cb747a1fc2b48c8385e3eb9185750ceb85814495d89ca4078ad4b22a932aa907

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
Size

168KB
MD5

fe300a177c3f42cd87ecb62db8e8dab7
SHA1

95ee75af74599d29d7c4c0022edc36e8a7da1c14
SHA256

cb747a1fc2b48c8385e3eb9185750ceb85814495d89ca4078ad4b22a932aa907
SHA512

b0708c6643225ba860bc3f3fa0e153889166627a8df9bf8a9a2ad48f5398a931dc6718994c0a1c891657558c3052d45ee0f5384e8a9f774ae59d2b160d1d8fb7
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023239-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023240-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023247-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023240-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}\stubpath = "C:\\Windows\\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe"	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8592835-FA64-443e-8167-DCE9C23C881B}	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}\stubpath = "C:\\Windows\\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe"	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}\stubpath = "C:\\Windows\\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe"	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}\stubpath = "C:\\Windows\\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe"	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}\stubpath = "C:\\Windows\\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe"	{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}\stubpath = "C:\\Windows\\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe"	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E86AB1E7-403D-403f-BC7F-694E698C3E16}	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8592835-FA64-443e-8167-DCE9C23C881B}\stubpath = "C:\\Windows\\{E8592835-FA64-443e-8167-DCE9C23C881B}.exe"	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}\stubpath = "C:\\Windows\\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe"	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC9409C-D325-4d80-B413-23AA1A6633C0}\stubpath = "C:\\Windows\\{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe"	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}\stubpath = "C:\\Windows\\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe"	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC9409C-D325-4d80-B413-23AA1A6633C0}	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}\stubpath = "C:\\Windows\\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe"	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E86AB1E7-403D-403f-BC7F-694E698C3E16}\stubpath = "C:\\Windows\\{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe"	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}	{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe

Executes dropped EXE 12 IoCs

pid	Process
4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
2616	{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe
1424	{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe	{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe
File created	C:\Windows\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
File created	C:\Windows\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
File created	C:\Windows\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
File created	C:\Windows\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
File created	C:\Windows\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
File created	C:\Windows\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
File created	C:\Windows\{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
File created	C:\Windows\{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
File created	C:\Windows\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
File created	C:\Windows\{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
File created	C:\Windows\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
Token: SeIncBasePriorityPrivilege	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
Token: SeIncBasePriorityPrivilege	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
Token: SeIncBasePriorityPrivilege	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
Token: SeIncBasePriorityPrivilege	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
Token: SeIncBasePriorityPrivilege	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
Token: SeIncBasePriorityPrivilege	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
Token: SeIncBasePriorityPrivilege	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
Token: SeIncBasePriorityPrivilege	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
Token: SeIncBasePriorityPrivilege	728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
Token: SeIncBasePriorityPrivilege	2616	{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4716	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	95
PID 4340 wrote to memory of 4716	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	95
PID 4340 wrote to memory of 4716	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	95
PID 4340 wrote to memory of 1752	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	96
PID 4340 wrote to memory of 1752	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	96
PID 4340 wrote to memory of 1752	4340	2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe	96
PID 4716 wrote to memory of 3920	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	97
PID 4716 wrote to memory of 3920	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	97
PID 4716 wrote to memory of 3920	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	97
PID 4716 wrote to memory of 512	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	98
PID 4716 wrote to memory of 512	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	98
PID 4716 wrote to memory of 512	4716	{E8592835-FA64-443e-8167-DCE9C23C881B}.exe	98
PID 3920 wrote to memory of 1480	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	100
PID 3920 wrote to memory of 1480	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	100
PID 3920 wrote to memory of 1480	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	100
PID 3920 wrote to memory of 2124	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	101
PID 3920 wrote to memory of 2124	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	101
PID 3920 wrote to memory of 2124	3920	{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe	101
PID 1480 wrote to memory of 4696	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	102
PID 1480 wrote to memory of 4696	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	102
PID 1480 wrote to memory of 4696	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	102
PID 1480 wrote to memory of 4520	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	103
PID 1480 wrote to memory of 4520	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	103
PID 1480 wrote to memory of 4520	1480	{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe	103
PID 4696 wrote to memory of 3280	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	104
PID 4696 wrote to memory of 3280	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	104
PID 4696 wrote to memory of 3280	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	104
PID 4696 wrote to memory of 3020	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	105
PID 4696 wrote to memory of 3020	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	105
PID 4696 wrote to memory of 3020	4696	{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe	105
PID 3280 wrote to memory of 376	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	106
PID 3280 wrote to memory of 376	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	106
PID 3280 wrote to memory of 376	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	106
PID 3280 wrote to memory of 3172	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	107
PID 3280 wrote to memory of 3172	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	107
PID 3280 wrote to memory of 3172	3280	{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe	107
PID 376 wrote to memory of 920	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	109
PID 376 wrote to memory of 920	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	109
PID 376 wrote to memory of 920	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	109
PID 376 wrote to memory of 1628	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	108
PID 376 wrote to memory of 1628	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	108
PID 376 wrote to memory of 1628	376	{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe	108
PID 920 wrote to memory of 2760	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	110
PID 920 wrote to memory of 2760	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	110
PID 920 wrote to memory of 2760	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	110
PID 920 wrote to memory of 4264	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	111
PID 920 wrote to memory of 4264	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	111
PID 920 wrote to memory of 4264	920	{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe	111
PID 2760 wrote to memory of 3972	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	112
PID 2760 wrote to memory of 3972	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	112
PID 2760 wrote to memory of 3972	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	112
PID 2760 wrote to memory of 4204	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	113
PID 2760 wrote to memory of 4204	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	113
PID 2760 wrote to memory of 4204	2760	{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe	113
PID 3972 wrote to memory of 728	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	114
PID 3972 wrote to memory of 728	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	114
PID 3972 wrote to memory of 728	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	114
PID 3972 wrote to memory of 2292	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	115
PID 3972 wrote to memory of 2292	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	115
PID 3972 wrote to memory of 2292	3972	{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe	115
PID 728 wrote to memory of 2616	728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe	116
PID 728 wrote to memory of 2616	728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe	116
PID 728 wrote to memory of 2616	728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe	116
PID 728 wrote to memory of 4008	728	{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_fe300a177c3f42cd87ecb62db8e8dab7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
  C:\Windows\{E8592835-FA64-443e-8167-DCE9C23C881B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
    C:\Windows\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
      C:\Windows\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
        
        C:\Windows\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
        
        C:\Windows\{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
        
        C:\Windows\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E697~1.EXE > nul
        8⤵
        
        PID:1628
        
        C:\Windows\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
        
        C:\Windows\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
        
        C:\Windows\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
        
        C:\Windows\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
        
        C:\Windows\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe
        
        C:\Windows\{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe
        
        C:\Windows\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe
        13⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E86AB~1.EXE > nul
        13⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05B84~1.EXE > nul
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95354~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6C9B~1.EXE > nul
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79BB7~1.EXE > nul
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEC94~1.EXE > nul
        7⤵
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{892C9~1.EXE > nul
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6FB~1.EXE > nul
        5⤵
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AAD72~1.EXE > nul
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8592~1.EXE > nul
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B845EA-73CF-461f-AEA4-BEFBDFF95042}.exe

Filesize
168KB

MD5
02c1deb3c63c3b4a7147a49100dc6f90

SHA1
30b5358423b6cb9a6e37004dda0c8ea2efd100a5

SHA256
de9e5b695bef9b49fb8bd1043d0ac2fc037412e7d607a0edc7a94f426ad4fc49

SHA512
a48787b1d028397420456f5351fd2c6c46ba6bfb3b0fb2af89e0168d6650ead05bfd89f6fd570ed103937453b684a4ec488ed2662376ea51d421c1e623a64e44

Download Submit
C:\Windows\{4C6FB479-A10A-4ac6-AE3E-BBCE34318ABE}.exe

Filesize
168KB

MD5
192dcf435ea30dd2e1b9f269dce10e49

SHA1
dd668f96af83a0b5d03697ab0b079a68649d4a10

SHA256
3a9c1398ccc6295c5a943fcdb455f5645bb4ea3af0f880f72ad0cce717f8564e

SHA512
65f5e5c6929f92e4076cbf2f98176422fbe26ffca3705a30c54c414bee63d8cb924bbbbe4a5599bd317c739fb923b49fa2703b68aa76d16b23ec41a6dae05c00

Download Submit
C:\Windows\{5E697D10-06CF-4a15-953F-A14A6B4AB78F}.exe

Filesize
168KB

MD5
ce09d791b840d1b606247bee97fcc466

SHA1
9774a71f6ba010faa48b4b0ac2e21e684a49864d

SHA256
affd7b6e0aaa8dd95be2ea1bb29837adfdacf6f16086e7660fac059d53fb2b10

SHA512
16ededed70ba61fe3a1887c5150c60e3f6f56899cfa34dace80dcf2a3f6681b41db0929d67f57ce30bcbd490c53a0fcc78e64832bf6da37a8e88629388be635f

Download Submit
C:\Windows\{79BB7BF6-993F-4b7d-8C3E-0ABF296DD511}.exe

Filesize
168KB

MD5
0b87f9da053fc8b6bc85292646c40e1e

SHA1
2dcc145bb8fc617c718aa6a2815b78b686da0bcf

SHA256
af187e78c36a520aef8a3b8f3cd0417f1fea6af7ae7e3ed0b16ccabca6977cd1

SHA512
f0f61cc157f39474c2c952aa5d87c8a9797ba43a7514a9d6b8cbc65d49eba2ad013365289b3c435786494b80fde5aa1e15ab229f6c451babde26dd976c96a956

Download Submit
C:\Windows\{892C998A-9AFC-4c51-84C9-A3C68F40CB59}.exe

Filesize
168KB

MD5
0db04b3f423ba1debcf8e15a322348a8

SHA1
fdc393f44fa5b0cfae539adea021ccdf56ca301c

SHA256
6f0d4d94cfd8c3e8d1b8cb57870be16c19b4a3d59171b8b8b9e59075fbf22018

SHA512
645dde1d63e3d1df9f3909dc33ac524ed41fff8dd6393c32487f3e6dd3655a1b482958c26449a5280b7f7268f7d68bcd94cfdebd57600bf2a9e732c1c3a94e54

Download Submit
C:\Windows\{95354DD5-C5DC-46d4-9789-3BF3E0F3BC0F}.exe

Filesize
168KB

MD5
0a381217021aa0b3152a0ba422dea65d

SHA1
aefb3abdd05c23bfc7f019fbfe7234ccbac849a0

SHA256
406f8a699e7724f329f09c6da1485b6b14974b4eb4a4a45bc9464eebd67a2907

SHA512
d2820a908966031eb491cf3493641380789fa8ffda6c6d9a8e666f0e015d5a122d5372088421edd95a1fa2fef0ca9e529ffbc692452a79ff1e6c660b92daa6bd

Download Submit
C:\Windows\{AAD72F90-5415-4119-BEA1-5D32DE5EA98F}.exe

Filesize
168KB

MD5
138d3e0224c3e24a559746baa1535c7b

SHA1
6d993f5a2a7b7e9d46f883395702aa374c434a66

SHA256
50e03530e7f0a183b768f3cb4c25cacb01d508e7b6457fa80ec7ba24aecd6812

SHA512
450a3a9a947af408ed368a23661c0fedfb4991b96e1fc5e1b5e361ce4db157cf4eb4931836b91e326798744ab705e59da6fd32522acc32b5f5e3e886edfd9e42

Download Submit
C:\Windows\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe

Filesize
168KB

MD5
dcca978b8be9c878bf1d2bf297b3fdcd

SHA1
a02b049fa3bfc5afe61941c01762d3fb79506b38

SHA256
25a0b09b819d8394c06f04888651118bc2f50647646835d35a1ab8f1e6d19b25

SHA512
cd83465cd1e488fb6a481628f48df7600c55c04579e61e63969e80eacc7e58045ab11eb3de32a04027db133000255ce578900edd7193858c737643eca53ef279

Download Submit
C:\Windows\{AF54F76E-7383-4d9c-90AF-78DB3C2831B8}.exe

Filesize
59KB

MD5
cdefc0853093f8968f187799bb2dd59a

SHA1
94b537a66a29371f789a7829296b442cd0416161

SHA256
ebda606daff8220a9d6ff123a37fbd6727603db0b370a78ef689124c10ac4248

SHA512
7b650b945ddc99c5234fd9f181a61d81bdcbea58ce811a53a9b0607ab647e5ef6f5776c1a512d570e89e966be442338da4db5411d544679aa02b730b2db78355

Download Submit
C:\Windows\{C6C9B67C-1DCF-4541-9D55-598AC3AD4883}.exe

Filesize
168KB

MD5
fb5b159d3b383d64cf6aa3aae416df7e

SHA1
bac07c7ca20bd87273cc70a5da7fd8342113ef68

SHA256
add238e781ee6fb5e49ff08e1a5c294c386b7de024244a5e43efe5241ddf4bc6

SHA512
f24eb3c9b794c092fb747b8fd74580e1d07f942a055020413835d589792ca5211dfc574b2c1b1786f5f44a24eb6489e4f648e9545b7a30de75f6c51a5855de46

Download Submit
C:\Windows\{E8592835-FA64-443e-8167-DCE9C23C881B}.exe

Filesize
168KB

MD5
937e4617bb93cbb6fa5775102fe726f9

SHA1
b023c18f7100a43cafc64e1ce4723104e1d9ad57

SHA256
8f60751c6f8e21dcfa7758dde1aafec09b6eb4298729983a02e50211411214de

SHA512
7bf7745950c76fa2e4df202d9bb9906ccc381b694961b5b219804ee92cdc879ca9f93de70ce6f9b45e6843a5b6fcf42902b75971ef87b50a93232ec514a80133

Download Submit
C:\Windows\{E86AB1E7-403D-403f-BC7F-694E698C3E16}.exe

Filesize
168KB

MD5
813be239f467140f9d9ef73a564e3e61

SHA1
39438f6605707355efeaa4359796cf950df7cf19

SHA256
a62b1dab58a009368c1d0667dab4506a31ee0d2d5fb5765e04342c5429c94b1b

SHA512
1521e28251dd2176e0ffed426c68832218c2a79b74251e6b821505e07c59802e91db0c22cfc58bd61eb42f5245b0609ca10da0925b6fa40e11fb0d0e75203dd8

Download Submit
C:\Windows\{FEC9409C-D325-4d80-B413-23AA1A6633C0}.exe

Filesize
168KB

MD5
3c4e876111732e1f8c7ecb1e0eef542e

SHA1
30434378aafe20f2f724138ad4e843cbdc05f856

SHA256
ab2c36e710630caedb04b9433f4835154db93dea67cf47e59d5703ce3789d4a9

SHA512
d32ab66dc986af267f20a3164837daa245c202e200af588747d947d1231f827b463fdf9edc742b90be0877213d2f342bc03481fa01456f30085d89f6af140b23

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads