6efa5377b05d8c30e3f99e578f23615bea098710f52964feb1085a3e278cecd3

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Size

192KB
MD5

e5cd53dfd9d4625865b52742347b996a
SHA1

30304db75841d5fa303c8f84e345780985ff4c83
SHA256

6efa5377b05d8c30e3f99e578f23615bea098710f52964feb1085a3e278cecd3
SHA512

c668afab0cb5b6ab095cba079b81c8571d5cb987d88a62b33ac692c1677884980d472340ec10c19c6a9aa3446db5b25bd586a85a680795046a65659c79f20fb8
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{68993F54-6CA1-4927-B883-867DDB701B11}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1752B51E-B54A-4917-B562-99449F59C252}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe{1752B51E-B54A-4917-B562-99449F59C252}.exe{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe{68993F54-6CA1-4927-B883-867DDB701B11}.exe{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe{864DB085-9236-4382-A0C3-2085DABAE57D}.exe2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1752B51E-B54A-4917-B562-99449F59C252}\stubpath = "C:\\Windows\\{1752B51E-B54A-4917-B562-99449F59C252}.exe"	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}\stubpath = "C:\\Windows\\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe"	{1752B51E-B54A-4917-B562-99449F59C252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864DB085-9236-4382-A0C3-2085DABAE57D}\stubpath = "C:\\Windows\\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe"	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85542EBA-1B76-47f4-9B61-2C85D20927C1}	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68993F54-6CA1-4927-B883-867DDB701B11}	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68993F54-6CA1-4927-B883-867DDB701B11}\stubpath = "C:\\Windows\\{68993F54-6CA1-4927-B883-867DDB701B11}.exe"	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1610A64D-6FEB-4c5a-8DC9-667022E87511}	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1610A64D-6FEB-4c5a-8DC9-667022E87511}\stubpath = "C:\\Windows\\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe"	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85542EBA-1B76-47f4-9B61-2C85D20927C1}\stubpath = "C:\\Windows\\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe"	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1752B51E-B54A-4917-B562-99449F59C252}	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}	{1752B51E-B54A-4917-B562-99449F59C252}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864DB085-9236-4382-A0C3-2085DABAE57D}	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0725A0D-CFAD-4cee-9354-E383CD30F453}	{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0725A0D-CFAD-4cee-9354-E383CD30F453}\stubpath = "C:\\Windows\\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe"	{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209204F7-0B0D-413d-B2B4-CDE22733B553}	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{209204F7-0B0D-413d-B2B4-CDE22733B553}\stubpath = "C:\\Windows\\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe"	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}\stubpath = "C:\\Windows\\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe"	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD004404-FC5E-4740-AE21-E411C91B6E60}	{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD004404-FC5E-4740-AE21-E411C91B6E60}\stubpath = "C:\\Windows\\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe"	{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}\stubpath = "C:\\Windows\\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe"	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3056 cmd.exe

pid	process
3056	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe{68993F54-6CA1-4927-B883-867DDB701B11}.exe{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe{1752B51E-B54A-4917-B562-99449F59C252}.exe{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe{864DB085-9236-4382-A0C3-2085DABAE57D}.exe{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe

pid	process
3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe
2044	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
2856	{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
2304	{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
640	{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe

Drops file in Windows directory 11 IoCs

Processes:

{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{68993F54-6CA1-4927-B883-867DDB701B11}.exe{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe{864DB085-9236-4382-A0C3-2085DABAE57D}.exe{1752B51E-B54A-4917-B562-99449F59C252}.exe{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe

description	ioc	process
File created	C:\Windows\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe	{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
File created	C:\Windows\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
File created	C:\Windows\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
File created	C:\Windows\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
File created	C:\Windows\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe	{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
File created	C:\Windows\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe	{1752B51E-B54A-4917-B562-99449F59C252}.exe
File created	C:\Windows\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
File created	C:\Windows\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
File created	C:\Windows\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
File created	C:\Windows\{68993F54-6CA1-4927-B883-867DDB701B11}.exe	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
File created	C:\Windows\{1752B51E-B54A-4917-B562-99449F59C252}.exe	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe{68993F54-6CA1-4927-B883-867DDB701B11}.exe{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe{1752B51E-B54A-4917-B562-99449F59C252}.exe{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe{864DB085-9236-4382-A0C3-2085DABAE57D}.exe{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
Token: SeIncBasePriorityPrivilege	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
Token: SeIncBasePriorityPrivilege	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
Token: SeIncBasePriorityPrivilege	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
Token: SeIncBasePriorityPrivilege	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
Token: SeIncBasePriorityPrivilege	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
Token: SeIncBasePriorityPrivilege	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe
Token: SeIncBasePriorityPrivilege	2044	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
Token: SeIncBasePriorityPrivilege	2856	{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
Token: SeIncBasePriorityPrivilege	2304	{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1732 wrote to memory of 3032	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
PID 1732 wrote to memory of 3032	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
PID 1732 wrote to memory of 3032	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
PID 1732 wrote to memory of 3032	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
PID 1732 wrote to memory of 3056	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 1732 wrote to memory of 3056	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 1732 wrote to memory of 3056	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 1732 wrote to memory of 3056	1732	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 3032 wrote to memory of 2560	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
PID 3032 wrote to memory of 2560	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
PID 3032 wrote to memory of 2560	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
PID 3032 wrote to memory of 2560	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
PID 3032 wrote to memory of 2788	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	cmd.exe
PID 3032 wrote to memory of 2788	3032	{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe	cmd.exe
PID 2560 wrote to memory of 2476	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
PID 2560 wrote to memory of 2476	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
PID 2560 wrote to memory of 2476	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
PID 2560 wrote to memory of 2476	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
PID 2560 wrote to memory of 2496	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	cmd.exe
PID 2560 wrote to memory of 2496	2560	{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe	cmd.exe
PID 2476 wrote to memory of 884	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
PID 2476 wrote to memory of 884	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
PID 2476 wrote to memory of 884	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
PID 2476 wrote to memory of 884	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	{68993F54-6CA1-4927-B883-867DDB701B11}.exe
PID 2476 wrote to memory of 1260	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	cmd.exe
PID 2476 wrote to memory of 1260	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	cmd.exe
PID 2476 wrote to memory of 1260	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	cmd.exe
PID 2476 wrote to memory of 1260	2476	{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe	cmd.exe
PID 884 wrote to memory of 2556	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
PID 884 wrote to memory of 2556	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
PID 884 wrote to memory of 2556	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
PID 884 wrote to memory of 2556	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
PID 884 wrote to memory of 2828	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	cmd.exe
PID 884 wrote to memory of 2828	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	cmd.exe
PID 884 wrote to memory of 2828	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	cmd.exe
PID 884 wrote to memory of 2828	884	{68993F54-6CA1-4927-B883-867DDB701B11}.exe	cmd.exe
PID 2556 wrote to memory of 1776	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
PID 2556 wrote to memory of 1776	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
PID 2556 wrote to memory of 1776	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
PID 2556 wrote to memory of 1776	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
PID 2556 wrote to memory of 1764	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	cmd.exe
PID 2556 wrote to memory of 1764	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	cmd.exe
PID 2556 wrote to memory of 1764	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	cmd.exe
PID 2556 wrote to memory of 1764	2556	{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe	cmd.exe
PID 1776 wrote to memory of 2240	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	{1752B51E-B54A-4917-B562-99449F59C252}.exe
PID 1776 wrote to memory of 2240	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	{1752B51E-B54A-4917-B562-99449F59C252}.exe
PID 1776 wrote to memory of 2240	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	{1752B51E-B54A-4917-B562-99449F59C252}.exe
PID 1776 wrote to memory of 2240	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	{1752B51E-B54A-4917-B562-99449F59C252}.exe
PID 1776 wrote to memory of 2808	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	cmd.exe
PID 1776 wrote to memory of 2808	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	cmd.exe
PID 1776 wrote to memory of 2808	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	cmd.exe
PID 1776 wrote to memory of 2808	1776	{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe	cmd.exe
PID 2240 wrote to memory of 2044	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
PID 2240 wrote to memory of 2044	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
PID 2240 wrote to memory of 2044	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
PID 2240 wrote to memory of 2044	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
PID 2240 wrote to memory of 2024	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	cmd.exe
PID 2240 wrote to memory of 2024	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	cmd.exe
PID 2240 wrote to memory of 2024	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	cmd.exe
PID 2240 wrote to memory of 2024	2240	{1752B51E-B54A-4917-B562-99449F59C252}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
C:\Windows\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
C:\Windows\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
C:\Windows\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\{68993F54-6CA1-4927-B883-867DDB701B11}.exe
C:\Windows\{68993F54-6CA1-4927-B883-867DDB701B11}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
C:\Windows\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
C:\Windows\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\{1752B51E-B54A-4917-B562-99449F59C252}.exe
C:\Windows\{1752B51E-B54A-4917-B562-99449F59C252}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
C:\Windows\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
C:\Windows\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
C:\Windows\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe
C:\Windows\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe
12⤵
- Executes dropped EXE
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D0725~1.EXE > nul
12⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{864DB~1.EXE > nul
11⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1B167~1.EXE > nul
10⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1752B~1.EXE > nul
9⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{85542~1.EXE > nul
8⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1610A~1.EXE > nul
7⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{68993~1.EXE > nul
6⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C096~1.EXE > nul
5⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{20920~1.EXE > nul
4⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{727C8~1.EXE > nul
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
- Deletes itself
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1610A64D-6FEB-4c5a-8DC9-667022E87511}.exe

Filesize
192KB

MD5
9813cc8dc77d4c18016a7c4582a27745

SHA1
e7f4994cff2ead97964deb894f3f2afd0ce09b9b

SHA256
a8b2139ed6530a7048cba863fdcb0fe65fdb6c729013edf81c244ac6e03e1bb6

SHA512
d5ed5da6e027eb5ae75f657b19f1f3966a62324483595fdcac74d43ef5ce383242756216b2b2769f28f023a8a7bcdff81714d139aca659684aaa62430f58bc37

Download Submit
C:\Windows\{1752B51E-B54A-4917-B562-99449F59C252}.exe

Filesize
192KB

MD5
0a408ececbdcbb9ca174c5128426a440

SHA1
50576f146930f575f1bafcf9fa42df45f6e9b82f

SHA256
fa8e315ad71a27d3ef9a6a1142c9093e4878f696a2f130fc025ebe97ab390d12

SHA512
d85eac66fbee8abca9b61741f11056efff2876c0237663111186bafc01c157a5eeab9c06709a90671c0cd560015b5f406d8dbe5313f8af807674916d16324eb6

Download Submit
C:\Windows\{1B1674AC-D97F-4d9e-9AC2-E310203F754E}.exe

Filesize
192KB

MD5
b3757937e2e8ee58d0846c8bb2971b72

SHA1
3840c6b76e97f044dd04cb294c94d5bf9b21da15

SHA256
a7e22297a860d2578a4cc8e9fc1f7749582629b9996a4de9ff3d1e75d1b66214

SHA512
d2ab8367935fe9a8493c41f1473c325ee69d5ad5e03101e3ebb8267dc9408a2e291d31655992f9ab67cdcdfad1235d6baccfeb9f662aa4db1ab788397d75b14a

Download Submit
C:\Windows\{209204F7-0B0D-413d-B2B4-CDE22733B553}.exe

Filesize
192KB

MD5
2596a250b3c62666bc68b55287ae400d

SHA1
3011ca86382fbb1f0a9a5f9236c61dce266dd7d0

SHA256
91dcc75593f45c5d2f469565d9621cbb2ce6cc36c52ea66c899dfd4760af72f9

SHA512
8e4a0c7b92e934b5184820ef644b4c3beedf2c6c50ef780e5fec3611ddb990ca08de0205741b7142d19e856a26e4fecd2ef20128364d1e0c27dc7b044d798afa

Download Submit
C:\Windows\{68993F54-6CA1-4927-B883-867DDB701B11}.exe

Filesize
192KB

MD5
cd73ca42ede536606dcaa7c85848981f

SHA1
f433c54fc466b7df2b9af920c3ca31e4ec247c02

SHA256
f2e2cc068269b9a15567d9a41be84ba2b951dea4cbfd3729e967764f5fb7fe05

SHA512
af8ee4a41262540683db03e7ab9f3299748a5777e57f244ce6c9272ec0513577be928cff4018aebdb759e2f76d096932873766536ed022e4cabae3b4bf524997

Download Submit
C:\Windows\{727C8E66-6CFC-4584-9257-E9D2B874ABCA}.exe

Filesize
192KB

MD5
2d86289208c91a347a206fe0f88e4d74

SHA1
c62a61471408cc22f448f95dd0229f43117fc6e6

SHA256
774e2e4a4e479797378b88b6d6e842640758b89d24b8219abb19cd547ca8f9db

SHA512
89e65ed84ad7663664df232705b72f6861767f21404ae32b80f49a322d727f3254e8aecc042d78e376ba93cb149ae4e9f6641c7872c4dc7300b5f1ae21c0e6b8

Download Submit
C:\Windows\{85542EBA-1B76-47f4-9B61-2C85D20927C1}.exe

Filesize
192KB

MD5
d838e9e7aabdc63d03eb8a8e5a422e64

SHA1
a810b36e1675e8baf7c4a18c547bbd9b7c175dfa

SHA256
331b521ba3d3afaee6d6da4c8470aa27f0ceac0bfcad01aefe8686b317e0a164

SHA512
ef2f973ec48cbf16b23ce27f19056f479fe55f6264eb869b8924239ed5f266a7f5570147fc60cd9515d9076b3102649f4b20f2b522f68a765a1e1e43da80a0f0

Download Submit
C:\Windows\{864DB085-9236-4382-A0C3-2085DABAE57D}.exe

Filesize
192KB

MD5
cd4943300084dd0a217c118196dacee4

SHA1
4510cbb1a65accccce7c914adcca9aaf051bc6fb

SHA256
498444ffd5424a1ef14c9d07d176797b8d6176d90ac83237cfeca7902cad6794

SHA512
7eb6a17a9c9fd5cc9abc940dbfab94fbbc7ba248feb8775dfa9ddbdf4447f292d887c00b5710a46efde3c30199ca4532016969f742b61b58dc336ef2a13b6ab8

Download Submit
C:\Windows\{9C096CD4-C5D9-4626-BFD9-2C643DBBDD7F}.exe

Filesize
192KB

MD5
a3e7eb33a52c90ea432f95cbb9589a4a

SHA1
c4c0b41ed00f2714734ff90603f195d31201802e

SHA256
601b62876c083c4a4d384df4cdff217082ccab6ef2f97256b4e75e6a09c086d6

SHA512
32d38761a35eb0e31da83758bacde0bf903ab7a8a0bd19933d29fa4b8570cc870827c24b674272fb23c757fec69baa49f5a605f467e19726ffd8948ae9c9fa52

Download Submit
C:\Windows\{D0725A0D-CFAD-4cee-9354-E383CD30F453}.exe

Filesize
192KB

MD5
0cccbdd05cdadf9468363c20e0b9d5c1

SHA1
232d5aa253054d77344d919e00e97ef38cce11e1

SHA256
4a119ebe591950c03688e2957dd87b9aca9c327bdbf62fde2c79ef47ad9f1fe4

SHA512
c879fcdc7664661e6d7c09e941a967ce8cdf45e5e27db3618d32a8b68f5928b7be7e4c33314bd7071831d885a661e63a20a01e924e3a258109a44dad1b184509

Download Submit
C:\Windows\{FD004404-FC5E-4740-AE21-E411C91B6E60}.exe

Filesize
192KB

MD5
3abb5f9063f395f0748dc0650a36239f

SHA1
7a108d71be66dd7c339b1a9e9596fa109e1c0871

SHA256
5278b7f4aa300e23ecdaffd1bffe41fa9b036debb3ca98012aa52e1e204df02c

SHA512
c4f72140d117094f8383ac4a2df006294a0c019a67d382f26c7c481249d3d7ad9be0fafb013311352925ea8be3fa05fbe3a72eddbb850935cc35c59ba19242b8

Download Submit