c1aff3b06ec8161b2c3a39de925070a3dba8a7e02b02f5affd0918e2bd88434c

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Size

197KB
MD5

fccceb2d47639ed83a2a01f7b8ec3a6d
SHA1

c5f43c141a2f1d75962f6a58ab89f9525322ccfc
SHA256

c1aff3b06ec8161b2c3a39de925070a3dba8a7e02b02f5affd0918e2bd88434c
SHA512

973b35449e57bc49bded826afd9a6703c6edbeea7ca0dc376bbe9fddfa70854264b6294b4a2e9ef1dd8e487b051d461ac1baff20c9a6b6833459572295f83959
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGxlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122e6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000155a0-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000800000000b1f7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}\stubpath = "C:\\Windows\\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe"	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}\stubpath = "C:\\Windows\\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe"	{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}\stubpath = "C:\\Windows\\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe"	{1A17B143-9F34-4275-BC89-25329A48847E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44866232-BFDA-4c01-B4C1-55CE78B38038}	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}\stubpath = "C:\\Windows\\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe"	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A5DCB82-383A-4e92-B70B-04F5B5574399}\stubpath = "C:\\Windows\\{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe"	{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92AB12AE-26A1-4151-861C-F017921A1B67}	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}\stubpath = "C:\\Windows\\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe"	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}	{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}\stubpath = "C:\\Windows\\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe"	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}	{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A17B143-9F34-4275-BC89-25329A48847E}	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}	{1A17B143-9F34-4275-BC89-25329A48847E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92AB12AE-26A1-4151-861C-F017921A1B67}\stubpath = "C:\\Windows\\{92AB12AE-26A1-4151-861C-F017921A1B67}.exe"	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}	{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}\stubpath = "C:\\Windows\\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe"	{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A5DCB82-383A-4e92-B70B-04F5B5574399}	{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}\stubpath = "C:\\Windows\\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe"	{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A17B143-9F34-4275-BC89-25329A48847E}\stubpath = "C:\\Windows\\{1A17B143-9F34-4275-BC89-25329A48847E}.exe"	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44866232-BFDA-4c01-B4C1-55CE78B38038}\stubpath = "C:\\Windows\\{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe"	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe
2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
2864	{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
1376	{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
3048	{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
572	{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
1996	{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
File created	C:\Windows\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
File created	C:\Windows\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe	{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
File created	C:\Windows\{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe	{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
File created	C:\Windows\{1A17B143-9F34-4275-BC89-25329A48847E}.exe	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
File created	C:\Windows\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
File created	C:\Windows\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
File created	C:\Windows\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
File created	C:\Windows\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe	{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
File created	C:\Windows\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe	{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
File created	C:\Windows\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	{1A17B143-9F34-4275-BC89-25329A48847E}.exe
File created	C:\Windows\{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe
Token: SeIncBasePriorityPrivilege	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
Token: SeIncBasePriorityPrivilege	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
Token: SeIncBasePriorityPrivilege	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
Token: SeIncBasePriorityPrivilege	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
Token: SeIncBasePriorityPrivilege	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
Token: SeIncBasePriorityPrivilege	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
Token: SeIncBasePriorityPrivilege	2864	{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
Token: SeIncBasePriorityPrivilege	1376	{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
Token: SeIncBasePriorityPrivilege	3048	{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
Token: SeIncBasePriorityPrivilege	572	{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2360	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	28
PID 2088 wrote to memory of 2360	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	28
PID 2088 wrote to memory of 2360	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	28
PID 2088 wrote to memory of 2360	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	28
PID 2088 wrote to memory of 2828	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	29
PID 2088 wrote to memory of 2828	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	29
PID 2088 wrote to memory of 2828	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	29
PID 2088 wrote to memory of 2828	2088	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	29
PID 2360 wrote to memory of 2576	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	30
PID 2360 wrote to memory of 2576	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	30
PID 2360 wrote to memory of 2576	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	30
PID 2360 wrote to memory of 2576	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	30
PID 2360 wrote to memory of 2684	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	31
PID 2360 wrote to memory of 2684	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	31
PID 2360 wrote to memory of 2684	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	31
PID 2360 wrote to memory of 2684	2360	{1A17B143-9F34-4275-BC89-25329A48847E}.exe	31
PID 2576 wrote to memory of 2640	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	35
PID 2576 wrote to memory of 2640	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	35
PID 2576 wrote to memory of 2640	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	35
PID 2576 wrote to memory of 2640	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	35
PID 2576 wrote to memory of 2176	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	34
PID 2576 wrote to memory of 2176	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	34
PID 2576 wrote to memory of 2176	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	34
PID 2576 wrote to memory of 2176	2576	{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe	34
PID 2640 wrote to memory of 1684	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	37
PID 2640 wrote to memory of 1684	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	37
PID 2640 wrote to memory of 1684	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	37
PID 2640 wrote to memory of 1684	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	37
PID 2640 wrote to memory of 2928	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	36
PID 2640 wrote to memory of 2928	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	36
PID 2640 wrote to memory of 2928	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	36
PID 2640 wrote to memory of 2928	2640	{92AB12AE-26A1-4151-861C-F017921A1B67}.exe	36
PID 1684 wrote to memory of 2784	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	38
PID 1684 wrote to memory of 2784	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	38
PID 1684 wrote to memory of 2784	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	38
PID 1684 wrote to memory of 2784	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	38
PID 1684 wrote to memory of 1180	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	39
PID 1684 wrote to memory of 1180	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	39
PID 1684 wrote to memory of 1180	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	39
PID 1684 wrote to memory of 1180	1684	{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe	39
PID 2784 wrote to memory of 1568	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	40
PID 2784 wrote to memory of 1568	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	40
PID 2784 wrote to memory of 1568	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	40
PID 2784 wrote to memory of 1568	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	40
PID 2784 wrote to memory of 392	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	41
PID 2784 wrote to memory of 392	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	41
PID 2784 wrote to memory of 392	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	41
PID 2784 wrote to memory of 392	2784	{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe	41
PID 1568 wrote to memory of 380	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	43
PID 1568 wrote to memory of 380	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	43
PID 1568 wrote to memory of 380	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	43
PID 1568 wrote to memory of 380	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	43
PID 1568 wrote to memory of 980	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	42
PID 1568 wrote to memory of 980	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	42
PID 1568 wrote to memory of 980	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	42
PID 1568 wrote to memory of 980	1568	{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe	42
PID 380 wrote to memory of 2864	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	45
PID 380 wrote to memory of 2864	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	45
PID 380 wrote to memory of 2864	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	45
PID 380 wrote to memory of 2864	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	45
PID 380 wrote to memory of 2788	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	44
PID 380 wrote to memory of 2788	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	44
PID 380 wrote to memory of 2788	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	44
PID 380 wrote to memory of 2788	380	{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\{1A17B143-9F34-4275-BC89-25329A48847E}.exe
  C:\Windows\{1A17B143-9F34-4275-BC89-25329A48847E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
    C:\Windows\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6DB0B~1.EXE > nul
      4⤵
      PID:2176
  - - C:\Windows\{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
      C:\Windows\{92AB12AE-26A1-4151-861C-F017921A1B67}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92AB1~1.EXE > nul
        5⤵
        
        PID:2928
    - - C:\Windows\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
        
        C:\Windows\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
        
        C:\Windows\{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
        
        C:\Windows\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5B7F~1.EXE > nul
        8⤵
        
        PID:980
        
        C:\Windows\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
        
        C:\Windows\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{853B5~1.EXE > nul
        9⤵
        
        PID:2788
        
        C:\Windows\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
        
        C:\Windows\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
        
        C:\Windows\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
        
        C:\Windows\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E6E5~1.EXE > nul
        12⤵
        
        PID:1736
        
        C:\Windows\{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
        
        C:\Windows\{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe
        
        C:\Windows\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe
        13⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A5DC~1.EXE > nul
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD4D8~1.EXE > nul
        11⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B7E~1.EXE > nul
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44866~1.EXE > nul
        7⤵
        
        PID:392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F00E~1.EXE > nul
        6⤵
        
        PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A17B~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A17B143-9F34-4275-BC89-25329A48847E}.exe

Filesize
197KB

MD5
414cd904cf3dfe8ce9c1ff5841b88ae1

SHA1
1c74090c642d059a967fe3090a2c600593eb835d

SHA256
0bd54d4f8472a6e0d28375d5477764751715f46027386eaf4fe72687093573e6

SHA512
ba23f5e4e6b6ff3c7e4e6dff66ed86df89d76baecc9a2836bc605375ead4dd21e86d8a90b2e98f6d1f6a9a749d64aca990d6d6663b7842d2933c7ce222df34ec

Download Submit
C:\Windows\{1E3AC97D-E02B-4a49-BAF4-9AE0DCEEE1B5}.exe

Filesize
197KB

MD5
89888107255513b9ded0cf92c9011762

SHA1
881b3aff9e09bf39aaffce7c8ab2bcc852bd13d3

SHA256
c12fa494936487e617d2ea68275ec6ded8d55a8f8da6b95d1f0713ae2f234745

SHA512
5d2352edc92857cdd496549229ac1af0a202d7c84cda660fec0110e130876cd6b8eb26af76c38d5cdb7a232e5182458f417eed5c1d2aeb77b2422084cd906152

Download Submit
C:\Windows\{1E6E5B48-A58D-4ac8-B2EC-C77E94389BAF}.exe

Filesize
197KB

MD5
df1910117aa695fb5fe5a55f9a96c045

SHA1
116cdc662ecf825f6564c1112693db959219a4fa

SHA256
18b9e6a0d93bda9ebd8d3e781de3525cf02d57a76667f4bfa7f637aa02aa38ac

SHA512
0d5e5f94a28ac7c671b0df4851a7e82586d1a72e506e21873652a542eeb7335d020de96892e2de9b68aaefece0fdc95b43fec9519783ef30bc732fdea3b9e07d

Download Submit
C:\Windows\{3A5DCB82-383A-4e92-B70B-04F5B5574399}.exe

Filesize
197KB

MD5
54a990c03c015e75a267c4d9e78ce6dd

SHA1
eaa41e93bfd234a05b573c52dc50b49962c30a08

SHA256
a082afac7e2b75d570db7171a633ffd9383239a8a083fb1dd8b7eb2fe650203b

SHA512
4d9946878dcb1453c39f59574f9366219fdd1f0a12830e53e0d7df6687419e126e78ba006bd61fc9212486ea6e58ee65da0ad9dbd1908c82c7d2a2bdbf25c4d5

Download Submit
C:\Windows\{44866232-BFDA-4c01-B4C1-55CE78B38038}.exe

Filesize
197KB

MD5
74be9f9e9446a33d21c0a6c6a2aca644

SHA1
17004f8b7a994f11a84c3324dbec12babf6144ab

SHA256
1f011750862637e9e188e4ea10701410f87003379b018d2360f84e2170c9a764

SHA512
0a3ba2bd1b835000d6ba855aedd2fccad6c33115fe9ad75f44866795354f8e2040a70138430651558e6537adfd7e892bbc349c4042719d255ed5b2a4b38c36c6

Download Submit
C:\Windows\{6DB0BF96-BEBF-49e1-9F98-3642C8D912DC}.exe

Filesize
197KB

MD5
6f924aa4c97ca265513609c973f5211c

SHA1
f2e11483c23f743cf8e1d5d7e58f59d6ff3465c0

SHA256
ff39c8f1650b66194f39cc7fa005085b681b50339d4584183bc16c2e43f0296a

SHA512
36c00fad567908502909193b904e59736bd5299179f2a0a88ba28f8a17ea62e4fca36958aca49298c52d779198ec7ef6b0b35924fbedea3930cb68dcde7c498f

Download Submit
C:\Windows\{7F00EB89-1005-4b5a-9162-1F2843D3D16B}.exe

Filesize
197KB

MD5
b3d0a28cd8b568a8fdd00e462997f478

SHA1
30aaebf5b10c0048e179adabd4ef5abaddb18a46

SHA256
c65ddb9a96f9d252f4a6d9d6877dddb2047bf19e87ecaa8085c1f6efa15f249d

SHA512
34a558a09aa5d8fa1a794448da6802e80874eb3455d93fe5180db687277328e9dc7498282bf7c7302a45eff9e54440adeb66c1db0af7d5a6f4059beccf4398ea

Download Submit
C:\Windows\{853B5A4C-A3DE-4f81-A4D8-0C5DDE6EB128}.exe

Filesize
197KB

MD5
ed41f3c72fdaa2021d9469c409f47846

SHA1
f73687bee7f0095cd0bd4ad64ec07a29926360af

SHA256
ffbd8f8f737bb68320247942a5f1756037a7ee2196068e2e9bd5b000cf32ea5d

SHA512
c2c83bacad94468d609dbf94d5cb8c273bf9b6f53e46980f21686638dcf14e243f8ad40859de429748489b74c416b75ee7773a30cac66d45755a2339711f7264

Download Submit
C:\Windows\{92AB12AE-26A1-4151-861C-F017921A1B67}.exe

Filesize
197KB

MD5
3b8bafbc93ca37dcb41b18b6561d92b8

SHA1
594ae08a6d9980e1e05907794516b8ca90faff87

SHA256
57fd7397b543af943debe6b0f66de1b88c48b66fccd8f7592b80d3955915a942

SHA512
22e783813946708d37b32133616fd0f072705ca20fba6316764db88d539fc721f8ee7cea8eb8a8b28cf98f16fa27b2d6b6d0d61e2bee03e80f8a1e96cda9c0e8

Download Submit
C:\Windows\{A3B7EDFE-E977-43a6-B5AF-8BEC9A090E66}.exe

Filesize
197KB

MD5
afd6edcd6d00e5c6cee5ca07cf751b4e

SHA1
b5a1f4558a2c5c20ed5c3830ab77d9447d7e1878

SHA256
17bc8d911c4aeecb480e5fd89728e89a4e731b118d6c6dc896433b65753aab4e

SHA512
cafcce9c7e6185a6b592b1c63421b0ccb8acc2783ea7d6376f39cc07ee08afc830d7dfefa2ff3be46d59e97e30737e798d487990a1a7e19c8d52d9190d025d72

Download Submit
C:\Windows\{C5B7F689-F148-42a1-AA3A-E79FA16B7A32}.exe

Filesize
197KB

MD5
e522b868834d06660708d0c88fee8323

SHA1
87c4acf8445281a4c613d2bb7ed52d1b6490a500

SHA256
acb8e7d37706c05beff1800f27ecf9fdb283799472e81c4c3c9cf225a3ecc920

SHA512
ee9cff4a58b1ecc36edcd50de6006eeae8176f17b6769e315a0073aa3abeba51e6e4eda0181aa334ad294ac3dfd8251251787b8006298e5ad3734cca4870adef

Download Submit
C:\Windows\{CD4D8E59-A44D-488b-A4DA-0F859CCB8CA7}.exe

Filesize
197KB

MD5
bdd087274669ed7205f7608aa0214613

SHA1
670c6d6b0c161b568baa78defc7e800610adf257

SHA256
77746b6383c7adc8635cbbdef0810b11eb4d44dcf297966453cba8f0ce116a3d

SHA512
c9bf30e6cc58cc8a2764ab5b11387b195b139f6e315b58fa4c3453b9c2d954478fef980df6ee35a30fab014cef473b7929bad39bcc199a462aceaebc70a68fd8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads