de9503714a838d2e4bc25b5cf7c18171916d8f29557627590a30cf6f126040c6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Size

380KB
MD5

97c6c282b880e075d46a4dae292c9a53
SHA1

f1176b7f44e32e0511b78f363b5a71873900b609
SHA256

de9503714a838d2e4bc25b5cf7c18171916d8f29557627590a30cf6f126040c6
SHA512

a27817e61cf9ca7a363cc5190c402a45e74d9166a3b9f8b28b4071091e22767fa0275b04c59170a07da0a086a83d24601bbcee283b2a845c0c3a52465ba17ea4
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGCl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002314a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023156-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002315d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023156-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002315d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}\stubpath = "C:\\Windows\\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe"	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}	{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}\stubpath = "C:\\Windows\\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe"	{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}\stubpath = "C:\\Windows\\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe"	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}\stubpath = "C:\\Windows\\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe"	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80A3427-D22D-42f0-BA47-C94A03931C29}\stubpath = "C:\\Windows\\{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe"	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}\stubpath = "C:\\Windows\\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe"	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{580F680B-61A5-4f37-B045-79B92D2F1205}	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}\stubpath = "C:\\Windows\\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe"	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E9BC57-0735-47b6-B316-A762241CEF06}\stubpath = "C:\\Windows\\{30E9BC57-0735-47b6-B316-A762241CEF06}.exe"	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30E9BC57-0735-47b6-B316-A762241CEF06}	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}\stubpath = "C:\\Windows\\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe"	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}\stubpath = "C:\\Windows\\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe"	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}\stubpath = "C:\\Windows\\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe"	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80A3427-D22D-42f0-BA47-C94A03931C29}	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{580F680B-61A5-4f37-B045-79B92D2F1205}\stubpath = "C:\\Windows\\{580F680B-61A5-4f37-B045-79B92D2F1205}.exe"	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe

Executes dropped EXE 12 IoCs

pid	Process
3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
3060	{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
4920	{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
File created	C:\Windows\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
File created	C:\Windows\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
File created	C:\Windows\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
File created	C:\Windows\{30E9BC57-0735-47b6-B316-A762241CEF06}.exe	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
File created	C:\Windows\{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
File created	C:\Windows\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
File created	C:\Windows\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe	{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
File created	C:\Windows\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
File created	C:\Windows\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
File created	C:\Windows\{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
File created	C:\Windows\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
Token: SeIncBasePriorityPrivilege	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
Token: SeIncBasePriorityPrivilege	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
Token: SeIncBasePriorityPrivilege	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
Token: SeIncBasePriorityPrivilege	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
Token: SeIncBasePriorityPrivilege	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
Token: SeIncBasePriorityPrivilege	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
Token: SeIncBasePriorityPrivilege	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
Token: SeIncBasePriorityPrivilege	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
Token: SeIncBasePriorityPrivilege	2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
Token: SeIncBasePriorityPrivilege	3060	{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 3616	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	86
PID 3348 wrote to memory of 3616	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	86
PID 3348 wrote to memory of 3616	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	86
PID 3348 wrote to memory of 1512	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	87
PID 3348 wrote to memory of 1512	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	87
PID 3348 wrote to memory of 1512	3348	2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe	87
PID 3616 wrote to memory of 856	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	93
PID 3616 wrote to memory of 856	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	93
PID 3616 wrote to memory of 856	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	93
PID 3616 wrote to memory of 4572	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	94
PID 3616 wrote to memory of 4572	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	94
PID 3616 wrote to memory of 4572	3616	{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe	94
PID 856 wrote to memory of 4012	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	96
PID 856 wrote to memory of 4012	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	96
PID 856 wrote to memory of 4012	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	96
PID 856 wrote to memory of 3544	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	97
PID 856 wrote to memory of 3544	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	97
PID 856 wrote to memory of 3544	856	{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe	97
PID 4012 wrote to memory of 1768	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	98
PID 4012 wrote to memory of 1768	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	98
PID 4012 wrote to memory of 1768	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	98
PID 4012 wrote to memory of 4492	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	99
PID 4012 wrote to memory of 4492	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	99
PID 4012 wrote to memory of 4492	4012	{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe	99
PID 1768 wrote to memory of 2600	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	100
PID 1768 wrote to memory of 2600	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	100
PID 1768 wrote to memory of 2600	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	100
PID 1768 wrote to memory of 4320	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	101
PID 1768 wrote to memory of 4320	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	101
PID 1768 wrote to memory of 4320	1768	{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe	101
PID 2600 wrote to memory of 1212	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	102
PID 2600 wrote to memory of 1212	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	102
PID 2600 wrote to memory of 1212	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	102
PID 2600 wrote to memory of 1192	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	103
PID 2600 wrote to memory of 1192	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	103
PID 2600 wrote to memory of 1192	2600	{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe	103
PID 1212 wrote to memory of 3824	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	104
PID 1212 wrote to memory of 3824	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	104
PID 1212 wrote to memory of 3824	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	104
PID 1212 wrote to memory of 4372	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	105
PID 1212 wrote to memory of 4372	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	105
PID 1212 wrote to memory of 4372	1212	{580F680B-61A5-4f37-B045-79B92D2F1205}.exe	105
PID 3824 wrote to memory of 3788	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	106
PID 3824 wrote to memory of 3788	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	106
PID 3824 wrote to memory of 3788	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	106
PID 3824 wrote to memory of 4088	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	107
PID 3824 wrote to memory of 4088	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	107
PID 3824 wrote to memory of 4088	3824	{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe	107
PID 3788 wrote to memory of 3500	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	108
PID 3788 wrote to memory of 3500	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	108
PID 3788 wrote to memory of 3500	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	108
PID 3788 wrote to memory of 3936	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	109
PID 3788 wrote to memory of 3936	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	109
PID 3788 wrote to memory of 3936	3788	{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe	109
PID 3500 wrote to memory of 2004	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	110
PID 3500 wrote to memory of 2004	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	110
PID 3500 wrote to memory of 2004	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	110
PID 3500 wrote to memory of 4772	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	111
PID 3500 wrote to memory of 4772	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	111
PID 3500 wrote to memory of 4772	3500	{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe	111
PID 2004 wrote to memory of 3060	2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe	112
PID 2004 wrote to memory of 3060	2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe	112
PID 2004 wrote to memory of 3060	2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe	112
PID 2004 wrote to memory of 3432	2004	{30E9BC57-0735-47b6-B316-A762241CEF06}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_97c6c282b880e075d46a4dae292c9a53_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
  C:\Windows\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
    C:\Windows\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
      C:\Windows\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
        
        C:\Windows\{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
        
        C:\Windows\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
        
        C:\Windows\{580F680B-61A5-4f37-B045-79B92D2F1205}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
        
        C:\Windows\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
        
        C:\Windows\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
        
        C:\Windows\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
        
        C:\Windows\{30E9BC57-0735-47b6-B316-A762241CEF06}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
        
        C:\Windows\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe
        
        C:\Windows\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB0E~1.EXE > nul
        13⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30E9B~1.EXE > nul
        12⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37FCB~1.EXE > nul
        11⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64973~1.EXE > nul
        10⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFF89~1.EXE > nul
        9⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{580F6~1.EXE > nul
        8⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71E8~1.EXE > nul
        7⤵
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A80A3~1.EXE > nul
        6⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4684C~1.EXE > nul
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED71E~1.EXE > nul
      4⤵
      PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EC5~1.EXE > nul
    3⤵
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FB0EFC1-E824-45aa-B05F-F3BBACA9F5BE}.exe

Filesize
380KB

MD5
6c1f79bca1d32978c742650417dd5d4e

SHA1
e0d1a843611d896d10bc6dd31cd5ef3af74a53c1

SHA256
04ff67c0133b131a7a2740644d432aea144246e1c706a837bcd7714008dc1dc0

SHA512
8016d21b613cdce980b14b0eac5bc74fe367fc145bf152e7df29921f78404291e754f2e80b50132103ac6e04d6630427c735c53b961f8134e0b236810388758b

Download Submit
C:\Windows\{30E9BC57-0735-47b6-B316-A762241CEF06}.exe

Filesize
380KB

MD5
eef8c58ae885e9d6217c929b07dd7bdf

SHA1
69ed8e611a5aff007adf220f5d6e54535d55ac26

SHA256
8fbefd2756d771b0b78121afb08b7c5b191af18f2d3fefbbcd665a2810ee7d72

SHA512
c77f37c77cab830ccb886f7c234ff043e71df0e6f7adce752017e899a8bca8cd903731025610d6fd211db0eaac242ae9be9be7fc5ed3a2ae6278c54c559c9149

Download Submit
C:\Windows\{37FCB32B-FC29-4c20-9ED7-CC876C4F3AFD}.exe

Filesize
380KB

MD5
1819addad6c2bc7e0391178835e4d148

SHA1
4ea095a12fa993bdce78e2e24fb9c229e8d53983

SHA256
e8c0e326d03c762e6a7e943425224fc61f130621f13ea26ce945debbf908e789

SHA512
6d3e17235f75bc3a19fec79d78b4fdef92b947781a24613468ae4e361c543b55f6d7b9b93f66dd42529abc8df2d4ea64d8c982218275dc3939c919179982d539

Download Submit
C:\Windows\{3A40507E-2A88-4c44-8F2A-FC7C38C0F5F6}.exe

Filesize
380KB

MD5
cfe14b484e45bfc3343b0f93f982ac0d

SHA1
75b9c8352cc2202595bd61857ac83e0ef44768d6

SHA256
2a026ef3c71ec7f39c378380b7e144999b47c9a3ccfa4170741d7594b5733c3d

SHA512
8faef1e30de9c320a615a327a78e382c6ff86e042d69c92cb09bad7f8d778a47372db1bd7ab59ece7671f9a1a92127d6e17fc0a51c31e66ab92c10fa0d7edf9e

Download Submit
C:\Windows\{4684C038-ABA2-4fb7-AF5A-640B21065ED9}.exe

Filesize
380KB

MD5
5b0c623ebfa299fe4b58474b9853029a

SHA1
7f6d491fed632e33d0a7f144d75a88182de3416e

SHA256
7919b5b7dc7b0b2e7f6f994eaa23349f3be0aaa1e6d49f9b53a251f9e1256e3e

SHA512
3339685e106cea79460359b8a4879644a5cfbc054294ab5da237c6f7bb79ab41fca7edc01aa3d294f4dcc8e7d901d52a3c78332962e4ca0f87bd89255f5b21d3

Download Submit
C:\Windows\{580F680B-61A5-4f37-B045-79B92D2F1205}.exe

Filesize
380KB

MD5
00fb9cd66ee8f7cf5fa4bc5a06edf210

SHA1
81aef4af81a1bdda7c46f56e28736e48190b26fa

SHA256
ccd2c87d66c725bd70b3e6f7874cfe4134f8f7c1cd3804f4dd849e135cec2a76

SHA512
d74ffec672e017411a708df2323ebc42f1f25731c49ad1cd38e7317510f6bd65c0ce397c024fe2b011c9e4d28ce83efaa3271d27f4daf12efc6dd7673c014b35

Download Submit
C:\Windows\{64973ABF-9924-497b-BA83-CCB0C2AD4B2F}.exe

Filesize
380KB

MD5
a2e9de369914b58db738af6580b5d8b1

SHA1
dac567c09f17d31a9f563f44adef00c1504c447e

SHA256
dc080ac88d49b12f51d6e15419e1972ac7939276fa5ca01d9ef9471dc42a9696

SHA512
1bc995d06bde4ad8d18084d09e3d64327b9fd991080c24fdf8d1d0e326f0e1e5494f3f3a3f6cdf1221112a102e3f31eba1538e6af4bdf9f8b0cb538989bd923d

Download Submit
C:\Windows\{A80A3427-D22D-42f0-BA47-C94A03931C29}.exe

Filesize
380KB

MD5
f64a619c00859d74099ae04ed9aa75d6

SHA1
190d2a17a7be8dc92cefc26295eb1883ba96fee0

SHA256
e65f46aed3cbddc5e435e5d9140f41f2c2484601db82e8dbdfa0d647dd91d0cf

SHA512
369535c0ae772c342b98951ef15ffc4283bdc4777e5ce9f51f72d90c2ff23de47f11de011c9564241878e6c5e89677f1e921a2c38b3b5fdc299c3831c9f7d2fd

Download Submit
C:\Windows\{B71E8DB9-8AC6-4450-902B-BA7AD1A86E71}.exe

Filesize
380KB

MD5
dc3a2b8a9e309e6c49015f28f65860bf

SHA1
7dc4555b66a2853b6be297fe063fe0fa9c511750

SHA256
8282f1c503a7e9e9c2f05e3b1fccc5106456acfbde88163af17cd7234e449cf0

SHA512
9e2ca6c6f72ee8547eea549d17b1f745d99208682ed319e515d124425e849e42ab97b09dea324b37b92f140fb0c437163211cff2aad69e5eabac1bb86e75f4df

Download Submit
C:\Windows\{CFF8941E-C4BE-4c19-87BE-1C23E8C72BA5}.exe

Filesize
380KB

MD5
9a7061b4b5d41ce6e8430f81abafcb2a

SHA1
3c7e8bb12a2bd14f389f0417d3f1fbb8fa3a7398

SHA256
69f8ef5937323a2a2cf46b000814abdcc743e4474d75420825438d3f11249824

SHA512
a37c54bd396a3227786058391d4948c74a755ae0aef4724867d6c85f856d46003e29ce46ed907942e6dda2d4ef6043abceb6f3cc2dcbad88d3725d7d61bc5fb2

Download Submit
C:\Windows\{D9EC5196-3D20-4d46-A365-F5CD03650AD9}.exe

Filesize
380KB

MD5
a8c4d81768d32102dbb3f4fc8353b2d1

SHA1
932842433022bc8cbefd54f5b54dd644b115690c

SHA256
b904cc466ac3078e80acd34b535f30b1362e1ce72e2416858c11d492904d2510

SHA512
af9b23b1275d393b426dbbd9c96b60b45cbde26111f6b419fb13749db495bfe8b2a259130f03c284f0f46d34401228e4f1496873441c70ba28556bbcd091ce8a

Download Submit
C:\Windows\{ED71EF01-C135-4d51-A1AB-EE3173D2AD68}.exe

Filesize
380KB

MD5
12d2e8da00766d7b8704ddedf8082508

SHA1
61d9b66b6e2100987f0f7fd8d9d2801cc48c24b9

SHA256
50c4bed19bccba59abbb332a0ba78b60b0f62bad9d20430d95ed355e2068b85b

SHA512
6ea1c09d1face3ee43510c85bf7311cc4c507747f3fcf6f6408675efc45139ee49bd38023dc683729bfcf2db4dece10a45652299c469fa80b8fb9b3a2d5b1c62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads