1ae5bd86edc6f4a7a712bb7d54d7c1372c0f5bb54feac840e48d1ee35a7299d1

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Size

380KB
MD5

adc3dbf65584279e11da53aac8740bcf
SHA1

0a2018db9ecfef5036cbd8c0388ea405de574e1f
SHA256

1ae5bd86edc6f4a7a712bb7d54d7c1372c0f5bb54feac840e48d1ee35a7299d1
SHA512

65ece10a67c59fe2507aac0e7e67be4ea71ceb3bc905a45d2a9d7fb675076fa13ac5d51942ae2fb902a6da68b748c8b15f7107268d70685f318c8110408a8e2f
SSDEEP

3072:mEGh0oMlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGSl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002322e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023235-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002322e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5725450-5C4B-44de-828D-D1418DB1D5EF}	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}\stubpath = "C:\\Windows\\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe"	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855B4EA8-1152-43cf-A5DF-29A380A85974}\stubpath = "C:\\Windows\\{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe"	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}\stubpath = "C:\\Windows\\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe"	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}\stubpath = "C:\\Windows\\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe"	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85BBAD76-4751-4f6d-AE67-54EA8C762308}	{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E619259B-C382-4e8b-82FF-B19172FFC23D}\stubpath = "C:\\Windows\\{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe"	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E619259B-C382-4e8b-82FF-B19172FFC23D}	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA449C95-3603-415b-BA1A-4C00858ABF7E}\stubpath = "C:\\Windows\\{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe"	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}\stubpath = "C:\\Windows\\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe"	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FF8D93-DF0C-473a-8358-F70C854C423A}\stubpath = "C:\\Windows\\{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe"	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85BBAD76-4751-4f6d-AE67-54EA8C762308}\stubpath = "C:\\Windows\\{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe"	{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855B4EA8-1152-43cf-A5DF-29A380A85974}	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}\stubpath = "C:\\Windows\\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe"	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}\stubpath = "C:\\Windows\\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe"	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA449C95-3603-415b-BA1A-4C00858ABF7E}	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4FF8D93-DF0C-473a-8358-F70C854C423A}	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5725450-5C4B-44de-828D-D1418DB1D5EF}\stubpath = "C:\\Windows\\{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe"	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
4380	{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
3248	{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
File created	C:\Windows\{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
File created	C:\Windows\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
File created	C:\Windows\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
File created	C:\Windows\{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
File created	C:\Windows\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
File created	C:\Windows\{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe	{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
File created	C:\Windows\{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
File created	C:\Windows\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
File created	C:\Windows\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
File created	C:\Windows\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
File created	C:\Windows\{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
Token: SeIncBasePriorityPrivilege	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
Token: SeIncBasePriorityPrivilege	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
Token: SeIncBasePriorityPrivilege	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
Token: SeIncBasePriorityPrivilege	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
Token: SeIncBasePriorityPrivilege	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
Token: SeIncBasePriorityPrivilege	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
Token: SeIncBasePriorityPrivilege	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
Token: SeIncBasePriorityPrivilege	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
Token: SeIncBasePriorityPrivilege	2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
Token: SeIncBasePriorityPrivilege	4380	{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1916	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	97
PID 3040 wrote to memory of 1916	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	97
PID 3040 wrote to memory of 1916	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	97
PID 3040 wrote to memory of 2944	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	98
PID 3040 wrote to memory of 2944	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	98
PID 3040 wrote to memory of 2944	3040	2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe	98
PID 1916 wrote to memory of 4556	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	99
PID 1916 wrote to memory of 4556	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	99
PID 1916 wrote to memory of 4556	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	99
PID 1916 wrote to memory of 2848	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	100
PID 1916 wrote to memory of 2848	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	100
PID 1916 wrote to memory of 2848	1916	{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe	100
PID 4556 wrote to memory of 3196	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	102
PID 4556 wrote to memory of 3196	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	102
PID 4556 wrote to memory of 3196	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	102
PID 4556 wrote to memory of 3300	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	103
PID 4556 wrote to memory of 3300	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	103
PID 4556 wrote to memory of 3300	4556	{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe	103
PID 3196 wrote to memory of 4288	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	104
PID 3196 wrote to memory of 4288	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	104
PID 3196 wrote to memory of 4288	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	104
PID 3196 wrote to memory of 2792	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	105
PID 3196 wrote to memory of 2792	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	105
PID 3196 wrote to memory of 2792	3196	{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe	105
PID 4288 wrote to memory of 1972	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	106
PID 4288 wrote to memory of 1972	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	106
PID 4288 wrote to memory of 1972	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	106
PID 4288 wrote to memory of 448	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	107
PID 4288 wrote to memory of 448	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	107
PID 4288 wrote to memory of 448	4288	{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe	107
PID 1972 wrote to memory of 4764	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	108
PID 1972 wrote to memory of 4764	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	108
PID 1972 wrote to memory of 4764	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	108
PID 1972 wrote to memory of 2300	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	109
PID 1972 wrote to memory of 2300	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	109
PID 1972 wrote to memory of 2300	1972	{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe	109
PID 4764 wrote to memory of 3572	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	110
PID 4764 wrote to memory of 3572	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	110
PID 4764 wrote to memory of 3572	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	110
PID 4764 wrote to memory of 3740	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	111
PID 4764 wrote to memory of 3740	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	111
PID 4764 wrote to memory of 3740	4764	{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe	111
PID 3572 wrote to memory of 3068	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	112
PID 3572 wrote to memory of 3068	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	112
PID 3572 wrote to memory of 3068	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	112
PID 3572 wrote to memory of 2916	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	113
PID 3572 wrote to memory of 2916	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	113
PID 3572 wrote to memory of 2916	3572	{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe	113
PID 3068 wrote to memory of 3324	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	114
PID 3068 wrote to memory of 3324	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	114
PID 3068 wrote to memory of 3324	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	114
PID 3068 wrote to memory of 2612	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	115
PID 3068 wrote to memory of 2612	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	115
PID 3068 wrote to memory of 2612	3068	{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe	115
PID 3324 wrote to memory of 2576	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	116
PID 3324 wrote to memory of 2576	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	116
PID 3324 wrote to memory of 2576	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	116
PID 3324 wrote to memory of 368	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	117
PID 3324 wrote to memory of 368	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	117
PID 3324 wrote to memory of 368	3324	{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe	117
PID 2576 wrote to memory of 4380	2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe	118
PID 2576 wrote to memory of 4380	2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe	118
PID 2576 wrote to memory of 4380	2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe	118
PID 2576 wrote to memory of 2164	2576	{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_adc3dbf65584279e11da53aac8740bcf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
  C:\Windows\{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
    C:\Windows\{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
      C:\Windows\{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
        
        C:\Windows\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
        
        C:\Windows\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
        
        C:\Windows\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
        
        C:\Windows\{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
        
        C:\Windows\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
        
        C:\Windows\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
        
        C:\Windows\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
        
        C:\Windows\{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe
        
        C:\Windows\{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe
        13⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4FF8~1.EXE > nul
        13⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC88~1.EXE > nul
        12⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEEF3~1.EXE > nul
        11⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A07B~1.EXE > nul
        10⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA449~1.EXE > nul
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{380AB~1.EXE > nul
        8⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A59~1.EXE > nul
        7⤵
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D76F2~1.EXE > nul
        6⤵
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5725~1.EXE > nul
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6192~1.EXE > nul
      4⤵
      PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{855B4~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FC88ECC-6612-48f3-BA3F-1D37C38D5DC1}.exe

Filesize
380KB

MD5
1188fdfc69a42932558389f41c06b2c0

SHA1
bf90b93fbc1af140348f8de59b766ef5b9f87ddd

SHA256
17f02949781c03e36d1d74124dfb0d96842603d78aec011703c20eaa49d0e6d9

SHA512
2cf8762c8c88ca58be074e68cbfb6197eace0da73bbbc52422655909a1dc4d8492bcf21afc3445d3964c2a14bce3bb5e03a97e98af53ad7635da2b76a4d67d84

Download Submit
C:\Windows\{380AB388-3C80-4d16-AA7E-A11E7FDC76FC}.exe

Filesize
380KB

MD5
07e955446527bd3d6bdc48903f1dca65

SHA1
44adf654496d30051e8904d3992481596b0d5c12

SHA256
0783cca0cfa5d8e7016c4257f2a12f895f3bcc161bf7a0703bcb99998bc597fe

SHA512
b202603a1a8b633051b07204ac0e5eff06a02630f84eace6e04ff5f8bebaae2e10a3bc863b637d4aa3b527d3339c2384688afe1003f00c512cde9f45cd70e1b7

Download Submit
C:\Windows\{855B4EA8-1152-43cf-A5DF-29A380A85974}.exe

Filesize
380KB

MD5
ce9aa2f171749c8d267f7e9815c7440e

SHA1
cb10ee45eb1324370442293844ea8190f2261749

SHA256
203b330f2ddf60030b5502dc7f4584d7c0e160cf7ec3f6fe32f353d54288f880

SHA512
74e1fbb67883c15e1a73009bdf6b688f6b3e61848db0bb7fb351cde69077acf4fcbf0824f5e7caa921b1a60464562b6a824111707749b475b15087ffc0c1a919

Download Submit
C:\Windows\{85BBAD76-4751-4f6d-AE67-54EA8C762308}.exe

Filesize
380KB

MD5
bb92ad823d8b5409dd05b27e2b9c923a

SHA1
d822e22479fb392f8db33f3bbd996f044c2ce912

SHA256
2b0a3a2e7e95a68c372915b3374c656db250ab4d90b10f94a4d2a8356917fcf3

SHA512
4a9b180a3d9024e7e2af059c13ceb43b938a0b41c79e5973e449b81e43edbee66432e0902718f42e7558fc4752c999ce09605a08091769a5bcea1c21192ddbe2

Download Submit
C:\Windows\{9A07BAE3-A4B7-4d63-92B1-B8BCE29C525B}.exe

Filesize
380KB

MD5
c251d6881506c556897504acfa84f218

SHA1
de279cae700b3909ead31f68975a928391052802

SHA256
551aa6730065f5f8039ebff7ba278eacd048d314610c9aacc19488d49f70094e

SHA512
2aef6a49a76dc3e68c401c9249e25d8e155e66baa7295d91261ac9f648ba63d0771302349d0ada8c6eb3ec99e50b1623b2f60387716a9ad384accb81a42d095b

Download Submit
C:\Windows\{A5725450-5C4B-44de-828D-D1418DB1D5EF}.exe

Filesize
380KB

MD5
97abcb8e2014a4e231a7df6885d8f716

SHA1
92ad691b6e3cf846f6dfd28d481364f31353d00b

SHA256
7e0103d8a92b03922ff1f5fc043f993d927700b5d61c44859b623b6724f0905b

SHA512
22bd9fe618dd73daf55d208ed1c4cbfb738aafe7c0ba15c0c737648373a36a63ad59dbdf6763a41a2b6dd90a349d89b7403fa9125a2e878a0fe5ff035e528082

Download Submit
C:\Windows\{B8A596C3-EB66-4f6d-90B6-FC99EF5765DF}.exe

Filesize
380KB

MD5
53c860aa5752a97e3ef58c050285914a

SHA1
97564172c48b06d532586188f1bfac6e3f07665d

SHA256
b52451b66bd2a6b5b3f71161a819fbb3430e08d5cbf4c639dc3e5720e48ae89c

SHA512
ca54256a493f52d662ff466ccb3a55d1d3c86bff61eaa8f59aec95edbf94c39a8005d6abab3731d62bec2d9d3675c92692477be147d98e5986d1490f038a7b09

Download Submit
C:\Windows\{CA449C95-3603-415b-BA1A-4C00858ABF7E}.exe

Filesize
380KB

MD5
fb4bd2065141c76252a82c23a9acb033

SHA1
3f30b68af71e8fef48883afad921533597922f1e

SHA256
f13042b3f314d983b94545a2e0f96e99837467eaac41f5d0a598457b76913c43

SHA512
605f6136e02101b750d045e558b9204af04c767cff28efb7d52a01fe77e93d01278b39436f19caaf2833fd63df9b081a2f4e3ff05f8879be90a3fa95d96c069a

Download Submit
C:\Windows\{D76F2A08-DD0F-4ecf-ABBA-CEFEADCF2A37}.exe

Filesize
380KB

MD5
33a4562a2357089d72dc7bfeaf399711

SHA1
6a1593e6906790ad38fb55d46bf1cb8688cd4c00

SHA256
32ee085bc14e8e6a760b32cbd6767d55407be42cec1c8bba04e9c51da728ab88

SHA512
123889df6751e8255c10e4f35395696972df6274f4f2d8666263900c9a4e7c7ed06dc3cba9ebfa9ab6fb46a5473670548adbef5500bb1889d8aa0da22476111c

Download Submit
C:\Windows\{DEEF3B99-144A-4961-88AA-18B4EEFE6F8F}.exe

Filesize
380KB

MD5
5bebb13a833b168d9d7ce6aace218e28

SHA1
616a0bdcbe67241b47ed6dd5da67b94eed62470c

SHA256
ebb27509931775abc8e55e3715541d5ee083ca5a3b20d82a4a08264eb70741af

SHA512
1d7c4476e362a821a376195ee64f1d14a1ebfcf0e56fdbcebf38ebbac3c969822e73504fd6a57e216fd14513f05e63360d19541214aeaa3e640aa65933f92372

Download Submit
C:\Windows\{E4FF8D93-DF0C-473a-8358-F70C854C423A}.exe

Filesize
380KB

MD5
8b787b1d39a9eeb079fe83234be8c0a8

SHA1
2cfa4ebcf1622b1e3a68e122c568b90a531d3a74

SHA256
bd4b4cf4217b1be7850ce89697db62f23b003f9b6c8945dda60d0618d320be8c

SHA512
16d2416c28b626967718d772024a2699844b858a64d5592d10e057c28f0cdbd306dfc9109dcc4a6755a9b619bf56078e5fa97583754f5ddd8653d37da4e2c64e

Download Submit
C:\Windows\{E619259B-C382-4e8b-82FF-B19172FFC23D}.exe

Filesize
380KB

MD5
eab5e8ab5b345fc78cb59b881a44e89a

SHA1
ffac33a6951edab1a86c1afb615a09018eeba308

SHA256
17b48486e8255a87de74c2e456f3623e047bd647e054f3525f404be22f810b09

SHA512
973527bc65334de1c306082e3beb35074d8aa5486e846547009bd3146a6452c87bae7918b124943657fcc4076b48be379e781be9d2ae533b923fa6297b771733

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads