7b19486c6c256918bd8991acbd894732af6b5cd474c8e9b67c1a1f1431601bbc

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
Size

197KB
MD5

bdd2bfca38ebe5a3d376dd501bef41f6
SHA1

ee0fb6e93430e9ceb90bc348faf40ded9c7a1bad
SHA256

7b19486c6c256918bd8991acbd894732af6b5cd474c8e9b67c1a1f1431601bbc
SHA512

a68c3e4910bcc6a8e91b1703ffbd76f2da9b197887fe29805caee7ff567a5f2fbdc0b5a0c02ebe10d9e35bb06b738a1a5c4cca5869e54f81ddc7f4fb15b504e0
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG5lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022721-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023220-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023227-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023220-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023227-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002177b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002177d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}\stubpath = "C:\\Windows\\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe"	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}\stubpath = "C:\\Windows\\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe"	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FE0C36-C5F7-4261-B96D-53454E940AE5}\stubpath = "C:\\Windows\\{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe"	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9760F587-9860-4876-B493-883D303A311A}	{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760DB335-64F1-49db-948C-359E27BADA2D}	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FE0C36-C5F7-4261-B96D-53454E940AE5}	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE2276B-8E29-419b-8383-652EBE96F4EA}	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}\stubpath = "C:\\Windows\\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe"	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}	{760DB335-64F1-49db-948C-359E27BADA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}\stubpath = "C:\\Windows\\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe"	{760DB335-64F1-49db-948C-359E27BADA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6046CAFB-82CC-46b5-AC73-A0F92A627025}\stubpath = "C:\\Windows\\{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe"	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}\stubpath = "C:\\Windows\\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe"	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9760F587-9860-4876-B493-883D303A311A}\stubpath = "C:\\Windows\\{9760F587-9860-4876-B493-883D303A311A}.exe"	{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}\stubpath = "C:\\Windows\\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe"	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760DB335-64F1-49db-948C-359E27BADA2D}\stubpath = "C:\\Windows\\{760DB335-64F1-49db-948C-359E27BADA2D}.exe"	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}\stubpath = "C:\\Windows\\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe"	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6046CAFB-82CC-46b5-AC73-A0F92A627025}	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFE2276B-8E29-419b-8383-652EBE96F4EA}\stubpath = "C:\\Windows\\{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe"	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe

Executes dropped EXE 12 IoCs

pid	Process
2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe
3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe
4184	{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
2364	{9760F587-9860-4876-B493-883D303A311A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
File created	C:\Windows\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
File created	C:\Windows\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
File created	C:\Windows\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
File created	C:\Windows\{9760F587-9860-4876-B493-883D303A311A}.exe	{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
File created	C:\Windows\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
File created	C:\Windows\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
File created	C:\Windows\{760DB335-64F1-49db-948C-359E27BADA2D}.exe	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
File created	C:\Windows\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	{760DB335-64F1-49db-948C-359E27BADA2D}.exe
File created	C:\Windows\{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
File created	C:\Windows\{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
File created	C:\Windows\{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
Token: SeIncBasePriorityPrivilege	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
Token: SeIncBasePriorityPrivilege	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
Token: SeIncBasePriorityPrivilege	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
Token: SeIncBasePriorityPrivilege	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe
Token: SeIncBasePriorityPrivilege	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
Token: SeIncBasePriorityPrivilege	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
Token: SeIncBasePriorityPrivilege	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
Token: SeIncBasePriorityPrivilege	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
Token: SeIncBasePriorityPrivilege	3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe
Token: SeIncBasePriorityPrivilege	4184	{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 2864	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	88
PID 488 wrote to memory of 2864	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	88
PID 488 wrote to memory of 2864	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	88
PID 488 wrote to memory of 3344	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	89
PID 488 wrote to memory of 3344	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	89
PID 488 wrote to memory of 3344	488	2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe	89
PID 2864 wrote to memory of 2804	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	98
PID 2864 wrote to memory of 2804	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	98
PID 2864 wrote to memory of 2804	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	98
PID 2864 wrote to memory of 2004	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	97
PID 2864 wrote to memory of 2004	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	97
PID 2864 wrote to memory of 2004	2864	{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe	97
PID 2804 wrote to memory of 3440	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	100
PID 2804 wrote to memory of 3440	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	100
PID 2804 wrote to memory of 3440	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	100
PID 2804 wrote to memory of 4572	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	101
PID 2804 wrote to memory of 4572	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	101
PID 2804 wrote to memory of 4572	2804	{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe	101
PID 3440 wrote to memory of 3652	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	102
PID 3440 wrote to memory of 3652	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	102
PID 3440 wrote to memory of 3652	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	102
PID 3440 wrote to memory of 1948	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	103
PID 3440 wrote to memory of 1948	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	103
PID 3440 wrote to memory of 1948	3440	{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe	103
PID 3652 wrote to memory of 404	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	104
PID 3652 wrote to memory of 404	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	104
PID 3652 wrote to memory of 404	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	104
PID 3652 wrote to memory of 3248	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	105
PID 3652 wrote to memory of 3248	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	105
PID 3652 wrote to memory of 3248	3652	{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe	105
PID 404 wrote to memory of 3600	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	106
PID 404 wrote to memory of 3600	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	106
PID 404 wrote to memory of 3600	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	106
PID 404 wrote to memory of 3016	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	107
PID 404 wrote to memory of 3016	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	107
PID 404 wrote to memory of 3016	404	{760DB335-64F1-49db-948C-359E27BADA2D}.exe	107
PID 3600 wrote to memory of 2720	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	108
PID 3600 wrote to memory of 2720	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	108
PID 3600 wrote to memory of 2720	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	108
PID 3600 wrote to memory of 2984	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	109
PID 3600 wrote to memory of 2984	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	109
PID 3600 wrote to memory of 2984	3600	{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe	109
PID 2720 wrote to memory of 1584	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	110
PID 2720 wrote to memory of 1584	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	110
PID 2720 wrote to memory of 1584	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	110
PID 2720 wrote to memory of 3012	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	111
PID 2720 wrote to memory of 3012	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	111
PID 2720 wrote to memory of 3012	2720	{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe	111
PID 1584 wrote to memory of 3104	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	112
PID 1584 wrote to memory of 3104	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	112
PID 1584 wrote to memory of 3104	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	112
PID 1584 wrote to memory of 4628	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	113
PID 1584 wrote to memory of 4628	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	113
PID 1584 wrote to memory of 4628	1584	{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe	113
PID 3104 wrote to memory of 3548	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	114
PID 3104 wrote to memory of 3548	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	114
PID 3104 wrote to memory of 3548	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	114
PID 3104 wrote to memory of 764	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	115
PID 3104 wrote to memory of 764	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	115
PID 3104 wrote to memory of 764	3104	{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe	115
PID 3548 wrote to memory of 4184	3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe	116
PID 3548 wrote to memory of 4184	3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe	116
PID 3548 wrote to memory of 4184	3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe	116
PID 3548 wrote to memory of 2172	3548	{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_bdd2bfca38ebe5a3d376dd501bef41f6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
  C:\Windows\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{92EC2~1.EXE > nul
    3⤵
    PID:2004
- - C:\Windows\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
    C:\Windows\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
      C:\Windows\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
        
        C:\Windows\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\{760DB335-64F1-49db-948C-359E27BADA2D}.exe
        
        C:\Windows\{760DB335-64F1-49db-948C-359E27BADA2D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
        
        C:\Windows\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
        
        C:\Windows\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
        
        C:\Windows\{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
        
        C:\Windows\{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe
        
        C:\Windows\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
        
        C:\Windows\{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\{9760F587-9860-4876-B493-883D303A311A}.exe
        
        C:\Windows\{9760F587-9860-4876-B493-883D303A311A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE22~1.EXE > nul
        13⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35007~1.EXE > nul
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70FE0~1.EXE > nul
        11⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6046C~1.EXE > nul
        10⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD91~1.EXE > nul
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF2B0~1.EXE > nul
        8⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{760DB~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E503~1.EXE > nul
        6⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CCF2~1.EXE > nul
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47491~1.EXE > nul
      4⤵
      PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35007171-2D6A-48a4-8BEA-CA09CF7147DA}.exe

Filesize
197KB

MD5
66f99fda6b736aec032907c439e33fea

SHA1
0e92327f719f7b185a7fea2d3fc4bd00a13e98d7

SHA256
c0a3fda54d1091b49f7de42eb9e548abdcbef6bcf4e4b02ed6e0cf8c54a64c29

SHA512
39ecf591f45f1ee1415901896794e51b8a63963f6cca7614da869d9dbd3ac42a74fe08d6dd3a0e79d7408ac6af9b5eb0e74bce2ce20299b19e119814e11e1edb

Download Submit
C:\Windows\{47491AA2-E158-474f-8FEB-4DB5B6FFA3A2}.exe

Filesize
197KB

MD5
13b6bca24577c88d064137a2129bcd37

SHA1
575e28838ab291c8384087c44fae12c277c1b3d1

SHA256
2a42d63a21f2223e8a6bc6368a3fc2feac4bff371be225042421d1c1ef5b0989

SHA512
ecd187e96e9aeea9ede01a74e03a5ff6b3f1924e0ee9ab2ecd60cad79094ca8d1467d1d4fc29c85d8baa87a742527e627c04c89963f3a047c2ae603a77f1caf7

Download Submit
C:\Windows\{4CCF2CFA-236A-4f4a-B1CA-9F0B43166D03}.exe

Filesize
197KB

MD5
27c3499674da3576022e526759e8e67c

SHA1
a295fa6fecea31e17e40575df7223b0f5e6710b7

SHA256
c230a3dd2aeabd68f75415e2b382c17aec27dc081795e8aa5bb971c3e5106724

SHA512
53b4d19463d0b96fb73aa74bf14d5cf9b40c1d01d243bd2490a81b3ffa3a5bd38992ae85f67b572a0ddf92f2f47cb8f97ec8cb29cf8bf3a8fc1d00a4fda14289

Download Submit
C:\Windows\{6046CAFB-82CC-46b5-AC73-A0F92A627025}.exe

Filesize
197KB

MD5
7d0db40a9a2a8e2e72b2d00af6df9356

SHA1
fc0dcc8e23860e9db6030fe8d12f019589ad643e

SHA256
7ab4345735e9e2a4bb99a81d630a364ed0e30670a1b3a80e7ff296a4a16aeefa

SHA512
5f4ac33e3c8290e03e124d5be1c53739e791c5f1e7277da05e5a5e855264d72f25b5da342dc4db4e31a22041e0fcae40543cd7a3f33e34a2c6b31adbcdfd4505

Download Submit
C:\Windows\{70FE0C36-C5F7-4261-B96D-53454E940AE5}.exe

Filesize
197KB

MD5
9595f244a2dcfb41dd0610f8a2e8306f

SHA1
d19b9277f8b615382f448e13f5ac563db77f3126

SHA256
de27e72a29aacba30e44008886091021e1a13084cd36298e24c00a9a1f22b09d

SHA512
b6bc884ef5cf3ac2c5807156c99612913b54212aa385042e9b65e794db4e73136d2358bbfa6c42fbe1a0dbcc2da65a9cbaaf6bfe887d27053034e99c9af21c00

Download Submit
C:\Windows\{760DB335-64F1-49db-948C-359E27BADA2D}.exe

Filesize
197KB

MD5
ff01bae0c9be19e24468591de2e4d58a

SHA1
b221a7e1a423fc143a2c20ebc192327d55396bd4

SHA256
997fc9734347c81c486b785384eed0794759ae66fa13f981dce251fb1d5f0ea3

SHA512
2f5ddba8e21369ac0f13738d14f56f5096add47e3d36900782fcfa60d2b4c5df25d9a96d33f8682b3680787afc6082dfe7d6601a99a2c114d3e1f01816f9ba01

Download Submit
C:\Windows\{8AD9159E-7FC4-4d7d-8FF2-E7442F306122}.exe

Filesize
197KB

MD5
ac131543f896c92f9bc7aea2318371bf

SHA1
b62a4f7871dbd180c5696a223cd6395f074be0f0

SHA256
b4aa221b8870bc9d0f2e9c7ae2b36c856210f5fb4f9e0f0f819a12ab9610a5f6

SHA512
e2c3067768a0a80618aa1684e7eba18b35b7f1d89a85b1f5836c21f71e867f194febaf5d5359fe63e8c6bbf94b1ddc93d90eed0aa4ee6c92d6d4fd4521e69549

Download Submit
C:\Windows\{92EC221E-4228-4ac2-AEB4-E15647FEF9EA}.exe

Filesize
197KB

MD5
a9499602654ad22f3de9adae1a5ee630

SHA1
6acec7f2d1521c552c2182082e1c4b64e18d2e2e

SHA256
e3f6830a59e06f19f2a038afe286bf08235ae6f720a4af37fc2a1f17398ba2a3

SHA512
476a5e20d3acf2e83392a2e59df01869f84eb707a0104ca09b4e463ba9e978b10a1c5044b6a17aec923e42c1677d1a1b0513c010856943ec5b419c47aefa2a59

Download Submit
C:\Windows\{9760F587-9860-4876-B493-883D303A311A}.exe

Filesize
197KB

MD5
cee9ae928ca65e6503f3a146920e27e5

SHA1
012e95ee8a2bef0382cca91017421506e90ec241

SHA256
e19a70c6238dbe36b844a0fba5b1bb815e46719aa6992bf4be81833714c07a96

SHA512
6c4f11d75ab3d0effd7b816338a9725fcd90926ab4e1f53ec94bd546430950b670867bf4d2aad0ec105f7f1adfe489cc12c09025fffbdf9b643d32c265f3703a

Download Submit
C:\Windows\{9E503A69-CC2B-4dfb-93C6-8E359B8049E9}.exe

Filesize
197KB

MD5
9a9088e1937f0aad0fc54f3ae99143b4

SHA1
a4153622280348bfca15471e98af1e0f4f1fb0fb

SHA256
ac5e99ba1fd9769f278a3aa041d347258f35c51f1a7fbaaf41756002a2417d79

SHA512
b3445bf1b9b44a2c3d87d731fd39604895a77fd68cc166b77e8e4bbec7ebd8b19b91f418e53ad5fc2329a122b9b191550ba79370ec6ae5a2ac80f8793b500feb

Download Submit
C:\Windows\{EF2B0766-E5E9-4cd4-A51F-02D2FE253897}.exe

Filesize
197KB

MD5
2bce8c9921907b563460313f99c93d81

SHA1
0a43921ed2b8b9207e8dda1905ac46528157a25b

SHA256
4bfc993a2b1b6364ee50aa39f6ab45eb527fd39dd1697895ca46a1ca1d31b33e

SHA512
f7c634cf32481b7b22524f2fb10c8f57ea60ec4a050fe0439260a9564a107db383069038964aa099a030854e63511cdb93195c83b7a4fcf3fd15fbccac5152df

Download Submit
C:\Windows\{EFE2276B-8E29-419b-8383-652EBE96F4EA}.exe

Filesize
197KB

MD5
f780359f98a310e208968a4fe104e419

SHA1
3f7404a1d543c8ca3c61f31beee7df551b263aeb

SHA256
fc33d5484ca883f178b321fcc1f5432943c2a6223a2b98ea546fed3d62598d92

SHA512
426b4be4459633a7d17e750817b8aa9061fc9226f7f0d51de5b731cfb2d4258744bdfcc95e2f0fe355a341abf08717ce26e35a44bca8eaaeeed2cbef35eb88cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads