e9486c4885fa2d8bf53a63ccef1967ff15110843fb15143c9531ff3deed7203b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Size

408KB
MD5

46a214a0d9052a48ff8fd42eb3454a77
SHA1

84426da7dfee4a63a29defd912c172c2c2834dac
SHA256

e9486c4885fa2d8bf53a63ccef1967ff15110843fb15143c9531ff3deed7203b
SHA512

6669ead45e1ead872b8a762e87320a7d93b389d280d8c66f7b033893512e4ca5a1346dfc85773c0f2cca49a5f05c6b5429547b71de676657a4ce58873e69949d
SSDEEP

3072:CEGh0oql3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000700000002322d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023236-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002323f-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023236-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002167d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000073b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000739-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000073b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000073b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}	{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}\stubpath = "C:\\Windows\\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe"	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}\stubpath = "C:\\Windows\\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe"	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F159C744-92B9-4413-A2C5-F8FEE1469991}	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}\stubpath = "C:\\Windows\\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe"	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D88ACBA-355B-468a-8D67-230090AEC6D7}\stubpath = "C:\\Windows\\{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe"	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E038687-F1E2-4081-BDC8-D91F8B40F038}	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}\stubpath = "C:\\Windows\\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe"	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D88ACBA-355B-468a-8D67-230090AEC6D7}	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F159C744-92B9-4413-A2C5-F8FEE1469991}\stubpath = "C:\\Windows\\{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe"	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}\stubpath = "C:\\Windows\\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe"	{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}\stubpath = "C:\\Windows\\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe"	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}\stubpath = "C:\\Windows\\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe"	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E038687-F1E2-4081-BDC8-D91F8B40F038}\stubpath = "C:\\Windows\\{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe"	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}\stubpath = "C:\\Windows\\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe"	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22135E89-CEF4-4ae1-84C4-86F71688404C}	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22135E89-CEF4-4ae1-84C4-86F71688404C}\stubpath = "C:\\Windows\\{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe"	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe

Executes dropped EXE 12 IoCs

pid	Process
484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
4684	{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
3872	{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
File created	C:\Windows\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
File created	C:\Windows\{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
File created	C:\Windows\{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
File created	C:\Windows\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
File created	C:\Windows\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
File created	C:\Windows\{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
File created	C:\Windows\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
File created	C:\Windows\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe	{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
File created	C:\Windows\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
File created	C:\Windows\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
File created	C:\Windows\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
Token: SeIncBasePriorityPrivilege	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
Token: SeIncBasePriorityPrivilege	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
Token: SeIncBasePriorityPrivilege	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
Token: SeIncBasePriorityPrivilege	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
Token: SeIncBasePriorityPrivilege	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
Token: SeIncBasePriorityPrivilege	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
Token: SeIncBasePriorityPrivilege	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
Token: SeIncBasePriorityPrivilege	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
Token: SeIncBasePriorityPrivilege	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
Token: SeIncBasePriorityPrivilege	1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
Token: SeIncBasePriorityPrivilege	4684	{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 484	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	95
PID 4460 wrote to memory of 484	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	95
PID 4460 wrote to memory of 484	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	95
PID 4460 wrote to memory of 4796	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	96
PID 4460 wrote to memory of 4796	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	96
PID 4460 wrote to memory of 4796	4460	2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe	96
PID 484 wrote to memory of 5076	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	97
PID 484 wrote to memory of 5076	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	97
PID 484 wrote to memory of 5076	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	97
PID 484 wrote to memory of 4720	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	98
PID 484 wrote to memory of 4720	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	98
PID 484 wrote to memory of 4720	484	{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe	98
PID 5076 wrote to memory of 2828	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	101
PID 5076 wrote to memory of 2828	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	101
PID 5076 wrote to memory of 2828	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	101
PID 5076 wrote to memory of 1732	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	100
PID 5076 wrote to memory of 1732	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	100
PID 5076 wrote to memory of 1732	5076	{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe	100
PID 2828 wrote to memory of 3700	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	102
PID 2828 wrote to memory of 3700	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	102
PID 2828 wrote to memory of 3700	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	102
PID 2828 wrote to memory of 2164	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	103
PID 2828 wrote to memory of 2164	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	103
PID 2828 wrote to memory of 2164	2828	{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe	103
PID 3700 wrote to memory of 4948	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	104
PID 3700 wrote to memory of 4948	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	104
PID 3700 wrote to memory of 4948	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	104
PID 3700 wrote to memory of 4076	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	105
PID 3700 wrote to memory of 4076	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	105
PID 3700 wrote to memory of 4076	3700	{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe	105
PID 4948 wrote to memory of 4904	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	106
PID 4948 wrote to memory of 4904	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	106
PID 4948 wrote to memory of 4904	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	106
PID 4948 wrote to memory of 3992	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	107
PID 4948 wrote to memory of 3992	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	107
PID 4948 wrote to memory of 3992	4948	{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe	107
PID 4904 wrote to memory of 4976	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	108
PID 4904 wrote to memory of 4976	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	108
PID 4904 wrote to memory of 4976	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	108
PID 4904 wrote to memory of 3176	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	109
PID 4904 wrote to memory of 3176	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	109
PID 4904 wrote to memory of 3176	4904	{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe	109
PID 4976 wrote to memory of 4020	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	110
PID 4976 wrote to memory of 4020	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	110
PID 4976 wrote to memory of 4020	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	110
PID 4976 wrote to memory of 4276	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	111
PID 4976 wrote to memory of 4276	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	111
PID 4976 wrote to memory of 4276	4976	{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe	111
PID 4020 wrote to memory of 4224	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	112
PID 4020 wrote to memory of 4224	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	112
PID 4020 wrote to memory of 4224	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	112
PID 4020 wrote to memory of 2404	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	113
PID 4020 wrote to memory of 2404	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	113
PID 4020 wrote to memory of 2404	4020	{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe	113
PID 4224 wrote to memory of 1200	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	114
PID 4224 wrote to memory of 1200	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	114
PID 4224 wrote to memory of 1200	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	114
PID 4224 wrote to memory of 2420	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	115
PID 4224 wrote to memory of 2420	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	115
PID 4224 wrote to memory of 2420	4224	{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe	115
PID 1200 wrote to memory of 4684	1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe	116
PID 1200 wrote to memory of 4684	1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe	116
PID 1200 wrote to memory of 4684	1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe	116
PID 1200 wrote to memory of 3712	1200	{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_46a214a0d9052a48ff8fd42eb3454a77_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
  C:\Windows\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
    C:\Windows\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51DF3~1.EXE > nul
      4⤵
      PID:1732
  - - C:\Windows\{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
      C:\Windows\{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
        
        C:\Windows\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
        
        C:\Windows\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
        
        C:\Windows\{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
        
        C:\Windows\{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
        
        C:\Windows\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
        
        C:\Windows\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
        
        C:\Windows\{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
        
        C:\Windows\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe
        
        C:\Windows\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe
        13⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2012D~1.EXE > nul
        13⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22135~1.EXE > nul
        12⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F05DA~1.EXE > nul
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD21~1.EXE > nul
        10⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F159C~1.EXE > nul
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D88A~1.EXE > nul
        8⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABC1~1.EXE > nul
        7⤵
        
        PID:3992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{577AD~1.EXE > nul
        6⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E038~1.EXE > nul
        5⤵
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE56~1.EXE > nul
    3⤵
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe

Filesize
129KB

MD5
16c431a233185621d9824b7649ecdd70

SHA1
d8fac5ec95758cd8d4e389d01106f9731d5809ca

SHA256
6836e684238dc94594d099eab368dbbd11a4ab05e2acb16ab2d31122c9c1ea71

SHA512
c437c941d41509cf11897725e103a2764fff3841f9fdeaf7dc25dc87fd2dca9efdbddec8d09b0fe3be5f21e60d45ecfd72a0de1fc95b03047a277c55a8310a2e

Download Submit
C:\Windows\{2012D038-B78F-42ef-AB6A-55E1E5FE15A7}.exe

Filesize
408KB

MD5
432deaf06270b85fa7eb666d801678dc

SHA1
d3e85decbdef14fdaa35638e5e73acb8c2cf4176

SHA256
cc90c51a90f217ab587a6bef2c31d98db20d00110e86edf0902a0f0362704289

SHA512
51fa66b034540b1d22cbd18491b3bf82a1bf80bb716a8168b1748199c87ecda4ecb9bb27a6b683770a37c3e46524f997a469c16a885ba6097f58030e5db93125

Download Submit
C:\Windows\{22135E89-CEF4-4ae1-84C4-86F71688404C}.exe

Filesize
408KB

MD5
492f10cf65988807c12a13bc1acec157

SHA1
77d777eeb95d7cedb0ddf648b11ece7735e97a66

SHA256
8e624ea632491a3b1990a9a7b7b252c4238a6c8f7d008a5c70b0a2d6d2699e58

SHA512
05e8cd6ba49b48b73be03f23b92389e7c00ae2eb123bb04f460b8c647ede9fe9e39c64eec4616e66e3e5a06c13690137af9778c4c143da4edf8064cfac5327a5

Download Submit
C:\Windows\{2FD21CAE-0788-49e0-9ECF-2C5FD86B3FF4}.exe

Filesize
408KB

MD5
ba58cdb0f2fe515349f406aade7334e5

SHA1
1f59dbe7e0f0b461096fa13bd90df403bc9304c0

SHA256
7856bdc337d209812f37920b308ac0b4a622edc7bb7ee4cc4b4a7813ac7e044a

SHA512
6152320cb3a691100b6b1044a41544cb2fa1eac4a0b6ef105e341f191481d24daf609427681749ac18b9343febcf9689e5a9945946751bc6bbca8b76bfb80f1c

Download Submit
C:\Windows\{3EE56ED5-FCD3-4c34-88F7-3C8089016EF1}.exe

Filesize
408KB

MD5
7a9c6a51f39b9338e30878ee5fb33d03

SHA1
b9f120800244feb35c443a35ebf3e25f2f589a6b

SHA256
c3c29198e30f0e4012a7c5d3379f8ca7f969d2b3c364cb0d7e3efb053167ea02

SHA512
4ea4bf0b01271038e1404ce9c1a5a98bde380ce97869444d831f677ffe2ac9a766576970ae20c49b3ead6c0131dfd1c78b7ff05ad3e6a684a8e2f1fb45a43306

Download Submit
C:\Windows\{51DF3E57-26CF-4ddc-B054-D3B1E09F2595}.exe

Filesize
408KB

MD5
cf67dcc4e36d7c1eeb3d99a3a622b66b

SHA1
aa5bc344d9a4c28f138c64705b6b54bd15ed6f5d

SHA256
b692b22a863a6e29b73e1c5bdff18f4656b30c527acc942a5cb95176a9493bef

SHA512
d8e548a8f5300fe9df104ace61341671dbaa7917c44d83e10315de176b86f9e6b3ceb77463d93bdeb72371ad408fb2fb88fa0a02eac92cdce99e681685146d3a

Download Submit
C:\Windows\{5302BDC6-9B14-4137-B54A-1D3184FA25E1}.exe

Filesize
408KB

MD5
51fee003883ffcc018c665f2664e6821

SHA1
e6331c11c106f27762bd949a09278d965caac43f

SHA256
bd3373b1d0f451c513553631b3a23f0b21ad0ed81e0a8a6f479db5776f05f84e

SHA512
9d4f2e9bf04f9e407cb0b782b2ad051c5b52105c3bf94d8fab8dc3c57964e5fda8754920822a12fc9292706b6ebdab37f506cc4549f6b042e44c638c5a610195

Download Submit
C:\Windows\{577AD1A1-F309-4ba0-9C22-08B7BB0A8A1E}.exe

Filesize
408KB

MD5
1b21d2c6183ff418f046546e3e143b04

SHA1
06bee23c9e90ad26c6184ca64c32bf8c4211868a

SHA256
a032c4f192756651aaeea0dcd854c0bd515d9b5609421d7fb5e72e3d4d69bf58

SHA512
23091b5b258024a6e2190c35c04068128754322f6964b32cd6ca857854eff65134f518748b64f1951d37aaf6ad0f0f102bcc854e853c04217ae25e332d720e1c

Download Submit
C:\Windows\{6ABC16B4-61DB-47d2-9E94-0EFD9BF924C0}.exe

Filesize
408KB

MD5
0276edf9c674902429c4e6ad6840c3c2

SHA1
7117e7e99bb82b78dfbb4669a5e9bb7183a1baca

SHA256
64e9f198fd14c837adbb1c1872345f99cdfe94a70bc1d884de5ba04cebc5be1b

SHA512
a14c4bf39e5740f42aeb715a332825bd9453ec5d59c3ad9692dbf3c30250786f3fa10c388e5f502f3990da2d725d3faba5afd7322891f296f5db3cd47347584f

Download Submit
C:\Windows\{7E038687-F1E2-4081-BDC8-D91F8B40F038}.exe

Filesize
408KB

MD5
5edbdf241ed0636a5ed003b8a9f77a7d

SHA1
a8cab1d2f9e40635b6b812f6998b42ef12b34654

SHA256
abe34c84a28b8e35e9ecba5100df4f60cd7e53e98a5a0bf087efee20b8a22b9c

SHA512
4ceeca9794617e50bb6b223d89dba2ec3ad9137e36a2843454e7fc1b2cc3eb5af92ac38e336fc88d4623fb6ecdac6d8a85e9dd3b30bbbbbd64122d1a595d7f10

Download Submit
C:\Windows\{8D88ACBA-355B-468a-8D67-230090AEC6D7}.exe

Filesize
408KB

MD5
f20470230b2c79345ae82b3808b0877c

SHA1
8bce00dff7cf4ec05a208bd657e70627477184d8

SHA256
80ccfd65a9a1609331014da3cb48db872ee5dab71fa43a2b0cb98acdefd1e44b

SHA512
b640e440e15b7ef03e3d13b89e04e545715bae2c30afc03d41fd619db4004cf53d5805509a3114c979a0a87244f38e5d4392c75f8b2842fe15f72f84c7a040be

Download Submit
C:\Windows\{F05DA8A6-8123-40ef-8310-5D79AC2645C9}.exe

Filesize
408KB

MD5
d1c9bcf5dcef105f30cc6f4b28299800

SHA1
71187e6c553ac994371c015dc96b0acd23c3be3f

SHA256
832601746b732239b79a792aaaedd08aff96645977be67ee208e4237be8b4b46

SHA512
544fbe8058ac8e0218b993f817e04aa01c71c92961ad4587084e4053d7f115d7bf3edeedf71b5fcb5d709650f308df2616103cbb81ee08cb818c64d31210b639

Download Submit
C:\Windows\{F159C744-92B9-4413-A2C5-F8FEE1469991}.exe

Filesize
408KB

MD5
68a5de7acbb5529835ef654e9eed57f4

SHA1
854a3d0b57ec05f129761042faae1a6c21fb4f86

SHA256
a81d4ca2235ce6f70ea9bda10501c1168bb54b574b1f4b5d45f366456e47929e

SHA512
35421f82b01016c53dafeab19cdd8013c22170d28438277de31a62c77d4b82ca1b1c4815b42b71f7795b784d5ba6cc1dda8f6e494768da1170502041e87d6905

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads