de9503714a838d2e4bc25b5cf7c18171916d8f29557627590a30cf6f126040c6

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Size

380KB
MD5

97c6c282b880e075d46a4dae292c9a53
SHA1

f1176b7f44e32e0511b78f363b5a71873900b609
SHA256

de9503714a838d2e4bc25b5cf7c18171916d8f29557627590a30cf6f126040c6
SHA512

a27817e61cf9ca7a363cc5190c402a45e74d9166a3b9f8b28b4071091e22767fa0275b04c59170a07da0a086a83d24601bbcee283b2a845c0c3a52465ba17ea4
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGCl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012287-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000012287-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000014b90-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000012287-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000004ed5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed5-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed5-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed5-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000000b1f5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed5-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10FEE3CC-14A4-405b-9B54-22B582518084}	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}\stubpath = "C:\\Windows\\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe"	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}\stubpath = "C:\\Windows\\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe"	{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BD400F6-A0B1-48f0-8443-02770A327731}\stubpath = "C:\\Windows\\{4BD400F6-A0B1-48f0-8443-02770A327731}.exe"	{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A9D86-61F4-4753-8D7A-A03151258E9A}	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A9D86-61F4-4753-8D7A-A03151258E9A}\stubpath = "C:\\Windows\\{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe"	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}\stubpath = "C:\\Windows\\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe"	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}\stubpath = "C:\\Windows\\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe"	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6397073-C701-4a8e-88B3-E916C140CC5B}	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}	{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93FDE7AB-ACED-4dc7-844D-1255762353E2}	{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BD400F6-A0B1-48f0-8443-02770A327731}	{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10FEE3CC-14A4-405b-9B54-22B582518084}\stubpath = "C:\\Windows\\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe"	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}\stubpath = "C:\\Windows\\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe"	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6397073-C701-4a8e-88B3-E916C140CC5B}\stubpath = "C:\\Windows\\{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe"	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}\stubpath = "C:\\Windows\\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe"	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}\stubpath = "C:\\Windows\\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe"	{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}	{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93FDE7AB-ACED-4dc7-844D-1255762353E2}\stubpath = "C:\\Windows\\{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe"	{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe

Deletes itself 1 IoCs

pid	Process
1396	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
2624	{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
1496	{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
3008	{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
1916	{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
2344	{4BD400F6-A0B1-48f0-8443-02770A327731}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe	{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
File created	C:\Windows\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe	{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
File created	C:\Windows\{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
File created	C:\Windows\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
File created	C:\Windows\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
File created	C:\Windows\{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
File created	C:\Windows\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
File created	C:\Windows\{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe	{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
File created	C:\Windows\{4BD400F6-A0B1-48f0-8443-02770A327731}.exe	{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
File created	C:\Windows\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
File created	C:\Windows\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
File created	C:\Windows\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
Token: SeIncBasePriorityPrivilege	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
Token: SeIncBasePriorityPrivilege	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
Token: SeIncBasePriorityPrivilege	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
Token: SeIncBasePriorityPrivilege	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
Token: SeIncBasePriorityPrivilege	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
Token: SeIncBasePriorityPrivilege	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
Token: SeIncBasePriorityPrivilege	2624	{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
Token: SeIncBasePriorityPrivilege	1496	{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
Token: SeIncBasePriorityPrivilege	3008	{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
Token: SeIncBasePriorityPrivilege	1916	{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2656	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	28
PID 1248 wrote to memory of 2656	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	28
PID 1248 wrote to memory of 2656	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	28
PID 1248 wrote to memory of 2656	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	28
PID 1248 wrote to memory of 1396	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	29
PID 1248 wrote to memory of 1396	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	29
PID 1248 wrote to memory of 1396	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	29
PID 1248 wrote to memory of 1396	1248	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	29
PID 2656 wrote to memory of 2720	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	30
PID 2656 wrote to memory of 2720	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	30
PID 2656 wrote to memory of 2720	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	30
PID 2656 wrote to memory of 2720	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	30
PID 2656 wrote to memory of 2872	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	31
PID 2656 wrote to memory of 2872	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	31
PID 2656 wrote to memory of 2872	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	31
PID 2656 wrote to memory of 2872	2656	{10FEE3CC-14A4-405b-9B54-22B582518084}.exe	31
PID 2720 wrote to memory of 2728	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	32
PID 2720 wrote to memory of 2728	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	32
PID 2720 wrote to memory of 2728	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	32
PID 2720 wrote to memory of 2728	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	32
PID 2720 wrote to memory of 2616	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	33
PID 2720 wrote to memory of 2616	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	33
PID 2720 wrote to memory of 2616	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	33
PID 2720 wrote to memory of 2616	2720	{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe	33
PID 2728 wrote to memory of 2044	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	36
PID 2728 wrote to memory of 2044	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	36
PID 2728 wrote to memory of 2044	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	36
PID 2728 wrote to memory of 2044	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	36
PID 2728 wrote to memory of 2784	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	37
PID 2728 wrote to memory of 2784	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	37
PID 2728 wrote to memory of 2784	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	37
PID 2728 wrote to memory of 2784	2728	{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe	37
PID 2044 wrote to memory of 2960	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	39
PID 2044 wrote to memory of 2960	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	39
PID 2044 wrote to memory of 2960	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	39
PID 2044 wrote to memory of 2960	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	39
PID 2044 wrote to memory of 660	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	38
PID 2044 wrote to memory of 660	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	38
PID 2044 wrote to memory of 660	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	38
PID 2044 wrote to memory of 660	2044	{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe	38
PID 2960 wrote to memory of 1788	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	41
PID 2960 wrote to memory of 1788	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	41
PID 2960 wrote to memory of 1788	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	41
PID 2960 wrote to memory of 1788	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	41
PID 2960 wrote to memory of 2460	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	40
PID 2960 wrote to memory of 2460	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	40
PID 2960 wrote to memory of 2460	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	40
PID 2960 wrote to memory of 2460	2960	{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe	40
PID 1788 wrote to memory of 1724	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	42
PID 1788 wrote to memory of 1724	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	42
PID 1788 wrote to memory of 1724	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	42
PID 1788 wrote to memory of 1724	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	42
PID 1788 wrote to memory of 624	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	43
PID 1788 wrote to memory of 624	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	43
PID 1788 wrote to memory of 624	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	43
PID 1788 wrote to memory of 624	1788	{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe	43
PID 1724 wrote to memory of 2624	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	44
PID 1724 wrote to memory of 2624	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	44
PID 1724 wrote to memory of 2624	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	44
PID 1724 wrote to memory of 2624	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	44
PID 1724 wrote to memory of 284	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	45
PID 1724 wrote to memory of 284	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	45
PID 1724 wrote to memory of 284	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	45
PID 1724 wrote to memory of 284	1724	{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
  C:\Windows\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
    C:\Windows\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
      C:\Windows\{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
        
        C:\Windows\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91232~1.EXE > nul
        6⤵
        
        PID:660
      - C:\Windows\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
        
        C:\Windows\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDF7D~1.EXE > nul
        7⤵
        
        PID:2460
        
        C:\Windows\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
        
        C:\Windows\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
        
        C:\Windows\{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
        
        C:\Windows\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
        
        C:\Windows\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
        
        C:\Windows\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
        
        C:\Windows\{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\{4BD400F6-A0B1-48f0-8443-02770A327731}.exe
        
        C:\Windows\{4BD400F6-A0B1-48f0-8443-02770A327731}.exe
        13⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93FDE~1.EXE > nul
        13⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{914F9~1.EXE > nul
        12⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB84~1.EXE > nul
        11⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D26DE~1.EXE > nul
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6397~1.EXE > nul
        9⤵
        
        PID:284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DCE~1.EXE > nul
        8⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{238A9~1.EXE > nul
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D3C6~1.EXE > nul
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{10FEE~1.EXE > nul
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe

Filesize
192KB

MD5
3c57f71674b6fbd6409b0cd351918c4d

SHA1
9500c003d2240b78b56d6e5d54f3bfdae1ef2a37

SHA256
b93aa1f5340a1070694449c325af909cbcadab3510ef10faa49024c0c8f17fd5

SHA512
01bab6935377ccdb7f22d06963697fc20d347632335ed742a76a384dc8155395d7975459ca531a16bdf179067a5123ec49ada7a7c633a3601794dc4a078e7237

Download Submit
C:\Windows\{10FEE3CC-14A4-405b-9B54-22B582518084}.exe

Filesize
380KB

MD5
78504a8ae183ad8b9e98104ad23bbf04

SHA1
e9536f449407e08351d7682e78a3a544c3cfffd8

SHA256
74dcb035a8200b8f622f44d767da17f1dee0b25b2c80412134fa455dae481b4a

SHA512
0a4bdca48b8a7e9bd7130955d92beab9901e6ae5026fdb9078b7ac5556f1e14e662c48ff0a9911341bbe987f03324f75c6c6eaa08005886b871c93946c4d82a7

Download Submit
C:\Windows\{238A9D86-61F4-4753-8D7A-A03151258E9A}.exe

Filesize
380KB

MD5
eb1762bcb73eede5ebb6cedebbb10ac5

SHA1
ac8fddb0f820cf388406eca5cc7a1414c388ac21

SHA256
97a6fb33cc765b1f0813d0cf0f105ef3c027084b88accd2672d4c76a5a299d2b

SHA512
46ab3b1ef4e2a83fd638df7f39c728aed571a082b086c1d5ca0964fc203d644f087e548ce57ef09890bd681c9f179e2c4f75f5ad80bc9f3f0f8126b5e412f4d6

Download Submit
C:\Windows\{4BD400F6-A0B1-48f0-8443-02770A327731}.exe

Filesize
380KB

MD5
624d3183d54120a32a59b3965b626820

SHA1
af8f9b7cf65fe1cb4f58c456ea8c8f14d7677fe4

SHA256
7144097b2b8cf922cc611bbef313a8fb17d44847469b716af2629a52c0da48aa

SHA512
677a940b30e674c0410f2e067ecf908244bf7ecc3d50cd83d234fe57716a13e5337e56ef2f6befa952639b383c312a44865c4dc718e307d289131321a1b8ae2f

Download Submit
C:\Windows\{4D3C62B7-AC44-4370-9372-DDC0BB7F0724}.exe

Filesize
380KB

MD5
c13eab64f36049f06376a43ee9db6d7c

SHA1
57904dd056b973cdae6e2d6b3fd4fc98c4f7fc0d

SHA256
1727457eadf2c99930aa2a706b00f6e885c811a9209d22c17b277d604d2e6bd2

SHA512
52a250ac21cf5a608acf20d268a69b8b00d190a19dcecf54bef3320b7139e7d8455b5d0f184eb163f01f36828ac89e1156c1486aba9bd513242f4a6d2dbb7496

Download Submit
C:\Windows\{74DCE77C-E299-42e5-8B88-6BE74EE9DA64}.exe

Filesize
380KB

MD5
b0dd44d7cb7a38f76a1e173d9aa89a21

SHA1
b523b4a18c0b79d71b3a963429765f5ad9d17128

SHA256
fb9e079ccaad4494d10c4f1208c7422f747453cb74fc63f3275e9bf5f86fc97e

SHA512
779959ea74ff0a16fd0e1348e034c1d239223e692c778e4aaff554cb307e4ef41059c97322d7782cf0eff07b0b529258c054a6ae722514f00a4962975f7b8e36

Download Submit
C:\Windows\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe

Filesize
380KB

MD5
915dfe08ef4d40275d3440ef8cb040b3

SHA1
05e0596d4fbb12fdd3dc7d8ac9463cbfbe2abb46

SHA256
4115245b5116ac0ac9c9c813ef5d9f5a2ba7ca1773746de15cd1253c2d7fd8ab

SHA512
d1b1c957d89a1a93f23789fb97baa4c70d847159aec2ea47375d01ef5115b4718e9fb77c4d717ffbacd1156667de137eb840f252eba46a614dba14a304e00c95

Download Submit
C:\Windows\{8BB84871-CB95-4eae-86BE-2EDBBDE81A9B}.exe

Filesize
363KB

MD5
d6f44c06f693abf606b1692be1c0ce19

SHA1
b726b041784772d2f5cae61aa6c54a9a9fc02416

SHA256
d8ccf51422daee96e98309cb8033921435175c7016ba9c9854377d4b393b4a03

SHA512
566a0b317a358e89be0d10f626a0c555bada5a63b80fc32be8a408609e4e5f2a09fb61d6abd118c8de3bd761ea5b2332b87d417faf23a74d47990f2b9d8beea4

Download Submit
C:\Windows\{91232A3C-94A9-4e4c-B4EB-FB6A405D6051}.exe

Filesize
380KB

MD5
ceef5dcd2261381c693e2546720c74d9

SHA1
67dfce61369f811a5ed2306f6a04c22b784b5700

SHA256
a5a380c80c6fe1bf1544a0a37903b4858be4925c5479d078351c58b807206f33

SHA512
937fee675de11addd0c58f2c8524fd1ef59d94be721f443871063cf909c6e6646bdb262a0d0dc1e1a35aebcf232bf2aea720b5e12b3310d50455a0580d821335

Download Submit
C:\Windows\{914F98E2-0581-4fc9-B95D-BE9B0CD39E40}.exe

Filesize
380KB

MD5
cdd214617c376781d656c8ccb36b1531

SHA1
aab0e3829b96e776d50028e27e8072ed1f30a658

SHA256
17a9f0d88e7d28fc894fc4304b6d93ac1d74350ef934f8083ea44376a31d9bd0

SHA512
ecb9f35d9198f6a8c88c1714fe19baea6b0ce2e50dfd69250d5dd427891d08a281e67f6160e4adba8b2839ae584e722a721bd72ff5ef5b2f60de1e12d3fc2d2a

Download Submit
C:\Windows\{93FDE7AB-ACED-4dc7-844D-1255762353E2}.exe

Filesize
380KB

MD5
125bfc5d7b513c3b2d5f3fc073dbfd9c

SHA1
28115dd7d807f92403182a887439722e7dc57c4f

SHA256
2ae177c4f35c152637c0574127a4a83cc23c558b3216d8b4e09423fbd0ba7e92

SHA512
f81bd6c9b526b27781af9e31085d44019053dd057f73b3593b7f6040547b6908f0afc9bb4f6ba1923932be07f43a0a4fafd510cc171def694d748cc9b5211fc7

Download Submit
C:\Windows\{D26DEB7C-DFBC-44e7-87E1-0386B6DA70F5}.exe

Filesize
380KB

MD5
ba7eea83917c9867862786e295d1bce5

SHA1
276174422e6ded3588576a70f6d98b9a92dd8c4f

SHA256
fa3d46c6badb77ee1668541deefecaf046dde41494d202554d0cf73a089d76f2

SHA512
fe5cb0becca48f315bf636a55890ef5490cabf89579dfc1f503f7011bd51bde9e012a21a9004729f042b2f3c942e7f891f6c846c04cbe5599c727db4a8c1800c

Download Submit
C:\Windows\{E6397073-C701-4a8e-88B3-E916C140CC5B}.exe

Filesize
380KB

MD5
cdf392b3c61ba6a6055261220929322c

SHA1
f4045bef7fe92ae73b33d996c141cde3e2d2d3f0

SHA256
0bcd41f817646c32f78e8702e63327d87241afddbe7a0b1f19f713ec44413de3

SHA512
75d62331697d3e560974b8b2c429fb1a902b4ce853c19bf8ea8aa3be95a815758e62b77b064bfcc2087514de1dfb0a766b55517fc2f6b115c043c4739b23a89f

Download Submit
C:\Windows\{EDF7DA8F-E51A-4bb1-840C-EF51B3C3A4FE}.exe

Filesize
380KB

MD5
e5e1f1cd2705560e62ea3b7fae817712

SHA1
c84a6b20b0a667e9833c0192bc69f16a7e8e6ba8

SHA256
f4b4e7ab508fc091280a67f5da91654a4b0838e26ecd9d26e23675c3f5a2d1bf

SHA512
acab2b39b781bfb8edc7da03e06b070abade3d23bf1ea95e94cd05c685d5652e0c5ae7617cd0ef07fca204c4c677293f16aeccd0351b928806ab2632a961b209

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads