124c54a56eb0a69be4b06daaba4400ec84af1aabec10bf4ffc72286ab40e7580

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
Size

408KB
MD5

e2943c3c0ba3f317bf5cad2bfea901e1
SHA1

10dfb5ccc57047c316a14b31a36c7a73560fdb7b
SHA256

124c54a56eb0a69be4b06daaba4400ec84af1aabec10bf4ffc72286ab40e7580
SHA512

493d5ebb1b6e6b33248cddee2618adb94af8a83d93516c9b1ba25a924a2cd2cd269a27710d9dd6710d3021e8ecb559a5eaec94bd6cc265ce82d243330eadfdee
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral1/files/0x000300000000b1f7-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000004ed5-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE868BE-A714-4901-A64A-30F44553F451}\stubpath = "C:\\Windows\\{4FE868BE-A714-4901-A64A-30F44553F451}.exe"	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F726799D-AC47-4ffc-ADCF-62A23438C14D}\stubpath = "C:\\Windows\\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe"	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}\stubpath = "C:\\Windows\\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe"	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B1912E-5F7E-4606-BECE-223F9C5582FC}\stubpath = "C:\\Windows\\{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe"	{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}\stubpath = "C:\\Windows\\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe"	{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736A4D21-76EE-494d-B45A-12259D444CB5}	{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736A4D21-76EE-494d-B45A-12259D444CB5}\stubpath = "C:\\Windows\\{736A4D21-76EE-494d-B45A-12259D444CB5}.exe"	{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}\stubpath = "C:\\Windows\\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe"	{4FE868BE-A714-4901-A64A-30F44553F451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15DC1936-9E90-4126-806B-CCB07623105E}	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15DC1936-9E90-4126-806B-CCB07623105E}\stubpath = "C:\\Windows\\{15DC1936-9E90-4126-806B-CCB07623105E}.exe"	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}\stubpath = "C:\\Windows\\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe"	{15DC1936-9E90-4126-806B-CCB07623105E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}\stubpath = "C:\\Windows\\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe"	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B1912E-5F7E-4606-BECE-223F9C5582FC}	{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}\stubpath = "C:\\Windows\\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe"	{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}	{4FE868BE-A714-4901-A64A-30F44553F451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}	{15DC1936-9E90-4126-806B-CCB07623105E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F726799D-AC47-4ffc-ADCF-62A23438C14D}	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}	{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FE868BE-A714-4901-A64A-30F44553F451}	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}\stubpath = "C:\\Windows\\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe"	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}	{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe
2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe
1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
1460	{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
1216	{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
2764	{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
1728	{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
2424	{736A4D21-76EE-494d-B45A-12259D444CB5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
File created	C:\Windows\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
File created	C:\Windows\{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe	{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
File created	C:\Windows\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe	{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
File created	C:\Windows\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
File created	C:\Windows\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe	{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
File created	C:\Windows\{736A4D21-76EE-494d-B45A-12259D444CB5}.exe	{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
File created	C:\Windows\{4FE868BE-A714-4901-A64A-30F44553F451}.exe	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
File created	C:\Windows\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	{4FE868BE-A714-4901-A64A-30F44553F451}.exe
File created	C:\Windows\{15DC1936-9E90-4126-806B-CCB07623105E}.exe	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
File created	C:\Windows\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	{15DC1936-9E90-4126-806B-CCB07623105E}.exe
File created	C:\Windows\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe
Token: SeIncBasePriorityPrivilege	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
Token: SeIncBasePriorityPrivilege	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe
Token: SeIncBasePriorityPrivilege	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
Token: SeIncBasePriorityPrivilege	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
Token: SeIncBasePriorityPrivilege	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
Token: SeIncBasePriorityPrivilege	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
Token: SeIncBasePriorityPrivilege	1460	{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
Token: SeIncBasePriorityPrivilege	1216	{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
Token: SeIncBasePriorityPrivilege	2764	{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
Token: SeIncBasePriorityPrivilege	1728	{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2712	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	30
PID 2664 wrote to memory of 2712	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	30
PID 2664 wrote to memory of 2712	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	30
PID 2664 wrote to memory of 2712	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	30
PID 2664 wrote to memory of 2460	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	31
PID 2664 wrote to memory of 2460	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	31
PID 2664 wrote to memory of 2460	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	31
PID 2664 wrote to memory of 2460	2664	2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe	31
PID 2712 wrote to memory of 2724	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	32
PID 2712 wrote to memory of 2724	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	32
PID 2712 wrote to memory of 2724	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	32
PID 2712 wrote to memory of 2724	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	32
PID 2712 wrote to memory of 2632	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	33
PID 2712 wrote to memory of 2632	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	33
PID 2712 wrote to memory of 2632	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	33
PID 2712 wrote to memory of 2632	2712	{4FE868BE-A714-4901-A64A-30F44553F451}.exe	33
PID 2724 wrote to memory of 3004	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	34
PID 2724 wrote to memory of 3004	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	34
PID 2724 wrote to memory of 3004	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	34
PID 2724 wrote to memory of 3004	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	34
PID 2724 wrote to memory of 2300	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	35
PID 2724 wrote to memory of 2300	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	35
PID 2724 wrote to memory of 2300	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	35
PID 2724 wrote to memory of 2300	2724	{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe	35
PID 3004 wrote to memory of 1520	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	36
PID 3004 wrote to memory of 1520	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	36
PID 3004 wrote to memory of 1520	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	36
PID 3004 wrote to memory of 1520	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	36
PID 3004 wrote to memory of 2572	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	37
PID 3004 wrote to memory of 2572	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	37
PID 3004 wrote to memory of 2572	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	37
PID 3004 wrote to memory of 2572	3004	{15DC1936-9E90-4126-806B-CCB07623105E}.exe	37
PID 1520 wrote to memory of 1900	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	38
PID 1520 wrote to memory of 1900	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	38
PID 1520 wrote to memory of 1900	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	38
PID 1520 wrote to memory of 1900	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	38
PID 1520 wrote to memory of 1988	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	39
PID 1520 wrote to memory of 1988	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	39
PID 1520 wrote to memory of 1988	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	39
PID 1520 wrote to memory of 1988	1520	{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe	39
PID 1900 wrote to memory of 1596	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	41
PID 1900 wrote to memory of 1596	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	41
PID 1900 wrote to memory of 1596	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	41
PID 1900 wrote to memory of 1596	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	41
PID 1900 wrote to memory of 1088	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	40
PID 1900 wrote to memory of 1088	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	40
PID 1900 wrote to memory of 1088	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	40
PID 1900 wrote to memory of 1088	1900	{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe	40
PID 1596 wrote to memory of 1416	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	42
PID 1596 wrote to memory of 1416	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	42
PID 1596 wrote to memory of 1416	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	42
PID 1596 wrote to memory of 1416	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	42
PID 1596 wrote to memory of 2496	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	43
PID 1596 wrote to memory of 2496	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	43
PID 1596 wrote to memory of 2496	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	43
PID 1596 wrote to memory of 2496	1596	{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe	43
PID 1416 wrote to memory of 1460	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	44
PID 1416 wrote to memory of 1460	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	44
PID 1416 wrote to memory of 1460	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	44
PID 1416 wrote to memory of 1460	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	44
PID 1416 wrote to memory of 1656	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	45
PID 1416 wrote to memory of 1656	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	45
PID 1416 wrote to memory of 1656	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	45
PID 1416 wrote to memory of 1656	1416	{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_e2943c3c0ba3f317bf5cad2bfea901e1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{4FE868BE-A714-4901-A64A-30F44553F451}.exe
  C:\Windows\{4FE868BE-A714-4901-A64A-30F44553F451}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
    C:\Windows\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{15DC1936-9E90-4126-806B-CCB07623105E}.exe
      C:\Windows\{15DC1936-9E90-4126-806B-CCB07623105E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
        
        C:\Windows\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\Windows\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
        
        C:\Windows\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7267~1.EXE > nul
        7⤵
        
        PID:1088
        
        C:\Windows\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
        
        C:\Windows\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
        
        C:\Windows\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
        
        C:\Windows\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
        
        C:\Windows\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4711~1.EXE > nul
        11⤵
        
        PID:2556
        
        C:\Windows\{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
        
        C:\Windows\{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
        
        C:\Windows\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90BEA~1.EXE > nul
        13⤵
        
        PID:2420
        
        C:\Windows\{736A4D21-76EE-494d-B45A-12259D444CB5}.exe
        
        C:\Windows\{736A4D21-76EE-494d-B45A-12259D444CB5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36B19~1.EXE > nul
        12⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C6EB~1.EXE > nul
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEB7~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{989DC~1.EXE > nul
        8⤵
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E81E~1.EXE > nul
        6⤵
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15DC1~1.EXE > nul
        5⤵
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF185~1.EXE > nul
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4FE86~1.EXE > nul
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15DC1936-9E90-4126-806B-CCB07623105E}.exe

Filesize
408KB

MD5
68e39bb2de1a80482710b33238f3470e

SHA1
7a1bab69d78898f100be246a23cd5c2abe53650f

SHA256
d08496833ccf7e35ea5c5a474dd6d61386bf93698f12b8640407a3f42e6c49d2

SHA512
8cdc35846e00d1df6b72c4a13832ffea86cc20a9992bbd3c96fbf8b420be2ccb4c263840855d4cf54aa3446a719730c49a0d939c59fda5ca0cb129100dd43059

Download Submit
C:\Windows\{1C6EBD3E-0F7E-4ed3-8455-379CF6873739}.exe

Filesize
408KB

MD5
f1fb04c00482fe39945b7e717061dd8a

SHA1
f35f17b5a6381ec75b07e3771c913934d720c0f4

SHA256
09969693ac228bb30d45657c566a70dbb6a5b6e12fb2a117a51af0ba4335f7bb

SHA512
b5a80e5a5f16955d680116116d2bff6605934e573dedc9f3572895895f8cf1521ff937a7fa9bf65b963bdc031afe5afb6eb9d95a87e7d8cdb59d2d24ba89b9bf

Download Submit
C:\Windows\{36B1912E-5F7E-4606-BECE-223F9C5582FC}.exe

Filesize
408KB

MD5
b82ef82b7378baca1d9fddfc0fe0b056

SHA1
9c02e45c5578506e6a8df316ef75ab452227739b

SHA256
1115a3266b7b18713265ec5aef76750fe0bb99ac1b89bfa5c853b234661194c8

SHA512
58f75c9c2b14a7d989c64290bae732f2df77c37fd8eb36691ab94f496fd466340786dab82ffabe7f51a5ded7ed7ff77825f56e186f4571b7c17a12f7eef05c1e

Download Submit
C:\Windows\{4FE868BE-A714-4901-A64A-30F44553F451}.exe

Filesize
408KB

MD5
d4554286997ab51ae977ae606d010b5d

SHA1
cf8becf7ea98e0fe46667a374160a45d251fd719

SHA256
5f604a3de24728570ecbab52e3b257142f15ba3a432d1cb1b55713a10db91468

SHA512
f56af3c729efc2c5438782f693f5a860e30ddc9ee61c353cb5b6f337280c6b3b7445e4d5b52040c119280ae970770eddbe5ccb1462208872c490438d7bfaad5e

Download Submit
C:\Windows\{736A4D21-76EE-494d-B45A-12259D444CB5}.exe

Filesize
408KB

MD5
9e6dde68b40263b61b451d1f6fabbeeb

SHA1
b84ed2cf9a80815c0a18b5dc6144c57c318a93f6

SHA256
783b25e14d66276c3568a2469ad1681504b7f730290fc429f260b1b5c0e123fb

SHA512
1bf9004857506be5b6c29474b4cb2496046ea88eeda230e57a32965883bf29b00c36007831456e97b2c085e4e20a55f2d2f565d09ac847b53923a7f7e0a5358a

Download Submit
C:\Windows\{8E81EFB1-EF29-400b-818A-01B84ADCE8DD}.exe

Filesize
408KB

MD5
5de90df52c17dc14134ba9c8c56d7771

SHA1
63cdc5d21ff97cc453531fc894313ce187139e0e

SHA256
b6a00bb478c1f4b5992d18bd699023a15be8019c8f27e1f37c882dbb0cce0854

SHA512
0de64454cb7785d64e21e6dc6a1a9bfa8f084fe0d1e3d2cd26f19ae2315c7ca6574d70907b1df4572afd5092ad4cdbb4fc1f016cf668b5c0f9b18eb8674fa4f7

Download Submit
C:\Windows\{90BEA0E8-B95B-433e-841E-A73F08FE98CF}.exe

Filesize
408KB

MD5
7d8c89435e06614041424e0fa9606c53

SHA1
113069f950726c8fcabcdec7e6499cee2bceee2a

SHA256
217cb0baa31fe430e92c0eef956164f345213eafb27ca0f797e4a180c54e2608

SHA512
41b5824e990a671b6129802f423793e9e53f4f25d465ce7b0a5327ae3040926e8d378abd56d1bfe33ba95d887cad01b9943c501f29e24fc2e749eec8c1645f2e

Download Submit
C:\Windows\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe

Filesize
280KB

MD5
90e2007de2722c1e3cbc61d12e11a13d

SHA1
da7230180698d1f55a318cd2c98f163844b8dcab

SHA256
ed8a9ea151d76e3f4a5a7d306ed602a250ea9a19c8000048bce9dc5951c730c2

SHA512
43c4bf768ba321a9940e9a922028cf71a39c1ca86385b370ad308b958b4044f072320a572685c55f079f41972bcf63dc39a11ef0cf35f84aba76e5e1d2388854

Download Submit
C:\Windows\{989DCD7F-A9F8-41d6-8386-C920D97BAC75}.exe

Filesize
408KB

MD5
c849206521a9d89868e56cf40faa27ca

SHA1
2a8cb8034cfd4027d45711f9ae379d5a2957879f

SHA256
d93c52ea6699d053ed3feb1a265e72a97cb2d0d379a7b265038271a8d6e8604a

SHA512
650ccadb740259bf48adb2029a276873db66dd6e5787304d7b8870b9ac7d15942de01cd06a607a65003463c7aaf8e18761a933b00f2e73a5dacb5b6d8167b015

Download Submit
C:\Windows\{ADEB7C71-1C7F-4862-86EC-C76FE32C7EEA}.exe

Filesize
408KB

MD5
bd39465aff8574b99a6759e8c8ed57bb

SHA1
6d0b2c663b398be1b42934a3cf4d0bddcdc2695e

SHA256
b6cac553d4b49cf98b3709fe7e102ec16a806c172ce64fccd0879a669a04f55a

SHA512
8726ade6a75bccc59abf431be5c878ccf5187d4f5048f007034eae6ad7853a9d88feef08025fb439972b9a89ac3d74f331bf3b6b0027354bf9813ba162bdae43

Download Submit
C:\Windows\{CF18586D-0C3B-407b-85A8-A2B866E1DB21}.exe

Filesize
408KB

MD5
ff7808736687981ab23525b2e7d07780

SHA1
1258ac9e795d8f46853d561f2596cf6d63b233eb

SHA256
25ce1834769d2848912524a0f99245dbcacce666c1b0c734ef51787a6e40030b

SHA512
3be26b0368873dd6d3cb6102f0687a01894d2cd595a5c5247205ecfb1b7c08e1bf6a50b189daa265add7137ab8c83feebfd6028220ff0b115e6d23bce060a6a8

Download Submit
C:\Windows\{E4711012-F7C2-44a8-9C11-FE7AF4BF359A}.exe

Filesize
408KB

MD5
a400b7473baf4bce0c1d036bd217fe7d

SHA1
654b4fc0627a93ac23d57ce25da3b8783225538f

SHA256
bb7daec3f7201df229ebbbdddce41f50d50fa9ff7b17fc823ed14760337ebf3b

SHA512
ad2ff231ef8c965366b99538d79f41a830844294e0acd9a717fddf61507d8f93c174a787332e6f269a0844fed2ae72c9118315246cc4d72e95321976577a57dc

Download Submit
C:\Windows\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe

Filesize
408KB

MD5
5e7fadf03ca0d8aa0c3a741daed4bef3

SHA1
9cf6a010cec446ed7bcd5f531d2628ff0d5125b5

SHA256
3825c3aa9e5a21d57b0af133bfdea37309a1dd5bcf6ebf714e46f4a8625919ea

SHA512
bfa20bf13f8625c1561e12fc206b6355c331692948d2b069b066833ae831f9984a4814d7b1d11b506bada50117c451c866830b01f21eea31776c1b7b209eb255

Download Submit
C:\Windows\{F726799D-AC47-4ffc-ADCF-62A23438C14D}.exe

Filesize
314KB

MD5
6a050123a8f103fc016d1d57e6aecb74

SHA1
c54b61195706829a6a886af543c3d4b26d6fc692

SHA256
d8a9ddd880050cc241df284f394c07324e1a09b1feaf375adbaeb6971690a9ea

SHA512
3be776059a4d0693c5bd3357f04df01c4a73f7e495ef4e80eb44b8374092479a6192ab01a5b5d19ad3ed6ec9b8d92347021374e63d0bbd7ab43dc16e2d74e443

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads