54678880728f19cf94891aeb0a57dc2c622f5782ec0a5285bb32e8cdf2797221

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Size

180KB
MD5

85281ba2da493641c6535ece62c3b1c2
SHA1

03ef27f511debe16b7f98850065b49a5e193d2d8
SHA256

54678880728f19cf94891aeb0a57dc2c622f5782ec0a5285bb32e8cdf2797221
SHA512

7001488519c674324380d4289283152dda980c983de880e119029b51331e95658c2e2d455299fc7926f1cfc97b00241400c2dcb4cd76a9a44f7a8fd6d7340e6a
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGsl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00280000000167c9-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000f6f8-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000f6f8-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000f6f8-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000000f6f8-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001224a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00290000000167c9-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001224a-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}	{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A068043D-FA5C-439d-BE56-23D47858B3DC}\stubpath = "C:\\Windows\\{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe"	{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}	{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}\stubpath = "C:\\Windows\\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe"	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}\stubpath = "C:\\Windows\\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe"	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C687633C-246C-4920-8EBB-ED99E2F26A5E}\stubpath = "C:\\Windows\\{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe"	{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E707FB-11D9-42ae-BF9C-0E413455CB47}	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A068043D-FA5C-439d-BE56-23D47858B3DC}	{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}\stubpath = "C:\\Windows\\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe"	{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}\stubpath = "C:\\Windows\\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe"	{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C687633C-246C-4920-8EBB-ED99E2F26A5E}	{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}\stubpath = "C:\\Windows\\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe"	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}\stubpath = "C:\\Windows\\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe"	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}\stubpath = "C:\\Windows\\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe"	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}\stubpath = "C:\\Windows\\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe"	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E707FB-11D9-42ae-BF9C-0E413455CB47}\stubpath = "C:\\Windows\\{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe"	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}\stubpath = "C:\\Windows\\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe"	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe
2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
952	{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
2304	{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
2328	{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
1324	{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
2176	{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
File created	C:\Windows\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
File created	C:\Windows\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
File created	C:\Windows\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
File created	C:\Windows\{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
File created	C:\Windows\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe	{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
File created	C:\Windows\{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe	{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
File created	C:\Windows\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
File created	C:\Windows\{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe	{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
File created	C:\Windows\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
File created	C:\Windows\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe	{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
File created	C:\Windows\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
Token: SeIncBasePriorityPrivilege	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
Token: SeIncBasePriorityPrivilege	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe
Token: SeIncBasePriorityPrivilege	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
Token: SeIncBasePriorityPrivilege	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
Token: SeIncBasePriorityPrivilege	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
Token: SeIncBasePriorityPrivilege	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
Token: SeIncBasePriorityPrivilege	952	{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
Token: SeIncBasePriorityPrivilege	2304	{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
Token: SeIncBasePriorityPrivilege	2328	{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
Token: SeIncBasePriorityPrivilege	1324	{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2080	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	28
PID 1720 wrote to memory of 2080	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	28
PID 1720 wrote to memory of 2080	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	28
PID 1720 wrote to memory of 2080	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	28
PID 1720 wrote to memory of 2168	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	29
PID 1720 wrote to memory of 2168	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	29
PID 1720 wrote to memory of 2168	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	29
PID 1720 wrote to memory of 2168	1720	2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe	29
PID 2080 wrote to memory of 2708	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	32
PID 2080 wrote to memory of 2708	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	32
PID 2080 wrote to memory of 2708	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	32
PID 2080 wrote to memory of 2708	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	32
PID 2080 wrote to memory of 2692	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	33
PID 2080 wrote to memory of 2692	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	33
PID 2080 wrote to memory of 2692	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	33
PID 2080 wrote to memory of 2692	2080	{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe	33
PID 2708 wrote to memory of 2736	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	34
PID 2708 wrote to memory of 2736	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	34
PID 2708 wrote to memory of 2736	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	34
PID 2708 wrote to memory of 2736	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	34
PID 2708 wrote to memory of 3044	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	35
PID 2708 wrote to memory of 3044	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	35
PID 2708 wrote to memory of 3044	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	35
PID 2708 wrote to memory of 3044	2708	{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe	35
PID 2736 wrote to memory of 2600	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	36
PID 2736 wrote to memory of 2600	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	36
PID 2736 wrote to memory of 2600	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	36
PID 2736 wrote to memory of 2600	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	36
PID 2736 wrote to memory of 2208	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	37
PID 2736 wrote to memory of 2208	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	37
PID 2736 wrote to memory of 2208	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	37
PID 2736 wrote to memory of 2208	2736	{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe	37
PID 2600 wrote to memory of 2012	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	38
PID 2600 wrote to memory of 2012	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	38
PID 2600 wrote to memory of 2012	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	38
PID 2600 wrote to memory of 2012	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	38
PID 2600 wrote to memory of 1772	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	39
PID 2600 wrote to memory of 1772	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	39
PID 2600 wrote to memory of 1772	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	39
PID 2600 wrote to memory of 1772	2600	{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe	39
PID 2012 wrote to memory of 2884	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	41
PID 2012 wrote to memory of 2884	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	41
PID 2012 wrote to memory of 2884	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	41
PID 2012 wrote to memory of 2884	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	41
PID 2012 wrote to memory of 2596	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	40
PID 2012 wrote to memory of 2596	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	40
PID 2012 wrote to memory of 2596	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	40
PID 2012 wrote to memory of 2596	2012	{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe	40
PID 2884 wrote to memory of 1448	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	42
PID 2884 wrote to memory of 1448	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	42
PID 2884 wrote to memory of 1448	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	42
PID 2884 wrote to memory of 1448	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	42
PID 2884 wrote to memory of 2284	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	43
PID 2884 wrote to memory of 2284	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	43
PID 2884 wrote to memory of 2284	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	43
PID 2884 wrote to memory of 2284	2884	{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe	43
PID 1448 wrote to memory of 952	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	44
PID 1448 wrote to memory of 952	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	44
PID 1448 wrote to memory of 952	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	44
PID 1448 wrote to memory of 952	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	44
PID 1448 wrote to memory of 2148	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	45
PID 1448 wrote to memory of 2148	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	45
PID 1448 wrote to memory of 2148	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	45
PID 1448 wrote to memory of 2148	1448	{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_85281ba2da493641c6535ece62c3b1c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
  C:\Windows\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
    C:\Windows\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe
      C:\Windows\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
        
        C:\Windows\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
        
        C:\Windows\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE733~1.EXE > nul
        7⤵
        
        PID:2596
        
        C:\Windows\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
        
        C:\Windows\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
        
        C:\Windows\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
        
        C:\Windows\{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
        
        C:\Windows\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
        
        C:\Windows\{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
        
        C:\Windows\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe
        
        C:\Windows\{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10BB5~1.EXE > nul
        13⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0680~1.EXE > nul
        12⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED79~1.EXE > nul
        11⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E70~1.EXE > nul
        10⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1EF7~1.EXE > nul
        9⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C44~1.EXE > nul
        8⤵
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D1C~1.EXE > nul
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9110D~1.EXE > nul
        5⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0D2~1.EXE > nul
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74B95~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C0D20F9-2DA6-451c-B61E-A64742ED61CE}.exe

Filesize
180KB

MD5
5bc4d18d2e3461057bee826a79b451d5

SHA1
ca8e1b3e232674fca3f947d1846b37057d458599

SHA256
575e74999a5632ca9cc7ed89cb2664a86650e6400f69fc6fe36b3bdaa1bbe15b

SHA512
8f3e7cfcda1e040ac4f2e0a2f8e3bbaa82eaf27b12e574dd83674ac0f6f686c7f38decc9120087287e908c3300480a6a8219dcb6f32089b1df72943a5a4d9461

Download Submit
C:\Windows\{0ED79B4D-1CDC-4e8d-BACF-4DDDE3F912FC}.exe

Filesize
180KB

MD5
e5d8d60a3ccb936cf99dc76fc70a8b2f

SHA1
5bb7d6b7966e47213a46bb7c22491538b2bebf61

SHA256
25baccd68eb1ee8f04bc9437aa0d629d23bd3e5c29f44206b5926287aad4f16a

SHA512
539eadef8287a8cac1c28e2aef4cbdc9a2eaa2b4e6ffae10b9d82b5dbb9f51c0c0e54ff9f4f688facb859d865bd3fa46e16d945e380cab67be972d258a04d231

Download Submit
C:\Windows\{10BB5F59-DE6A-4e42-AADC-01ACCD6D7774}.exe

Filesize
180KB

MD5
ab3eae87b8299ed05252426ed0d0f740

SHA1
6562d7c9711fbc045df1cb4c53d8e2367bc9fe3e

SHA256
a6282029c14afc5984aa3e585997dbec97a46c54a5c043989abdab3fe0bf0f24

SHA512
31db23f9d1d2e4d130e236f12cdce351b4ee01d4ef6304af658f8a5848982020137d3e75d9fe9de1b2a1b3e6a6c44d80dfa2202cfe027f24d5caf81a36b298e3

Download Submit
C:\Windows\{41E707FB-11D9-42ae-BF9C-0E413455CB47}.exe

Filesize
180KB

MD5
c26c71cb5805e5db4548b0e1023a6d7b

SHA1
7adee6909df05e90a414a4a869c751742400d535

SHA256
d1d529f7ce9c7a74556a3079b5f771ab819facd3715e4117b9f64c97aba0cede

SHA512
640c789f2ddf2f7ef04fed2d08be66cb49944e70c0a4f79a6bffa680cdac90f0982fc47d02648961c2182e22773f3178df82d4f64c354f8641d7bfdaa1ba9945

Download Submit
C:\Windows\{57C44F83-4F45-45df-BE59-42DFC2E9D93B}.exe

Filesize
180KB

MD5
0dad8f41359e1e4e21332877b86944fa

SHA1
4a642f24ccc41f6631fbc66aed11d00e543cf362

SHA256
408f9becd69010a5c027fcc05d24055a0572cefd7ca6df3c836d346696ab10bb

SHA512
491b585030d919435157321765e809ccd528e2e05031a0092ffc38f872af781b1230d42da6208025fcc7a6ecc4b839a35a0b2560689ac5ada3353a60b503a772

Download Submit
C:\Windows\{74B9551A-EBFF-42d4-AA1C-B796DEB67048}.exe

Filesize
180KB

MD5
64184ce777f0379eb209d5b1a1306602

SHA1
7a0161e2e9c0cd6518155e66dee992f91f98d226

SHA256
2808b73ef52563ab8942a2d193ac1793222902d11083e835ad5aa40b06ce054d

SHA512
120b0c0d3420894074fee2e4bc119960c07d83c6a4a82be8b35e8823dfbbde9163cc4fca83d7a54550f25be8bb0d637bc515b87db7b765c98bc2c4d7122e267f

Download Submit
C:\Windows\{9110D123-AEBC-4a2a-9D88-6E7A1E87BAAB}.exe

Filesize
180KB

MD5
e719909586a28b126cca33684b370880

SHA1
27fb10378299bcb6717e1593a101744c8fcd488e

SHA256
480e049ec4cb407e48112d91c181b8c76eca668a3babfceef2ea1ac08bad84a0

SHA512
9b2c5d479341c387b884559bf85d0623c9b2727054cafad190f27bdf9d08adfe338573f45c837bbf3eb0f2b310bb46984eacd8f7d48967f6631e1465455ccea2

Download Submit
C:\Windows\{A068043D-FA5C-439d-BE56-23D47858B3DC}.exe

Filesize
180KB

MD5
4b5a4a845b6e919f5ac79e9024b08bdd

SHA1
cf20aa72d6ac591739067034ae6ac5017e8e671e

SHA256
d684052029d2edc65e10f0b06fda5f092cd77acbe2418e997cff2f4f357e558c

SHA512
c2b670556af55f5f115c68e5202367274d23a39c57181c9935f9c4301230f007708e968e0f331b24d86a6e25929ee95478d1ccb4c7be47520be58f31402f664a

Download Submit
C:\Windows\{C687633C-246C-4920-8EBB-ED99E2F26A5E}.exe

Filesize
180KB

MD5
81c5168dcca4c5415d30cede7b7de8c3

SHA1
1cf09c1cf4eae3883abd8cb7b4d0f05a1cf7a8d3

SHA256
27b82f9f4818c39b2994a0faf002fb27e7a7ddf0476748cb8af7d8d26b4e92b7

SHA512
e91aa02511faac0670ce4fe5c256b75c6fe1f0689f3013c7bc8bfd7e20d2de839f77f8d4fa493ba51f31d09193a10c00ee344e79471390ed040d3a207435c5f7

Download Submit
C:\Windows\{E9D1C8C0-B21B-43d3-BF97-A2B33F5955E7}.exe

Filesize
180KB

MD5
ec2564ff8438b84e355e2c5a8b51860a

SHA1
827e6a944d2632e11b105c52f08fedd09dc43651

SHA256
2556b3273e0a2ff91f114b9ac05326a307d73114c592c6df20997f13cbb863b0

SHA512
26f2f2a5bb4b5e0fa2d0cfe03ac07ecb62dbc74803373f1e967007d9ede688363338acd3ca6a235fee9e136f5499f76db197ca5817ca0b1ca11934cd295a2fd5

Download Submit
C:\Windows\{EE7333C2-2B20-477c-AB2A-9EF9BBBC6DB5}.exe

Filesize
180KB

MD5
f6418fdc682409f81f2421a9128b3373

SHA1
1bac52b8031f54b92cd1be02d7b1fe3f968a02c5

SHA256
78c5f07e46c55a301eb032b4421a7fca3c2f7d1c7a61852f0f7ee11a18f2b9b5

SHA512
70ca30c1980fea3a1699c6d150e1511ccd8565c9aaf6092553c984ed021ba0dcdef24d54125cae0405488787d36ffc2246d08ab20e6ce4f6d398ad4190d27eb3

Download Submit
C:\Windows\{F1EF7915-6F46-46b0-A952-EAD2BAFF424C}.exe

Filesize
180KB

MD5
021a53d600b776ea52e2128eb2ef0658

SHA1
e8b0d821365ad6c03d75c78559b011de074bba29

SHA256
5d386e75374a7ef2d53c066497837bcd50b138421f17946f66ba9ff6ac96b1e1

SHA512
9ab5ea5799fd58ded8873360a0c7105f395a9e353f377dccf1f62d97c2e0fc7b40978700ba9e36fbe13d4d20a760e5bcf318022ccd3d6c1c454c4477873fad07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads