093312433e929c2679134e0a3149cfe361e4cee0beecb0bc4b0d5974d8be2fe2

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Size

197KB
MD5

b07b25ff46e4ec1313ad891a5a3292eb
SHA1

e59c118a9431521febb259750b20f8a46a524381
SHA256

093312433e929c2679134e0a3149cfe361e4cee0beecb0bc4b0d5974d8be2fe2
SHA512

d05df002791471adca9c3029d5d1fdace56cbede6ad65bdcfa69bd678f95160fe7c2928890082dccb5455c13490a3cacce3df5376681a161453cd00c28aa413f
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGolEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231ef-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fb-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ef-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A049E7-4DD0-4519-88FA-146C4A7334FE}	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1306D9-E3E7-445f-9055-E4CE4822A372}	{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1E0FE7D-8BAB-463a-920E-B13B82353984}	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}\stubpath = "C:\\Windows\\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe"	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6399C84D-F531-4675-902B-E3A33BCF09C7}	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}\stubpath = "C:\\Windows\\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe"	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA5DB66-A25E-414a-BF14-C212D54451A5}	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}\stubpath = "C:\\Windows\\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe"	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}\stubpath = "C:\\Windows\\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe"	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}\stubpath = "C:\\Windows\\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe"	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}\stubpath = "C:\\Windows\\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe"	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BB0670-FA0F-4626-80A9-1800049B685B}\stubpath = "C:\\Windows\\{70BB0670-FA0F-4626-80A9-1800049B685B}.exe"	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1E0FE7D-8BAB-463a-920E-B13B82353984}\stubpath = "C:\\Windows\\{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe"	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6399C84D-F531-4675-902B-E3A33BCF09C7}\stubpath = "C:\\Windows\\{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe"	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EA5DB66-A25E-414a-BF14-C212D54451A5}\stubpath = "C:\\Windows\\{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe"	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70BB0670-FA0F-4626-80A9-1800049B685B}	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42A049E7-4DD0-4519-88FA-146C4A7334FE}\stubpath = "C:\\Windows\\{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe"	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1306D9-E3E7-445f-9055-E4CE4822A372}\stubpath = "C:\\Windows\\{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe"	{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
2612	{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe
3508	{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
File created	C:\Windows\{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
File created	C:\Windows\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
File created	C:\Windows\{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
File created	C:\Windows\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
File created	C:\Windows\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
File created	C:\Windows\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
File created	C:\Windows\{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
File created	C:\Windows\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
File created	C:\Windows\{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
File created	C:\Windows\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
File created	C:\Windows\{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe	{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
Token: SeIncBasePriorityPrivilege	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
Token: SeIncBasePriorityPrivilege	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
Token: SeIncBasePriorityPrivilege	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
Token: SeIncBasePriorityPrivilege	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
Token: SeIncBasePriorityPrivilege	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
Token: SeIncBasePriorityPrivilege	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
Token: SeIncBasePriorityPrivilege	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
Token: SeIncBasePriorityPrivilege	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
Token: SeIncBasePriorityPrivilege	1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
Token: SeIncBasePriorityPrivilege	2612	{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1652	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	96
PID 396 wrote to memory of 1652	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	96
PID 396 wrote to memory of 1652	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	96
PID 396 wrote to memory of 3624	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	97
PID 396 wrote to memory of 3624	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	97
PID 396 wrote to memory of 3624	396	2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe	97
PID 1652 wrote to memory of 440	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	98
PID 1652 wrote to memory of 440	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	98
PID 1652 wrote to memory of 440	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	98
PID 1652 wrote to memory of 3044	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	99
PID 1652 wrote to memory of 3044	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	99
PID 1652 wrote to memory of 3044	1652	{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe	99
PID 440 wrote to memory of 4536	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	101
PID 440 wrote to memory of 4536	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	101
PID 440 wrote to memory of 4536	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	101
PID 440 wrote to memory of 2784	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	102
PID 440 wrote to memory of 2784	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	102
PID 440 wrote to memory of 2784	440	{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe	102
PID 4536 wrote to memory of 4736	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	103
PID 4536 wrote to memory of 4736	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	103
PID 4536 wrote to memory of 4736	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	103
PID 4536 wrote to memory of 2952	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	104
PID 4536 wrote to memory of 2952	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	104
PID 4536 wrote to memory of 2952	4536	{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe	104
PID 4736 wrote to memory of 3184	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	105
PID 4736 wrote to memory of 3184	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	105
PID 4736 wrote to memory of 3184	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	105
PID 4736 wrote to memory of 5016	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	106
PID 4736 wrote to memory of 5016	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	106
PID 4736 wrote to memory of 5016	4736	{70BB0670-FA0F-4626-80A9-1800049B685B}.exe	106
PID 3184 wrote to memory of 5104	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	107
PID 3184 wrote to memory of 5104	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	107
PID 3184 wrote to memory of 5104	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	107
PID 3184 wrote to memory of 1808	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	108
PID 3184 wrote to memory of 1808	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	108
PID 3184 wrote to memory of 1808	3184	{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe	108
PID 5104 wrote to memory of 1848	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	110
PID 5104 wrote to memory of 1848	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	110
PID 5104 wrote to memory of 1848	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	110
PID 5104 wrote to memory of 4040	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	109
PID 5104 wrote to memory of 4040	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	109
PID 5104 wrote to memory of 4040	5104	{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe	109
PID 1848 wrote to memory of 1512	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	112
PID 1848 wrote to memory of 1512	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	112
PID 1848 wrote to memory of 1512	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	112
PID 1848 wrote to memory of 2496	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	111
PID 1848 wrote to memory of 2496	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	111
PID 1848 wrote to memory of 2496	1848	{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe	111
PID 1512 wrote to memory of 3376	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	113
PID 1512 wrote to memory of 3376	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	113
PID 1512 wrote to memory of 3376	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	113
PID 1512 wrote to memory of 4720	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	114
PID 1512 wrote to memory of 4720	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	114
PID 1512 wrote to memory of 4720	1512	{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe	114
PID 3376 wrote to memory of 1968	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	115
PID 3376 wrote to memory of 1968	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	115
PID 3376 wrote to memory of 1968	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	115
PID 3376 wrote to memory of 1320	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	116
PID 3376 wrote to memory of 1320	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	116
PID 3376 wrote to memory of 1320	3376	{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe	116
PID 1968 wrote to memory of 2612	1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe	117
PID 1968 wrote to memory of 2612	1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe	117
PID 1968 wrote to memory of 2612	1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe	117
PID 1968 wrote to memory of 1196	1968	{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_b07b25ff46e4ec1313ad891a5a3292eb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
  C:\Windows\{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
    C:\Windows\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
      C:\Windows\{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
        
        C:\Windows\{70BB0670-FA0F-4626-80A9-1800049B685B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Windows\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
        
        C:\Windows\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
        
        C:\Windows\{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1E0F~1.EXE > nul
        8⤵
        
        PID:4040
        
        C:\Windows\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
        
        C:\Windows\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A221E~1.EXE > nul
        9⤵
        
        PID:2496
        
        C:\Windows\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
        
        C:\Windows\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
        
        C:\Windows\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
        
        C:\Windows\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe
        
        C:\Windows\{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe
        
        C:\Windows\{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe
        13⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42A04~1.EXE > nul
        13⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A6~1.EXE > nul
        12⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E8A~1.EXE > nul
        11⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C86E~1.EXE > nul
        10⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FDE8~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70BB0~1.EXE > nul
        6⤵
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA5D~1.EXE > nul
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D3E07~1.EXE > nul
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6399C~1.EXE > nul
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10E8AF3C-2ADE-4b81-96F8-A63ACDAA2061}.exe

Filesize
197KB

MD5
51268f43faf868e0da65584995da5af4

SHA1
e10053c979288d0d5e231ee6d226b0ea4302f7b6

SHA256
62055525ca5e6f56e39443d6a620b48abc932e41db2f5b2017c0b4fcb8e520f8

SHA512
814b1d16f5cf980ebab96caf979f158477c89174b38ae5a52aab7295a6759da679b380eea9e717c6b80bc40d57deff985bf9116f4a892603ca235d1e6de70ee8

Download Submit
C:\Windows\{2B1306D9-E3E7-445f-9055-E4CE4822A372}.exe

Filesize
197KB

MD5
fbd8cd57979d97cfe07faf2802cc9aa6

SHA1
c04c62bc2e11ef8953c917056be8d7cc685968d0

SHA256
9862e2f1f6d7a694edb746c807784e172ece7c25f1080a3221ac2f76c7c0cdbc

SHA512
5b62a90866a9bf61311009b2240b4ebc2b57c84e39a50e400f2665dea103923b0d843d891b709c2d1cf274ac2cba9b0dd0e37815210fce47b7a8441e3214ff38

Download Submit
C:\Windows\{42A049E7-4DD0-4519-88FA-146C4A7334FE}.exe

Filesize
197KB

MD5
ddcbfc4f5723ee5ce852c2105cfa5985

SHA1
d7a596c935909ef1313865bad9e1d3b2ddeb8c9a

SHA256
ac10ac610fb9cde74d9ec0d95c916146e7d1bd90519563ef0d0f403befef3404

SHA512
e86731b2eb5294535a8a9f49fc90b3d2264f4750cfd774eb47026d1c6eb183fc7b34cd71fe8b934d66299f3a9963f65e412216235f7e48dc95d5589bd5d3c9e4

Download Submit
C:\Windows\{4C86E431-192F-4bdc-B2C2-EFAFD671B928}.exe

Filesize
197KB

MD5
b90ec1fd7471c93813b43176db75d7f2

SHA1
bafb2fe04f392b4b71c1747ac7718f9821af086c

SHA256
87a58d33beae2ba5d2eba1387929597cda32a78d111d7fa8868dfdf460bfffe6

SHA512
ae204f045268c3b9a56809c9f35eb807d97c6e9bdd096d9998bcdd3d575f17c7c2152d8aa521c92728a2fe2aea8dfa35ac0aea8c8d7526558516cbd5fc5788c6

Download Submit
C:\Windows\{6399C84D-F531-4675-902B-E3A33BCF09C7}.exe

Filesize
197KB

MD5
aff458cd7b7028bb6ef260399282cf4e

SHA1
f937e15e7cb2fdc02873cc11e62a855415b858e1

SHA256
906c9f635e29acaec9c65e8c9e8337c99469cbf957f05f7cbc4202bb8229b53b

SHA512
440936b93220d2ac399c708cc90642d209e98ba1eb58f2734e9a75d200cf5d12721f3914a12d4a7591749ceeaf89c82d57c649de613214d8e2858e2e9567aebc

Download Submit
C:\Windows\{70BB0670-FA0F-4626-80A9-1800049B685B}.exe

Filesize
197KB

MD5
2b7993fd327c433ffe49760556690cf4

SHA1
2e344a753d06a7a83c84637aef2da20c7cbe3b27

SHA256
455d662523df33a55e69bcbc8225a9d6089bf6294618066314bf80b807f1172e

SHA512
023647f6a25d212eba362ec7aedfe007e86678042f61a6252d9715372c50b1569ad09704d61135c326042ab32b2b089326a2837d3de69503d56701f036052f7f

Download Submit
C:\Windows\{8EA5DB66-A25E-414a-BF14-C212D54451A5}.exe

Filesize
197KB

MD5
f2deab86588af93bab5f7452d5296197

SHA1
ec59940e83caa001d03acec66df31f13c3ab0f31

SHA256
75c247454d9974acf89446a043f298e0ada70a844925207f667d966864586c61

SHA512
689e9585e0177648853f7879b9f153ee56c4c277187039ccdfcfea887f8d6a5c441799106f3f7ae00907bbc417d30b655701e5951378881eb4e4304b212d508b

Download Submit
C:\Windows\{8FDE8748-6462-4df6-8BE9-4480154FA2E6}.exe

Filesize
197KB

MD5
31f12247f1f8eb381dbee270e7537787

SHA1
42d973401cafdd85faa6d9a6ef5246619fd86038

SHA256
80f4c6279a033d53e114031b13b349eea514ef8d88a56471b037b691a81172c0

SHA512
56fcd7295a088199a1c38ebb55993611c6b053d93c1dbc7a3c5907c4e6d3aa1709e7df51a046d089d377eb07ae468426b804090c034eb1388811b328c417aff6

Download Submit
C:\Windows\{A221E24A-7D16-4aeb-B245-8FEE7A6AA484}.exe

Filesize
197KB

MD5
69472e21c9c73bbba4f332f2415da0ad

SHA1
ff06322ee299625050cbe52ab6e2aa97a4b1c7e3

SHA256
f9ae57239561be86539112a4044191c19e48790f9d51f2268134df89432ab1a6

SHA512
379c520ba1ba9a8bc9845650051706bcee4c6ee186af25833cd113f0cda2d4820fdbf7b12b0d1dc606ef18f1c77ec8e65af6ac9256bb681d6533f07368d96423

Download Submit
C:\Windows\{BC7A67F1-2966-4b3d-B3C7-FF655C4B329D}.exe

Filesize
197KB

MD5
2e917c946004a42a16599d7d3417d1b7

SHA1
f0f6c05f3a91f9a588c28b39adf9cd9d058c2d46

SHA256
dad4e25f508f122ce7a991dd1ae8d58b0ae60c6aa3ed0d318cffb7dca00114ab

SHA512
2e7cc209e156cef1557e5ab99c3e286ad95f5beeccc51f51b7530cc4deaa9975fd62f0f4d13203d8018349813c13a623c655f975d186d97a435d7381b09093ae

Download Submit
C:\Windows\{D1E0FE7D-8BAB-463a-920E-B13B82353984}.exe

Filesize
197KB

MD5
ce9301ed5bc056a112c543eb7b958da2

SHA1
d187d02ea32e13099b7a30678b9d89e18238f5cb

SHA256
113576987e7e02dda36563e382d853e0deb79481822a93b0d500d00ee6984d05

SHA512
a15921e62b1dc7fb3adadc366a39ce056e09292dd18cd3384ef3338fb9786efbec2d0fa6ece5a9aba9b56c5641057af49288cc7fab36a41857305fbf8f3f85f9

Download Submit
C:\Windows\{D3E07101-2247-4ccd-BB82-12E7043A2D3E}.exe

Filesize
197KB

MD5
e67ede24a1ec7fec78dd30676790d4e9

SHA1
f8bda64a159ce62b854368b6b422c4777ea8047a

SHA256
3939834812efbd7915bda0f6a79806adcf10764d4f33197a193d360055a70054

SHA512
a67cd4ab1c5329d577ba5a50c06c8e207007376bd5d06842bd62ef15fe5dca652353a206818225fd685107f623852a12289ab069bde6faaa353503e2d7b91007

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads