4a30a93c0e2f23d037dfcdc297630f75fc6a68a82474a545746153e82f86bae2

Analysis

max time kernel
174s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Size

168KB
MD5

e9c6200c1c6475a57578d300c0d0ae67
SHA1

041fdae48a8f53670a5aa6e3af6845ef1e2d0b3a
SHA256

4a30a93c0e2f23d037dfcdc297630f75fc6a68a82474a545746153e82f86bae2
SHA512

26f2a72385d8181a8e6ec7b9aea0e8a78ef8f3154dcc3109f23b51e7cf2d7bbb488f54323b016738ace2ca3d73c7b9c8b8dace0bc0b9a30de111a26a179c93c6
SSDEEP

1536:1EGh0ollq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ollqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023130-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023130-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023130-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006e5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000070f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}\stubpath = "C:\\Windows\\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe"	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}\stubpath = "C:\\Windows\\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe"	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}	{E0529376-127B-4f83-9348-743F7526DF1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0529376-127B-4f83-9348-743F7526DF1C}\stubpath = "C:\\Windows\\{E0529376-127B-4f83-9348-743F7526DF1C}.exe"	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}\stubpath = "C:\\Windows\\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe"	{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}\stubpath = "C:\\Windows\\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe"	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C358E3-30D6-4312-BF5E-574F7A79B11E}	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096657E3-ACC8-4503-8A0B-00D80F656930}\stubpath = "C:\\Windows\\{096657E3-ACC8-4503-8A0B-00D80F656930}.exe"	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}\stubpath = "C:\\Windows\\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe"	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}\stubpath = "C:\\Windows\\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe"	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}\stubpath = "C:\\Windows\\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe"	{E0529376-127B-4f83-9348-743F7526DF1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}	{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}\stubpath = "C:\\Windows\\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe"	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8758EF8A-62FF-4022-A136-963D9E2619E8}\stubpath = "C:\\Windows\\{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe"	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84C358E3-30D6-4312-BF5E-574F7A79B11E}\stubpath = "C:\\Windows\\{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe"	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{096657E3-ACC8-4503-8A0B-00D80F656930}	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8758EF8A-62FF-4022-A136-963D9E2619E8}	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0529376-127B-4f83-9348-743F7526DF1C}	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe

Executes dropped EXE 12 IoCs

pid	Process
4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe
4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe
4268	{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
4632	{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
File created	C:\Windows\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
File created	C:\Windows\{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
File created	C:\Windows\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
File created	C:\Windows\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe	{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
File created	C:\Windows\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe	{E0529376-127B-4f83-9348-743F7526DF1C}.exe
File created	C:\Windows\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
File created	C:\Windows\{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
File created	C:\Windows\{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
File created	C:\Windows\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
File created	C:\Windows\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
File created	C:\Windows\{E0529376-127B-4f83-9348-743F7526DF1C}.exe	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
Token: SeIncBasePriorityPrivilege	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
Token: SeIncBasePriorityPrivilege	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
Token: SeIncBasePriorityPrivilege	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
Token: SeIncBasePriorityPrivilege	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
Token: SeIncBasePriorityPrivilege	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
Token: SeIncBasePriorityPrivilege	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
Token: SeIncBasePriorityPrivilege	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
Token: SeIncBasePriorityPrivilege	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe
Token: SeIncBasePriorityPrivilege	4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe
Token: SeIncBasePriorityPrivilege	4268	{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4748	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	94
PID 3976 wrote to memory of 4748	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	94
PID 3976 wrote to memory of 4748	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	94
PID 3976 wrote to memory of 3008	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	95
PID 3976 wrote to memory of 3008	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	95
PID 3976 wrote to memory of 3008	3976	2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe	95
PID 4748 wrote to memory of 3640	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	98
PID 4748 wrote to memory of 3640	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	98
PID 4748 wrote to memory of 3640	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	98
PID 4748 wrote to memory of 504	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	99
PID 4748 wrote to memory of 504	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	99
PID 4748 wrote to memory of 504	4748	{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe	99
PID 3640 wrote to memory of 664	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	101
PID 3640 wrote to memory of 664	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	101
PID 3640 wrote to memory of 664	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	101
PID 3640 wrote to memory of 4656	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	100
PID 3640 wrote to memory of 4656	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	100
PID 3640 wrote to memory of 4656	3640	{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe	100
PID 664 wrote to memory of 540	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	102
PID 664 wrote to memory of 540	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	102
PID 664 wrote to memory of 540	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	102
PID 664 wrote to memory of 3280	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	103
PID 664 wrote to memory of 3280	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	103
PID 664 wrote to memory of 3280	664	{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe	103
PID 540 wrote to memory of 4496	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	104
PID 540 wrote to memory of 4496	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	104
PID 540 wrote to memory of 4496	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	104
PID 540 wrote to memory of 1852	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	105
PID 540 wrote to memory of 1852	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	105
PID 540 wrote to memory of 1852	540	{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe	105
PID 4496 wrote to memory of 4560	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	106
PID 4496 wrote to memory of 4560	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	106
PID 4496 wrote to memory of 4560	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	106
PID 4496 wrote to memory of 2288	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	107
PID 4496 wrote to memory of 2288	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	107
PID 4496 wrote to memory of 2288	4496	{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe	107
PID 4560 wrote to memory of 1084	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	108
PID 4560 wrote to memory of 1084	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	108
PID 4560 wrote to memory of 1084	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	108
PID 4560 wrote to memory of 5100	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	109
PID 4560 wrote to memory of 5100	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	109
PID 4560 wrote to memory of 5100	4560	{096657E3-ACC8-4503-8A0B-00D80F656930}.exe	109
PID 1084 wrote to memory of 2540	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	110
PID 1084 wrote to memory of 2540	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	110
PID 1084 wrote to memory of 2540	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	110
PID 1084 wrote to memory of 2720	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	111
PID 1084 wrote to memory of 2720	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	111
PID 1084 wrote to memory of 2720	1084	{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe	111
PID 2540 wrote to memory of 4928	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	112
PID 2540 wrote to memory of 4928	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	112
PID 2540 wrote to memory of 4928	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	112
PID 2540 wrote to memory of 340	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	113
PID 2540 wrote to memory of 340	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	113
PID 2540 wrote to memory of 340	2540	{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe	113
PID 4928 wrote to memory of 4460	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	114
PID 4928 wrote to memory of 4460	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	114
PID 4928 wrote to memory of 4460	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	114
PID 4928 wrote to memory of 3936	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	115
PID 4928 wrote to memory of 3936	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	115
PID 4928 wrote to memory of 3936	4928	{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe	115
PID 4460 wrote to memory of 4268	4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe	116
PID 4460 wrote to memory of 4268	4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe	116
PID 4460 wrote to memory of 4268	4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe	116
PID 4460 wrote to memory of 5064	4460	{E0529376-127B-4f83-9348-743F7526DF1C}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_e9c6200c1c6475a57578d300c0d0ae67_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
  C:\Windows\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
    C:\Windows\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35BD6~1.EXE > nul
      4⤵
      PID:4656
  - - C:\Windows\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
      C:\Windows\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Windows\{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
        
        C:\Windows\{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
        
        C:\Windows\{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
        
        C:\Windows\{096657E3-ACC8-4503-8A0B-00D80F656930}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
        
        C:\Windows\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
        
        C:\Windows\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe
        
        C:\Windows\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{E0529376-127B-4f83-9348-743F7526DF1C}.exe
        
        C:\Windows\{E0529376-127B-4f83-9348-743F7526DF1C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
        
        C:\Windows\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe
        
        C:\Windows\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe
        13⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4790~1.EXE > nul
        13⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0529~1.EXE > nul
        12⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C4C~1.EXE > nul
        11⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96F1E~1.EXE > nul
        10⤵
        
        PID:340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2832D~1.EXE > nul
        9⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09665~1.EXE > nul
        8⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84C35~1.EXE > nul
        7⤵
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8758E~1.EXE > nul
        6⤵
        
        PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7D61~1.EXE > nul
        5⤵
        
        PID:3280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83EB1~1.EXE > nul
    3⤵
    PID:504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{096657E3-ACC8-4503-8A0B-00D80F656930}.exe

Filesize
168KB

MD5
b73f5ebd56f2964897994116874a4cda

SHA1
58069d1c31c6a55e881e982f1782d7713ee7981c

SHA256
84e5a682dba0e07064ce46efb117a95439fc8eaf7b9191154d5aa1f63eaf2c49

SHA512
157d51c9ee591b505419d5f33efc194d23360724bcb74ae7007acbe7f3942e3ddaed8fde810e301d92fe877782c839fcac2b993acacb4d968c6dee990b682cf7

Download Submit
C:\Windows\{18C4C5FB-CB4B-4123-85D3-81738B73EAEA}.exe

Filesize
168KB

MD5
ad458802a513d4376f0893be2dc3fce0

SHA1
9faa7e901c526198aac7a5cfb91ab148d4a8e3e9

SHA256
68c18ff1c315a2581130e7e2c43c1447b18a031035cec514288d1483040915b8

SHA512
12bb665b9bca2ac4a60b6c33e63d8756291e68b12ee6726a734198f1100d5f10c9cf57a586712ae8ca49b406e5fcc9fd340264cf5ca427b601b342e9c2aad323

Download Submit
C:\Windows\{2832DCA0-C5AE-4f6e-8517-0B0D3CF6BE76}.exe

Filesize
168KB

MD5
5960be3c5ad41d36cc8fd879d9465eaf

SHA1
a2fd21337f9838ac46c2695b57b2712536aee974

SHA256
aabf675f9936c5a077f9556499437bdd7b5e26695c1926eca0e014099e21a185

SHA512
8e855ab523b11be6fd984e4a0d785e7c22b0bcf5d4edba67b23660a024dd4ec39ecbbaa5a91d257959f7f9245bc9dc3544e70f8571adab743812a831f40f52ce

Download Submit
C:\Windows\{35BD619A-A526-4095-BEDC-3DAFA1E4ED53}.exe

Filesize
168KB

MD5
442f97619e40c992286b552c3571411b

SHA1
000a0ee68db69a12a442b9cf89bb1352a7bed49a

SHA256
d0417c7b5295b3e0612758a473ab7894c8814a42e8e3b67a4889975af39e3717

SHA512
76d4ae14c6886e8332cf368818a9f438450305431620e38f36fb08caa86b2a98193dc9291d8443e4f1222e5588d71f61650f50644f6159f2ac57ce900187edce

Download Submit
C:\Windows\{83EB1FA7-88A9-476a-91D2-EDB3F0CF16DB}.exe

Filesize
168KB

MD5
306b5ebe0dc099726eb135cc373be73e

SHA1
7b933d06571da7f71425fc75141e33bbb2aafe43

SHA256
beef6bbb873122450b9c3660fd6bfac338643b793972d28ff02963200f04a942

SHA512
189542d78982b877fb044080ab218d4dd1be142513303b690513e2aff9f2a7c9998c73a13c6a191f8e05dc27f6dbada7434755b9bd606f0dc7008709116a62cc

Download Submit
C:\Windows\{84C358E3-30D6-4312-BF5E-574F7A79B11E}.exe

Filesize
168KB

MD5
61a384c56d45857cc4b33ec34569e16b

SHA1
c4e9617162b3188c9c99a999fa8faf20cec7f7e7

SHA256
c917cc685498d6fc3bae3c17f1f86794460c71acb3ce30ceb06954ac5f9d3eff

SHA512
9e832a3944eff8b76f8809fa56e44cd14dc27cc10ee2381031ba8c6c5a3d53da6188a59b4707019c01f46bcaae3d073fa3261dbb02be05257ee42b81cab75291

Download Submit
C:\Windows\{8758EF8A-62FF-4022-A136-963D9E2619E8}.exe

Filesize
168KB

MD5
4a8a9cd4a58225281ae2ac4f42cf207e

SHA1
f5ea830a9c467c3547cb00da08029234fcebfb5d

SHA256
21ca3007f98e0eac298669bd86e1704991f0c2b1a5b3d47469f650badb63d7e8

SHA512
a18c2cf971b9e4b76c9fb94f58aebcb0eb7c2dcea9015fe290adb435321bf1eedc510e26cf8929b9f9fb70aac11ee565be3c8d9e488c9354200405f3987fa83b

Download Submit
C:\Windows\{8A81FFF1-3329-4a30-8AEB-A3D3B054FDAE}.exe

Filesize
168KB

MD5
4e3c826ea807e0bfca5d16a8b17a5a38

SHA1
e1cd6fce805b056d996d425aebb0f06b44fc8b72

SHA256
5b5e9af21124b25575043dbf90a24837e9955065a5fe009f81c032be535ae521

SHA512
4a48b1e8db0055656ed77f148c551a8aa7c913a0ba9cd7b521278058244dabab0f6dba141d1bb571955e7dcc8baead73f3d62763ab56d5e448f85025415d7468

Download Submit
C:\Windows\{96F1EEA7-3654-40f7-A265-B503DE1A30CC}.exe

Filesize
168KB

MD5
f7d65c806e910b37a85a5987745513ab

SHA1
6a15d93a8f20143a811a571492eb53a7661cd289

SHA256
d16e333c959af028c47d91c6034087dda2d729db91796999c0247eabf98017a2

SHA512
09ba2eaa3b2b7ec4e49646553767721b3dda384fe808bc0ea4e1047545e8e779ba7fd2a917ebff0266eda82fa38386c9818f84c6ab002aa531d22b89da0e3a09

Download Submit
C:\Windows\{B7D61E75-5A9C-46f0-AE8A-D6C72A0F09F2}.exe

Filesize
168KB

MD5
06959b2cf124925783b4351c03bd9375

SHA1
9f3e698ddc21e5fecc1291ffc93e15f35685aa7a

SHA256
6c6ff5c709d9750e3f5d7144d4e4a226b79ba1ae5b8ef8dc6ee4a2a16631b203

SHA512
d4bcf58ba1e3c3cd4a6d373e6a1c90df9cba9753a10f761dc3887d552862f8680fc4eed2715c1a14dfce162bfb0f417f70db88d27253665ff63245ab946f7915

Download Submit
C:\Windows\{E0529376-127B-4f83-9348-743F7526DF1C}.exe

Filesize
168KB

MD5
656b72e8729927fb578be0980bf987ca

SHA1
944625271e9bcdf2f042bb056effdc731d1cbef3

SHA256
a684ca6f25f076156b643454181adb1ca5d13191937670e583239443d8e1f4b8

SHA512
aaff8ee6447f109c680c90e541457794bfb9b6d315a9fb23700a8ede530d57866c9ae2e64f78d89f51aa95efc88b7a2421aca679353877a78f719d8b36c813cc

Download Submit
C:\Windows\{F4790FCA-C2BE-41c7-AFCA-845A1DA5E07B}.exe

Filesize
168KB

MD5
f33192ea359f4b9938bc8bd46a4b8119

SHA1
3dacbb6bb0b286ff8d645219a9d1132d56c0a4a1

SHA256
70ebbb1c9fa4a2effb175945b497546cb838b70ec4fcd32346ee7154be3efaf9

SHA512
c18bf9ef8e4c78c601157b63436cf600c91e2bb5fc6215e7d93c694bddc7e3807fffec3e1920d9442559d4df1f7f5915615fac9065b7caf74ad766cff0a6352d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads