523d43cee78144d29e42d9952143cc0aa51efa38cee988abf930a0f25c03518c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
Size

380KB
MD5

1bb0cfc62c12e69b9da10f48d3a286cf
SHA1

6135afda42af7d887441542b981c6ba0e7f4397d
SHA256

523d43cee78144d29e42d9952143cc0aa51efa38cee988abf930a0f25c03518c
SHA512

986d6a0c95b7b9264d1f172869915856f91990888e1529dea9279a55a97f71b14baaacc431e2277bf204e01455bce899210a3807cae050d276bbad4da62c9d6f
SSDEEP

3072:mEGh0oBlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023225-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002322c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}	{D059954E-EB29-4db2-A49F-281B192A387C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F067BC46-A887-465e-B09B-E0908E0F6BF1}\stubpath = "C:\\Windows\\{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe"	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1089B671-208B-471e-9487-EA7FDD321E70}	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}\stubpath = "C:\\Windows\\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe"	{1089B671-208B-471e-9487-EA7FDD321E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8FA20B-3587-450b-949C-79C8A4B1A502}	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D059954E-EB29-4db2-A49F-281B192A387C}\stubpath = "C:\\Windows\\{D059954E-EB29-4db2-A49F-281B192A387C}.exe"	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}\stubpath = "C:\\Windows\\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe"	{D059954E-EB29-4db2-A49F-281B192A387C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}\stubpath = "C:\\Windows\\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe"	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}\stubpath = "C:\\Windows\\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe"	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F661B280-048D-43aa-A735-0FD241BBF025}	{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F661B280-048D-43aa-A735-0FD241BBF025}\stubpath = "C:\\Windows\\{F661B280-048D-43aa-A735-0FD241BBF025}.exe"	{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58229C5A-4197-4e79-9ED6-2509E016B573}	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58229C5A-4197-4e79-9ED6-2509E016B573}\stubpath = "C:\\Windows\\{58229C5A-4197-4e79-9ED6-2509E016B573}.exe"	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8FA20B-3587-450b-949C-79C8A4B1A502}\stubpath = "C:\\Windows\\{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe"	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}\stubpath = "C:\\Windows\\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe"	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D059954E-EB29-4db2-A49F-281B192A387C}	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA2280F8-1FF6-493c-B844-B7DE364786FD}	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA2280F8-1FF6-493c-B844-B7DE364786FD}\stubpath = "C:\\Windows\\{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe"	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F067BC46-A887-465e-B09B-E0908E0F6BF1}	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1089B671-208B-471e-9487-EA7FDD321E70}\stubpath = "C:\\Windows\\{1089B671-208B-471e-9487-EA7FDD321E70}.exe"	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}	{1089B671-208B-471e-9487-EA7FDD321E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe

Executes dropped EXE 12 IoCs

pid	Process
3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe
3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe
4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
1120	{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
372	{F661B280-048D-43aa-A735-0FD241BBF025}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
File created	C:\Windows\{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
File created	C:\Windows\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
File created	C:\Windows\{F661B280-048D-43aa-A735-0FD241BBF025}.exe	{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
File created	C:\Windows\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	{D059954E-EB29-4db2-A49F-281B192A387C}.exe
File created	C:\Windows\{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
File created	C:\Windows\{1089B671-208B-471e-9487-EA7FDD321E70}.exe	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
File created	C:\Windows\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	{1089B671-208B-471e-9487-EA7FDD321E70}.exe
File created	C:\Windows\{D059954E-EB29-4db2-A49F-281B192A387C}.exe	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
File created	C:\Windows\{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
File created	C:\Windows\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
File created	C:\Windows\{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe
Token: SeIncBasePriorityPrivilege	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
Token: SeIncBasePriorityPrivilege	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
Token: SeIncBasePriorityPrivilege	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
Token: SeIncBasePriorityPrivilege	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
Token: SeIncBasePriorityPrivilege	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe
Token: SeIncBasePriorityPrivilege	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
Token: SeIncBasePriorityPrivilege	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
Token: SeIncBasePriorityPrivilege	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
Token: SeIncBasePriorityPrivilege	2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
Token: SeIncBasePriorityPrivilege	1120	{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3460	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	96
PID 3348 wrote to memory of 3460	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	96
PID 3348 wrote to memory of 3460	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	96
PID 3348 wrote to memory of 2728	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	97
PID 3348 wrote to memory of 2728	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	97
PID 3348 wrote to memory of 2728	3348	2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe	97
PID 3460 wrote to memory of 3532	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	98
PID 3460 wrote to memory of 3532	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	98
PID 3460 wrote to memory of 3532	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	98
PID 3460 wrote to memory of 3076	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	99
PID 3460 wrote to memory of 3076	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	99
PID 3460 wrote to memory of 3076	3460	{D059954E-EB29-4db2-A49F-281B192A387C}.exe	99
PID 3532 wrote to memory of 4332	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	101
PID 3532 wrote to memory of 4332	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	101
PID 3532 wrote to memory of 4332	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	101
PID 3532 wrote to memory of 2476	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	102
PID 3532 wrote to memory of 2476	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	102
PID 3532 wrote to memory of 2476	3532	{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe	102
PID 4332 wrote to memory of 4856	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	103
PID 4332 wrote to memory of 4856	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	103
PID 4332 wrote to memory of 4856	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	103
PID 4332 wrote to memory of 3436	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	104
PID 4332 wrote to memory of 3436	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	104
PID 4332 wrote to memory of 3436	4332	{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe	104
PID 4856 wrote to memory of 4428	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	105
PID 4856 wrote to memory of 4428	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	105
PID 4856 wrote to memory of 4428	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	105
PID 4856 wrote to memory of 4688	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	106
PID 4856 wrote to memory of 4688	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	106
PID 4856 wrote to memory of 4688	4856	{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe	106
PID 4428 wrote to memory of 4652	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	107
PID 4428 wrote to memory of 4652	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	107
PID 4428 wrote to memory of 4652	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	107
PID 4428 wrote to memory of 544	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	108
PID 4428 wrote to memory of 544	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	108
PID 4428 wrote to memory of 544	4428	{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe	108
PID 4652 wrote to memory of 4996	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	109
PID 4652 wrote to memory of 4996	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	109
PID 4652 wrote to memory of 4996	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	109
PID 4652 wrote to memory of 360	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	110
PID 4652 wrote to memory of 360	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	110
PID 4652 wrote to memory of 360	4652	{1089B671-208B-471e-9487-EA7FDD321E70}.exe	110
PID 4996 wrote to memory of 1032	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	112
PID 4996 wrote to memory of 1032	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	112
PID 4996 wrote to memory of 1032	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	112
PID 4996 wrote to memory of 3552	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	111
PID 4996 wrote to memory of 3552	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	111
PID 4996 wrote to memory of 3552	4996	{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe	111
PID 1032 wrote to memory of 1848	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	113
PID 1032 wrote to memory of 1848	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	113
PID 1032 wrote to memory of 1848	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	113
PID 1032 wrote to memory of 2508	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	114
PID 1032 wrote to memory of 2508	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	114
PID 1032 wrote to memory of 2508	1032	{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe	114
PID 1848 wrote to memory of 2848	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	115
PID 1848 wrote to memory of 2848	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	115
PID 1848 wrote to memory of 2848	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	115
PID 1848 wrote to memory of 4976	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	116
PID 1848 wrote to memory of 4976	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	116
PID 1848 wrote to memory of 4976	1848	{58229C5A-4197-4e79-9ED6-2509E016B573}.exe	116
PID 2848 wrote to memory of 1120	2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe	117
PID 2848 wrote to memory of 1120	2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe	117
PID 2848 wrote to memory of 1120	2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe	117
PID 2848 wrote to memory of 1064	2848	{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_1bb0cfc62c12e69b9da10f48d3a286cf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\{D059954E-EB29-4db2-A49F-281B192A387C}.exe
  C:\Windows\{D059954E-EB29-4db2-A49F-281B192A387C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
    C:\Windows\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
      C:\Windows\{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
        
        C:\Windows\{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
        
        C:\Windows\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\{1089B671-208B-471e-9487-EA7FDD321E70}.exe
        
        C:\Windows\{1089B671-208B-471e-9487-EA7FDD321E70}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
        
        C:\Windows\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3362~1.EXE > nul
        9⤵
        
        PID:3552
        
        C:\Windows\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
        
        C:\Windows\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
        
        C:\Windows\{58229C5A-4197-4e79-9ED6-2509E016B573}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
        
        C:\Windows\{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
        
        C:\Windows\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\{F661B280-048D-43aa-A735-0FD241BBF025}.exe
        
        C:\Windows\{F661B280-048D-43aa-A735-0FD241BBF025}.exe
        13⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F74E0~1.EXE > nul
        13⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8FA~1.EXE > nul
        12⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58229~1.EXE > nul
        11⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB19~1.EXE > nul
        10⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1089B~1.EXE > nul
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED92D~1.EXE > nul
        7⤵
        
        PID:544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F067B~1.EXE > nul
        6⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA228~1.EXE > nul
        5⤵
        
        PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F14C~1.EXE > nul
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0599~1.EXE > nul
    3⤵
    PID:3076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1089B671-208B-471e-9487-EA7FDD321E70}.exe

Filesize
380KB

MD5
ee3e88e5681676a763f5e67671b5bbc0

SHA1
10ed69b450b4ed00812d2727052c7a8f9361da20

SHA256
a52787603d4152811b94bf687dd0fb039de552d9c99ed63fab68f50da1f6d87b

SHA512
9ec49a8abebc6614e8ee0b78e89f03098f4c79ec0577daf0073743aef9163580ee21054e6e77258ba66a7c75bb1dbb980dba3c17be62cc3719af6411c7e985df

Download Submit
C:\Windows\{58229C5A-4197-4e79-9ED6-2509E016B573}.exe

Filesize
380KB

MD5
b83a85afd1c0adad92e29f6db137b6ce

SHA1
0a042fd0daefb62d7cddc9312a0fba264bcabbbf

SHA256
41363cec5cda2a6f8b9f6a7baf5001f9b0853b693d88bebab7150cbbe835a18a

SHA512
64adec0756750612bcefff2f5c218177d411c0b2907eea2a6f4f33a1e1368c943a0a974f4effd11f5f97634f38a53881cf29ea1e736bf79c41f7d8b91d0fa7f6

Download Submit
C:\Windows\{6F14CAB4-BF2A-446b-A50A-F6EFF3D62886}.exe

Filesize
380KB

MD5
25eaf3ec42cf5de646a146c09738d880

SHA1
765a139086cbbaf8f100b51c4530dfe543993ed3

SHA256
3765bee9f0b61fc24a686dba06b5cd2383191b8742a1cc21e0bf1003ec25fdb0

SHA512
778e799e4dc3c297917f519f81b7a6eef1600b0141352312cc8e8ef72e2e39e1536e834613fde41c3ce78e75d8b177269eea22bd71cd5b8b1eaac20b9a7f1d86

Download Submit
C:\Windows\{8B8FA20B-3587-450b-949C-79C8A4B1A502}.exe

Filesize
380KB

MD5
42ced2183b2374c7645eeb0dc498e787

SHA1
a40de4da0e125db6f78fc8c1982db8de119cfea2

SHA256
48790c2c70d8cea0364fd82fe28f869d34fc320c7019d7e6bee014113a6313b5

SHA512
457f922b10821f5c7e5a610fa2fe10a0f5cab166d0a983af507dea8c89d984b7dfba9ef1338a1a26c9886f9ea9214072424f48fa799d3b25d2e294629844cab5

Download Submit
C:\Windows\{CDB19558-C03C-4a0c-92F5-E73619F6DF6C}.exe

Filesize
380KB

MD5
f0af14f6cee3bd0ec6e3e889c3a5cbdc

SHA1
c7ec1d253089bfeb3e0ba3e74fe248151ad4c5ab

SHA256
f52d8549be2f1e8f5cca238bf9b2da75dd8b7fea4329ca0911c6f9f8ee3f7547

SHA512
1cbb308e16d615752df31515c8c3b99f22f20621e4e6a61c9762db2df67f423d00fc5eecee48aa415b5fed47e39886678068bd9e42a559d035ef22c15dc47177

Download Submit
C:\Windows\{D059954E-EB29-4db2-A49F-281B192A387C}.exe

Filesize
380KB

MD5
d3f763511e21605af3ee95af4d8ca71a

SHA1
704a4e3b8b8af65fe22f1116d0b7b2f86be90316

SHA256
ba5f648592ab743584264351175131062e9c23135acd6ab5c4c72f1c1ace0440

SHA512
18370c9b21941e90f818078d63a68dc89d1f6816175d4132cf7aadf0ace836c5722d258b736ea766a1906a12c8ef006d6d3342dd123f25b696ff893e68e4fd03

Download Submit
C:\Windows\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe

Filesize
380KB

MD5
26e459ffe230f9794c1157b9082db319

SHA1
cdc9766f2f173b253296d7b6de057dd6c9fc9d96

SHA256
e41dac0d4dd97388c187d1add26e8118b9c555f344b2bc761b0e867dc6a5a6b3

SHA512
0e4e223bdfe93e85308a341feef3f427758042f08ffe7dac6632b7eef8330be28c08f229f25128033e37ce05753d570f3e16c2126f4baed6cfcdd881c4491eb2

Download Submit
C:\Windows\{E336206F-F64D-4d12-9CCF-C1D9EEC7C7D7}.exe

Filesize
221KB

MD5
7e8a2bfb4dfed72caed134189c697675

SHA1
f741a505aa0f6fc40055bfc24e02d45aa1168159

SHA256
4e1b15ddfe68bd6d6252deeb2a69dec0ad8522596627488d64dba919ed7b76ae

SHA512
5b77066227e600ac2d4f4c027343a4da8998dcec9576c36d31bcf3d0466735c51f2bae950a212f1af66b31b4a6068831239c3756847ea9f5ce7670935af7a992

Download Submit
C:\Windows\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe

Filesize
169KB

MD5
5b30df490094aa0091533f8e02f38a4a

SHA1
a9cd13aad84bca15bf6a613bcbfff89f47667710

SHA256
299b4b7a4f37a0d639fa6edd0d62b8e109a20ee5b175308ebc80c99675f86a88

SHA512
285d380252e8d2597438756f4d9b68ad36cc43eef2f7dc41ffe1c54c47115c990acc0167630f180f82ae2b22094f6e425c60f8412a1c2fdba9e3402925f529cb

Download Submit
C:\Windows\{ED92D35C-CF99-43e1-85FC-1B9D70EDCA87}.exe

Filesize
282KB

MD5
60d8d58c77ffa095db6c9a74186d7f4d

SHA1
b52bd00728cb148c6bdea5b76c591cb7c155131a

SHA256
33aca62df549a78af4c0cec80d4a68152bcbe97644f9f48dd1da73dba7c404d9

SHA512
9294e5e9ccd3f8bc636f0a8f4a29a0e915c3b64dbe93c8492253c214450eeaa9d2171cc421dd86187a23412a7de938b6b5dd1a4d9a45a681e0ce93c4d850a1dc

Download Submit
C:\Windows\{F067BC46-A887-465e-B09B-E0908E0F6BF1}.exe

Filesize
380KB

MD5
250e7f4a9383f515a00c5a02c4c8e03a

SHA1
e564f0e9078675af0f0ec20a818d14cdf8136645

SHA256
c06883c7ba21da6d31b65bb19514fd69094bee31aa18ddfe1b6ef31fc5cbfbc3

SHA512
51769ec2fd291fbc5fdeabc2510e9d37ceb3dfbee50a73ce9fee23aaad5771a1331bdbbec59bb41b81e49ee311ed599d05dd84a12755acb3b2d7909c95ab4523

Download Submit
C:\Windows\{F661B280-048D-43aa-A735-0FD241BBF025}.exe

Filesize
380KB

MD5
8e9fac3a15fa3f8083d502901347c2cf

SHA1
cacf8db126ca73e94b934bb012e9c3c19e0100f6

SHA256
009036d39d38d56f2a296fd4e6d8e42b989271e56de7936ae1d2ea4cfaada4c3

SHA512
3b776f36150949160a4b169a820b3e16ab7f53897ea43792294cde837441149fc94fe5aec03bbe6eacf25a2334677de9942c135f804a71adaacdbad5150b9cce

Download Submit
C:\Windows\{F74E049E-F44F-4dcf-82A0-BAC95E22E449}.exe

Filesize
380KB

MD5
65fb6d8cffb42076a18c1dfaf7de67dc

SHA1
d293a4af0998ee8743742c040017010430bdeaaf

SHA256
bf604b0a79b9a8d54912a7737fc8de67e0833fade69de1d0e3c9e102e61d3542

SHA512
5184b32edb419553285ab00d2169b268f70e5f90b2ac47ada03b81605c75e2ae87e57fa30ea570b489dff6a589a02e670aed0297435bb1da11a28b0e3d7b50cc

Download Submit
C:\Windows\{FA2280F8-1FF6-493c-B844-B7DE364786FD}.exe

Filesize
380KB

MD5
310ec4bb27d6da6a451926de444d30f5

SHA1
52516022217f0316e02373e19335f5944ada4561

SHA256
9d84f1cb09fe9c0d312dbb016238c13a1e3f06d06318f218dd8e01400cf69492

SHA512
dabea48f5ec6ccb2b9c9450165a9e6da86d9bba9c36cfc102c2fcbfb4d45c0b30ab5927cba61ab8c691f504967abdeac74cb233b726a320afa7d49304ed88fa4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads