9723d4dacb3de4ddbc89cb7c77cd630a90ebaaa987e1a4ab7821e23ade4a4754

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
Size

216KB
MD5

1a89d8843bb81444fe3882c02560756f
SHA1

92e2a2191fe19efd7a541e985398e72fe1b6e785
SHA256

9723d4dacb3de4ddbc89cb7c77cd630a90ebaaa987e1a4ab7821e23ade4a4754
SHA512

13ebef22ce64e2ab414c2e39df585afc567180266e412e26d86d113018e1bbf14ad5473788d091eed1052eec3473d73375e045973c446737109222baa94d120e
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGblEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x001000000002323e-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023245-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023239-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023245-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023245-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023239-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023245-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}\stubpath = "C:\\Windows\\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe"	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}	{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}\stubpath = "C:\\Windows\\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe"	{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{721E369E-9ACB-4890-A2F7-5B88117CAE25}\stubpath = "C:\\Windows\\{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe"	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{721E369E-9ACB-4890-A2F7-5B88117CAE25}	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}\stubpath = "C:\\Windows\\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe"	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}\stubpath = "C:\\Windows\\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe"	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB0C454-4AD7-4f20-918F-263BCE491809}\stubpath = "C:\\Windows\\{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe"	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8353DB-69F8-4177-88C2-785962AB5257}\stubpath = "C:\\Windows\\{1E8353DB-69F8-4177-88C2-785962AB5257}.exe"	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}\stubpath = "C:\\Windows\\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe"	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8316EFD7-8942-475a-B3F4-96F981C55149}\stubpath = "C:\\Windows\\{8316EFD7-8942-475a-B3F4-96F981C55149}.exe"	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E8353DB-69F8-4177-88C2-785962AB5257}	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8316EFD7-8942-475a-B3F4-96F981C55149}	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}\stubpath = "C:\\Windows\\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe"	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEB0C454-4AD7-4f20-918F-263BCE491809}	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}\stubpath = "C:\\Windows\\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe"	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C3DDCD-28D0-49a4-976F-685347471ECB}	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2C3DDCD-28D0-49a4-976F-685347471ECB}\stubpath = "C:\\Windows\\{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe"	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
2912	{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
2288	{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
File created	C:\Windows\{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
File created	C:\Windows\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
File created	C:\Windows\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
File created	C:\Windows\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
File created	C:\Windows\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe	{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
File created	C:\Windows\{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
File created	C:\Windows\{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
File created	C:\Windows\{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
File created	C:\Windows\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
File created	C:\Windows\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
File created	C:\Windows\{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
Token: SeIncBasePriorityPrivilege	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
Token: SeIncBasePriorityPrivilege	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
Token: SeIncBasePriorityPrivilege	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
Token: SeIncBasePriorityPrivilege	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
Token: SeIncBasePriorityPrivilege	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
Token: SeIncBasePriorityPrivilege	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
Token: SeIncBasePriorityPrivilege	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
Token: SeIncBasePriorityPrivilege	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
Token: SeIncBasePriorityPrivilege	4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
Token: SeIncBasePriorityPrivilege	2912	{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3508	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	98
PID 1820 wrote to memory of 3508	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	98
PID 1820 wrote to memory of 3508	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	98
PID 1820 wrote to memory of 4760	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	97
PID 1820 wrote to memory of 4760	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	97
PID 1820 wrote to memory of 4760	1820	2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe	97
PID 3508 wrote to memory of 1896	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	99
PID 3508 wrote to memory of 1896	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	99
PID 3508 wrote to memory of 1896	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	99
PID 3508 wrote to memory of 3096	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	100
PID 3508 wrote to memory of 3096	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	100
PID 3508 wrote to memory of 3096	3508	{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe	100
PID 1896 wrote to memory of 3012	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	103
PID 1896 wrote to memory of 3012	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	103
PID 1896 wrote to memory of 3012	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	103
PID 1896 wrote to memory of 2644	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	102
PID 1896 wrote to memory of 2644	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	102
PID 1896 wrote to memory of 2644	1896	{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe	102
PID 3012 wrote to memory of 4844	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	104
PID 3012 wrote to memory of 4844	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	104
PID 3012 wrote to memory of 4844	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	104
PID 3012 wrote to memory of 4668	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	105
PID 3012 wrote to memory of 4668	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	105
PID 3012 wrote to memory of 4668	3012	{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe	105
PID 4844 wrote to memory of 2588	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	107
PID 4844 wrote to memory of 2588	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	107
PID 4844 wrote to memory of 2588	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	107
PID 4844 wrote to memory of 2400	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	106
PID 4844 wrote to memory of 2400	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	106
PID 4844 wrote to memory of 2400	4844	{1E8353DB-69F8-4177-88C2-785962AB5257}.exe	106
PID 2588 wrote to memory of 4168	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	109
PID 2588 wrote to memory of 4168	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	109
PID 2588 wrote to memory of 4168	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	109
PID 2588 wrote to memory of 5108	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	108
PID 2588 wrote to memory of 5108	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	108
PID 2588 wrote to memory of 5108	2588	{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe	108
PID 4168 wrote to memory of 4336	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	110
PID 4168 wrote to memory of 4336	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	110
PID 4168 wrote to memory of 4336	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	110
PID 4168 wrote to memory of 2308	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	111
PID 4168 wrote to memory of 2308	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	111
PID 4168 wrote to memory of 2308	4168	{8316EFD7-8942-475a-B3F4-96F981C55149}.exe	111
PID 4336 wrote to memory of 512	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	112
PID 4336 wrote to memory of 512	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	112
PID 4336 wrote to memory of 512	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	112
PID 4336 wrote to memory of 2256	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	113
PID 4336 wrote to memory of 2256	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	113
PID 4336 wrote to memory of 2256	4336	{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe	113
PID 512 wrote to memory of 2252	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	114
PID 512 wrote to memory of 2252	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	114
PID 512 wrote to memory of 2252	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	114
PID 512 wrote to memory of 4536	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	115
PID 512 wrote to memory of 4536	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	115
PID 512 wrote to memory of 4536	512	{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe	115
PID 2252 wrote to memory of 4716	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	116
PID 2252 wrote to memory of 4716	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	116
PID 2252 wrote to memory of 4716	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	116
PID 2252 wrote to memory of 2100	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	117
PID 2252 wrote to memory of 2100	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	117
PID 2252 wrote to memory of 2100	2252	{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe	117
PID 4716 wrote to memory of 2912	4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe	118
PID 4716 wrote to memory of 2912	4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe	118
PID 4716 wrote to memory of 2912	4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe	118
PID 4716 wrote to memory of 4884	4716	{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_1a89d8843bb81444fe3882c02560756f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4760
- C:\Windows\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
  C:\Windows\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
    C:\Windows\{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2C3D~1.EXE > nul
      4⤵
      PID:2644
  - - C:\Windows\{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
      C:\Windows\{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
        
        C:\Windows\{1E8353DB-69F8-4177-88C2-785962AB5257}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E835~1.EXE > nul
        6⤵
        
        PID:2400
      - C:\Windows\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
        
        C:\Windows\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0199~1.EXE > nul
        7⤵
        
        PID:5108
        
        C:\Windows\{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
        
        C:\Windows\{8316EFD7-8942-475a-B3F4-96F981C55149}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
        
        C:\Windows\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
        
        C:\Windows\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
        
        C:\Windows\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
        
        C:\Windows\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
        
        C:\Windows\{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe
        
        C:\Windows\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe
        13⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEB0C~1.EXE > nul
        13⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C242~1.EXE > nul
        12⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E55F~1.EXE > nul
        11⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C10E~1.EXE > nul
        10⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D139C~1.EXE > nul
        9⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8316E~1.EXE > nul
        8⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{721E3~1.EXE > nul
        5⤵
        
        PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E5F7~1.EXE > nul
    3⤵
    PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C10EA5A-5DCD-4658-B404-17A4DC82BC52}.exe

Filesize
216KB

MD5
778e259e3df6455f4a54a3f145c5c5cf

SHA1
ef055c75f619af66a17b638ca84b1b652f21ff16

SHA256
7a61956d2b8855e981e8fde0a3b0c569bb6a7d91343768aec46617787c2ea535

SHA512
64298939e34a17def75abee754985a04a5d02ac04304b37e3aef13f60989bc63c9c75e9e526afcf4138d71b870075985cf19647b3ebf9580270b63b91214630e

Download Submit
C:\Windows\{1E8353DB-69F8-4177-88C2-785962AB5257}.exe

Filesize
216KB

MD5
7d8b5d6b6daf5190281c23a4a78e1364

SHA1
3c7ec839db56b6569fa301d62a9eeac6526ebaf0

SHA256
3ec878c7bd7c88d79557202f6c9c88dd3184d7f4022b01bca67c98e5545f5181

SHA512
3268962f6f66e422efde708e778c0aedf268bb8e4bd1b92f7139fca516a3afcbd69b6f92961945ee0568f6fbecbb335461495df3b4dbd475dfdd83dc6730d4a5

Download Submit
C:\Windows\{4E55F04B-D170-4f6d-8AF1-96EDB9A3EA9D}.exe

Filesize
216KB

MD5
6f3e5c39a2787756cbf917040d65fc80

SHA1
bbb5e59c5a857f6a4c74e13433f1946beb00685d

SHA256
82a378c4ba68ed7bbbe063f7a0e16a705e56fa6c983788c58c6348bfc01d292a

SHA512
73d850e1dcafc6246d873ebacbf08bb56742c95cb14babf08b572c90adfbe5d99e49d9ffe6e8b27cd498c3ba4110bde81efc2ab20ff36dacbe16802c60028700

Download Submit
C:\Windows\{6E5F711E-D57B-4d01-ABDA-557AB8F8707E}.exe

Filesize
216KB

MD5
7947c132502449ce58651428827ea0d1

SHA1
78e2e856969e4ecc6d1802c64d8d75e0a4d3c571

SHA256
1c61436873d5be649fa748b01472700805486f8b379f926c7a54a95222c7b08d

SHA512
deddb18006b488e136cdbf899c1a0e97e2fc9b661bd3a894ab775138e85541b29cee4e126ea57d58a060b126624279d086340236917d5a3a09d6718450430c70

Download Submit
C:\Windows\{721E369E-9ACB-4890-A2F7-5B88117CAE25}.exe

Filesize
216KB

MD5
1e1307f4f3868fa3471d03b80d59d40f

SHA1
a171df975ebaeb00fdc2bc4229e698d24780dd95

SHA256
0b69db3ef2c22d72f1b16064a9608b96cdc6d4f2afa782856050611140182366

SHA512
ac4f68552c03a80f7d6dec379c20f39b758410c9902836f121ed0e9cb2e7e5e878dbb21a2295ff8ebb052948e74dcfae5666e6abf6e061d096559164bf6ff949

Download Submit
C:\Windows\{8316EFD7-8942-475a-B3F4-96F981C55149}.exe

Filesize
216KB

MD5
922794193842e3b375d888504aad7ccb

SHA1
ddd46245297aa4214845dd2764b8597666888dc9

SHA256
583f29da8bfde39b019ca75227545921f7406fd7b304a9d4ec8c6b7f1c0b844c

SHA512
4a5157d9e4ae0a370b5be755cb947fb3933747fdaae88ba7014d8a54c49c596e8c0e7fe3d24ed949f7a4752c7c1f6b88faff49fb91f97d1282c6b40c4c73fbab

Download Submit
C:\Windows\{9C242268-C2AB-42b1-BD1E-147B9F0C4AD8}.exe

Filesize
216KB

MD5
df4f25ba2e6647279df7507dde73fbc4

SHA1
a1e8d87accaaf76989e78c606bd04e497c5bb140

SHA256
b8e84b773b36b44c0b62727c032ec1c599b20e383dcbe17db8f064387a3f14f5

SHA512
048a3084c8b2c1d9a88e15d15da623f15be51e887107c143dd2ba40e3ba254642d644c094a0912b033957ebce2d889ef776f352fc84fa7b6f8ad00be6ff2b5e3

Download Submit
C:\Windows\{B2C3DDCD-28D0-49a4-976F-685347471ECB}.exe

Filesize
216KB

MD5
dae6de088405bfb50b71ed53dfa37f9f

SHA1
5d76894c97513b53adf4dd13a1d79c07a409dfaa

SHA256
860b88cf3378d5c172584cfde229745a239ea5360c115649bd09556ca76b3480

SHA512
e867dc9dcf897c25c180abac897da74fbde424a0530a0de4191f16e43d9c92c80a5a2998e371b0d0b0ab2d69f1e35752899bc4c6e6cb799cbd724a811ec938fa

Download Submit
C:\Windows\{D139CDD0-AD3C-45bf-91CE-E50628A24EE4}.exe

Filesize
216KB

MD5
1bded5956937158acfff8cdce2653283

SHA1
849cb3a027f8b8171e76646905d9134ab5336ef4

SHA256
70cdab0b1cc0e968238a7cde4ed1bce15471d8bc3218707010acc9887cbb6d05

SHA512
dadd3d667462f710957aa9ba6e4ac0b1e429dd8aaf759bc99cfb1bd926dfa636e5028ad33d39b52cdbc0f7b5cfd75141aa8090aa6a9679c51f971f8af7623d53

Download Submit
C:\Windows\{DEB0C454-4AD7-4f20-918F-263BCE491809}.exe

Filesize
216KB

MD5
31f7e9e987fb1ad5d8c63303e505e1e8

SHA1
bfa0147c77da2c05ba261b7c472c918bfb1d35e5

SHA256
11a675609259a254bacf887651fc121407835e6b07955c05de5634dee4c7cb43

SHA512
33d02c1069bec4bbd0f4676d9be44f34d22441c1f604ec9ef53e379a6f48705d20d6ba156a6a41bd23fe9ac983d0ea6bc1e13a9cfaea14c642670345e9c6d499

Download Submit
C:\Windows\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe

Filesize
216KB

MD5
07116354133c0da9785887baf70ff87f

SHA1
5556f1242ef66e38b752d51984e235ecfc3b92d2

SHA256
96534c4e45eced71266e1c31549d48e88f0a22f7a7f35893e94ffb52bf2a1379

SHA512
9410a9f05a44bce7c9c18ddb837f77a906f4e41ad824de9a1d5199cd91e238ad531de8e046d77a83b5c64025521a474408a16f49aae255176be44cb932a9ab2a

Download Submit
C:\Windows\{E01994BF-5A8B-4ef5-B8E8-147F723B0FEE}.exe

Filesize
73KB

MD5
b3b7c3db3be8ae521a47445dd514a525

SHA1
5c4a635cee84ce59093d9ff840e45df327553102

SHA256
5baf579cac3f3c0794fa22dedf55c9939029aaf0ae986ad5bd7b6fddbd1fa878

SHA512
aebd4af5b9de93958047a322bafa74419631ba529f5001420f497f2c04a3aaf2a8b59f1dc2e03af07cd928876952744093dc3d6b76f935437f947a8dced1cbad

Download Submit
C:\Windows\{FD679FDD-9C2F-4e6f-992A-17E7EE29A7DF}.exe

Filesize
216KB

MD5
5644f241a1bcacb258c41caabdca5443

SHA1
ddf07f3d68dee28b911611cf27c01406ab5ec927

SHA256
7b7c35b308010d5171b5815daec9bf6921703b0bfd66c699a483d97d937d496f

SHA512
27e628a3c86571075a15ccae69df085d01dd19e6aaf899657b68b87e01c4534ce02b08203b0afe749e02878e4ae8cc7329905cddeffad503d57a0889a47ff701

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads