6efa5377b05d8c30e3f99e578f23615bea098710f52964feb1085a3e278cecd3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Size

192KB
MD5

e5cd53dfd9d4625865b52742347b996a
SHA1

30304db75841d5fa303c8f84e345780985ff4c83
SHA256

6efa5377b05d8c30e3f99e578f23615bea098710f52964feb1085a3e278cecd3
SHA512

c668afab0cb5b6ab095cba079b81c8571d5cb987d88a62b33ac692c1677884980d472340ec10c19c6a9aa3446db5b25bd586a85a680795046a65659c79f20fb8
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3D889581-7927-4131-AEEB-C65F3F615325}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit
C:\Windows\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe{3D889581-7927-4131-AEEB-C65F3F615325}.exe{63795012-D76E-43e6-8491-EE3A8431FF38}.exe{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe{370E67B4-22AB-4be7-A938-1827B43E067D}.exe{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E25FB80-6E4F-4765-821F-34CF32924E4E}	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}\stubpath = "C:\\Windows\\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe"	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370E67B4-22AB-4be7-A938-1827B43E067D}	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370E67B4-22AB-4be7-A938-1827B43E067D}\stubpath = "C:\\Windows\\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe"	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}\stubpath = "C:\\Windows\\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe"	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}\stubpath = "C:\\Windows\\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe"	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F764B86-85B5-40c8-A584-C1E33E8C449C}	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}\stubpath = "C:\\Windows\\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe"	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E25FB80-6E4F-4765-821F-34CF32924E4E}\stubpath = "C:\\Windows\\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe"	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D889581-7927-4131-AEEB-C65F3F615325}\stubpath = "C:\\Windows\\{3D889581-7927-4131-AEEB-C65F3F615325}.exe"	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63795012-D76E-43e6-8491-EE3A8431FF38}\stubpath = "C:\\Windows\\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe"	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F764B86-85B5-40c8-A584-C1E33E8C449C}\stubpath = "C:\\Windows\\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe"	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}\stubpath = "C:\\Windows\\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe"	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D889581-7927-4131-AEEB-C65F3F615325}	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63795012-D76E-43e6-8491-EE3A8431FF38}	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}\stubpath = "C:\\Windows\\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe"	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A558660-8BF5-45fc-ACC5-F856CB418A40}	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A558660-8BF5-45fc-ACC5-F856CB418A40}\stubpath = "C:\\Windows\\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe"	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe

Executes dropped EXE 12 IoCs

Processes:

{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe{3D889581-7927-4131-AEEB-C65F3F615325}.exe{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe{370E67B4-22AB-4be7-A938-1827B43E067D}.exe{63795012-D76E-43e6-8491-EE3A8431FF38}.exe{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe

pid	process
1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
1956	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
3440	{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe

Drops file in Windows directory 12 IoCs

Processes:

{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe{63795012-D76E-43e6-8491-EE3A8431FF38}.exe{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe{3D889581-7927-4131-AEEB-C65F3F615325}.exe{370E67B4-22AB-4be7-A938-1827B43E067D}.exe

description	ioc	process
File created	C:\Windows\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
File created	C:\Windows\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
File created	C:\Windows\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
File created	C:\Windows\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
File created	C:\Windows\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
File created	C:\Windows\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
File created	C:\Windows\{3D889581-7927-4131-AEEB-C65F3F615325}.exe	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
File created	C:\Windows\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
File created	C:\Windows\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
File created	C:\Windows\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
File created	C:\Windows\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
File created	C:\Windows\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe{3D889581-7927-4131-AEEB-C65F3F615325}.exe{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe{370E67B4-22AB-4be7-A938-1827B43E067D}.exe{63795012-D76E-43e6-8491-EE3A8431FF38}.exe{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
Token: SeIncBasePriorityPrivilege	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
Token: SeIncBasePriorityPrivilege	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
Token: SeIncBasePriorityPrivilege	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
Token: SeIncBasePriorityPrivilege	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
Token: SeIncBasePriorityPrivilege	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
Token: SeIncBasePriorityPrivilege	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
Token: SeIncBasePriorityPrivilege	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
Token: SeIncBasePriorityPrivilege	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
Token: SeIncBasePriorityPrivilege	3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
Token: SeIncBasePriorityPrivilege	1956	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3952 wrote to memory of 1444	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
PID 3952 wrote to memory of 1444	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
PID 3952 wrote to memory of 1444	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
PID 3952 wrote to memory of 1612	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 3952 wrote to memory of 1612	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 3952 wrote to memory of 1612	3952	2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe	cmd.exe
PID 1444 wrote to memory of 2380	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
PID 1444 wrote to memory of 2380	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
PID 1444 wrote to memory of 2380	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	{3D889581-7927-4131-AEEB-C65F3F615325}.exe
PID 1444 wrote to memory of 4776	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	cmd.exe
PID 1444 wrote to memory of 4776	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	cmd.exe
PID 1444 wrote to memory of 4776	1444	{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe	cmd.exe
PID 2380 wrote to memory of 4456	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
PID 2380 wrote to memory of 4456	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
PID 2380 wrote to memory of 4456	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
PID 2380 wrote to memory of 2100	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	cmd.exe
PID 2380 wrote to memory of 2100	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	cmd.exe
PID 2380 wrote to memory of 2100	2380	{3D889581-7927-4131-AEEB-C65F3F615325}.exe	cmd.exe
PID 4456 wrote to memory of 2444	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
PID 4456 wrote to memory of 2444	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
PID 4456 wrote to memory of 2444	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
PID 4456 wrote to memory of 2580	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	cmd.exe
PID 4456 wrote to memory of 2580	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	cmd.exe
PID 4456 wrote to memory of 2580	4456	{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe	cmd.exe
PID 2444 wrote to memory of 3976	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
PID 2444 wrote to memory of 3976	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
PID 2444 wrote to memory of 3976	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
PID 2444 wrote to memory of 3468	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	cmd.exe
PID 2444 wrote to memory of 3468	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	cmd.exe
PID 2444 wrote to memory of 3468	2444	{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe	cmd.exe
PID 3976 wrote to memory of 4244	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
PID 3976 wrote to memory of 4244	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
PID 3976 wrote to memory of 4244	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
PID 3976 wrote to memory of 1020	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	cmd.exe
PID 3976 wrote to memory of 1020	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	cmd.exe
PID 3976 wrote to memory of 1020	3976	{370E67B4-22AB-4be7-A938-1827B43E067D}.exe	cmd.exe
PID 4244 wrote to memory of 1796	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
PID 4244 wrote to memory of 1796	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
PID 4244 wrote to memory of 1796	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
PID 4244 wrote to memory of 4032	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	cmd.exe
PID 4244 wrote to memory of 4032	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	cmd.exe
PID 4244 wrote to memory of 4032	4244	{63795012-D76E-43e6-8491-EE3A8431FF38}.exe	cmd.exe
PID 1796 wrote to memory of 836	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
PID 1796 wrote to memory of 836	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
PID 1796 wrote to memory of 836	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
PID 1796 wrote to memory of 3320	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	cmd.exe
PID 1796 wrote to memory of 3320	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	cmd.exe
PID 1796 wrote to memory of 3320	1796	{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe	cmd.exe
PID 836 wrote to memory of 4852	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
PID 836 wrote to memory of 4852	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
PID 836 wrote to memory of 4852	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
PID 836 wrote to memory of 3664	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	cmd.exe
PID 836 wrote to memory of 3664	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	cmd.exe
PID 836 wrote to memory of 3664	836	{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe	cmd.exe
PID 4852 wrote to memory of 3844	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
PID 4852 wrote to memory of 3844	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
PID 4852 wrote to memory of 3844	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
PID 4852 wrote to memory of 4940	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	cmd.exe
PID 4852 wrote to memory of 4940	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	cmd.exe
PID 4852 wrote to memory of 4940	4852	{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe	cmd.exe
PID 3844 wrote to memory of 1956	3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
PID 3844 wrote to memory of 1956	3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
PID 3844 wrote to memory of 1956	3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
PID 3844 wrote to memory of 1560	3844	{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_e5cd53dfd9d4625865b52742347b996a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
C:\Windows\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\{3D889581-7927-4131-AEEB-C65F3F615325}.exe
C:\Windows\{3D889581-7927-4131-AEEB-C65F3F615325}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
C:\Windows\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
C:\Windows\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
C:\Windows\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
C:\Windows\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
C:\Windows\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
C:\Windows\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
C:\Windows\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
C:\Windows\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
C:\Windows\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe
C:\Windows\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe
13⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2BAB1~1.EXE > nul
13⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0ACCA~1.EXE > nul
12⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3CAF4~1.EXE > nul
11⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F764~1.EXE > nul
10⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D1D56~1.EXE > nul
9⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{63795~1.EXE > nul
8⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{370E6~1.EXE > nul
7⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FBAA0~1.EXE > nul
6⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E914~1.EXE > nul
5⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3D889~1.EXE > nul
4⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7E25F~1.EXE > nul
3⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
2⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A558660-8BF5-45fc-ACC5-F856CB418A40}.exe

Filesize
192KB

MD5
7d7dd7ffcdb04102df08a2d8ed6c4b6c

SHA1
7d1201a3af9160a6921f246bd1409e66ad06472f

SHA256
f502066dfb1e538f9a171a90db6fa101ea2ac29c4d8d9bb9920360930c2a67a0

SHA512
831df49cb5c28d65896b17ef16465458e5d093124022234a24a91a0d08c8271b751a75c5c2582fdaa4ed87021a5eee2c1172dca4aaf5273004ec21becd9a4574

Download Submit
C:\Windows\{0ACCA9AC-89D5-49e1-B6E2-0C4402B39E4D}.exe

Filesize
192KB

MD5
ee4d91dea9cba1b8b6eed7c366be642d

SHA1
be0c5387aeb996cbfcf4179f5a53da316d4e01c6

SHA256
877a8ca1fec06ec68365d38070da99cf1e82126b9be6b5ab08b3efc68058526c

SHA512
bca6ba13090d54aec6b6bab3f5eccc2339166ef669b65f71591716d33a35513f907346e1be7c7cb5a4b3ed256c16af2ede25e297da01f3c52907ce44836af365

Download Submit
C:\Windows\{2BAB16AC-9064-40f6-BF5D-9DE7A1EE4C30}.exe

Filesize
192KB

MD5
f706890650ab63c5c2ca4f5d4118ed4c

SHA1
457a3412a6880917a49ca6f01bb77baff71ab36e

SHA256
af2ab30c86307ffb9642d8ca729c4ed5ea76c5f447ddf6d4aaa651f4f14fbc78

SHA512
a0bdf87dde57a4786fdc4460d98838fb52714ace31f1abf4220706e074d7012be78a308970fb1c01bfa2eb8c4a71f72e235b49beaa99bab3ec47870de279bc6e

Download Submit
C:\Windows\{2E9142F8-7B65-4c8f-AB98-231371DD0C6A}.exe

Filesize
192KB

MD5
3c53199ee077cb30fdb653af75df2743

SHA1
182fe3b883a2b0ce1e484e326e8a44b4bc33bbab

SHA256
33d4b6ced083bb646ea288523a79c0a259c744ba8e5cf857125551182e74a162

SHA512
ac9388da50b1a58a3f08e60141c60500e490dc7d33f70cae9d571ef0bc6c91d247fed9b59f7c800a19155511e2311134eb78aaf5dea46cd159d906cc77026518

Download Submit
C:\Windows\{370E67B4-22AB-4be7-A938-1827B43E067D}.exe

Filesize
192KB

MD5
5c341d7e97de96c26cf25a99615cd543

SHA1
5b8af8d8347611b4b2aee5b749f2814e573a22b9

SHA256
8bbce74b887852a5c6a6e50e920b2dd6af6da96ee6dcc3480ec7e1af67059479

SHA512
b9f05ae34dbb8575669f8ea8c964f9ad0b3ad72d27d9326eb06435d8cd9d7fec5e95953e2b349d653aa15d7ffcf0b6dea74014aa57c1b64c716bb97585d01f19

Download Submit
C:\Windows\{3CAF4C98-87C6-4d85-BA9B-D74FE0AFF727}.exe

Filesize
192KB

MD5
da5e8c4ee4c4d0c1bf3c3e58076d7ead

SHA1
6218150a7f713b53102d4ec0194de32885864441

SHA256
dc221beb123f17f524a23edc355e405e17444235fceabf836981e06af0119c2c

SHA512
9e72485c3ff3a0eef5fe7953e2e1457ee997cc612f4cff81f2ceafe7200c763b0f53adc906bd856108716c282fc12cf6834832b024c7b569ae09b5122b667eac

Download Submit
C:\Windows\{3D889581-7927-4131-AEEB-C65F3F615325}.exe

Filesize
192KB

MD5
371369f197ae4aeff4ac085b247f5b6f

SHA1
796c18d15990e487e51454882ff65ce032bb82d3

SHA256
2124fd051df5a7fa40d96621a36a297af64df96189ca5fc3003eae4cf1acf1c5

SHA512
068e19d6c40da99357ada0a451adad0db34e527baac258c48c62c7e183322a9288061fb852f9c58ed63866fd426d8d7de6f8874db0a7d97b28330ba3cc55c3b2

Download Submit
C:\Windows\{4F764B86-85B5-40c8-A584-C1E33E8C449C}.exe

Filesize
192KB

MD5
233df8eee8c24fcffecf4ebd01021176

SHA1
365005b086ec4f88e993ecb1c7578f71d55b47db

SHA256
2fdac1cb452b98f9a183439fba934bbf7aab4ac3364528b0adcf89a214d76ceb

SHA512
40d203d1f7db588b6e86b6b76781d216491d704867e2dc80ffcf2f7172b3374a4f2d3e53eef61f46284388aecd96bbbf4389d099cb5774db64d8ed7176001b94

Download Submit
C:\Windows\{63795012-D76E-43e6-8491-EE3A8431FF38}.exe

Filesize
192KB

MD5
705577b7a48dbad4cbcf929a6fbdbc6f

SHA1
a62d2e5c126721bd0cbffc59e8f7ad707e0e4d76

SHA256
fe202f84d93545b92dcae7f43127d2c669afbe7abf2666e923b5ce96ed6e1fa0

SHA512
69033385c95e710b3be0518bb919dd08127245d03deab01431748e511826bcd3246aab6fcee91826f644a0422aa1bdd31348f9f8bc7add55bc93f93d8eb0fbb9

Download Submit
C:\Windows\{7E25FB80-6E4F-4765-821F-34CF32924E4E}.exe

Filesize
192KB

MD5
0d93582f2d0dd48fc6b2075d44e5b85b

SHA1
11a3b06b065f98d29a32db00f5cb21fbaafddf48

SHA256
0074be94753b2237d543048ab0ad5c51e191deca98d530dfdcbe3f58a6194e8d

SHA512
1642897e681dda487cb0dbe06d925695537fd3b000e5326e50e509519fffe30abcbe6eb9d13ec5f4818d63eebd59567402b6e3683df67b40742bb85eed410b9b

Download Submit
C:\Windows\{D1D564DF-6F9B-4bb5-8EEB-A5233ED79AB9}.exe

Filesize
192KB

MD5
f1ba3f2553ea05b54580eb6b58c3a5ad

SHA1
91430c48ff6c18a9c530a5785f119c723333409d

SHA256
684f738d758b30b5c26e0b61d7779a68e1a4b85bab0971e762119acb360eadc7

SHA512
24e4d25064b0ca0d837bb72037a83b8c983ba399b6deb2f3febdb3203d702271ba575d0663d47d8dc76f9c3c8c080d6dcaeebe6bb314dcf4d03843fc2ad1db49

Download Submit
C:\Windows\{FBAA0C5D-E4C7-4bfd-B9E2-76C007173222}.exe

Filesize
192KB

MD5
cb1b90d7188e4f18433975b6384e9003

SHA1
721fbc0dadeb8c5511c65c812910976ac4127892

SHA256
9dafcd5f915c584225c8cbfe6e33c2901f9416b0237a6a2bfae1d059efdaa2b0

SHA512
03d1621541cdee833e01fe30d0cabb992d463e06f00a9bb3681ce1eb80fc6382bdb4966e6e783d3afd656cf63b8b38bb9805d9080346fed0b6d7bbaa728b97c7

Download Submit