0821af32da8909170e7ee4aa08b09631b18c0b77b63a8c1440b8674b582c3d3d

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Size

408KB
MD5

93ee1ef4d187c0d866d4679df4c802cf
SHA1

addd362847360c7958ee8f4464d4ed6317d9cc60
SHA256

0821af32da8909170e7ee4aa08b09631b18c0b77b63a8c1440b8674b582c3d3d
SHA512

abe47ec1c726740c4e1be55e777a950eea70d1dcc545e65244fd580d400a49b030d7c456519176064ff86bde07c57a014ed3a506306a65aeb67e939e6943ebe7
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGNldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x001000000002321c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023215-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023223-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023215-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e70-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021e71-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021e70-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7A28D90-1292-4fcb-8039-4DAC530DC456}\stubpath = "C:\\Windows\\{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe"	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129146F5-560F-4c35-9278-92900E56CAC2}	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}\stubpath = "C:\\Windows\\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe"	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4394C213-38E3-4bf2-B933-33D756F02887}\stubpath = "C:\\Windows\\{4394C213-38E3-4bf2-B933-33D756F02887}.exe"	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}	{4394C213-38E3-4bf2-B933-33D756F02887}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}\stubpath = "C:\\Windows\\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe"	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417286FB-9E40-4968-B438-4B1A419C9E78}	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7A28D90-1292-4fcb-8039-4DAC530DC456}	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}	{129146F5-560F-4c35-9278-92900E56CAC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4394C213-38E3-4bf2-B933-33D756F02887}	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}\stubpath = "C:\\Windows\\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe"	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}	{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}\stubpath = "C:\\Windows\\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe"	{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}\stubpath = "C:\\Windows\\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe"	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129146F5-560F-4c35-9278-92900E56CAC2}\stubpath = "C:\\Windows\\{129146F5-560F-4c35-9278-92900E56CAC2}.exe"	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}\stubpath = "C:\\Windows\\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe"	{129146F5-560F-4c35-9278-92900E56CAC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}\stubpath = "C:\\Windows\\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe"	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}\stubpath = "C:\\Windows\\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe"	{4394C213-38E3-4bf2-B933-33D756F02887}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{417286FB-9E40-4968-B438-4B1A419C9E78}\stubpath = "C:\\Windows\\{417286FB-9E40-4968-B438-4B1A419C9E78}.exe"	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe
1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe
1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
3516	{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
4852	{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
File created	C:\Windows\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
File created	C:\Windows\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
File created	C:\Windows\{417286FB-9E40-4968-B438-4B1A419C9E78}.exe	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
File created	C:\Windows\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	{129146F5-560F-4c35-9278-92900E56CAC2}.exe
File created	C:\Windows\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
File created	C:\Windows\{4394C213-38E3-4bf2-B933-33D756F02887}.exe	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
File created	C:\Windows\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	{4394C213-38E3-4bf2-B933-33D756F02887}.exe
File created	C:\Windows\{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
File created	C:\Windows\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe	{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
File created	C:\Windows\{129146F5-560F-4c35-9278-92900E56CAC2}.exe	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
File created	C:\Windows\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe
Token: SeIncBasePriorityPrivilege	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
Token: SeIncBasePriorityPrivilege	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
Token: SeIncBasePriorityPrivilege	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
Token: SeIncBasePriorityPrivilege	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
Token: SeIncBasePriorityPrivilege	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe
Token: SeIncBasePriorityPrivilege	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
Token: SeIncBasePriorityPrivilege	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
Token: SeIncBasePriorityPrivilege	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
Token: SeIncBasePriorityPrivilege	1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
Token: SeIncBasePriorityPrivilege	3516	{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3248	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	97
PID 4904 wrote to memory of 3248	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	97
PID 4904 wrote to memory of 3248	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	97
PID 4904 wrote to memory of 2584	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	98
PID 4904 wrote to memory of 2584	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	98
PID 4904 wrote to memory of 2584	4904	2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe	98
PID 3248 wrote to memory of 1676	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	99
PID 3248 wrote to memory of 1676	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	99
PID 3248 wrote to memory of 1676	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	99
PID 3248 wrote to memory of 1548	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	100
PID 3248 wrote to memory of 1548	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	100
PID 3248 wrote to memory of 1548	3248	{129146F5-560F-4c35-9278-92900E56CAC2}.exe	100
PID 1676 wrote to memory of 4080	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	103
PID 1676 wrote to memory of 4080	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	103
PID 1676 wrote to memory of 4080	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	103
PID 1676 wrote to memory of 4308	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	102
PID 1676 wrote to memory of 4308	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	102
PID 1676 wrote to memory of 4308	1676	{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe	102
PID 4080 wrote to memory of 3496	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	104
PID 4080 wrote to memory of 3496	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	104
PID 4080 wrote to memory of 3496	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	104
PID 4080 wrote to memory of 4856	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	105
PID 4080 wrote to memory of 4856	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	105
PID 4080 wrote to memory of 4856	4080	{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe	105
PID 3496 wrote to memory of 3732	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	106
PID 3496 wrote to memory of 3732	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	106
PID 3496 wrote to memory of 3732	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	106
PID 3496 wrote to memory of 2424	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	107
PID 3496 wrote to memory of 2424	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	107
PID 3496 wrote to memory of 2424	3496	{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe	107
PID 3732 wrote to memory of 812	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	108
PID 3732 wrote to memory of 812	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	108
PID 3732 wrote to memory of 812	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	108
PID 3732 wrote to memory of 116	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	109
PID 3732 wrote to memory of 116	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	109
PID 3732 wrote to memory of 116	3732	{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe	109
PID 812 wrote to memory of 1552	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	110
PID 812 wrote to memory of 1552	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	110
PID 812 wrote to memory of 1552	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	110
PID 812 wrote to memory of 4388	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	111
PID 812 wrote to memory of 4388	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	111
PID 812 wrote to memory of 4388	812	{4394C213-38E3-4bf2-B933-33D756F02887}.exe	111
PID 1552 wrote to memory of 2300	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	112
PID 1552 wrote to memory of 2300	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	112
PID 1552 wrote to memory of 2300	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	112
PID 1552 wrote to memory of 4428	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	113
PID 1552 wrote to memory of 4428	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	113
PID 1552 wrote to memory of 4428	1552	{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe	113
PID 2300 wrote to memory of 2788	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	114
PID 2300 wrote to memory of 2788	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	114
PID 2300 wrote to memory of 2788	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	114
PID 2300 wrote to memory of 4452	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	115
PID 2300 wrote to memory of 4452	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	115
PID 2300 wrote to memory of 4452	2300	{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe	115
PID 2788 wrote to memory of 1352	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	116
PID 2788 wrote to memory of 1352	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	116
PID 2788 wrote to memory of 1352	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	116
PID 2788 wrote to memory of 2356	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	117
PID 2788 wrote to memory of 2356	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	117
PID 2788 wrote to memory of 2356	2788	{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe	117
PID 1352 wrote to memory of 3516	1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe	118
PID 1352 wrote to memory of 3516	1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe	118
PID 1352 wrote to memory of 3516	1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe	118
PID 1352 wrote to memory of 1084	1352	{417286FB-9E40-4968-B438-4B1A419C9E78}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_93ee1ef4d187c0d866d4679df4c802cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\{129146F5-560F-4c35-9278-92900E56CAC2}.exe
  C:\Windows\{129146F5-560F-4c35-9278-92900E56CAC2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
    C:\Windows\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1FAB~1.EXE > nul
      4⤵
      PID:4308
  - - C:\Windows\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
      C:\Windows\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
        
        C:\Windows\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
        
        C:\Windows\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{4394C213-38E3-4bf2-B933-33D756F02887}.exe
        
        C:\Windows\{4394C213-38E3-4bf2-B933-33D756F02887}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
        
        C:\Windows\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
        
        C:\Windows\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
        
        C:\Windows\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
        
        C:\Windows\{417286FB-9E40-4968-B438-4B1A419C9E78}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
        
        C:\Windows\{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe
        
        C:\Windows\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe
        13⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7A28~1.EXE > nul
        13⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41728~1.EXE > nul
        12⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E53CD~1.EXE > nul
        11⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{986FA~1.EXE > nul
        10⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADA74~1.EXE > nul
        9⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4394C~1.EXE > nul
        8⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86653~1.EXE > nul
        7⤵
        
        PID:116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAE7B~1.EXE > nul
        6⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E25B~1.EXE > nul
        5⤵
        
        PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12914~1.EXE > nul
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{129146F5-560F-4c35-9278-92900E56CAC2}.exe

Filesize
408KB

MD5
93cc6b8b15742c48bc94b291c02fb51f

SHA1
ecffcb21f5452b071bb2558f982ce199d8b75f06

SHA256
f6a56c6534b55475b41c0a811ad05db8dd5b2b2cc0b598cd60035bef9e265a1c

SHA512
fd7ac1b2e2e8af24b1e369e2dff12b4020c162e9fe94057f9b08a2078565fb923ae867ef0f6d14956ee0c2597a572f018839296cc05919868582b50836e66282

Download Submit
C:\Windows\{1E25B7BB-5EF5-447e-8404-CB3B6CA1A405}.exe

Filesize
408KB

MD5
7506ebaf72c0c6fafefdd4a0f8765e60

SHA1
df24e92a2588ac7508518c68480a3d8129fe9442

SHA256
d85932121de0241288dc896e2366ebcfb1f3fcb0bb6b4d2a814f955eb2a4845a

SHA512
4a3d80f83f161b9ce006624cf516b22c7bb6d9458d41c5c59a5defc8a608b996cded310b68a786991b356877a3a7509c21104bb29e9f91a9bd1d10e6c69aba4b

Download Submit
C:\Windows\{417286FB-9E40-4968-B438-4B1A419C9E78}.exe

Filesize
408KB

MD5
6bcb3c7c69e9725da467df7c2a5fdb06

SHA1
8d72ed20878ee19b672b2823d472ad61a98bc84a

SHA256
dc6afb1f8f86b451b90784e9df2182fa1dc53e8b1136de67ffe0803fb46bac34

SHA512
b30e96e2df1bf9dd131ae178ca63b400b4f208ec6350419f58575d11e9c695ad336b9a1fe011416327699f9614b1e338413b3a0479d2a9be0b8a3de99ad2b37c

Download Submit
C:\Windows\{4394C213-38E3-4bf2-B933-33D756F02887}.exe

Filesize
408KB

MD5
d443b5e2298cb41b08fbdf442fefc539

SHA1
3fb16ab12718a1a193f5e09003f954a8962d7b87

SHA256
730a54e53c1f373987a371fbb450c53b1b21286b656c93e2d4033ddfc4ebca21

SHA512
fea108b1213a18ef0340eb7a2a295aca7bb43cf541a3589d10a5e4da9e1ce9a21f0c1d4291223c4a17ffa06b6452cf763decc4fbea34417c836b10778693e8a2

Download Submit
C:\Windows\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe

Filesize
328KB

MD5
b89b882f12f5c03fd6304bb2766f5014

SHA1
226fa3666e68cdfacdea84c8ebfb4923ab38e37a

SHA256
281031522e17767d0df68f54bc46e54b68476622c07a9398025c0b37ed59c33e

SHA512
921539d984a4127814c3b1bc10d1fe49935ac29ada764a5c57df1c015e30dcab77427d0a3e73d7958789b3cd8568ae1a34ca6a2e56b7913f36163347a91d8bf9

Download Submit
C:\Windows\{4B5B3C8C-8EE2-42d8-BAE8-3BE06D58D369}.exe

Filesize
228KB

MD5
db673cb0a974dbddd6796a32aee05948

SHA1
1d9116b4b5ddf9f5fce05780fd5d0d18849336d8

SHA256
9716f8a4411f48069be8d6deefd4d1d54960047c6a8ed01bf4e0f3454291198c

SHA512
4d27575e201a220ffee38bbbeb4279ebf5844460f6af4ed77556bfa6115234402ce3692108644ce88bfd3ad2acd8c9d34ea488b806f836af0f49cb59c1902504

Download Submit
C:\Windows\{866532EB-5561-47b3-91BD-CCFE54CD5B1A}.exe

Filesize
408KB

MD5
09c9d12f7324fb31f2caf396fbf1626d

SHA1
46fb2f0628986325ce6d1e79fd8748a4afc8ac50

SHA256
c1083ce63edac0695dff35b437c5bd66b4714606c5e75b3eb81776ac0d99511d

SHA512
507de437b1d6df1cbcff03261d01e4ecd7460133e99a0a1376ce8172012d8419730e5a09beb83cd203af3defacc4c35aa9b71b8c38b37dfdde97b718ded48be5

Download Submit
C:\Windows\{986FA97A-EAA5-46ae-B11A-7E64C14F860C}.exe

Filesize
408KB

MD5
18b34268f162b2360b092e64dc7eb800

SHA1
129e80df706d85a122fb1c138449e378c88cff64

SHA256
0123f99848ce2034f2abe91d1c8f83af00caca5a2fd3dc104bf7468f4d93302d

SHA512
9b219c8314f8f6a33c59ecb8692e5ada0aa99d0ffe482b2a56fa3ad1ddf4b9c2bee017b324e1764c4b5b5073c6be8a2ceadb96d246faa0dacf4ab47ad9a35157

Download Submit
C:\Windows\{ADA74BDF-3D11-4b07-93E0-742BE61D437A}.exe

Filesize
408KB

MD5
b57075f56b6456c75f0b76d571fad602

SHA1
0a19e3a672b96f45dbc591c05fe79273b1623ee8

SHA256
b15bd6b116ed7506cb9f0dc994632d6b7d01c70aae52ff3469f1a5bf1ffaccf4

SHA512
9305c37283eefc89beb33774ab7d63870d9d3e50080b2704b15a9fb07c0f542b9c49f47eb6301ba6a1f7a2761f3aeb34c48092d64e480482ba8ea46bd2066535

Download Submit
C:\Windows\{C7A28D90-1292-4fcb-8039-4DAC530DC456}.exe

Filesize
408KB

MD5
b4c5e7297df5f67d25fba2a85fb1d206

SHA1
532ecd372ae65d0b98811f921ebf1ea9a106e203

SHA256
c4d9c961978671a871084f97e325fa5bb5a1ae997f724a71d0ddd77b12bc379c

SHA512
c981a3b7527e9e83f794419136bb628d1b1376ba84958020f4f5766f7181d0a9b6427c59c27e080466990ff32aba624e55b05b007c7564d86c02f2806c845973

Download Submit
C:\Windows\{DAE7B226-D1A2-45de-ABC3-DD0FCC75717B}.exe

Filesize
408KB

MD5
88204ca992885faf83685b705f30f264

SHA1
3a66a2ca11d581be00982aa908e2a5e6f08d3ae1

SHA256
7f9dd4e4b23070f2279ce6f4e4801f726a2da2a10f7545b6a3989126e104845f

SHA512
5e137f37a79e81a2beb7de2c43559b79716652beb43ad2afff9c01ea24b9de876d7f6fa92c821522b0f5bb6d6c36232e5927ab56df5fcf97dcd31a6e4fc61222

Download Submit
C:\Windows\{E1FAB71F-1FFA-4c2e-802A-A2BAC9C93359}.exe

Filesize
408KB

MD5
15d1f4a01a22c9cccac647aacd3b3262

SHA1
2a355c4fe30f84ac5ccf97dd0faa510c3dcdb1f2

SHA256
27d1b3771aa251aa4052581c9daf92ef12bf78c93a5bc080adbf2b9d8228f7fb

SHA512
f92591a5d55c9263320b54baf62da4b3c39ef3924f88581a1c7fa4273144f36debe65083a868ac9df001e5ed5035060c0bacb4c0edb9984edf8506311a7fc6c7

Download Submit
C:\Windows\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe

Filesize
408KB

MD5
b9a2f5ede5397cf2cd76384292011808

SHA1
c568000ba21136ad54b49404b48627dc51bd7527

SHA256
4956fc955833119ebba62a8775de3aa23cede2abaf749fb107dbf8fa7dd0327e

SHA512
75c3b920da5db4bd87717e4622a2aabce8c36c3ea69ecd0dc8bcd8a8c07a54511274c22a0d54f7371886d093b6b5d99e76ccc2a7a16089cb689f795f6c8ed5d1

Download Submit
C:\Windows\{E53CD4B0-1DDA-4808-81FA-827430F7D3AE}.exe

Filesize
391KB

MD5
be35fe07f42f0ce60d3acb3a55ffb48d

SHA1
712c770d6c88d4fd6439f171031bc8cc69f1bd01

SHA256
85294046db6f77b69ec2df328a95f64ada708127d957ed1a63685ff9dd838842

SHA512
4c53d318cb9ab236e76cd176fb17daa1c9ac3bd14edbe1c7436bf03cc922102ccfc3effef44fc4c74f5bb2a80b0c4320da043793a69d0c17d8d751138d7c0c83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads