a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Size

372KB
MD5

66df83b4656869eefb369c65fabebc92
SHA1

c48f2936456db8e002839828bfbfcf321378a409
SHA256

a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4
SHA512

5570cac2367d35143a3caab225e76c04a91b4f974b07c3cd248401f03d22cd10b75770c7b8eb33980d7ba46b8ae70196a648715e921d455f1976aeaee04f06d3
SSDEEP

3072:CEGh0ommlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 19 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015d81-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000164cc-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00320000000164cc-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000164cc-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00330000000164cc-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000164cc-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012251-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000164cc-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}\stubpath = "C:\\Windows\\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe"	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}\stubpath = "C:\\Windows\\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe"	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6ECBC05-8C1F-4786-92D0-146DB636631D}\stubpath = "C:\\Windows\\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe"	{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}	{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}\stubpath = "C:\\Windows\\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe"	{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}\stubpath = "C:\\Windows\\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe"	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}\stubpath = "C:\\Windows\\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe"	{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}\stubpath = "C:\\Windows\\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe"	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}\stubpath = "C:\\Windows\\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe"	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}\stubpath = "C:\\Windows\\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe"	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}\stubpath = "C:\\Windows\\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe"	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}	{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6ECBC05-8C1F-4786-92D0-146DB636631D}	{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}\stubpath = "C:\\Windows\\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe"	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
832	{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
672	{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
1196	{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
3004	{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
File created	C:\Windows\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
File created	C:\Windows\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
File created	C:\Windows\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe	{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
File created	C:\Windows\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe	{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
File created	C:\Windows\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe	{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
File created	C:\Windows\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
File created	C:\Windows\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
File created	C:\Windows\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
File created	C:\Windows\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
File created	C:\Windows\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
Token: SeIncBasePriorityPrivilege	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
Token: SeIncBasePriorityPrivilege	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
Token: SeIncBasePriorityPrivilege	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
Token: SeIncBasePriorityPrivilege	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
Token: SeIncBasePriorityPrivilege	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
Token: SeIncBasePriorityPrivilege	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
Token: SeIncBasePriorityPrivilege	832	{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
Token: SeIncBasePriorityPrivilege	672	{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
Token: SeIncBasePriorityPrivilege	1196	{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2316	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	28
PID 2612 wrote to memory of 2316	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	28
PID 2612 wrote to memory of 2316	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	28
PID 2612 wrote to memory of 2316	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	28
PID 2612 wrote to memory of 2676	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	29
PID 2612 wrote to memory of 2676	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	29
PID 2612 wrote to memory of 2676	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	29
PID 2612 wrote to memory of 2676	2612	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	29
PID 2316 wrote to memory of 2664	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	30
PID 2316 wrote to memory of 2664	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	30
PID 2316 wrote to memory of 2664	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	30
PID 2316 wrote to memory of 2664	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	30
PID 2316 wrote to memory of 2780	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	31
PID 2316 wrote to memory of 2780	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	31
PID 2316 wrote to memory of 2780	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	31
PID 2316 wrote to memory of 2780	2316	{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe	31
PID 2664 wrote to memory of 2556	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	32
PID 2664 wrote to memory of 2556	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	32
PID 2664 wrote to memory of 2556	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	32
PID 2664 wrote to memory of 2556	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	32
PID 2664 wrote to memory of 2704	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	33
PID 2664 wrote to memory of 2704	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	33
PID 2664 wrote to memory of 2704	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	33
PID 2664 wrote to memory of 2704	2664	{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe	33
PID 2556 wrote to memory of 2408	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	36
PID 2556 wrote to memory of 2408	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	36
PID 2556 wrote to memory of 2408	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	36
PID 2556 wrote to memory of 2408	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	36
PID 2556 wrote to memory of 2932	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	37
PID 2556 wrote to memory of 2932	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	37
PID 2556 wrote to memory of 2932	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	37
PID 2556 wrote to memory of 2932	2556	{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe	37
PID 2408 wrote to memory of 2040	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	38
PID 2408 wrote to memory of 2040	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	38
PID 2408 wrote to memory of 2040	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	38
PID 2408 wrote to memory of 2040	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	38
PID 2408 wrote to memory of 2728	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	39
PID 2408 wrote to memory of 2728	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	39
PID 2408 wrote to memory of 2728	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	39
PID 2408 wrote to memory of 2728	2408	{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe	39
PID 2040 wrote to memory of 2708	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	40
PID 2040 wrote to memory of 2708	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	40
PID 2040 wrote to memory of 2708	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	40
PID 2040 wrote to memory of 2708	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	40
PID 2040 wrote to memory of 1540	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	41
PID 2040 wrote to memory of 1540	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	41
PID 2040 wrote to memory of 1540	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	41
PID 2040 wrote to memory of 1540	2040	{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe	41
PID 2708 wrote to memory of 2732	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	43
PID 2708 wrote to memory of 2732	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	43
PID 2708 wrote to memory of 2732	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	43
PID 2708 wrote to memory of 2732	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	43
PID 2708 wrote to memory of 2860	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	42
PID 2708 wrote to memory of 2860	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	42
PID 2708 wrote to memory of 2860	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	42
PID 2708 wrote to memory of 2860	2708	{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe	42
PID 2732 wrote to memory of 832	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	45
PID 2732 wrote to memory of 832	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	45
PID 2732 wrote to memory of 832	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	45
PID 2732 wrote to memory of 832	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	45
PID 2732 wrote to memory of 836	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	44
PID 2732 wrote to memory of 836	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	44
PID 2732 wrote to memory of 836	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	44
PID 2732 wrote to memory of 836	2732	{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
  C:\Windows\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
    C:\Windows\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
      C:\Windows\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
        
        C:\Windows\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
        
        C:\Windows\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
        
        C:\Windows\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4300D~1.EXE > nul
        8⤵
        
        PID:2860
        
        C:\Windows\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
        
        C:\Windows\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADBAE~1.EXE > nul
        9⤵
        
        PID:836
        
        C:\Windows\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
        
        C:\Windows\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F117D~1.EXE > nul
        10⤵
        
        PID:556
        
        C:\Windows\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
        
        C:\Windows\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6ECB~1.EXE > nul
        11⤵
        
        PID:2016
        
        C:\Windows\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
        
        C:\Windows\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA77C~1.EXE > nul
        12⤵
        
        PID:2056
        
        C:\Windows\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe
        
        C:\Windows\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe
        12⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE0EA~1.EXE > nul
        7⤵
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4A0D~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0148~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38F2E~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB707~1.EXE > nul
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{38F2EB0B-957C-4ade-A14B-8E86F18D295A}.exe

Filesize
372KB

MD5
e573c3a3ea281840e8beaf64b746a014

SHA1
e4cee3eeb896e0e2491a29861c1b8bf864097aea

SHA256
991d747b517e741e9bd8a5b6d9078c88d29a8cf50526573d9228ccb26d4f8bb8

SHA512
cb5ebf7640755c6f24e9062f9451607d6f681d1cdf1e813b3f7a274aaa6c10afbaf716feacccc80050070c21af3abc72ab5cb2289d3dc955ef691539b39f6a6a

Download Submit
C:\Windows\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe

Filesize
350KB

MD5
2ea68c4b21af7932e7b9a877ff499a06

SHA1
ae0f90ac2a677316a6542b27f4fdee6cdf9cad6f

SHA256
45df3c752e139297cd5582ab5accd07410221dc240ced000574c6278e4d70ce5

SHA512
53b02e36baae444a332c6e5013a15c539ae5419c784bc8e3aec78aab5f4ce9e35539ce7451851182b4a5ee544c0e947158aef58c203b65bece011a6687c457f3

Download Submit
C:\Windows\{4300DCE0-480A-4d9b-BC75-2A3E512A1C15}.exe

Filesize
258KB

MD5
ec6d2530b01d0202428055839ac1ca8d

SHA1
2fb102b39c9857ee79aab1fcda2e2f5a84b8d2f8

SHA256
38998d87314ceed570ea93074072294f0572c28ae0b867d7183949dd4c0a3cf4

SHA512
8cee4a3973071d8dfb5ea997acb82178d28b6e11a83abeecf0d4b0dde6ef77bb56fbbf0b0959a282c190b57712a4b2badd8a8223e1f88daa36dcf2a69224c0ff

Download Submit
C:\Windows\{85B8251B-EE37-47c8-8DB5-E54E9AFC0DA5}.exe

Filesize
300KB

MD5
150ca09e8eb78bd659c8bf25075bb667

SHA1
74ea3b82b4a5d0bc049918685840324d334bcd2e

SHA256
36d6829ce9945bc0c688ac7f6f0bff05014f24f892e81ba99e80797a2a2cfaaa

SHA512
841f57a66748cf648176d9a4344bf63a4c7b6cedd3139d38bc7e6a46cab42c14629535da8c75a6f380f63ae96047b9cbac6f7f3cf76e90dbf7ff6960a8b6d01c

Download Submit
C:\Windows\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe

Filesize
372KB

MD5
aebacd8628f08d138ea753f79fda663c

SHA1
2854485f4a12e49f69b499b8c7d31ff8b69c0d31

SHA256
0ab8d0aeff884b2fa5fafafa3a27a3459da94090f9f823dff18fb17e1ec73fdc

SHA512
a14df48549cba15582fce6c075c9b4aa7c55026ea904fc957af5923d173e2dae8f7a81972492f5037b57765a0bfdccef41151f85e14352aba14949ad21a4095c

Download Submit
C:\Windows\{A0148536-A4D1-46e3-BAF3-21C150DC54D4}.exe

Filesize
204KB

MD5
d13822a8470b770a5516d0fb8af5778f

SHA1
606f85a81dc44606b1174ec0ae25005c2741f069

SHA256
8b5acf71ffb77e23b871bd616a5a743e73b9559b4abdcd3805e371cfee108bc2

SHA512
3c92f4a6f2ae4487c48b9782652fad8f47ae285c232449375cd20a219dd4c04f5f8d23a1809825a2e2c79b1e5a1661bfb746e9d1167ccf575484d9d882733d1f

Download Submit
C:\Windows\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe

Filesize
245KB

MD5
ad938fc2b1e7d72a5d0cba97e7a15c79

SHA1
6ac80daf836128f85014346a900da563a7887ae5

SHA256
2734e9078c2fef258098a479c4516db0a068e44dcc97c3ade5769c9f5e2242fc

SHA512
212de15060e2ef2d717714e0afce1162bdc12f5dfe9bfa523b77d478ef2a1686c2fa1cf4ff704558cddbe249e9dc08d394057ba949c743dba68ccd056fb8859a

Download Submit
C:\Windows\{ADBAEBB3-2DE0-4668-9786-3F949CA214A7}.exe

Filesize
334KB

MD5
57e5b596af2b5ee23c32ccf65644d904

SHA1
d591259fa4dd24c3e2106d1ff6da00da5b568a9d

SHA256
fec1a1a34d0052e68835be3143e466b17139ff5b9299b0bb83f8cf93ddc30914

SHA512
19c09baed208ba0cc19c7909d8d41b8c2287f51aa7dc227a769253a391391b3e2901841ac797a8fe95b5cc4f29df637757262b9e8876d611fd9c3a1d4ebbf794

Download Submit
C:\Windows\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe

Filesize
180KB

MD5
e29f86f69448c485869d4b278965194b

SHA1
75f24f71c305b400dc69207ccc109cbd0d677b4c

SHA256
b44617ca690634fef1d5b6cec7733117267c011f09ed45a1d7965ae881219315

SHA512
781347423ffd29fc34eb20bfbe1e15fe065369194fce2157eda2f829cbe1acc20826c0b907d5ec9555cd7f3f6ed9dfaf64a91a8a10a800b8eb38086f8b5221b6

Download Submit
C:\Windows\{B4A0DD48-BC54-465c-A5D0-0F665DD1BAA8}.exe

Filesize
372KB

MD5
94d2abe3692efc39b5cefe7fe9c0433f

SHA1
e82dd3f89f57ca226423f4c6d0d685e5933a9c21

SHA256
4f915e087ea232bd3ab86784c55becc0b6845e65090ff02194704e7117a09533

SHA512
882c101cae3c13af8dc1207c61967d9775bfe89cf8fa47d29369f2645b16811ccd486dd8ccf053c549a08225e89a7947698c1830aaf1d605d81c779537262ddf

Download Submit
C:\Windows\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe

Filesize
372KB

MD5
67f9cd65b3db0c6c95375259a35dfa55

SHA1
e92176e1e03a74b4d56fe9bd3469974a0c42e5f2

SHA256
cf1866e95956961090de8bd7046406bc72c75775c2a146aeaaf95258c964d219

SHA512
616df2261e31aca2bce836ffdd9a8e7b7b9bce3103589689321ec16cd10e1eab28d4af5024e6bb10a8b976b5f222f05b2525c8e722033d340f0f67144aa62f5e

Download Submit
C:\Windows\{BA77C7BC-8B96-4950-A0B8-7DDA7E547648}.exe

Filesize
293KB

MD5
4668a429c41fd523195737d16d5e8019

SHA1
b4541b9413c10b2918a15236f684d0708d74e6b1

SHA256
72dac5a4467399e728ca68c4975020805ac8bad7b5a4275113a09cfee7a2a1ef

SHA512
665d819467958ec21c46adc15235a0df71d33ce199bcfff720dc957c5d63644bf9b431d6d2d3c37dd374a5a2c8514564eee4bff38d624f14e3647519338db8b7

Download Submit
C:\Windows\{CB707ABB-E8A4-4a35-ABAD-36BCE9596590}.exe

Filesize
372KB

MD5
37ac2b5b5673fd919c0f995fadade432

SHA1
facb9652fd8837f6b15763473556f4bc0ef10bd0

SHA256
5dfea6c4322954c00fcfab77730d440f0f1733c44243f2d0f868bcd51ee8ccfa

SHA512
7ba227ce4bd912479bbef366bb6c782da5fbb9a05dbe0e2ffaf680bcb8a888b79472a76fcdf6fbec336ffdcac89cc83c7b008635c43d9f5fbff55a70924c9e48

Download Submit
C:\Windows\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe

Filesize
129KB

MD5
718bf942ecc145064eb8c085f32451bc

SHA1
c6cb141e7dc979fa9c0ca747ddf5597eafb9ff17

SHA256
a84c990f8ee5ca036cd730e61e1f758141bf6dcbd666e85c57cfb32c91df6c36

SHA512
72bb4239555dba797ed7d410f262d319b209edaca8d94a1c1707ba15646590096cb5f1608af2ab755924215aaab495f71c519df221ef4c8b8e1bb23e2e540898

Download Submit
C:\Windows\{D6ECBC05-8C1F-4786-92D0-146DB636631D}.exe

Filesize
372KB

MD5
b1966fe97aea85d86281d14137526d46

SHA1
b40a93a33663ff41a71a364974cd469ada9169fd

SHA256
8c17e184b3e25ef9b5d475bec122b2ea4e44da6cb35e5c3507b81737b9579187

SHA512
63d9b74bd5d3aaeac251c8f7e34275ac20190e478623672288bcb7be166da8e5f305f4bd7bfd114a0be867533f5567efabbc2d4a32ab1994cb25249259024dbb

Download Submit
C:\Windows\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe

Filesize
372KB

MD5
addecbb43ebd1a8bff35bccd05e0ee56

SHA1
6f4cbc4a74f3c12aae370b649c2a59cb73ff65d6

SHA256
448e2f9f5b85a418c5207aae00c74a16f2101c7b5422e5396b2e361d507b4d22

SHA512
cbf93a906a64f2d116f0b065b144db3059d05fb4548cc8b44b150ae7819fc14bcdc32e85abc11629616e317347038b081b2381cafb76122d8de443ff6abfea5a

Download Submit
C:\Windows\{DE0EAE96-9105-4d09-A9DC-0A5384F7C6A1}.exe

Filesize
291KB

MD5
bfb95cc7e9e97ca725286ca61bbcc2e9

SHA1
ab1fd40c0c06e52a19cb07cabda87dee3db52da4

SHA256
9b4220039fc331f2cd18f41ec541191f5178466c8a9c8ed5843f876949a93395

SHA512
d862b50977e5756b6e533c2ff458149e297413249593ab2b2630a93f747ea9dc836b244b098216ca75f9fbd42d4ab78d3916defaf547b6ed29890714030cacb8

Download Submit
C:\Windows\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe

Filesize
231KB

MD5
c5501fe5e33bf9c36dde8ed3f338eb2e

SHA1
95438fbbc2a0d2dedc5bfe2fdecf7d72e928f5d2

SHA256
1fd809dfc33cdafb5ed8983be5f4351d7a17a997392bab63c259aaee4239a2c6

SHA512
08f8a82326c5dbd81ccfeef1918f79b165e27186a2549540da386f8672fcf6d59a7e2648a3cc79f671bbcf62f235efed5093ca2b4bfaa1329e356046e69ccba9

Download Submit
C:\Windows\{F117DCF2-D6A5-46a2-877F-4DA0329A292F}.exe

Filesize
29KB

MD5
9ea41d34092120eafc3c43816f6ea43c

SHA1
252c53e418c63080f91aba10362c141df2167ac7

SHA256
beedf2c99d4faf3bf5cbfa1b302496486f737b5b44ee4af81e157b7fb2bf52d1

SHA512
002f01202c300a3ff22ecb53f076412a260cea3faabbba0201332a3594a49bf801363b5c8bcc606686c9fbabab8f1ccd42bf625acaccbc8e3a21e0b6e56cdd92

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads