08e17fb8c4ad78d79d50fdda2d4415a7a62a07545ce92bf7125d0ab04676788d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Size

180KB
MD5

309589c06a00682b259f27c71d503ada
SHA1

11f79ffc3e7c67c6380a7bdf397ccdaf0c273179
SHA256

08e17fb8c4ad78d79d50fdda2d4415a7a62a07545ce92bf7125d0ab04676788d
SHA512

6fd1adce8a1a12e66f69661ecdc6249b29317295a58fdf19f4bc9ad3d5027c4c4bd2a49e65be1c7dd432c6aca962cee086b289304beab6bd03755a208ed4f34f
SSDEEP

3072:jEGh0oIlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGql5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023229-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5eb-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5eb-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016928-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e401-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002339b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002339b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e401-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e401-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e587-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e587-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bc-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000234cd-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000234d1-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}\stubpath = "C:\\Windows\\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe"	{81B51771-D818-4501-8392-A5476E623B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F62878-60C6-477a-89D2-07806B89CEC9}	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F62878-60C6-477a-89D2-07806B89CEC9}\stubpath = "C:\\Windows\\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe"	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D394FAF6-63E8-4056-9761-B002A0ECE352}	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D394FAF6-63E8-4056-9761-B002A0ECE352}\stubpath = "C:\\Windows\\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe"	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B51771-D818-4501-8392-A5476E623B96}	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC992634-4FF5-4c42-871D-51902B17C887}\stubpath = "C:\\Windows\\{BC992634-4FF5-4c42-871D-51902B17C887}.exe"	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}\stubpath = "C:\\Windows\\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe"	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC992634-4FF5-4c42-871D-51902B17C887}	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}	{81B51771-D818-4501-8392-A5476E623B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BAE551-4089-4421-B53A-64B9D1A3842C}	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22BAE551-4089-4421-B53A-64B9D1A3842C}\stubpath = "C:\\Windows\\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe"	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}\stubpath = "C:\\Windows\\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe"	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81B51771-D818-4501-8392-A5476E623B96}\stubpath = "C:\\Windows\\{81B51771-D818-4501-8392-A5476E623B96}.exe"	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}\stubpath = "C:\\Windows\\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe"	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3B258-C471-4579-9B86-3DEB29BA8451}\stubpath = "C:\\Windows\\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe"	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}\stubpath = "C:\\Windows\\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe"	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}\stubpath = "C:\\Windows\\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe"	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3B258-C471-4579-9B86-3DEB29BA8451}	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
944	{81B51771-D818-4501-8392-A5476E623B96}.exe
3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
4484	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
4028	{BC992634-4FF5-4c42-871D-51902B17C887}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
File created	C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
File created	C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
File created	C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
File created	C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
File created	C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	{81B51771-D818-4501-8392-A5476E623B96}.exe
File created	C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
File created	C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
File created	C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
File created	C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
File created	C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
File created	C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
Token: SeIncBasePriorityPrivilege	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
Token: SeIncBasePriorityPrivilege	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
Token: SeIncBasePriorityPrivilege	944	{81B51771-D818-4501-8392-A5476E623B96}.exe
Token: SeIncBasePriorityPrivilege	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
Token: SeIncBasePriorityPrivilege	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
Token: SeIncBasePriorityPrivilege	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
Token: SeIncBasePriorityPrivilege	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
Token: SeIncBasePriorityPrivilege	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
Token: SeIncBasePriorityPrivilege	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
Token: SeIncBasePriorityPrivilege	4484	{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 4244	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	99
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 3412 wrote to memory of 3648	3412	2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe	98
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 2336	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	100
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 4244 wrote to memory of 3360	4244	{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe	101
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 4088	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	106
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 2336 wrote to memory of 1452	2336	{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe	105
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 944	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	108
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 4088 wrote to memory of 4244	4088	{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe	107
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 3772	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	110
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 944 wrote to memory of 528	944	{81B51771-D818-4501-8392-A5476E623B96}.exe	109
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 3136	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	113
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3772 wrote to memory of 4340	3772	{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe	112
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4776	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	115
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 3136 wrote to memory of 4756	3136	{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe	114
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 3188	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	118
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 4776 wrote to memory of 2760	4776	{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe	117
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 2460	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	123
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 3188 wrote to memory of 5044	3188	{69F62878-60C6-477a-89D2-07806B89CEC9}.exe	122
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 1256	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	127
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 2460 wrote to memory of 3048	2460	{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe	128
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4484	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	130
PID 1256 wrote to memory of 4892	1256	{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_309589c06a00682b259f27c71d503ada_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3648
- C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
  C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
    C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D394F~1.EXE > nul
      4⤵
      PID:1452
  - - C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
      C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D23~1.EXE > nul
        5⤵
        
        PID:4244
    - - C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe
        
        C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81B51~1.EXE > nul
        6⤵
        
        PID:528
      - C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
        
        C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D28C~1.EXE > nul
        7⤵
        
        PID:4340
        
        C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
        
        C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22BAE~1.EXE > nul
        8⤵
        
        PID:4756
        
        C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
        
        C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8C3~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
        
        C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69F62~1.EXE > nul
        10⤵
        
        PID:5044
        
        C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
        
        C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
        
        C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2454F~1.EXE > nul
        12⤵
        
        PID:4892
        
        C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
        
        C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe
        
        C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe
        13⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E3B~1.EXE > nul
        13⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BD0~1.EXE > nul
        11⤵
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71E5F~1.EXE > nul
    3⤵
    PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22BAE551-4089-4421-B53A-64B9D1A3842C}.exe

Filesize
180KB

MD5
efe1b0f061bcaab8be5a40b94794806c

SHA1
a800386437940256ff347fae242d544d6004f2b2

SHA256
ccfdb3b7ae720a180adc92bb5129c67b6f731852409b95dedb7eff1483041d2d

SHA512
05012c736a0cb8c6948c7ae55c0585d2125c388ab50280df805aaf483a77475d539b6923279032633b6da8685b63c4b41a21c4dcf9a6ff0f58c2541fa136b408

Download Submit
C:\Windows\{2454F229-CCB8-425f-B3EE-BC957C87BBAF}.exe

Filesize
180KB

MD5
f3d4b38575b8a3bb19125f9b071a67be

SHA1
b36d2a36bd1bfd1878d44d2e5c6b7c431b6e67e2

SHA256
88045c4432b4fa6967a851d97b35eae9e706edbd1cdd203d97de27defad35957

SHA512
a695f12fe3399a9a24b5832060aacf724ff33682a6513f3e814355ea930992cd8cd393807b3f1ee34201203e3ab832d72909a9d73b19e91114acc9ceacacd27a

Download Submit
C:\Windows\{29E3B258-C471-4579-9B86-3DEB29BA8451}.exe

Filesize
180KB

MD5
bbdc7aa551238e1949f28b4864701f0b

SHA1
d83d012703f6c3f21188ae6eeb4c7f92ddd1545c

SHA256
e5a3fc0767b79950c78fa31b6a90a67ab5f57900c0f81fd050b6ab402a839e6c

SHA512
baad9de7452fd0a86cf87e673cfe72fe2ddb28b00889b8e23faa0ea79bdd7b10aa62c153c0fac2e0a9a3af436db363960fb1446c61215dcad807c31c5a680e42

Download Submit
C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe

Filesize
50KB

MD5
6c17d24497eecf9a8a3c49924fcccc32

SHA1
ae98dd006c1db54ee30ef2cf306bca6ea62ef595

SHA256
93a1d586d71afb9b1b5597c7435fb97f95591adade4e2343c607070093374819

SHA512
049634d70938cd503b6467cd9094b2c1065d2f6ee2c955794b94f78518e31e611d778604e2249d4aeb109706472c7c73de477b676153d26caedd77663ff44e71

Download Submit
C:\Windows\{52BD0DBF-B87F-40f7-81C9-FB6981A2A401}.exe

Filesize
76KB

MD5
47f0046362df05e50050f9a1d8d6ec73

SHA1
5143335dda2aa4d2ebc8787747a1377ff85df95f

SHA256
6e6cc59c56c7df3e8c50867e5058225b80da3551e4352a416270b18dd3501675

SHA512
c1de8b43d5d68e540a61e5e35b23bf2b94223144fc9c12ecb7c4bd5593014a8cfed8844082ad75c60dc7edd6bfc7feabce6602c593b9e14821a59283151e6bcf

Download Submit
C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe

Filesize
79KB

MD5
151bd51414080f20132e457d2f2bc6d9

SHA1
a3d398287be1646afac2d80ac299b6530719b26f

SHA256
e0bc5868a55ad61297c49b069a971326807b25be5bee8728dfd15c9192ebd4c3

SHA512
8279d1563edd3d0a12b99f359b67e5e4e8c8c7b76e37580ed6ff4561c2b9d3e5b367010c7cfbed234611d02e492837d321faceedcffa014224714fac98279c55

Download Submit
C:\Windows\{69F62878-60C6-477a-89D2-07806B89CEC9}.exe

Filesize
122KB

MD5
8af89a0dbc081ae9f4664bb3b8d87f11

SHA1
8c454be53ff27ff1123c85f6d01b2c1a7091dd46

SHA256
f85e946e3121806f403804bd43ed9c39162a97a95c84ccceece146a115326efa

SHA512
fffdefc60325a53d824f13bad870a6a70f375d61b3b862ead04f0a2b1c80ea5cc5f8b19839769a9d2d0e13a40e43d11462dd9b0256859c3b39db8271994b5352

Download Submit
C:\Windows\{71E5FD01-8684-4aed-9BAF-66E318E7A2D7}.exe

Filesize
180KB

MD5
78feba3b0aa616f92deb86dd7b72a6bb

SHA1
cb8884f560e95694fdf3e6a903f4df32e42a8c27

SHA256
8c95169a54d9aae6f46e2abec159ac195c08068adfdb593d9b0a19a8f7655731

SHA512
c6b7007859d5b90e376b24481d4f559439d4c08f4e4198d0f65610d910c8b0625fa1dcc8b0a82ad23632f2789aa28de0fa9ddaf9bb18ae3b01f1f87c91e99b6a

Download Submit
C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe

Filesize
27KB

MD5
dd6309a73fc5ff9016456083fda42736

SHA1
901d29243324f3976463a8cc438038ea58c72e07

SHA256
86e9f3bbe7da6586a45b27f02f64e0d3e658e4feedce04545150fbe8616d2462

SHA512
bca87176cdc552545d45da9e8040a19f7d4a94582e1c20c408b8737b0f5d90bf1396311932b910ddabe01f8d2d303e6fc952a65b16c4fe79feb6c503c392ab02

Download Submit
C:\Windows\{81B51771-D818-4501-8392-A5476E623B96}.exe

Filesize
20KB

MD5
2f51cda59b50790a8ae46077e60fc6ed

SHA1
cbc14f66b8ac6e71dd6c4f3142ed83f1608ed5a8

SHA256
ad334b8927d0c2c923e83f2a36cafa9f618ea09bddc2be0b59a636851fa8f285

SHA512
1e8dae6d3c56ac8cb69eecd1899961f3a2dcaa775883793ba18d65a22252b188bc97ad7cc96aac91814e658796296f7b1875f41e1ddbe51eb9c165cf7e4a7f12

Download Submit
C:\Windows\{8D28CE9B-DE3E-4540-BFF9-231EECDCB1A7}.exe

Filesize
180KB

MD5
73c730682ad3a648e4194e7a2abce090

SHA1
2e4412098c0838bd56e47b93c732f2cc673e7ae3

SHA256
20de5e371a4ea59d66832d9b0175c725a082702a38fc5cfd3ce873247c27b5e0

SHA512
a50a17c81efc086a8357a513d9bae7dcda47ba42b565d890622ccfb501289721583333f0e97fe0c17bc0c14d7b7b31fc2ce560db677e112ddbedd42e4518d9f0

Download Submit
C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe

Filesize
177KB

MD5
2faaa0ba226dbe1d6b2f981131cc908e

SHA1
e74b5eec63d89a871cf3a4ed1cab2b98de9e6dc6

SHA256
a2ab0bc8a942a4ea14df2da705170b97ce1e842ebc183e259442e0f01843d88f

SHA512
ed2a1ffb737480dbf1b88608ec0a65307498829199708502ce8e446fd121ce8fee09164fbb9e12b64c2d7c35af80c7bd097c1c235147a3622f59f12b7c5921ea

Download Submit
C:\Windows\{AD8C3720-6BB7-4dda-BDF3-8FE75D61F733}.exe

Filesize
180KB

MD5
5b3744f2221d3ecf5a58fab1c8ed10ef

SHA1
9ae1cde4deb4c54655ce6e2a6e08dbc98b247c09

SHA256
bd0aa00a5acd0dd50c4cb88e65e6a7aca260814bf44e5492d70ccecf1f7dab5a

SHA512
be932cc522340a757eea936c83ce803db663bf4d3d2744b8850c937b3719dd4b0aa2b8a5bcbff8680715092c3f204d6278c0e7bbe2adbaedc710dc73bc77055a

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
174KB

MD5
a283cea5a60057526de255bd1a86202d

SHA1
69735e13d7e0e4679929877de35c12e23cb7afe2

SHA256
61cb2856ab311e99dbc1f81b1502373c11b49b4b15588023df404d03424214e8

SHA512
24fb6d2a9a6785c56e6ab20ff14ec9b1388ec4a64c690ce663bc0179b802e00ea351cc4cb70a6cf31bb982b96b4fa8439bba93a1d822e705e84cc5da76431c44

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
64KB

MD5
ae075957f46952c33c9fb8440424edd6

SHA1
765118e7727b0547bcf5a1017b8e42335e91b9b6

SHA256
cc655139a24afc95dbef36db24b0fd398535d9ab20499df773eb56ceee67afae

SHA512
666c508ef7cbd804855fba985a16dccebe1c137b89c0986f0a774a6ee8ce49523b8d2924b34bbe810843381c08b589821ab4f1e9b37201bb99cbdfde27503624

Download Submit
C:\Windows\{B2D23FA1-0D44-43cc-9C22-89DD7D343CB1}.exe

Filesize
180KB

MD5
07173987ceef1bbc82138c329be0b2d9

SHA1
55831f248982fe1a9cf6c75ea0ab3c4ffaf8dda7

SHA256
03ca1491380c0179fa7d8957979e9ef74aeef311d3212f2a5b809db51d5dd659

SHA512
ccafca1329a56545b0e0464c7c0308513e3ab1c2a9a6dd9f0c017e26eafdc95096ee81c6088ec7b326b16a651beb3286ee112a9f13ed260064a9d1540c99aa40

Download Submit
C:\Windows\{BC992634-4FF5-4c42-871D-51902B17C887}.exe

Filesize
180KB

MD5
faebd5fe9996644feda600da63b3c8da

SHA1
8518f0d8426edfdf28fabbbef9687eb74873cd0d

SHA256
68b97b3385f2c3966e26265ad60035872456d0082a94c367fa73655f4bb93164

SHA512
391c51dd089720fd3d5e0a424225abb5c76c7847d93c893943c9b7b2f30051e0519594b165a60c784a455629973e174137fb79b133f50742480b8952e4b778a5

Download Submit
C:\Windows\{D394FAF6-63E8-4056-9761-B002A0ECE352}.exe

Filesize
180KB

MD5
e226b5415c479c0564d834c124090e3e

SHA1
bc9eab827f9c7b19406963096c121d61241b0b75

SHA256
9021b7231aa42b5c7969170cc8b742b376e0744df8553dc064846b2914042118

SHA512
39cd9ff9089b3d53e9bf096da6a5c3da8f65aef3e246fe98dc156bd78d650eeab3fbc6261a723e06c1de06a3f7cec708dccc0165055d68ba2c02000d47cca5c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads