c2635f101a56c0c643b11815c9819924569751db7b524acd8ff6f3bcac984332

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
Size

408KB
MD5

0dc3faeb2f4e6f92019c6d3002a3fb25
SHA1

c409e6ae8f6d26909d6959de18999e5573d1df41
SHA256

c2635f101a56c0c643b11815c9819924569751db7b524acd8ff6f3bcac984332
SHA512

97be2953be4cb590d472edff4ab670c2ddb8be84ef3f2a36073de03c77ac8dd0f14a6bb7f0482f29c29d36777a11374f3dcab21c3c2b32ccda1dd8188aa88833
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023213-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023213-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023213-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002321a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}\stubpath = "C:\\Windows\\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe"	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{841BFDE9-3B74-40a8-9B65-6C93002DF204}	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{841BFDE9-3B74-40a8-9B65-6C93002DF204}\stubpath = "C:\\Windows\\{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe"	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4840422-62EB-4940-AF14-912C70550E64}	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}	{E4840422-62EB-4940-AF14-912C70550E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}\stubpath = "C:\\Windows\\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe"	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A949E324-4FF6-4a78-97AB-64B6328F964A}\stubpath = "C:\\Windows\\{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe"	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363AAF28-4A03-4d55-9921-2022613B7F79}	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4840422-62EB-4940-AF14-912C70550E64}\stubpath = "C:\\Windows\\{E4840422-62EB-4940-AF14-912C70550E64}.exe"	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}\stubpath = "C:\\Windows\\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe"	{E4840422-62EB-4940-AF14-912C70550E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}\stubpath = "C:\\Windows\\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe"	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}\stubpath = "C:\\Windows\\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe"	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A949E324-4FF6-4a78-97AB-64B6328F964A}	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}\stubpath = "C:\\Windows\\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe"	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}\stubpath = "C:\\Windows\\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe"	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363AAF28-4A03-4d55-9921-2022613B7F79}\stubpath = "C:\\Windows\\{363AAF28-4A03-4d55-9921-2022613B7F79}.exe"	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}	{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}\stubpath = "C:\\Windows\\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe"	{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe

Executes dropped EXE 12 IoCs

pid	Process
4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe
1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
2420	{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe
1080	{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe	{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe
File created	C:\Windows\{E4840422-62EB-4940-AF14-912C70550E64}.exe	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
File created	C:\Windows\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	{E4840422-62EB-4940-AF14-912C70550E64}.exe
File created	C:\Windows\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
File created	C:\Windows\{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
File created	C:\Windows\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
File created	C:\Windows\{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
File created	C:\Windows\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
File created	C:\Windows\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
File created	C:\Windows\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
File created	C:\Windows\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
File created	C:\Windows\{363AAF28-4A03-4d55-9921-2022613B7F79}.exe	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe
Token: SeIncBasePriorityPrivilege	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
Token: SeIncBasePriorityPrivilege	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
Token: SeIncBasePriorityPrivilege	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
Token: SeIncBasePriorityPrivilege	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
Token: SeIncBasePriorityPrivilege	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
Token: SeIncBasePriorityPrivilege	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
Token: SeIncBasePriorityPrivilege	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
Token: SeIncBasePriorityPrivilege	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
Token: SeIncBasePriorityPrivilege	4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
Token: SeIncBasePriorityPrivilege	2420	{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4316	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	95
PID 3116 wrote to memory of 4316	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	95
PID 3116 wrote to memory of 4316	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	95
PID 3116 wrote to memory of 1472	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	96
PID 3116 wrote to memory of 1472	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	96
PID 3116 wrote to memory of 1472	3116	2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe	96
PID 4316 wrote to memory of 1996	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	97
PID 4316 wrote to memory of 1996	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	97
PID 4316 wrote to memory of 1996	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	97
PID 4316 wrote to memory of 2924	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	98
PID 4316 wrote to memory of 2924	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	98
PID 4316 wrote to memory of 2924	4316	{E4840422-62EB-4940-AF14-912C70550E64}.exe	98
PID 1996 wrote to memory of 2312	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	101
PID 1996 wrote to memory of 2312	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	101
PID 1996 wrote to memory of 2312	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	101
PID 1996 wrote to memory of 2720	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	100
PID 1996 wrote to memory of 2720	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	100
PID 1996 wrote to memory of 2720	1996	{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe	100
PID 2312 wrote to memory of 4520	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	102
PID 2312 wrote to memory of 4520	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	102
PID 2312 wrote to memory of 4520	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	102
PID 2312 wrote to memory of 3576	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	103
PID 2312 wrote to memory of 3576	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	103
PID 2312 wrote to memory of 3576	2312	{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe	103
PID 4520 wrote to memory of 4908	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	104
PID 4520 wrote to memory of 4908	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	104
PID 4520 wrote to memory of 4908	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	104
PID 4520 wrote to memory of 4844	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	105
PID 4520 wrote to memory of 4844	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	105
PID 4520 wrote to memory of 4844	4520	{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe	105
PID 4908 wrote to memory of 4924	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	106
PID 4908 wrote to memory of 4924	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	106
PID 4908 wrote to memory of 4924	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	106
PID 4908 wrote to memory of 4484	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	107
PID 4908 wrote to memory of 4484	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	107
PID 4908 wrote to memory of 4484	4908	{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe	107
PID 4924 wrote to memory of 4804	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	108
PID 4924 wrote to memory of 4804	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	108
PID 4924 wrote to memory of 4804	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	108
PID 4924 wrote to memory of 4412	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	109
PID 4924 wrote to memory of 4412	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	109
PID 4924 wrote to memory of 4412	4924	{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe	109
PID 4804 wrote to memory of 1248	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	110
PID 4804 wrote to memory of 1248	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	110
PID 4804 wrote to memory of 1248	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	110
PID 4804 wrote to memory of 4684	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	111
PID 4804 wrote to memory of 4684	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	111
PID 4804 wrote to memory of 4684	4804	{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe	111
PID 1248 wrote to memory of 3388	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	112
PID 1248 wrote to memory of 3388	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	112
PID 1248 wrote to memory of 3388	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	112
PID 1248 wrote to memory of 3772	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	113
PID 1248 wrote to memory of 3772	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	113
PID 1248 wrote to memory of 3772	1248	{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe	113
PID 3388 wrote to memory of 4960	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	114
PID 3388 wrote to memory of 4960	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	114
PID 3388 wrote to memory of 4960	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	114
PID 3388 wrote to memory of 4672	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	115
PID 3388 wrote to memory of 4672	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	115
PID 3388 wrote to memory of 4672	3388	{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe	115
PID 4960 wrote to memory of 2420	4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe	117
PID 4960 wrote to memory of 2420	4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe	117
PID 4960 wrote to memory of 2420	4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe	117
PID 4960 wrote to memory of 688	4960	{363AAF28-4A03-4d55-9921-2022613B7F79}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_0dc3faeb2f4e6f92019c6d3002a3fb25_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\{E4840422-62EB-4940-AF14-912C70550E64}.exe
  C:\Windows\{E4840422-62EB-4940-AF14-912C70550E64}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
    C:\Windows\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CBEC~1.EXE > nul
      4⤵
      PID:2720
  - - C:\Windows\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
      C:\Windows\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
        
        C:\Windows\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
        
        C:\Windows\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
        
        C:\Windows\{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
        
        C:\Windows\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
        
        C:\Windows\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
        
        C:\Windows\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
        
        C:\Windows\{363AAF28-4A03-4d55-9921-2022613B7F79}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{363AA~1.EXE > nul
        12⤵
        
        PID:688
        
        C:\Windows\{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe
        
        C:\Windows\{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe
        
        C:\Windows\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe
        13⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{841BF~1.EXE > nul
        13⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94189~1.EXE > nul
        11⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AAE3~1.EXE > nul
        10⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01DF9~1.EXE > nul
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A949E~1.EXE > nul
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{862DC~1.EXE > nul
        7⤵
        
        PID:4484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{908A1~1.EXE > nul
        6⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23F68~1.EXE > nul
        5⤵
        
        PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4840~1.EXE > nul
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01DF9F0D-99A3-4a14-AF05-F45FD4202337}.exe

Filesize
408KB

MD5
19a53fcbb7ff4537bb7facbd5fbea2e2

SHA1
b90d7ed2875036736df23195762eb44998f6f587

SHA256
a981c2dc32d514581f61ad8f8928298429db2dc4456380676c76e65fa8f53cce

SHA512
911c47f3a8d689dc2b23eb2bc23144c38ca86ef28703cefe0081eca8a2f5ec0e4d1e3a405258c1e25f4ba65d91b2569bc7116b75d9dc82c693563e5548fb8c3d

Download Submit
C:\Windows\{1CBECB5D-E3D5-42d9-8117-4F5A077A12C0}.exe

Filesize
408KB

MD5
f4f9346e04ce5130aa17d9ee887f1adf

SHA1
35a533769041ac05493f0bcbbd935e362b632314

SHA256
906d84ce1e1510c07483e3baacdbd01744f0807d766f2120fca1c23533c4cd03

SHA512
d501b751b4e9b1919ea70c3d50c35b8603c12c7f7273533956088fbcae0049ced45887a138376be435e0d24e43470d0e540a601fc247702a059aa5775642a17f

Download Submit
C:\Windows\{23F680F1-E3AE-4124-BCFD-C0CF062799C7}.exe

Filesize
408KB

MD5
6893b3bdadbdba3d72a8357505c06741

SHA1
ede7591bb750da3ffa49b583025f6abc55c8896b

SHA256
5aa3851f194717e42c9c7d8eea3550639a8cc032c74be74c43577b6ddf68911e

SHA512
674f5219f4b259f6a5734d346aa5771f6fdc7d10bdf4772cd522ac62dad7a6267e70f45b35faf5e9ef58b62e518a2b849dbce6a83323af9d40845833eb761fef

Download Submit
C:\Windows\{363AAF28-4A03-4d55-9921-2022613B7F79}.exe

Filesize
408KB

MD5
4f66c9814e3dba285a0ba980602d527d

SHA1
ed810d9671190ce1ba6bf8e79e8004af32f9b50f

SHA256
5708cc53e99ad444331976b3145406c097d4d075112ca094911b912009dd24b7

SHA512
54169761db267ca22e9d351addf8494ab25695826957db32bcc06f165295b58210d0d0044446f605a35e83ed338ca1d83c27a2cf8b0035b93d240e7031a7fdcb

Download Submit
C:\Windows\{3AAE3AF2-2943-4875-85D0-54BC8B5D66B4}.exe

Filesize
408KB

MD5
fc9cb578ae9b4625d8ffc193d5abbb65

SHA1
c611a97272675f5c16f5fe4ef42a750348dbbf49

SHA256
bbf724928cd6bfe95ba1dca4d7509cbd99d8e0caff21f3a899e6daca64922483

SHA512
72014268229cf8c09d704f6f4ddde26bf733d9b4ada4e71612896b95cecc2dfca1a2ebd4187ee46cd5902a4e1d3d1a8c15cbed5ce00d4d578c1a0cccd8a13b04

Download Submit
C:\Windows\{841BFDE9-3B74-40a8-9B65-6C93002DF204}.exe

Filesize
408KB

MD5
4840508fbe1a54989bf42ab9f4f7aff6

SHA1
bad1f4e3f18e1f7507dd004d9292804bb00b189a

SHA256
1fa74b4c7f5b8e58c0eb818faae2eb05a6361dd94b553b41a00c93a50de9b173

SHA512
935dba50b22cc0822f0947dc4a6ae0c60622dd52b68b2e3566f27f598a83ebe96b4d0db2eb424de2631d8a89a935aa20ca007348484ca0f2a85fda50d9d691e2

Download Submit
C:\Windows\{862DC0B2-99D0-4b2c-8F1F-BE71D4553BE6}.exe

Filesize
408KB

MD5
943f4be1bdb168d48ee46572997297a9

SHA1
62541616b49242a42226807a03a279f8d1de57b9

SHA256
012b066d7c6a7465778d5eca2ac5448f317ed660b99dcc270d1572b069a60130

SHA512
ac65f9b4fb8f8dbc80b34268fd199f34a66aab7a8ef31702d9724009796ffca76246a068e69d3c66622095deb391b5633d3acfed06992c8847cced6baebd12f0

Download Submit
C:\Windows\{908A1702-2497-4534-A7C9-2B81BD2AB8C0}.exe

Filesize
408KB

MD5
895ec5d9b54ca421408fefb22bbc4fee

SHA1
fca2c8a423582f80c3ffe93443dd43398d4786d7

SHA256
ace90a9dd41aea6d92606fd322454a00343fea34198fe4c4967571ebe7e3e803

SHA512
6af0de075c6d05ac2491c64b51407bff8a31fb3635a5aa545f5bf035f42e4a8567eead8837513882d2448f873777c4d164800b8c75171c6b5dfb922739eeea5d

Download Submit
C:\Windows\{941897A7-3A25-4f0c-9F4B-2501EAF3CCBF}.exe

Filesize
408KB

MD5
c303f8531439d6b9554e9e8152d19135

SHA1
c0506eb1e7ff33b388e25ae67609c1d3b92ad2ae

SHA256
d39e03fc3cb0316af1a91c7d30dfa3efd1371d62d6c8189298e97b176aaaac41

SHA512
a37b8abca637907f8d298073b8f8ccba888df06be2656e4a7142cc50060ecbe40a7161cc94333fb18f5e3fe2d88f477159555505520fa59b54ce8bf77ccc3341

Download Submit
C:\Windows\{A949E324-4FF6-4a78-97AB-64B6328F964A}.exe

Filesize
408KB

MD5
2615599cb86a6be967aa002a6c597923

SHA1
db68f70c953a7acfa476a0ec4dd3c01f53c7cbd0

SHA256
e69075e6d36bda49d21a657f218f4be62307bdbcb912c2b5f46970f89937ab11

SHA512
5fde3c71538e1bd10c5fe001889685e5dab3a0a4d712c1fa8fa466a9167b1fd0806d69e67e71b0c5c4269fd38fa02ec5c424a7f5ee4646d34c46ad403ea79d80

Download Submit
C:\Windows\{B92D3C2A-C530-4799-96D0-AD3C4FFB5A45}.exe

Filesize
408KB

MD5
0492ed7b83ac7c217ae383f21ce724f8

SHA1
32caff7a567487f9db53c09071a9e1b4c0d679c6

SHA256
2b140acbfa0aa1d110aa35eb8c2e1df1316777b65498e663a30dad9867865f9e

SHA512
7c939cf02294e786e9a2d8f14c9a15f9749ac5a6b607f1b92e7a5bf25946a81a28cde4b7250dc7c03e7191aafefe563457ce8693d15e8ad66f6662b1f0a8f955

Download Submit
C:\Windows\{E4840422-62EB-4940-AF14-912C70550E64}.exe

Filesize
408KB

MD5
93056e04254f33739fd45a8850a11aae

SHA1
877c89b31468b167edc49ca491dfde841467b7db

SHA256
c3a5e5fe2dc9c668b8ef2d3cb902d6b13e29553a0746d5391b8ef1a0cef31dd5

SHA512
2409e09d2d2fb52d6754689d9a5b314d4b9234d16ab31999ddca93c0a52fb7943bb839b67270deb33254f19b633e7c2035636315f83e47cd9d84429c91a60e33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads