4c5ee60c02ad880dbf12c26592d9c32d2d337976879c783d8558950279719087

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
Size

344KB
MD5

0bab0f9bb21d8a1dba2d3c636ae6a634
SHA1

05f1f902402957ecef08710717995b12b72e472b
SHA256

4c5ee60c02ad880dbf12c26592d9c32d2d337976879c783d8558950279719087
SHA512

ba1f2568dfae2eb9a0f496a6d9b3fec8335688f4b211ecbcfe2aaa2280ed0f365f0e9c75b65f75ffd37d019a483b49ae71a49e4dbfa60f099abffbc2a69f2031
SSDEEP

3072:mEGh0o0lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012257-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012257-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08EF988E-9527-450a-A152-1A9EC11CBCA1}	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}	{947289B0-0658-45d1-B453-D941B746BE47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16783AD9-AED6-492b-A6BC-BF02A325A58B}	{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}\stubpath = "C:\\Windows\\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe"	{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08EF988E-9527-450a-A152-1A9EC11CBCA1}\stubpath = "C:\\Windows\\{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe"	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034ADDDA-D523-456c-961F-6335D78A2771}\stubpath = "C:\\Windows\\{034ADDDA-D523-456c-961F-6335D78A2771}.exe"	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}\stubpath = "C:\\Windows\\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe"	{034ADDDA-D523-456c-961F-6335D78A2771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947289B0-0658-45d1-B453-D941B746BE47}	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}\stubpath = "C:\\Windows\\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe"	{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}	{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}\stubpath = "C:\\Windows\\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe"	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}	{034ADDDA-D523-456c-961F-6335D78A2771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}\stubpath = "C:\\Windows\\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe"	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}\stubpath = "C:\\Windows\\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe"	{947289B0-0658-45d1-B453-D941B746BE47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}\stubpath = "C:\\Windows\\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe"	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}	{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034ADDDA-D523-456c-961F-6335D78A2771}	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{947289B0-0658-45d1-B453-D941B746BE47}\stubpath = "C:\\Windows\\{947289B0-0658-45d1-B453-D941B746BE47}.exe"	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16783AD9-AED6-492b-A6BC-BF02A325A58B}\stubpath = "C:\\Windows\\{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe"	{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}	{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}\stubpath = "C:\\Windows\\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe"	{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe
2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
288	{947289B0-0658-45d1-B453-D941B746BE47}.exe
532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
1508	{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
1620	{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
2076	{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
2344	{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe
1536	{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
File created	C:\Windows\{034ADDDA-D523-456c-961F-6335D78A2771}.exe	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
File created	C:\Windows\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	{034ADDDA-D523-456c-961F-6335D78A2771}.exe
File created	C:\Windows\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
File created	C:\Windows\{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe	{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
File created	C:\Windows\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe	{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe
File created	C:\Windows\{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
File created	C:\Windows\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
File created	C:\Windows\{947289B0-0658-45d1-B453-D941B746BE47}.exe	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
File created	C:\Windows\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	{947289B0-0658-45d1-B453-D941B746BE47}.exe
File created	C:\Windows\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe	{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
File created	C:\Windows\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe	{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
Token: SeIncBasePriorityPrivilege	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
Token: SeIncBasePriorityPrivilege	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe
Token: SeIncBasePriorityPrivilege	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
Token: SeIncBasePriorityPrivilege	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
Token: SeIncBasePriorityPrivilege	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe
Token: SeIncBasePriorityPrivilege	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
Token: SeIncBasePriorityPrivilege	1508	{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
Token: SeIncBasePriorityPrivilege	1620	{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
Token: SeIncBasePriorityPrivilege	2076	{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
Token: SeIncBasePriorityPrivilege	2344	{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2924	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	28
PID 1736 wrote to memory of 2924	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	28
PID 1736 wrote to memory of 2924	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	28
PID 1736 wrote to memory of 2924	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	28
PID 1736 wrote to memory of 2348	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	29
PID 1736 wrote to memory of 2348	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	29
PID 1736 wrote to memory of 2348	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	29
PID 1736 wrote to memory of 2348	1736	2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe	29
PID 2924 wrote to memory of 2728	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	30
PID 2924 wrote to memory of 2728	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	30
PID 2924 wrote to memory of 2728	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	30
PID 2924 wrote to memory of 2728	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	30
PID 2924 wrote to memory of 2580	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	31
PID 2924 wrote to memory of 2580	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	31
PID 2924 wrote to memory of 2580	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	31
PID 2924 wrote to memory of 2580	2924	{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe	31
PID 2728 wrote to memory of 2616	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	33
PID 2728 wrote to memory of 2616	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	33
PID 2728 wrote to memory of 2616	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	33
PID 2728 wrote to memory of 2616	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	33
PID 2728 wrote to memory of 2572	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	34
PID 2728 wrote to memory of 2572	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	34
PID 2728 wrote to memory of 2572	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	34
PID 2728 wrote to memory of 2572	2728	{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe	34
PID 2616 wrote to memory of 2556	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	36
PID 2616 wrote to memory of 2556	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	36
PID 2616 wrote to memory of 2556	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	36
PID 2616 wrote to memory of 2556	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	36
PID 2616 wrote to memory of 1980	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	37
PID 2616 wrote to memory of 1980	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	37
PID 2616 wrote to memory of 1980	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	37
PID 2616 wrote to memory of 1980	2616	{034ADDDA-D523-456c-961F-6335D78A2771}.exe	37
PID 2556 wrote to memory of 2848	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	38
PID 2556 wrote to memory of 2848	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	38
PID 2556 wrote to memory of 2848	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	38
PID 2556 wrote to memory of 2848	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	38
PID 2556 wrote to memory of 2936	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	39
PID 2556 wrote to memory of 2936	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	39
PID 2556 wrote to memory of 2936	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	39
PID 2556 wrote to memory of 2936	2556	{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe	39
PID 2848 wrote to memory of 288	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	41
PID 2848 wrote to memory of 288	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	41
PID 2848 wrote to memory of 288	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	41
PID 2848 wrote to memory of 288	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	41
PID 2848 wrote to memory of 1476	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	40
PID 2848 wrote to memory of 1476	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	40
PID 2848 wrote to memory of 1476	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	40
PID 2848 wrote to memory of 1476	2848	{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe	40
PID 288 wrote to memory of 532	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	43
PID 288 wrote to memory of 532	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	43
PID 288 wrote to memory of 532	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	43
PID 288 wrote to memory of 532	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	43
PID 288 wrote to memory of 1580	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	42
PID 288 wrote to memory of 1580	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	42
PID 288 wrote to memory of 1580	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	42
PID 288 wrote to memory of 1580	288	{947289B0-0658-45d1-B453-D941B746BE47}.exe	42
PID 532 wrote to memory of 1508	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	45
PID 532 wrote to memory of 1508	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	45
PID 532 wrote to memory of 1508	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	45
PID 532 wrote to memory of 1508	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	45
PID 532 wrote to memory of 1664	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	44
PID 532 wrote to memory of 1664	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	44
PID 532 wrote to memory of 1664	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	44
PID 532 wrote to memory of 1664	532	{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_0bab0f9bb21d8a1dba2d3c636ae6a634_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
  C:\Windows\{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
    C:\Windows\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{034ADDDA-D523-456c-961F-6335D78A2771}.exe
      C:\Windows\{034ADDDA-D523-456c-961F-6335D78A2771}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
        
        C:\Windows\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
        
        C:\Windows\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88AE2~1.EXE > nul
        7⤵
        
        PID:1476
        
        C:\Windows\{947289B0-0658-45d1-B453-D941B746BE47}.exe
        
        C:\Windows\{947289B0-0658-45d1-B453-D941B746BE47}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94728~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
        
        C:\Windows\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B220~1.EXE > nul
        9⤵
        
        PID:1664
        
        C:\Windows\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
        
        C:\Windows\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{221DF~1.EXE > nul
        10⤵
        
        PID:1500
        
        C:\Windows\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
        
        C:\Windows\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56650~1.EXE > nul
        11⤵
        
        PID:2960
        
        C:\Windows\{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
        
        C:\Windows\{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe
        
        C:\Windows\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe
        
        C:\Windows\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe
        13⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2692~1.EXE > nul
        13⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16783~1.EXE > nul
        12⤵
        
        PID:824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1509E~1.EXE > nul
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{034AD~1.EXE > nul
        5⤵
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7C099~1.EXE > nul
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{08EF9~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{034ADDDA-D523-456c-961F-6335D78A2771}.exe

Filesize
344KB

MD5
b44cc6c4d6e71795d384f37ceb5eb36d

SHA1
25ef135df56b08152f4c827fc7cef195e14d3c52

SHA256
b59cff6184658b4b7336ee4de89a908fa51c52a421361a14f9bafd24c058e826

SHA512
86598d7125b41a9b2247ca91bd066acc844353ad87f09a50350da181b755d7ba819a4ee5f55e14dee250233361c57024d4308a5949e5acc21c0209fb2582fcdd

Download Submit
C:\Windows\{08EF988E-9527-450a-A152-1A9EC11CBCA1}.exe

Filesize
344KB

MD5
93b0db097c7d3b6dc276ed74fa4fdbf7

SHA1
04a29da69dbb9d349158c3d5e7266eba953bf4e1

SHA256
c70e73b52bb7abc83104f31de0b505896800f43fb136a9f36f0038c0572ba7a7

SHA512
d0418d31b54d6167392333baedc83a5ebfbdf6e1c415f5131dfdb1ed41231c29c9c0515de46a019d468e87038c2e5cae2a8ea7998af05b76e68f73ac9b95c63e

Download Submit
C:\Windows\{1509E6C3-6952-4bdd-9CA9-0B0ECB57749F}.exe

Filesize
344KB

MD5
5042766c1294359e46c3c3f951dd45e7

SHA1
4108693e46a3302e4b6b0efd7c413262bba0391d

SHA256
20f0e2d146e4f158d8edb64645bd1c551440de129a2ce164ff827e68105ceeb7

SHA512
33aa6023fd7f3daa9c10bd88421281c9d51db4879316b07dd7d9716ab30c0b3cd1aa80038b59a45f1f8a96c27a36062f0b4e2b5b937be29ddac964fd23515e47

Download Submit
C:\Windows\{16783AD9-AED6-492b-A6BC-BF02A325A58B}.exe

Filesize
344KB

MD5
f72dbf7de872540f619020fed2072eb2

SHA1
a9c0ba12c6db057d04865c279358641dc8c10f05

SHA256
b45486f2e7f0a2a8b7fb8574d26013893d93e659f7b66a4c85c776eaf07086c1

SHA512
44fd5857ceafdeb45a8c185eda7534bba2b1430730c2abfe1094e1c87bcc120ae1061e73bfb8c4344bc1bb3594e224a2c9bf4b49775171b26fa36a2f4c95dded

Download Submit
C:\Windows\{1B220668-FDC2-4ec3-B1D9-352337FBAEF6}.exe

Filesize
344KB

MD5
5196bce54a1dbc7bc7de467e6d282d6b

SHA1
fe9c7a1fddc4e57e59a687a174857e6366e4dc66

SHA256
8d758fbc4d53ac219e77232cb4227868ebe36871b1ee4b109af953aa42732f00

SHA512
3ece203cc5e4dec45ff2bad10c09fa73d81b8a00a0bc5f84ae32269cce7216d6a55cd112c7892b05e36436d88cd094e0b53212d8a7991289fb7b2f6b7533d7d4

Download Submit
C:\Windows\{221DF652-24A0-40a4-8BD0-7DF233A6ED74}.exe

Filesize
344KB

MD5
d92b5150660c9e2c99e61e76c11d5054

SHA1
536f21e090c5575ad165c64bacff208aed41b8c7

SHA256
e9eb3f53b3eea791993c6a0fbb3ede4fdcf2dd01ed0ec84fa3ec65823b59a07c

SHA512
e850dc31747be3721b83378badd088fede9751edbcf9e50c40d31d37c76a65ead82b5477cec5306c80f0078878fa99daeb07ff9839a44662a405a0cc4767a3ba

Download Submit
C:\Windows\{56650E14-0C92-483d-B9DD-A0B0629FF9BC}.exe

Filesize
344KB

MD5
024165d5ab983d57317c536e83611b0c

SHA1
f0bd45a199e455e8471e998763ea7eb2c047b37b

SHA256
d66a76209c3aef04bd5cbc6755caaf3e621e9237e016ac3e8d1abc331142a4bf

SHA512
0d650e6543262a06036b2d56e18de58e191963d3d7f9c2e9af9e8022e9ff0675cc91b9246f845dd004ad215f978a8dce9ef998a14c3695d98fae87c72d2bfa0c

Download Submit
C:\Windows\{7C099E81-27B8-44d1-AEDE-D8FDFA385980}.exe

Filesize
344KB

MD5
cc6999de208b08df93616d36682c9fac

SHA1
0f25a19bc0f5a7b1fbe8b8e1f9aef8dad3437709

SHA256
75fc394bf433c3a579779758c03a3fa1d900dfff0215e64899f005f47d10be83

SHA512
011505e37984bf1ddfe377c7b2f9e598844e6830e78acb4bedd8abff6bfa2dd1a6c48bf90aa6a8c409f991c616ab31836903825cdf66d1ab09af38958cb18d44

Download Submit
C:\Windows\{88AE2A9F-5D7F-4040-9DB4-61EC75BD6251}.exe

Filesize
344KB

MD5
b8366cd3162fc4bd8cf86333ff34a005

SHA1
2fd72d135b14665d11a1450a224f4f6e4fc19d66

SHA256
c1b976d7a3ab0b8cd29c0ad7f030a0d8acd265badf89dc522bb79941fcec21ce

SHA512
43a6b2ee5b84e902a36287184260670410d3306be7836edcb00b9d54684a1f2cd420e8720aba4b65df12cb6d6ff6b9ab775a39e7233f8eee0d42c06cc9443587

Download Submit
C:\Windows\{947289B0-0658-45d1-B453-D941B746BE47}.exe

Filesize
344KB

MD5
4c8aa92fd5656a86fdde0e0d20ec8590

SHA1
3ece1cba93afbff0f77356d32843929dd1b5d76f

SHA256
1e1aa423d9ca360dc6ed964fa2839c8b5df862ae1c3fa43f28ef8db5c9b899ee

SHA512
50a624fda286f10df271b9f6133935e882451663a72d9d39cce8af3f5d2ecfae0bd6f1f627556c5a570cd2b46b889894752baf50c4ff8e68ae89ae4fb55e07ac

Download Submit
C:\Windows\{B2692A1D-6B88-42ab-916D-57A8CAD6FD83}.exe

Filesize
344KB

MD5
98f6eedcf8b4302e76ebd53edaea4a88

SHA1
4b604f136075ae0cb4d465f0f1dda01b054259ab

SHA256
20b2c231d61a9e77888bcb1a455e2ab8a75a44eca57af36c6b875850c722eb08

SHA512
d381b66d3fbc6f7ce2084d6a743593c632b0ab0ee939f3a419ac4c92a55cc1abfb8f7260c3ba766f9282f19dfc9aa7452ae722ce78a3302dfc78a38d38174d6b

Download Submit
C:\Windows\{FB7E68C3-99F3-42e6-AC19-1998FDA42727}.exe

Filesize
344KB

MD5
91c495746cf4a778593bf8d9a99df266

SHA1
78bf02c4156147e682972672f074e92fbfc9a789

SHA256
c4131f3d81b4e02ed3c6647c33b9606a238c80d658c042d17d3236af3a14d510

SHA512
fb3d9e674b3ab07c7dc3a8a2b0cccfcee5f540820bb702638b4b0b0458af3b243065d56a4d01fde08af060b0da1d5222a93c12df04b17a7e59c4601bc9a6fa33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads