c9921d243740c91708e20fc01a61aefd0ac7b2d56d1cc211ceeddf6a117d65ec

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Size

408KB
MD5

2e558f98600c58e382ab1a0159d3f58c
SHA1

3edacc46ef239c3af4cff01829c6df9325504d7b
SHA256

c9921d243740c91708e20fc01a61aefd0ac7b2d56d1cc211ceeddf6a117d65ec
SHA512

44a37e8f70409fa91bb30b745e7693f08b312ab9cd4d57cdb7b5187149e12bdf5dd236c5a7e5b8e0d7cde5cc51c1c374a6f649a0a28c2d2eb683991e0d80ea42
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 20 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022d04-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d04-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231fc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000231fc-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231fc-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231fc-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}\stubpath = "C:\\Windows\\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe"	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B883D6-982E-43a9-9CC0-C31C3A40F979}\stubpath = "C:\\Windows\\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe"	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936396CC-3571-4376-9C57-C8A7F26602F3}\stubpath = "C:\\Windows\\{936396CC-3571-4376-9C57-C8A7F26602F3}.exe"	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}\stubpath = "C:\\Windows\\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe"	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE96A6B5-8154-4ef7-8215-1FE04633244D}	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE96A6B5-8154-4ef7-8215-1FE04633244D}\stubpath = "C:\\Windows\\{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe"	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}\stubpath = "C:\\Windows\\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe"	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECE460CC-2782-48ca-9E86-08BD62C791F5}	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}\stubpath = "C:\\Windows\\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe"	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}\stubpath = "C:\\Windows\\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe"	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B30CA1F-7551-450e-974B-258F71E6B3AD}	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EEA982-BB79-465b-8241-1CF286AAA088}\stubpath = "C:\\Windows\\{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe"	{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936396CC-3571-4376-9C57-C8A7F26602F3}	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B883D6-982E-43a9-9CC0-C31C3A40F979}	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B30CA1F-7551-450e-974B-258F71E6B3AD}\stubpath = "C:\\Windows\\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe"	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}\stubpath = "C:\\Windows\\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe"	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0EEA982-BB79-465b-8241-1CF286AAA088}	{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECE460CC-2782-48ca-9E86-08BD62C791F5}\stubpath = "C:\\Windows\\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe"	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe

Executes dropped EXE 12 IoCs

pid	Process
696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
4288	{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
604	{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
File created	C:\Windows\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
File created	C:\Windows\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
File created	C:\Windows\{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe	{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
File created	C:\Windows\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
File created	C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
File created	C:\Windows\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
File created	C:\Windows\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
File created	C:\Windows\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
File created	C:\Windows\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
File created	C:\Windows\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
File created	C:\Windows\{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
Token: SeIncBasePriorityPrivilege	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
Token: SeIncBasePriorityPrivilege	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
Token: SeIncBasePriorityPrivilege	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
Token: SeIncBasePriorityPrivilege	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
Token: SeIncBasePriorityPrivilege	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
Token: SeIncBasePriorityPrivilege	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
Token: SeIncBasePriorityPrivilege	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
Token: SeIncBasePriorityPrivilege	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
Token: SeIncBasePriorityPrivilege	4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
Token: SeIncBasePriorityPrivilege	4288	{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 696	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	96
PID 4664 wrote to memory of 696	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	96
PID 4664 wrote to memory of 696	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	96
PID 4664 wrote to memory of 4244	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	95
PID 4664 wrote to memory of 4244	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	95
PID 4664 wrote to memory of 4244	4664	2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe	95
PID 696 wrote to memory of 1568	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	98
PID 696 wrote to memory of 1568	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	98
PID 696 wrote to memory of 1568	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	98
PID 696 wrote to memory of 2472	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	97
PID 696 wrote to memory of 2472	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	97
PID 696 wrote to memory of 2472	696	{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe	97
PID 1568 wrote to memory of 4392	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	101
PID 1568 wrote to memory of 4392	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	101
PID 1568 wrote to memory of 4392	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	101
PID 1568 wrote to memory of 1664	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	100
PID 1568 wrote to memory of 1664	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	100
PID 1568 wrote to memory of 1664	1568	{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe	100
PID 4392 wrote to memory of 5092	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	103
PID 4392 wrote to memory of 5092	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	103
PID 4392 wrote to memory of 5092	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	103
PID 4392 wrote to memory of 5056	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	102
PID 4392 wrote to memory of 5056	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	102
PID 4392 wrote to memory of 5056	4392	{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe	102
PID 5092 wrote to memory of 2808	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	105
PID 5092 wrote to memory of 2808	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	105
PID 5092 wrote to memory of 2808	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	105
PID 5092 wrote to memory of 3708	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	104
PID 5092 wrote to memory of 3708	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	104
PID 5092 wrote to memory of 3708	5092	{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe	104
PID 2808 wrote to memory of 5072	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	107
PID 2808 wrote to memory of 5072	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	107
PID 2808 wrote to memory of 5072	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	107
PID 2808 wrote to memory of 2756	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	106
PID 2808 wrote to memory of 2756	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	106
PID 2808 wrote to memory of 2756	2808	{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe	106
PID 5072 wrote to memory of 4336	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	109
PID 5072 wrote to memory of 4336	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	109
PID 5072 wrote to memory of 4336	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	109
PID 5072 wrote to memory of 4332	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	108
PID 5072 wrote to memory of 4332	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	108
PID 5072 wrote to memory of 4332	5072	{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe	108
PID 4336 wrote to memory of 3560	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	111
PID 4336 wrote to memory of 3560	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	111
PID 4336 wrote to memory of 3560	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	111
PID 4336 wrote to memory of 3420	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	110
PID 4336 wrote to memory of 3420	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	110
PID 4336 wrote to memory of 3420	4336	{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe	110
PID 3560 wrote to memory of 1584	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	113
PID 3560 wrote to memory of 1584	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	113
PID 3560 wrote to memory of 1584	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	113
PID 3560 wrote to memory of 5032	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	112
PID 3560 wrote to memory of 5032	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	112
PID 3560 wrote to memory of 5032	3560	{936396CC-3571-4376-9C57-C8A7F26602F3}.exe	112
PID 1584 wrote to memory of 4960	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	114
PID 1584 wrote to memory of 4960	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	114
PID 1584 wrote to memory of 4960	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	114
PID 1584 wrote to memory of 2512	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	115
PID 1584 wrote to memory of 2512	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	115
PID 1584 wrote to memory of 2512	1584	{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe	115
PID 4960 wrote to memory of 4288	4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe	116
PID 4960 wrote to memory of 4288	4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe	116
PID 4960 wrote to memory of 4288	4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe	116
PID 4960 wrote to memory of 3472	4960	{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_2e558f98600c58e382ab1a0159d3f58c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4244
- C:\Windows\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
  C:\Windows\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ECE46~1.EXE > nul
    3⤵
    PID:2472
- - C:\Windows\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
    C:\Windows\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{647A6~1.EXE > nul
      4⤵
      PID:1664
  - - C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
      C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B88~1.EXE > nul
        5⤵
        
        PID:5056
    - - C:\Windows\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
        
        C:\Windows\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FAA6~1.EXE > nul
        6⤵
        
        PID:3708
      - C:\Windows\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
        
        C:\Windows\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B30C~1.EXE > nul
        7⤵
        
        PID:2756
        
        C:\Windows\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
        
        C:\Windows\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1AB~1.EXE > nul
        8⤵
        
        PID:4332
        
        C:\Windows\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
        
        C:\Windows\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11E6F~1.EXE > nul
        9⤵
        
        PID:3420
        
        C:\Windows\{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
        
        C:\Windows\{936396CC-3571-4376-9C57-C8A7F26602F3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93639~1.EXE > nul
        10⤵
        
        PID:5032
        
        C:\Windows\{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
        
        C:\Windows\{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
        
        C:\Windows\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
        
        C:\Windows\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5223F~1.EXE > nul
        13⤵
        
        PID:1612
        
        C:\Windows\{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe
        
        C:\Windows\{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe
        13⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF72~1.EXE > nul
        12⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE96A~1.EXE > nul
        11⤵
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11E6F2B4-048B-4ae5-996A-45CDFD8515B6}.exe

Filesize
408KB

MD5
a2ff7734919f8fdb6bc87f50e3595f35

SHA1
f94dfd7f5ede73bf0e5f48557803b2281bbc153b

SHA256
c2e6b745da91b03cc6fec45181014bc88ca3170bc99118738769c4bda4c322b6

SHA512
78ea044c381f9d9daf13ef6f7d4ab4f61f0086da829b2f379236f750953f484c82f7d217821d2c889d06566ba4e65c0def1977a0476ff2c270cd10a1fa53c72e

Download Submit
C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe

Filesize
73KB

MD5
0331ff20ddb8af6627e7d9477ac025f8

SHA1
d200747d8fe473877daf1a75b1104a89fc805e3d

SHA256
dc57becb07a99ec93c570d94026c266d19696d5fdeb4bdc6af05f01ca73b14ae

SHA512
18b5d3f29fb44c04c8bf2cc5a68bcdfcff1a4861627fbe641f2beb2840e53adaddfeb69495b42c0022a7cc7057131997a1637fe46c3b75f007f20a0f6f6360db

Download Submit
C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe

Filesize
13KB

MD5
9ab56a095ed96ca2730b62029cd182f2

SHA1
23a8a0f425148013b9a262c6a15896a8bd7e530f

SHA256
ca987224202fa8b38278da126c15ab64d89e6e15f276774e6edda1df72cd9d30

SHA512
5d40441e2efb3ff23e03bd357915ea480cc12d7bfb5e309abc563b9f74b6efedd6a9ad0eaf479feb61d5a82df626f07a55a3f410cd3427929f7f0fa59031c5a2

Download Submit
C:\Windows\{17B883D6-982E-43a9-9CC0-C31C3A40F979}.exe

Filesize
57KB

MD5
20a1d50cc34ef456355a0a82ec6dd4f1

SHA1
97613e3063a274f0c2a23a5c5c3a1920649cede9

SHA256
7c2c5cc639a22e4fdb1c647a29482ca62b822190598b0119a8d77c7ebd7760ee

SHA512
1382921588747f178ca2c20f2fbad35d591cfda6a41870cb28d30d9a412d1aa0ea2f3e85575e51dd01bd696c3b706fc3091b016e79bc704dea977b936c1ca9e1

Download Submit
C:\Windows\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe

Filesize
75KB

MD5
c58e4031b274d8735e709f7b8dccd7d3

SHA1
8cff42ff8476516087be210dee17b46c17c67e6a

SHA256
03d7b0ee3434b58f488b5851f7b6d8f474c79d5bf22a0c76830e3648c049337d

SHA512
1e356e94a5e3f956b42791fd06088c74ee1e139269004ff4263297991785900d67c9e470ccf335ca288cf94cca0062ec22e9a73ab36c208e6894d05723bdf8c6

Download Submit
C:\Windows\{1B30CA1F-7551-450e-974B-258F71E6B3AD}.exe

Filesize
57KB

MD5
b156b47a4f5181a55cafe2fc40f47d1d

SHA1
e8d2a5b5b98bceee2de2b8143ea6e2ebc6230f13

SHA256
fa22ba2aea7ac80285f36f83b0dceb454f76c9972a9be6b6f813f3c7b4d5d11e

SHA512
0fe5bf5e3bea6997f9a080ba9c9b0e0e6f89d89f3a632f852a7d2f79e02f16da8bca769eaf4845d0c9d497c37a96806f7060cb258c03fef5e46a17825c6f375f

Download Submit
C:\Windows\{1CF72A47-6D2E-4cc5-8C43-976B4BDA33EC}.exe

Filesize
408KB

MD5
c0914ead7cb9d49e6e1bfed5564e2a90

SHA1
91240ebf68b7b1e3fd79278f0b3a4341bd2b0ed6

SHA256
e77aa3a5bd829753dd19cc20037cf84255e8a207362d00a38dfd050d7e20056d

SHA512
2ff192dd9f58b0651785cfca6e9a095172f8779271e2a5d096f4d2a01c92dd9d883e101959faa03fd3994e5e7f27c254e70a971146198e5321a196e33aa4b014

Download Submit
C:\Windows\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe

Filesize
112KB

MD5
caf062b8f71bb1ff067fd019c7424f74

SHA1
e09734cdd02e23049bd42dd6e306276527ba144b

SHA256
ef86381670c8e92438404961aa192c3e266a1c3680de3cbaea7ae4b716c380d9

SHA512
2e3115a015e44bb62c1bb3186b87dc0475c003ebcd43305258a948c8b6c518f51ae2864b4ddb00d2e0259b2428e2c23c895273f07f99aabcd17639da5dd3c4ac

Download Submit
C:\Windows\{3C1AB3D6-EB99-4f28-B30B-CBA2F884B8A6}.exe

Filesize
141KB

MD5
36bcc109fb940da7b2092faffd26aa26

SHA1
0bed2ee156782af4c3bdfa5d55277dda1b9dba4c

SHA256
f8e9ef6b7fe524b6eb918038527f8b1ea286546eafe7e1f61c974f5e3e89912a

SHA512
54c7e5a27ce6e10fe2dc894b2bdcb0615a4db79bd0c33ea2c9b2cb5af61480a09e17cc178939d3d5d431e26553cae16407671c2595d0d9b54c0f549c540fe389

Download Submit
C:\Windows\{5223FC38-EB8E-4f56-BCF1-8E5E26BA0A9F}.exe

Filesize
408KB

MD5
f63ba2e46d0c4ebdb6ad24af91af06ce

SHA1
291296264fc01a4deb8a95dac500cb34e9bab656

SHA256
a334c12d1211fbe9ce3051bc4ee6e10d3108704b267c04d83c3af522dc5d4762

SHA512
340c7c5352afdfb79f95abf16b2e20fa35631ec54b228748ae5a851def3136f8dadccb690be6881ce12b34b8a06c68031a1ca1ec72cfa89afa32240440a26a6c

Download Submit
C:\Windows\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe

Filesize
9KB

MD5
8ddb4b87628f8466877cd65c36fabca2

SHA1
eeba9b949395d4ae6bbbfed5047f2f0aa040bec9

SHA256
66530ce29dc181656512a08577d9eba9893eaef0c3863d1ebcc092922cb8ce2e

SHA512
7b28d2f6b83b3564286ca861811928f81cd6f31b3be73e5af9fa2ad8acc4f3b8efd592aedb026fc57a6622105a462a7971a314634ef8966eb1a8f59ba451fcf9

Download Submit
C:\Windows\{5FAA6A33-EC61-4710-B136-E4D4AF90EAC9}.exe

Filesize
57KB

MD5
4a8663d1699a21d1b366a4c60814e841

SHA1
f66b7fda89647dce3d2d82051f729fde3000494e

SHA256
06105670b9ff14e09f7c2851e6a5f723a4daf3679e6c19a285171083db03bdec

SHA512
f9fe7a070fa2f661e370038d71011b08e8a982683dc2504cf6e859a6c0833413ced55dd7bc3fbd786a9de5f5c53519aafd978e0b8dddb14f065f49e2eb828be6

Download Submit
C:\Windows\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe

Filesize
67KB

MD5
962a25c468440656c01f5dfbf93aaa93

SHA1
302e3cca1131df616a282ec1660b03d4716b75e2

SHA256
6c4cbe27c1fb878bb0dec5c6c0a82cc3134614a641e51430b1cfdf85418db322

SHA512
f951e36cb3255d90dc93069a72cacba51381857219835a3b1c71b5cddfba4ece3f71c2ff71fa7d518a49fa2567f1790b7d78c59b367528a4303acb46087ec630

Download Submit
C:\Windows\{647A6C13-1A65-46c5-B4A8-5E7F8DCBA0F2}.exe

Filesize
54KB

MD5
fd742276fadccdd480ab0f3de0b0c31b

SHA1
167ecb3a2c268749685df7ca47f2a663608d6e2f

SHA256
74608ba52d005eb01c8832e7c17d27cb54eea4d25e8878ae22547fc8b4180989

SHA512
031a164a1706d7a9812aef104ee11251095c08127bb0f5081700a7545808d4a60564f659fba6b32576339397746fc359ae02d6261b5e8457119a7351e8576f8b

Download Submit
C:\Windows\{936396CC-3571-4376-9C57-C8A7F26602F3}.exe

Filesize
408KB

MD5
4aa13d20e0d6d511271b3146759605f0

SHA1
754e8d8dff63030d9ffc89ba21b91d494682bc51

SHA256
d52e489ca5978f9b0cb6226880ae9fa168fc7c3ebceff184e3dbfea6e349c9d5

SHA512
6096f38113a31322db5addf43bc792d3faa1451c033f28e64dab02d552f38dab955bcd03cbb32d05723d044a724a0082b5db17e1bed1834d26a7493abdb5a777

Download Submit
C:\Windows\{B0EEA982-BB79-465b-8241-1CF286AAA088}.exe

Filesize
3KB

MD5
04eafd283f6bef81ba5ab78662616267

SHA1
1a02d6f0f4387084db849798617bcf2836cc3071

SHA256
7fc74cba14d7ddfad6c7f8e665371323a0d691384452c8080f544545e23773b3

SHA512
792d650b94ff0b375a2193b29494ba2d3f205c4b415e88c824f3f4f8a76edf3dc03df9e6bd5bbcfdae3f09328f5726ddf16847cc4cb37023548a521ea01496d4

Download Submit
C:\Windows\{BE96A6B5-8154-4ef7-8215-1FE04633244D}.exe

Filesize
408KB

MD5
11c552b59a6c2ce54a83a85cacd26dd2

SHA1
8e7a65f16d2febbedfca70beafecad9ebbc21e79

SHA256
e110f351f8d49e055a2e30df898b8757dc0894abe3b76f18931d139d57e03658

SHA512
f6c3d04b2c2f1efca26821b9bd02bbe43d94c456fd6fe6f1c38ac70124374c905f730e26fdfd19b2035ee26460700729ddc2ed48606db784c5cb64bc0d785456

Download Submit
C:\Windows\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe

Filesize
115KB

MD5
15bcd539af331c52c44c482ee4acc7ca

SHA1
70715d41b5ce93f1173b24ee31c4c4ebbb81a6ea

SHA256
dc8d0529a9998073f1645fab682558f7bd614e4b1f67995001ea6f30a301eba2

SHA512
bae79bac478cb70c36f4d2bf7ec452f34d3e5dcfae98785e7e218cf2e316facbe1ebeab6eae7844811f1f9ad9dae30efbad96d4dc9b2fde084ff3ccda2defc76

Download Submit
C:\Windows\{ECE460CC-2782-48ca-9E86-08BD62C791F5}.exe

Filesize
96KB

MD5
3d131a56e04ee11937cb174f3f00d34a

SHA1
8abf56188647f8a3c2001ebf0037c9d9f596f0fb

SHA256
01a6a7ecb8937becf0577b82bec4bf6af22526f944c4a93ca51a972e40295484

SHA512
9f2d75a2a6472eb53a42a5567335397698a6ed41d1d685cc771dbe2152ffef17e00585c4553fde2b2a792f5383c9de99941cb4ba4bc2ff10b3d97905c9b7354e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads