efc1d3ee568c93071c612163b94ed7b339f1667255f85bf876ef5f2d08d2d340

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Size

380KB
MD5

0b5ba4d013c95cfa205bd47112881dcb
SHA1

bbeb505152012aeae76983e741ffecb71a3fe0b4
SHA256

efc1d3ee568c93071c612163b94ed7b339f1667255f85bf876ef5f2d08d2d340
SHA512

563f97b93defe3937f3afeed3815fa8e1687f4c6f8bbcc50f65c7df1cc5afc1f22d4beea8cbe5c1b262598b82f697b9729f5b710ef6e527b19eddf4bbbf7b1e7
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGel7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012274-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016d7b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016d7b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016fda-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016fda-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000016fda-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000000b1f5-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D7B2578-8302-4688-BCAF-975FB92CAC71}	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B65EA05-0C9B-457a-8641-E5B663789BC4}	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B65EA05-0C9B-457a-8641-E5B663789BC4}\stubpath = "C:\\Windows\\{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe"	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF05033B-F518-4fb8-A0B1-EF9263D98029}	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}\stubpath = "C:\\Windows\\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe"	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}\stubpath = "C:\\Windows\\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe"	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF05033B-F518-4fb8-A0B1-EF9263D98029}\stubpath = "C:\\Windows\\{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe"	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}\stubpath = "C:\\Windows\\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe"	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA71C189-3248-455d-A73A-F8914D71C62E}	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}	{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}\stubpath = "C:\\Windows\\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe"	{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{370B1524-7404-4579-9494-2420D85DC114}\stubpath = "C:\\Windows\\{370B1524-7404-4579-9494-2420D85DC114}.exe"	{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}	{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}	{370B1524-7404-4579-9494-2420D85DC114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}\stubpath = "C:\\Windows\\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe"	{370B1524-7404-4579-9494-2420D85DC114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D7B2578-8302-4688-BCAF-975FB92CAC71}\stubpath = "C:\\Windows\\{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe"	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}\stubpath = "C:\\Windows\\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe"	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA71C189-3248-455d-A73A-F8914D71C62E}\stubpath = "C:\\Windows\\{FA71C189-3248-455d-A73A-F8914D71C62E}.exe"	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{370B1524-7404-4579-9494-2420D85DC114}	{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}\stubpath = "C:\\Windows\\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe"	{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
2072	{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
1740	{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
2892	{370B1524-7404-4579-9494-2420D85DC114}.exe
320	{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe
1720	{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
File created	C:\Windows\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
File created	C:\Windows\{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
File created	C:\Windows\{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
File created	C:\Windows\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
File created	C:\Windows\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe	{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
File created	C:\Windows\{370B1524-7404-4579-9494-2420D85DC114}.exe	{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
File created	C:\Windows\{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
File created	C:\Windows\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe	{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe
File created	C:\Windows\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe	{370B1524-7404-4579-9494-2420D85DC114}.exe
File created	C:\Windows\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
File created	C:\Windows\{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
Token: SeIncBasePriorityPrivilege	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
Token: SeIncBasePriorityPrivilege	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
Token: SeIncBasePriorityPrivilege	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
Token: SeIncBasePriorityPrivilege	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
Token: SeIncBasePriorityPrivilege	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
Token: SeIncBasePriorityPrivilege	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
Token: SeIncBasePriorityPrivilege	2072	{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
Token: SeIncBasePriorityPrivilege	1740	{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
Token: SeIncBasePriorityPrivilege	2892	{370B1524-7404-4579-9494-2420D85DC114}.exe
Token: SeIncBasePriorityPrivilege	320	{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2784	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	28
PID 1848 wrote to memory of 2784	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	28
PID 1848 wrote to memory of 2784	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	28
PID 1848 wrote to memory of 2784	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	28
PID 1848 wrote to memory of 2840	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	29
PID 1848 wrote to memory of 2840	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	29
PID 1848 wrote to memory of 2840	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	29
PID 1848 wrote to memory of 2840	1848	2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe	29
PID 2784 wrote to memory of 2300	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	30
PID 2784 wrote to memory of 2300	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	30
PID 2784 wrote to memory of 2300	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	30
PID 2784 wrote to memory of 2300	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	30
PID 2784 wrote to memory of 2728	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	31
PID 2784 wrote to memory of 2728	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	31
PID 2784 wrote to memory of 2728	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	31
PID 2784 wrote to memory of 2728	2784	{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe	31
PID 2300 wrote to memory of 2148	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	34
PID 2300 wrote to memory of 2148	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	34
PID 2300 wrote to memory of 2148	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	34
PID 2300 wrote to memory of 2148	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	34
PID 2300 wrote to memory of 616	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	35
PID 2300 wrote to memory of 616	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	35
PID 2300 wrote to memory of 616	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	35
PID 2300 wrote to memory of 616	2300	{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe	35
PID 2148 wrote to memory of 440	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	36
PID 2148 wrote to memory of 440	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	36
PID 2148 wrote to memory of 440	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	36
PID 2148 wrote to memory of 440	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	36
PID 2148 wrote to memory of 560	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	37
PID 2148 wrote to memory of 560	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	37
PID 2148 wrote to memory of 560	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	37
PID 2148 wrote to memory of 560	2148	{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe	37
PID 440 wrote to memory of 3060	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	38
PID 440 wrote to memory of 3060	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	38
PID 440 wrote to memory of 3060	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	38
PID 440 wrote to memory of 3060	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	38
PID 440 wrote to memory of 2128	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	39
PID 440 wrote to memory of 2128	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	39
PID 440 wrote to memory of 2128	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	39
PID 440 wrote to memory of 2128	440	{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe	39
PID 3060 wrote to memory of 2876	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	40
PID 3060 wrote to memory of 2876	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	40
PID 3060 wrote to memory of 2876	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	40
PID 3060 wrote to memory of 2876	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	40
PID 3060 wrote to memory of 2888	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	41
PID 3060 wrote to memory of 2888	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	41
PID 3060 wrote to memory of 2888	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	41
PID 3060 wrote to memory of 2888	3060	{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe	41
PID 2876 wrote to memory of 2628	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	42
PID 2876 wrote to memory of 2628	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	42
PID 2876 wrote to memory of 2628	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	42
PID 2876 wrote to memory of 2628	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	42
PID 2876 wrote to memory of 2864	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	43
PID 2876 wrote to memory of 2864	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	43
PID 2876 wrote to memory of 2864	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	43
PID 2876 wrote to memory of 2864	2876	{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe	43
PID 2628 wrote to memory of 2072	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	45
PID 2628 wrote to memory of 2072	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	45
PID 2628 wrote to memory of 2072	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	45
PID 2628 wrote to memory of 2072	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	45
PID 2628 wrote to memory of 2660	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	44
PID 2628 wrote to memory of 2660	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	44
PID 2628 wrote to memory of 2660	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	44
PID 2628 wrote to memory of 2660	2628	{FA71C189-3248-455d-A73A-F8914D71C62E}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_0b5ba4d013c95cfa205bd47112881dcb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
  C:\Windows\{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
    C:\Windows\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
      C:\Windows\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
        
        C:\Windows\{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
        
        C:\Windows\{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
        
        C:\Windows\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
        
        C:\Windows\{FA71C189-3248-455d-A73A-F8914D71C62E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA71C~1.EXE > nul
        9⤵
        
        PID:2660
        
        C:\Windows\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
        
        C:\Windows\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
        
        C:\Windows\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\{370B1524-7404-4579-9494-2420D85DC114}.exe
        
        C:\Windows\{370B1524-7404-4579-9494-2420D85DC114}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe
        
        C:\Windows\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe
        
        C:\Windows\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe
        13⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCE3~1.EXE > nul
        13⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{370B1~1.EXE > nul
        12⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C08D5~1.EXE > nul
        11⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C27E2~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4B1D~1.EXE > nul
        8⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF050~1.EXE > nul
        7⤵
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B65E~1.EXE > nul
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C26~1.EXE > nul
        5⤵
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F1B~1.EXE > nul
      4⤵
      PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D7B2~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C26A7E-0097-4a07-BB02-ACDBF5564F7A}.exe

Filesize
380KB

MD5
e1a13a184e42d850bf5034fa9e21dc2f

SHA1
6e9778669af5a4b5c8cfce598dd4bb9ad168be7f

SHA256
f474d9598fc5d3d8a4be7fe8007966b97086720622e755234f49383bfb9f4749

SHA512
d623fcdcb6617ae4f65d1c17e7128601fb0bff17b9f4b2b2a8c2f38133693d3bc6c9b84b292b9a8bc81575db41a3928bfe5692915f4746f14d91ad7cfd8b708f

Download Submit
C:\Windows\{0D7B2578-8302-4688-BCAF-975FB92CAC71}.exe

Filesize
380KB

MD5
bfe453e3af0d40ee31011f3058d0c1af

SHA1
bd2a22a0f672c418f02bec4c408b30b749506dc6

SHA256
48536eb8409d28116792fce58af17d1f0d5da1b918bb4ab7553674ef5a941899

SHA512
c20dddfe90f001e520d0d40c526ba5fa78912daedfa34b8bdf8b77c07087a5bed1a73341f3dbd04f24f3865fddae44f121e8f48a22fd5b4edf7d55c2970b4989

Download Submit
C:\Windows\{370B1524-7404-4579-9494-2420D85DC114}.exe

Filesize
380KB

MD5
55b74fbc8f1deba6f1064f77db982d61

SHA1
5349d9753d58ebf69ab98886f8798c33feda8267

SHA256
f08a8faa2eee149e921c32dcfbfe8371a485e4888f6a6a1223002937571f0c63

SHA512
debea6e28ed2efdd753186d1e836ecb7c6d9a090b0af0d27505c65d4f054776a7d6b89f1fd5f3d06a1fa8bb623f612201851441ca8b18dafb9cfea29a62161d1

Download Submit
C:\Windows\{8B65EA05-0C9B-457a-8641-E5B663789BC4}.exe

Filesize
380KB

MD5
4886de0c696a4d41b7c420a5834c5356

SHA1
576b40a7de2018e0033743c6c8bcc1c13c039329

SHA256
829026920737996dbda30e98c4baa4494669725f2bac19cfca8f0a3757f5d3f9

SHA512
b5b3b9ae2b89e891f475616c6c4d61744d229d0934c3ce3b4c7d14aef5e49ed9a7f99eb8778772f10abc4bcff70dcb284e0e41a7397e29670363ed87a88ce0d9

Download Submit
C:\Windows\{BF05033B-F518-4fb8-A0B1-EF9263D98029}.exe

Filesize
380KB

MD5
b83b3da9be697687415e599355b5d79c

SHA1
7113431b989b974172550cb3dd4e596dbb8a5e22

SHA256
8385e31d3cdfac060f89ddec706d48751e87423e2597e015a23285a6a813ecf4

SHA512
876155d6549b24695f99eb90d77aa2e68694d79ff51e52e577933c300d98e00497f6d31994def0c1b9b96b025b0d8c5894d71cf5577814a3aa54492bb443ac02

Download Submit
C:\Windows\{BFCE3A53-F746-41d7-9C5F-DE30A9E4BFAC}.exe

Filesize
380KB

MD5
511b913d705ab3312d1f02888f73d598

SHA1
255a3d70f9ce25c33f15ba7aff7ce4cddf21b4ff

SHA256
0eeb8a2f3d7b98a3ad41a6ffaf2ea978f69eaa282a19bae4be8194a577e96860

SHA512
e44ee1a1831c01e6feaaf49103ab65d1c971c99d5468f1bb73a6aebcc74224286f3d8b5540c2e6f07b8ccb79058db8048a6176680a14e4332168c22c055e8472

Download Submit
C:\Windows\{C08D5CB7-FDBC-4264-884C-C7FBDE55EDC4}.exe

Filesize
380KB

MD5
4e53a85876fc2a936d3464c7652b3cf7

SHA1
78204af2b5fc703900ce0e2b47321ac9c5a5ca12

SHA256
e6efd7edeb9b55ce312777e27094f11fd22e41d7e3ad6e335634f30814acd628

SHA512
b7046f75646ea9ca94095ec4ee0ee0b83f5969374eb7bb17a9fb0860c77db54ee1d989018ceee4372631491ee4f4d6037846166b350597ceecefa93ff44d6db5

Download Submit
C:\Windows\{C27E259D-A7EA-4e6b-B5AA-60BA02A842C7}.exe

Filesize
380KB

MD5
0a0e47a08f8cf62a46daeb124ff53978

SHA1
b3d1a3597ec89c6c81f864296826a96e77f0d0a0

SHA256
7a18c02458b9dd65970b923cd79d855847174d07dc91065d43fa96053d7dd2b1

SHA512
4927abd73144e9d3f2f24758d759a340743ac80046e0949585f22d557305e4440782ad0c8c1730bc736f7a7bb8f53937e3c1c2bea961d7658b959c354a5a730b

Download Submit
C:\Windows\{D5041E02-1043-4e4b-A0A6-9FEF1FF71721}.exe

Filesize
380KB

MD5
d449562dc9082609d24bc947e538cac6

SHA1
43050722785f6e30458d980f202c4ee0968c309d

SHA256
156663f3b961e687c65e8e63c173c09f540e161efe8da262d3a888b8704e4d28

SHA512
445320787b162b820a8806c4eab7f6b2cfde08d7ae48e2634ddb1d4ed06ff6d2189960ffef375ebd931c1c8fa2f806fd48c2bc4e0494a583602473945e512224

Download Submit
C:\Windows\{F4B1DC50-97B9-44a4-A13D-C919010F5E69}.exe

Filesize
380KB

MD5
52f3df3e7ee28b9a59c951c4b8e05dd4

SHA1
134c907b813a47771a5331395af45cdd30b1b5d5

SHA256
fab0a57b63d418544fc5806738ddf123ad3b74e7c0ed3a0b8f6199707c0c79f0

SHA512
a9068e6ebcca99708f39c22bfc8dad3221e6ce8e27ba5b1b9bcf4869fc3a0cd4591b9e6ab50dc028543894da2d3c33aaba062ee7867175e7396601eb03192d12

Download Submit
C:\Windows\{F4F1BC05-6D2F-4972-88FC-C6A52738ADD4}.exe

Filesize
380KB

MD5
d6ac4fdb77df621017d22b849f60f994

SHA1
9dd538059181b51db6c2be867fecc068eb029b55

SHA256
796bfdbdbb64ce239af39ac4319bbb34664299539efabe241f11c663f1e3c8e5

SHA512
7b61f5c9f4aa7a3acef188abc84393d0e7c1d92d267022238fb27d97253bb285d809c0fd3f2ca3234dee2020faeec50701e8a3592e6fc5d0817118136103a34d

Download Submit
C:\Windows\{FA71C189-3248-455d-A73A-F8914D71C62E}.exe

Filesize
380KB

MD5
d05038981da202c0751077ae492ea43c

SHA1
508d1c5937b3e8f9fa95cd62d95995203e390e99

SHA256
e6aaae483b93382f7b342915b4939244685c9f9a08568c2e5d2219e457a2c3bf

SHA512
98444c62c01723b4d86d129327c7348caef7751f59d6e14762a429a950fcd133e7eb27dcb42c6d6ce23a8800a34067bfdffc425d292938cbba30fb87212a922d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads