331721bcc648ddd193648aa7e53

SHA1
81fac2a6c0564aa9d062425aa2752b734b9b7e08

SHA256
b13e3053253dd0f95a7a1eb4ef0f4d168b8e68298a3ce961435808f9883e4555

SHA512
5a6beaa70726d03bad1517ed669fd741ab3697aab718933cb7fa19bd93947dcd88da479688ca49b32a21ad329a24345541090984d0118423dfe9a5dd1910da81

Download Submit
C:\Windows\{3298AF5B-E95A-4f34-BD07-3CDC1C974211}.exe

Filesize
168KB

MD5
420fc7ced8107c86e8139b4a801bda15

SHA1
0e3f5ba7f8169a6c852082d59b22132357650950

SHA256
171e4f41704b612b2c0179d44b8643cd66609572b318954f613f1b22544a02f5

SHA512
4251a024db527067b510f4310f3c28ab075b5fbdf496b17d82a5cc88765c08a645e968aa55c1a372f9a735258909090a1eb4aebba75cf5167d9c93276055115d

Download Submit
C:\Windows\{65824847-8009-49d1-95FD-87718ED5FBC3}.exe

Filesize
168KB

MD5
38c186a553457d02e4254b26010a5c67

SHA1
890a2ab4a389bc4ed1263d055e0477c19f8358f4

SHA256
b8d7019648f941acb8481d4880d1945e4f7c5652e30ca15926b7d743954301e6

SHA512
24f664680ce2d29f75876abf63f4cd46950d0448cb2f6965a6dd0a997b7d45d5d8e4b7df6521cb727e22f44989909e344fe8151279efd7e5337d1d109a962c3b

Download Submit
C:\Windows\{71C3DE24-83E6-486c-8061-3D34509B2A7E}.exe

Filesize
168KB

MD5
32ef5fd0bde8d249d958fbbe6993c190

SHA1
e606fcfd8c044b89bb3afd83b18cff04947b05fc

SHA256
a477a79a8c7ba2def29c8ae042ee6d8623d4e7be43f7bba8f7c91aba68e8fe5b

SHA512
3a1fd3974899f2a66385443b3d58bec7efbc22bb76c869b70c9cb39202877794f5f8e6e6be37df4e9579fba9b5aaa6b42241ff9d947433c74027fc832e31f8a0

Download Submit
C:\Windows\{764F17BA-373A-4a53-A438-C4C1575F2598}.exe

Filesize
168KB

MD5
654654c9bbb4faabb15bf135bd396d6b

SHA1
16ed6feacaec87534636e578d6cd6e96c081164e

SHA256
c34d3596118d18c637624520ab0f3bc00943661b14efa630247e08a8cd0bcf59

SHA512
fb3e054ed4322886d1953bc98d03c3e9be1478e555ae1060b583b5b0c3fea7580cc5ac28f41eef2ce06e11d94cfea7b3b0a5e3ffecf39a0f510e9861862d6173

Download Submit
C:\Windows\{8A01A12E-6F56-44fe-924F-84CBA3484C1F}.exe

Filesize
168KB

MD5
e4da62aad8158304b8504802f9cd3499

SHA1
ece741ce26383d06f388a7ccb9e1446b4adfc920

SHA256
3f0467c6850a85658c14684cb8588ea12cbc5174353b85ff531fe76853321ee8

SHA512
d990ce5495ef5c7d4adda23b2f9fb919b149a20669363ef7ac946b810f9813c519ed7866606c20d5aceab8051b78f59d4b66e9f5f3da7c822c626bf00d082276

Download Submit
C:\Windows\{937F4A65-0EE8-45e2-B237-64E27831E928}.exe

Filesize
168KB

MD5
97756e8bb2154f84142695094f1e5979

SHA1
f66780a39f1331f2c64f310df7b014487764dbda

SHA256
02b6384348df3a4186ec7cdf121cb4c783b0b1f76cfd4f77f55aadeb0a3b5060

SHA512
60723a416c30fd93ea631188edf5196787cfe34c1a580cb618ef5aefd3ce58bc3dbbe21c4b8e8d1f79c37dcaa2a56b6408c1a781f7b70df47db21a54741320df

Download Submit
C:\Windows\{BCF9025C-BFDF-4c69-9A29-0AA72DB4C92A}.exe

Filesize
168KB

MD5
bfaff97b7ffa15d931abf9e256bbf87f

SHA1
69772de0948ea360fb6edc54db113571c3352fa5

SHA256
9706c70d14fb56fabb7ee98139a80a8a6c8dfa702ddb12f5936e7c14d600a430

SHA512
10eabf9221147954d2177f7b457f97cbf19c49a5af21b54cab95206347f2e0248395a7dc08d4176ec76a3206279fdf15215959824cd94b961f578c2e282b35c7

Download Submit
C:\Windows\{DDD45CFD-B1B0-46ae-BEC6-7E36B712DBBC}.exe

Filesize
168KB

MD5
703eb5937f8d631b931c49a58cf13acc

SHA1
982da8aa2c67bcc127f9579c983de46dc1d2d718

SHA256
fa591a629d9d1121427c2b995284b28f92989e209d496646c358c20ad5ff0606

SHA512
7e4161874c3749e8131be17ebde23110d7f15515f3bae9135b79c3e7bbf5a256469be0308c6bff10ba0e63fba6725de416c561d0cbad5f729240473fc51f7712

Download Submit