ebb5e1b0fe2aa739501b2da1755d927e614ed2f1872d7d2dad14c174a54525d3

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Size

408KB
MD5

c8d45fe99f261d75ba6714704ae7931a
SHA1

f34032950e78e80d8cb65ec0961a5918ed02861c
SHA256

ebb5e1b0fe2aa739501b2da1755d927e614ed2f1872d7d2dad14c174a54525d3
SHA512

96b651eb5d71afa8bdc9f40f97c5127eb32affdc955ee78e7b61de0024b3756e7a39e99762624d01e4acb7e63edb846402cdd7295415059965bff51acf3acb0f
SSDEEP

3072:CEGh0oUl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGOldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 20 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c4-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c4-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122c4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000133c4-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a24-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a24-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122c4-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122c4-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122c4-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122c4-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122c4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122c4-69.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}\stubpath = "C:\\Windows\\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe"	{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}\stubpath = "C:\\Windows\\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe"	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}\stubpath = "C:\\Windows\\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe"	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}	{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}	{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8870D7C-0B21-4eda-9386-118BB52A126F}	{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8870D7C-0B21-4eda-9386-118BB52A126F}\stubpath = "C:\\Windows\\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe"	{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FBBD72-F640-43ba-8475-BE6DF222D404}	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69FBBD72-F640-43ba-8475-BE6DF222D404}\stubpath = "C:\\Windows\\{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe"	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB96F38-262A-4c27-8114-6AEBEED397BA}\stubpath = "C:\\Windows\\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe"	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}\stubpath = "C:\\Windows\\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe"	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285563B5-0876-4b25-BBE0-3F75498300C3}	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}\stubpath = "C:\\Windows\\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe"	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}\stubpath = "C:\\Windows\\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe"	{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{285563B5-0876-4b25-BBE0-3F75498300C3}\stubpath = "C:\\Windows\\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe"	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}\stubpath = "C:\\Windows\\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe"	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCB96F38-262A-4c27-8114-6AEBEED397BA}	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
1656	{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
2284	{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
2272	{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe
1492	{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe	{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
File created	C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
File created	C:\Windows\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
File created	C:\Windows\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
File created	C:\Windows\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
File created	C:\Windows\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe	{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
File created	C:\Windows\{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
File created	C:\Windows\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
File created	C:\Windows\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
File created	C:\Windows\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
File created	C:\Windows\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe	{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
Token: SeIncBasePriorityPrivilege	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
Token: SeIncBasePriorityPrivilege	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
Token: SeIncBasePriorityPrivilege	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
Token: SeIncBasePriorityPrivilege	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
Token: SeIncBasePriorityPrivilege	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
Token: SeIncBasePriorityPrivilege	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
Token: SeIncBasePriorityPrivilege	1656	{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
Token: SeIncBasePriorityPrivilege	2284	{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
Token: SeIncBasePriorityPrivilege	2272	{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3012	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	28
PID 2972 wrote to memory of 3012	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	28
PID 2972 wrote to memory of 3012	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	28
PID 2972 wrote to memory of 3012	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	28
PID 2972 wrote to memory of 3056	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	29
PID 2972 wrote to memory of 3056	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	29
PID 2972 wrote to memory of 3056	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	29
PID 2972 wrote to memory of 3056	2972	2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe	29
PID 3012 wrote to memory of 2656	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	30
PID 3012 wrote to memory of 2656	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	30
PID 3012 wrote to memory of 2656	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	30
PID 3012 wrote to memory of 2656	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	30
PID 3012 wrote to memory of 2680	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	31
PID 3012 wrote to memory of 2680	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	31
PID 3012 wrote to memory of 2680	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	31
PID 3012 wrote to memory of 2680	3012	{285563B5-0876-4b25-BBE0-3F75498300C3}.exe	31
PID 2656 wrote to memory of 2616	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	32
PID 2656 wrote to memory of 2616	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	32
PID 2656 wrote to memory of 2616	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	32
PID 2656 wrote to memory of 2616	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	32
PID 2656 wrote to memory of 2728	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	33
PID 2656 wrote to memory of 2728	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	33
PID 2656 wrote to memory of 2728	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	33
PID 2656 wrote to memory of 2728	2656	{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe	33
PID 2616 wrote to memory of 2808	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	37
PID 2616 wrote to memory of 2808	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	37
PID 2616 wrote to memory of 2808	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	37
PID 2616 wrote to memory of 2808	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	37
PID 2616 wrote to memory of 3068	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	36
PID 2616 wrote to memory of 3068	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	36
PID 2616 wrote to memory of 3068	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	36
PID 2616 wrote to memory of 3068	2616	{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe	36
PID 2808 wrote to memory of 1512	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	38
PID 2808 wrote to memory of 1512	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	38
PID 2808 wrote to memory of 1512	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	38
PID 2808 wrote to memory of 1512	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	38
PID 2808 wrote to memory of 2744	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	39
PID 2808 wrote to memory of 2744	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	39
PID 2808 wrote to memory of 2744	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	39
PID 2808 wrote to memory of 2744	2808	{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe	39
PID 1512 wrote to memory of 2776	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	40
PID 1512 wrote to memory of 2776	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	40
PID 1512 wrote to memory of 2776	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	40
PID 1512 wrote to memory of 2776	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	40
PID 1512 wrote to memory of 1848	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	41
PID 1512 wrote to memory of 1848	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	41
PID 1512 wrote to memory of 1848	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	41
PID 1512 wrote to memory of 1848	1512	{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe	41
PID 2776 wrote to memory of 2764	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	42
PID 2776 wrote to memory of 2764	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	42
PID 2776 wrote to memory of 2764	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	42
PID 2776 wrote to memory of 2764	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	42
PID 2776 wrote to memory of 2280	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	43
PID 2776 wrote to memory of 2280	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	43
PID 2776 wrote to memory of 2280	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	43
PID 2776 wrote to memory of 2280	2776	{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe	43
PID 2764 wrote to memory of 1656	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	45
PID 2764 wrote to memory of 1656	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	45
PID 2764 wrote to memory of 1656	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	45
PID 2764 wrote to memory of 1656	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	45
PID 2764 wrote to memory of 1096	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	44
PID 2764 wrote to memory of 1096	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	44
PID 2764 wrote to memory of 1096	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	44
PID 2764 wrote to memory of 1096	2764	{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_c8d45fe99f261d75ba6714704ae7931a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
  C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
    C:\Windows\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
      C:\Windows\{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69FBB~1.EXE > nul
        5⤵
        
        PID:3068
    - - C:\Windows\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
        
        C:\Windows\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
        
        C:\Windows\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
        
        C:\Windows\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
        
        C:\Windows\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB96~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
        
        C:\Windows\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
        
        C:\Windows\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA21~1.EXE > nul
        11⤵
        
        PID:336
        
        C:\Windows\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe
        
        C:\Windows\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe
        
        C:\Windows\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8870~1.EXE > nul
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF6DB~1.EXE > nul
        10⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43C2D~1.EXE > nul
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35057~1.EXE > nul
        7⤵
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{578D2~1.EXE > nul
        6⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64E5C~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28556~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe

Filesize
108KB

MD5
14fc6d8083edba8b4ccc4e64959b5170

SHA1
056da981bede31b0611255228ac96504f4c0edc6

SHA256
5365bc838eb0cb5f65c05561c5c5491f201bc601219c6f2b923fc0cbb98ee1d4

SHA512
e420add19e91038052153e18b3b0b33ace3a2dbed280da0ad52cf5ed375859640fbcbbe99a5400d0f030dc64808f07f128d2eea97e5ba6a9f2a80125e10cf7d1

Download Submit
C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe

Filesize
156KB

MD5
a5428d3b8922c6661071e4a1a493e6ba

SHA1
d6113b5645499a2999d8970649115cde0eff1580

SHA256
e3f37f487513084c07421951baf98bf04b877b298a152ac6859182ba2a115578

SHA512
95c85e5e20bccba41f9029195fb76064750546419407bb123804a67cfcf6d3d021303cbb0c663854f67558b0f736621c3fc6e62b5d2abdf49138220606561e97

Download Submit
C:\Windows\{285563B5-0876-4b25-BBE0-3F75498300C3}.exe

Filesize
408KB

MD5
7f7f75ab172d7afa3da9a8318d156e46

SHA1
b0bcb12ad889489ef06596a0c7cd9d5f41aade2a

SHA256
dbcc31f3adf3243c9030ac9ba830e2f3a482840383da8cdcc7b32adf326376a5

SHA512
d1c32c997d435ccca9b26c077b41ec085d7c67a403aab37ce19198fa4987caa33585e78dcd50817071ba6085359fba960660bfe89b5bf25e21190e4b57bcfbab

Download Submit
C:\Windows\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe

Filesize
397KB

MD5
b946520161e3a35177452ae65df32da3

SHA1
b4eddc3303c20008badd811f7d2b1ad87a577a70

SHA256
9c5c7c89c1b2e9fd4c673477eb4fdc72f2fe6f020b1be88e0afe66962f9dd421

SHA512
687f330b2c2b1b2eb79dff3ecb4ea54227ceb82b87ad3162ed54fb523f5151e8227793a68487fb3865687d6880d819ddd8e122e241c79555384b49b04915d4e9

Download Submit
C:\Windows\{350577BB-8EF1-48bf-8AC0-E1DBCFC420EF}.exe

Filesize
408KB

MD5
37695f80b63058dadf8dfe049e3c3a28

SHA1
2ae4130ea7cf6c878f7515b253f8a3b1dcb4490f

SHA256
8370ff6fac91d16d27722bc472a15b8d2dd796d07a8b71a1517a6a920a880992

SHA512
d8de74cebf8ac5c939aaf546bd04454641a1042b604453546b64a1b403eee6948cfcb69579d567b778f82e71ba3a2dd4291eea0bba9a45e84e5d437c243a05d4

Download Submit
C:\Windows\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe

Filesize
408KB

MD5
73be3519b9e96b17f9ae73e9f58153e7

SHA1
2ca39e97bb5f1a5a05df88bf47cc3827ad03b1bc

SHA256
b5de0e01bc5b7344787ff84dafda54904d71cd4b30e4a10af2e0a14247c5fa07

SHA512
d1b8715411b4849b7c17efc0a468d0856b8f05224100ae3e026789b099b4338dc6efa1a413fd1458d5c76ccbd6d964d9091b1848cf44c5b698e633ad888fc952

Download Submit
C:\Windows\{43C2DF11-061A-4ae8-B40A-93F7DCF0C98C}.exe

Filesize
129KB

MD5
87eedfffe49ec86b4e049abf993eb4e0

SHA1
9b6ede7971479fdbdcc90b65864d31c9e4cd187d

SHA256
986d5faaae1a6911ec26ede0764dc89c65a825d81bd7b3a7b71c0572b0d5c409

SHA512
6c097aa2a8738684a4a23d63fa623e2081468e9de22827a8fd3d11132fb7a8e96c79c8d1422f47c6b21adb42b59224e08cb68bf67b628e37b42bce864374d692

Download Submit
C:\Windows\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe

Filesize
408KB

MD5
5b7084b637a7ec2ab77510da9d0ac5f6

SHA1
bf0d7d48f0752785938b969e5b86fd839399179c

SHA256
b6822aea8211dc50de2cff2ef8d4be8af6da224bb8a7237eaf64339cc9243b99

SHA512
8e0d31cb625a129f5c863747f3085b57ab5c1a2ef74f4e6b2210e192cd701ce4902fe47ccd8420545809ec0cc606160af60c3d02e29d92da32decf17f4c2d85d

Download Submit
C:\Windows\{4CA219DF-2D8F-4900-8EE5-631C0ADCA12E}.exe

Filesize
64KB

MD5
058d79f2fb908efacecaa21f8ae656a3

SHA1
4a3d3548bf9c90cd09ea83caf427cb3a4e5175f2

SHA256
092f3c24e90fb16b0cb44790270c08a288369d6335e899355a242ebf04739a6d

SHA512
38e8282bd0063b9956064fcb8b2bea2147441ae29c213eda3b078f7b1b8c49daba9be0a1945c75e0ea107e8fc25e58366313320b32f0e2b6b3c7e34286458ce2

Download Submit
C:\Windows\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe

Filesize
408KB

MD5
acdc6569eced25d7496fbadef7f5c2e8

SHA1
cfa022fc8e26944448a7c825c4d5d4e7a79b6a67

SHA256
4b4e24a975f339a269c5433875caabc9a52e7166c7c98010d9ec20ec7cd8d330

SHA512
1464b5bb44eab182d80c137a3e90e0fbb0b470227b82b68287f5a2c17b614830880e9a3be87e34b9f94ed506f66bd436603ddf4aca8f13350a1e31f41fdf5958

Download Submit
C:\Windows\{578D27C9-C35F-46d9-AFE4-BAD19C0344EB}.exe

Filesize
245KB

MD5
1170cca164c7d3833f6088028b957e27

SHA1
5b407f0cde9ea66a935f25eac6fbe0fc306ecc06

SHA256
da9665e9a5a40f2e6f3a766dcea25362342eae2739291503a75bb13e899d037b

SHA512
af43101f7d2b820669f1a3221d1b4a6325c002534d24dca93f50c3c19cf46f0665a0731294e06886b7986b7625b7233e67e32e88ec62364bb5688a453e5248aa

Download Submit
C:\Windows\{64E5CD0A-8947-4b6f-9DA5-3C8B2FDF1D09}.exe

Filesize
408KB

MD5
859d2199b447d7b0fcda509c59771d4c

SHA1
dbef00e8770b49246d29eae83e73ef1d197f0f1c

SHA256
44967aa8a153aa87f4b561f7c98bc0152ad63ae276322ab10730dcf364b12905

SHA512
6eff58490c95e0d3e2036dcb46ae39fc8975755ab762ad1356092b23aff8c0f9ec7a6ac2a68ffbfea86a0c16bf82c24cf95f272a3e57fa40b3bdcc74437fed14

Download Submit
C:\Windows\{69FBBD72-F640-43ba-8475-BE6DF222D404}.exe

Filesize
408KB

MD5
3653aca91848297a58762acde9c9f454

SHA1
5b8551e231be7dacf6e0eeea5a07d802d2a38057

SHA256
ca4a60184fe37eefe4db129e66b32b0593174288c34addf4110db0efb13fac70

SHA512
79751d00674ec9cbf08024a854d3fb2234f1c22868db45460a9bdf01f93e17e53b3f42578703c8a53048fc284cf271ca9cb8a9cec616a7844544823f90037661

Download Submit
C:\Windows\{DA8A0FF5-07E6-4b16-A860-013B70B499E9}.exe

Filesize
281KB

MD5
9103e6d5585196c9206e59c2e6dd717c

SHA1
38082b7b191a36a74e050fedf355bf90979e9f04

SHA256
42c05914aa1bd7f7c5075693de5af13af0ff957eb4a954eadf6b8a8e9e23bc95

SHA512
5dd8d829164209af36f523ec294629d71aa648d37d2422dd6f0196f2981d4c5a96f99f811af4599948094ece4a0f1de2ff4169148fc2061bb9009de6835ac6bc

Download Submit
C:\Windows\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe

Filesize
45KB

MD5
28ef811724bd128327828799c174ddbe

SHA1
97f0dac623cfcb016d585eb0617f39b25c019621

SHA256
da73f6d8f9fface15d1188eb5ef47c1aee4bead052a5e9956b51b2fd8ec80bc1

SHA512
2adbe3693f42e37c72841ae0207966df5cce44cc0bfde8cd95e3e10448d09d808acfdec5590bf8c0128ac47e9c1698565dcf2060b20754fae31bb8fb8b07327a

Download Submit
C:\Windows\{F8870D7C-0B21-4eda-9386-118BB52A126F}.exe

Filesize
327KB

MD5
21a071be2773e5d2afe53c497645bd34

SHA1
9ea9e6b6727abf1bbc0ac15bff8feeb52bb526ba

SHA256
093d0612c1e541b10c275ffb4ffc31414a9adf1d32c829017ace3cd7c3ead22d

SHA512
a8761ab77ea166d338839391460b0df656785d40ad171bab6487a99c01689b448189ea25bdc2cc10a374058622b5ec4e53364691f522defd50dc84adbc3690c3

Download Submit
C:\Windows\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe

Filesize
233KB

MD5
e450b78394e00abdc70767c202cd79d4

SHA1
ce00fe9077a2edb1c00c93e46dcfac84cd253273

SHA256
e56d7c3adee8d068493bf8686ab6e2c17f4e95db42b80c59ce4df98a34ba3d47

SHA512
4dd2512475c5a2f8c8b63255a46ccad180ef1d12c5d7f6227f0d53f953fbcfec748445a44428b7afced4ea56f45be39583033c6874e0faa3371912b377182a7f

Download Submit
C:\Windows\{FCB96F38-262A-4c27-8114-6AEBEED397BA}.exe

Filesize
319KB

MD5
1e6fb4c8231abf94eaa293a3786a5f27

SHA1
e8b6b71ebce53bfaaa74f4d13c1b616c036c8b07

SHA256
9426d3785e69281dbd4d010ca87d8ba3cb7197b18734adf12ac757ba60d5cfd7

SHA512
3909ddb3810c779f155883f1d6cab189d2b83a18316746e27cefccdeb0a520a06699249d4da6c2ecf83de9e51dd532db8d6ee1f20cfa598d7c5d4013f305fb2c

Download Submit
C:\Windows\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe

Filesize
408KB

MD5
2c0373f149a6b84ec91d84a36cc71eb3

SHA1
0f0f42fbc8772943402e16ce4760bece2cfaf479

SHA256
1392e3754bf83993b1db9235e362abff34e96aaf52658568a25ed9e148f02ce6

SHA512
ee2aa5e65217d5b1ea3383957766723b9a50626f79ce01f65a89beaf2c67bcee7c213eb323870014d52abd6159e50349712b8cc32866f9765f93e03582f34774

Download Submit
C:\Windows\{FF6DB96A-06AC-4782-B5B6-A9D4EC8771CB}.exe

Filesize
350KB

MD5
31efccceaa57660f5c8438c3fae88e0e

SHA1
a05a3f394ad4e5ded2bb4490128408811dbe8dd3

SHA256
ad947b78635045a4e6ecef3650ec2b9ff20ae4270d1bb410913dd9e39d45399a

SHA512
b101387e7c0e44628dc7d7f364f372dcfa13474b36ac30b8ed11bc2e8e31250550175ffbf6cdc7525a351c5fba6eade7716f54201c9977c29fce42a7bd3c3717

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads