e5d1096b008ffdcc194c0d5fb5bd954d84f30d70f2fbef37fd1a2a206cb0fb6d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 04:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
Size

408KB
MD5

e8d49a719c47bb00e75f132f16742a49
SHA1

2c043d4b776e767e3368c59eb5ae4823d0b7d6ae
SHA256

e5d1096b008ffdcc194c0d5fb5bd954d84f30d70f2fbef37fd1a2a206cb0fb6d
SHA512

60831a4c0dd8682d2b5902e6f76a28607e0f574fc146719772e96bbd2aed5a389e3b53cc54fcc638ee1367418b6ced45333e341ec37cfddf76bf4b85cc31da92
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f8-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023204-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19472EEA-6203-43d0-93E8-2B94A7675EE1}	{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}\stubpath = "C:\\Windows\\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe"	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}\stubpath = "C:\\Windows\\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe"	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2843D755-184E-4bd9-B445-F570F05D5043}	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}\stubpath = "C:\\Windows\\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe"	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D67957-14C1-4c16-A387-FB6815BDA663}\stubpath = "C:\\Windows\\{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe"	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19472EEA-6203-43d0-93E8-2B94A7675EE1}\stubpath = "C:\\Windows\\{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe"	{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}\stubpath = "C:\\Windows\\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe"	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{791BACB5-1A62-4f70-86BD-335204F9A78B}	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{791BACB5-1A62-4f70-86BD-335204F9A78B}\stubpath = "C:\\Windows\\{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe"	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}\stubpath = "C:\\Windows\\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe"	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}	{2843D755-184E-4bd9-B445-F570F05D5043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}\stubpath = "C:\\Windows\\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe"	{2843D755-184E-4bd9-B445-F570F05D5043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}\stubpath = "C:\\Windows\\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe"	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2843D755-184E-4bd9-B445-F570F05D5043}\stubpath = "C:\\Windows\\{2843D755-184E-4bd9-B445-F570F05D5043}.exe"	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D67957-14C1-4c16-A387-FB6815BDA663}	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}\stubpath = "C:\\Windows\\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe"	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe

Executes dropped EXE 12 IoCs

pid	Process
2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe
3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
2216	{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe
1344	{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
File created	C:\Windows\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
File created	C:\Windows\{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
File created	C:\Windows\{2843D755-184E-4bd9-B445-F570F05D5043}.exe	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
File created	C:\Windows\{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
File created	C:\Windows\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
File created	C:\Windows\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
File created	C:\Windows\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
File created	C:\Windows\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
File created	C:\Windows\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	{2843D755-184E-4bd9-B445-F570F05D5043}.exe
File created	C:\Windows\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
File created	C:\Windows\{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe	{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
Token: SeIncBasePriorityPrivilege	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
Token: SeIncBasePriorityPrivilege	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
Token: SeIncBasePriorityPrivilege	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
Token: SeIncBasePriorityPrivilege	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
Token: SeIncBasePriorityPrivilege	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
Token: SeIncBasePriorityPrivilege	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
Token: SeIncBasePriorityPrivilege	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe
Token: SeIncBasePriorityPrivilege	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
Token: SeIncBasePriorityPrivilege	3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
Token: SeIncBasePriorityPrivilege	2216	{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2976	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	95
PID 4192 wrote to memory of 2976	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	95
PID 4192 wrote to memory of 2976	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	95
PID 4192 wrote to memory of 3876	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	96
PID 4192 wrote to memory of 3876	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	96
PID 4192 wrote to memory of 3876	4192	2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe	96
PID 2976 wrote to memory of 1380	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	97
PID 2976 wrote to memory of 1380	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	97
PID 2976 wrote to memory of 1380	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	97
PID 2976 wrote to memory of 3716	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	98
PID 2976 wrote to memory of 3716	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	98
PID 2976 wrote to memory of 3716	2976	{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe	98
PID 1380 wrote to memory of 1636	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	100
PID 1380 wrote to memory of 1636	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	100
PID 1380 wrote to memory of 1636	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	100
PID 1380 wrote to memory of 708	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	101
PID 1380 wrote to memory of 708	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	101
PID 1380 wrote to memory of 708	1380	{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe	101
PID 1636 wrote to memory of 1700	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	102
PID 1636 wrote to memory of 1700	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	102
PID 1636 wrote to memory of 1700	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	102
PID 1636 wrote to memory of 1368	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	103
PID 1636 wrote to memory of 1368	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	103
PID 1636 wrote to memory of 1368	1636	{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe	103
PID 1700 wrote to memory of 1176	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	104
PID 1700 wrote to memory of 1176	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	104
PID 1700 wrote to memory of 1176	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	104
PID 1700 wrote to memory of 3440	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	105
PID 1700 wrote to memory of 3440	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	105
PID 1700 wrote to memory of 3440	1700	{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe	105
PID 1176 wrote to memory of 3048	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	107
PID 1176 wrote to memory of 3048	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	107
PID 1176 wrote to memory of 3048	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	107
PID 1176 wrote to memory of 5084	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	106
PID 1176 wrote to memory of 5084	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	106
PID 1176 wrote to memory of 5084	1176	{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe	106
PID 3048 wrote to memory of 3432	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	108
PID 3048 wrote to memory of 3432	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	108
PID 3048 wrote to memory of 3432	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	108
PID 3048 wrote to memory of 5092	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	109
PID 3048 wrote to memory of 5092	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	109
PID 3048 wrote to memory of 5092	3048	{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe	109
PID 3432 wrote to memory of 4352	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	110
PID 3432 wrote to memory of 4352	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	110
PID 3432 wrote to memory of 4352	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	110
PID 3432 wrote to memory of 1372	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	111
PID 3432 wrote to memory of 1372	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	111
PID 3432 wrote to memory of 1372	3432	{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe	111
PID 4352 wrote to memory of 3684	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	112
PID 4352 wrote to memory of 3684	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	112
PID 4352 wrote to memory of 3684	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	112
PID 4352 wrote to memory of 2708	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	113
PID 4352 wrote to memory of 2708	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	113
PID 4352 wrote to memory of 2708	4352	{2843D755-184E-4bd9-B445-F570F05D5043}.exe	113
PID 3684 wrote to memory of 3328	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	114
PID 3684 wrote to memory of 3328	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	114
PID 3684 wrote to memory of 3328	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	114
PID 3684 wrote to memory of 2980	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	115
PID 3684 wrote to memory of 2980	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	115
PID 3684 wrote to memory of 2980	3684	{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe	115
PID 3328 wrote to memory of 2216	3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe	116
PID 3328 wrote to memory of 2216	3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe	116
PID 3328 wrote to memory of 2216	3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe	116
PID 3328 wrote to memory of 3576	3328	{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_e8d49a719c47bb00e75f132f16742a49_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
  C:\Windows\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
    C:\Windows\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
      C:\Windows\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
        
        C:\Windows\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
        
        C:\Windows\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2976C~1.EXE > nul
        7⤵
        
        PID:5084
        
        C:\Windows\{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
        
        C:\Windows\{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
        
        C:\Windows\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{2843D755-184E-4bd9-B445-F570F05D5043}.exe
        
        C:\Windows\{2843D755-184E-4bd9-B445-F570F05D5043}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
        
        C:\Windows\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
        
        C:\Windows\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe
        
        C:\Windows\{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe
        
        C:\Windows\{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D67~1.EXE > nul
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B842~1.EXE > nul
        12⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B542~1.EXE > nul
        11⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2843D~1.EXE > nul
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BE8C~1.EXE > nul
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{791BA~1.EXE > nul
        8⤵
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F615~1.EXE > nul
        6⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A658E~1.EXE > nul
        5⤵
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBCB4~1.EXE > nul
      4⤵
      PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6890~1.EXE > nul
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19472EEA-6203-43d0-93E8-2B94A7675EE1}.exe

Filesize
408KB

MD5
16e217e4b6bde24216b187d450748ea1

SHA1
8434c27100f48602f48f467bb29245ce7de2aa81

SHA256
ab37fc15b90642970567dc40ef8a4f3352557f05eafaf9dea035f0f38e63ad88

SHA512
489aa3f17e91bcd0752d320404ae2fab0708f77451429e1a7d8ada06d955574a411a42fd40604807a2eef42de01d191f5ff346318b48044423b97252a594ab06

Download Submit
C:\Windows\{2843D755-184E-4bd9-B445-F570F05D5043}.exe

Filesize
408KB

MD5
b3f65e7e43b1405792e681335423a887

SHA1
76b77cfb21643e96ada1f31784ed5c5a25c0be45

SHA256
b33b07d3d56d0dd6d1c546b2987ee39ba7a9bf92dd3d697a2b19b2c4fd5e7843

SHA512
3e105d4c6e8a385225dd0fe9f1f3494dab449538ec2175a8191cb571e77a6b537c7e98516e54d1ac820313d625ae41f3dd8fa5e6dd219c8efea86f010ec10d4f

Download Submit
C:\Windows\{2976CC8E-9CBB-4934-B1A6-0114C4F89925}.exe

Filesize
408KB

MD5
2e262dd2f23a459aeb24a5628e3c95c7

SHA1
b35bc1c0e895652ced4fb27ba43d1242df2101d7

SHA256
3759c59ac8bb167b868af3249a7ce921aab95c597acf6bb73668673c7db5e70c

SHA512
3fd474b1c3ee2d2b7bef2382d6796d33d9e000dc9240a8aa1ac4e92ffa4ee1d8c8cd2f22538b7aaa0bfa05c670f9330e2e21cda1cf7cace4e9b2c9cd5c7398b6

Download Submit
C:\Windows\{2B5421BE-30F7-4c81-9721-6D12578BDCBF}.exe

Filesize
408KB

MD5
f4c92b3266b087534cec729314f7903b

SHA1
bcfae12960f3a73275439da45ffe81e9ad252d4a

SHA256
36825873d3765300663e1307c751fa983b1980f1ced6ea4789e0d02b07d8c34a

SHA512
46291569eb346ee1bd7996f31d7d6f1cea515e48e8d625d31f49ca05274943634ac494c3816fda6da5a65808d05337561a756edc75f84a1159421bf50e30b945

Download Submit
C:\Windows\{2B842997-2FB6-4e7d-8135-10E3DCFA2E61}.exe

Filesize
408KB

MD5
61258963fd768c66d356378fc9b438a3

SHA1
9c2210ba553870642bbd4c3173e87d03e4173e9b

SHA256
44b80f08dd90d9e9e6c18aaaf960a1b4de6f30a986f2b7b8985a20491491fafd

SHA512
d7287265ceda7397db91314d512f90b7fcfce1256e8b20e4efd35b4396b69251e3f84fb21974713fdb91fa8086e14d55fc0675c66fe388778b6588976461c0a9

Download Submit
C:\Windows\{2F61514B-3506-4d0b-8F7C-57C5B6D4F749}.exe

Filesize
408KB

MD5
6999de1976b3c063b3a97856d2dbd91b

SHA1
0f97e71d5d62a3ea3d3a4c6d4d6bc8ac77969d73

SHA256
424e99d5badf5ccb57da0404209bc95d0c73e20ca3b51e11ffb20fdf98b040a5

SHA512
b497fcc56b450214b257f5d83eff3cd92380105c9127bab2dd5cf5be308e093d67334ca14f2da97b20a0a35d9745e5fdca338b6c820e65daa17c4d7304c82252

Download Submit
C:\Windows\{4BE8CD7F-C7E0-41ca-BCF9-127294D270D0}.exe

Filesize
408KB

MD5
184d75f92fe25e224ed9073c2f84ee91

SHA1
2fb4edb853d3e15fea2411a55fb85ce66495a826

SHA256
a291f7760d272d826b33e3f206b6f7528242260bcbe1af2f8e066befac61af53

SHA512
3a7af9a426ffb3c4e6b4b2a72d01bc46892fbe245452ce9fbddc9e37ca58b8cefd59280c560fdbf49c80383fc51e7d86420b6e8a6bc52400250d49bc7fc85cd1

Download Submit
C:\Windows\{791BACB5-1A62-4f70-86BD-335204F9A78B}.exe

Filesize
408KB

MD5
081b6aa75f3b236619e2f48a357961bd

SHA1
26b60567ba549b3fce984ffae651762829dcded0

SHA256
ffae4a470e281a8f6b46bba69b6c769500a889e00f74a3f3a011f64930067cb6

SHA512
acb2fde3a77f3d64a84b2b7e39b5585102ff6e1f6bf9de2162d6698baadf7bf74817fe7bcfe7e978f962404e4ae5644784157517a9078e2be93deb8d7b581956

Download Submit
C:\Windows\{A658E3F4-FD8E-4a83-A5A9-742659EAECCA}.exe

Filesize
408KB

MD5
b38ae7970e20d28b7197faf03152d0f4

SHA1
6200cfd0fe4d6061dae8b3ff3a6622d77da32125

SHA256
c6353e2c69a58a5e80e12a494114d2993cd22e1d1e145c4e8b4162b5090a5868

SHA512
94a7d5abd5858bc755cfb74a53114644423e9ec8cb3919f50862f95fed077aff0808d028dbacdadbc514a751b9a2e6c53da95b61e6e2981c125fda5239e74c25

Download Submit
C:\Windows\{C6890CD3-3388-42f8-99E9-5DA18B8C7EDA}.exe

Filesize
408KB

MD5
7f0351ce3737ffa8df0b9f084892487e

SHA1
3cc44013255bb5d2c8d99ff654af3f7119b4d6b4

SHA256
a9daa054d96eba49c3a8a6bc67c7330f423f71d3800d6c30a09aaea1e21b3a10

SHA512
bde3cf5c1303386f9f77312d6bd80d8e48e23e122ace793735a332321fbb43a66326c168ea59f90063b0b3afab3c6d98bc1ff21caede696d99681c669db1ebe9

Download Submit
C:\Windows\{E2D67957-14C1-4c16-A387-FB6815BDA663}.exe

Filesize
408KB

MD5
8ec5dd976ef4a8a2253aaf1e393e05d0

SHA1
5334397ee5b902c2364faa2eed1d644dd6df4996

SHA256
f81ad67994505a750864ad7aebb02f9138ec4ca9a78af41abf2be82743eb22db

SHA512
2634931c632242877aefbeaf90db3ee43bf1bb5fc5943affe57dac9951008d65340b96bc6f3e75148e65394f181ebb9857aa006337c2cfa26017a8dca70a81b8

Download Submit
C:\Windows\{EBCB47BE-8F6B-40eb-A035-AEB61C65E108}.exe

Filesize
408KB

MD5
f2dedc8a614c9a1b32acceee2f5e1ad3

SHA1
0422ef9313dc93c012f5a585cf3600b87db1a250

SHA256
96f28e8cff9d61131354626db586f2b321a4c3d3c026459ba30ab52df735830b

SHA512
9f4bc83c2fa9dcbd36a40a7190e9c6c2490d3ac29c9dd9339d49c22711dc6db98aaebbd4567c8170ffb9fdd382c1c1793323535be007878a508771cf35ca3929

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads