0083691c16b5f6e1c36f2494d5f02e351e08ba072da48c2d68e5f9bb8d7a4757

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
Size

180KB
MD5

c1158a0c88fc7470aee2b977e06527fe
SHA1

a69db3a40eaafbb80048d62c0f84f3342c7f15cb
SHA256

0083691c16b5f6e1c36f2494d5f02e351e08ba072da48c2d68e5f9bb8d7a4757
SHA512

e8aad9a06d5484342a2ca1214bcd00ca8633776953ac44ac44b787e77020d6162ddc8b062edab8284ca06ac65136a7a7a4f248215c2448d69ccb1baf1616a8f2
SSDEEP

3072:jEGh0onlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGZl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023145-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002314e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002315d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002315d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156B34D7-1476-47f3-A48F-46D14B91D0AA}\stubpath = "C:\\Windows\\{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe"	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6695563E-D36B-409b-8CF5-E80F1FD99E97}	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E457C166-4E0D-4e8e-BD88-7715A17549A4}\stubpath = "C:\\Windows\\{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe"	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}\stubpath = "C:\\Windows\\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe"	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6695563E-D36B-409b-8CF5-E80F1FD99E97}\stubpath = "C:\\Windows\\{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe"	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B933B4E7-7A61-452a-A753-3186105754BE}	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}\stubpath = "C:\\Windows\\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe"	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}	{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}\stubpath = "C:\\Windows\\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe"	{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}\stubpath = "C:\\Windows\\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe"	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E457C166-4E0D-4e8e-BD88-7715A17549A4}	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B933B4E7-7A61-452a-A753-3186105754BE}\stubpath = "C:\\Windows\\{B933B4E7-7A61-452a-A753-3186105754BE}.exe"	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}\stubpath = "C:\\Windows\\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe"	{41363236-4447-4613-B372-3292F5D6EB05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156B34D7-1476-47f3-A48F-46D14B91D0AA}	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}\stubpath = "C:\\Windows\\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe"	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}\stubpath = "C:\\Windows\\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe"	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41363236-4447-4613-B372-3292F5D6EB05}	{B933B4E7-7A61-452a-A753-3186105754BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41363236-4447-4613-B372-3292F5D6EB05}\stubpath = "C:\\Windows\\{41363236-4447-4613-B372-3292F5D6EB05}.exe"	{B933B4E7-7A61-452a-A753-3186105754BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}	{41363236-4447-4613-B372-3292F5D6EB05}.exe

Executes dropped EXE 12 IoCs

pid	Process
1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe
1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe
116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
4960	{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
1964	{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
File created	C:\Windows\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
File created	C:\Windows\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
File created	C:\Windows\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe	{41363236-4447-4613-B372-3292F5D6EB05}.exe
File created	C:\Windows\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
File created	C:\Windows\{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
File created	C:\Windows\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
File created	C:\Windows\{B933B4E7-7A61-452a-A753-3186105754BE}.exe	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
File created	C:\Windows\{41363236-4447-4613-B372-3292F5D6EB05}.exe	{B933B4E7-7A61-452a-A753-3186105754BE}.exe
File created	C:\Windows\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe	{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
File created	C:\Windows\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
File created	C:\Windows\{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
Token: SeIncBasePriorityPrivilege	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
Token: SeIncBasePriorityPrivilege	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
Token: SeIncBasePriorityPrivilege	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
Token: SeIncBasePriorityPrivilege	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
Token: SeIncBasePriorityPrivilege	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
Token: SeIncBasePriorityPrivilege	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
Token: SeIncBasePriorityPrivilege	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe
Token: SeIncBasePriorityPrivilege	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe
Token: SeIncBasePriorityPrivilege	116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
Token: SeIncBasePriorityPrivilege	4960	{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1348	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	84
PID 3508 wrote to memory of 1348	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	84
PID 3508 wrote to memory of 1348	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	84
PID 3508 wrote to memory of 3120	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	85
PID 3508 wrote to memory of 3120	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	85
PID 3508 wrote to memory of 3120	3508	2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe	85
PID 1348 wrote to memory of 3912	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	92
PID 1348 wrote to memory of 3912	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	92
PID 1348 wrote to memory of 3912	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	92
PID 1348 wrote to memory of 1800	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	93
PID 1348 wrote to memory of 1800	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	93
PID 1348 wrote to memory of 1800	1348	{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe	93
PID 3912 wrote to memory of 4012	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	97
PID 3912 wrote to memory of 4012	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	97
PID 3912 wrote to memory of 4012	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	97
PID 3912 wrote to memory of 3544	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	96
PID 3912 wrote to memory of 3544	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	96
PID 3912 wrote to memory of 3544	3912	{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe	96
PID 4012 wrote to memory of 1768	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	98
PID 4012 wrote to memory of 1768	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	98
PID 4012 wrote to memory of 1768	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	98
PID 4012 wrote to memory of 4292	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	99
PID 4012 wrote to memory of 4292	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	99
PID 4012 wrote to memory of 4292	4012	{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe	99
PID 1768 wrote to memory of 4908	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	100
PID 1768 wrote to memory of 4908	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	100
PID 1768 wrote to memory of 4908	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	100
PID 1768 wrote to memory of 3216	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	101
PID 1768 wrote to memory of 3216	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	101
PID 1768 wrote to memory of 3216	1768	{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe	101
PID 4908 wrote to memory of 3048	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	102
PID 4908 wrote to memory of 3048	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	102
PID 4908 wrote to memory of 3048	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	102
PID 4908 wrote to memory of 2964	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	103
PID 4908 wrote to memory of 2964	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	103
PID 4908 wrote to memory of 2964	4908	{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe	103
PID 3048 wrote to memory of 800	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	104
PID 3048 wrote to memory of 800	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	104
PID 3048 wrote to memory of 800	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	104
PID 3048 wrote to memory of 4452	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	105
PID 3048 wrote to memory of 4452	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	105
PID 3048 wrote to memory of 4452	3048	{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe	105
PID 800 wrote to memory of 3428	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	106
PID 800 wrote to memory of 3428	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	106
PID 800 wrote to memory of 3428	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	106
PID 800 wrote to memory of 3000	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	107
PID 800 wrote to memory of 3000	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	107
PID 800 wrote to memory of 3000	800	{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe	107
PID 3428 wrote to memory of 1140	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	108
PID 3428 wrote to memory of 1140	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	108
PID 3428 wrote to memory of 1140	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	108
PID 3428 wrote to memory of 2492	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	109
PID 3428 wrote to memory of 2492	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	109
PID 3428 wrote to memory of 2492	3428	{B933B4E7-7A61-452a-A753-3186105754BE}.exe	109
PID 1140 wrote to memory of 116	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	110
PID 1140 wrote to memory of 116	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	110
PID 1140 wrote to memory of 116	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	110
PID 1140 wrote to memory of 4832	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	111
PID 1140 wrote to memory of 4832	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	111
PID 1140 wrote to memory of 4832	1140	{41363236-4447-4613-B372-3292F5D6EB05}.exe	111
PID 116 wrote to memory of 4960	116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe	112
PID 116 wrote to memory of 4960	116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe	112
PID 116 wrote to memory of 4960	116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe	112
PID 116 wrote to memory of 4448	116	{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_c1158a0c88fc7470aee2b977e06527fe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
  C:\Windows\{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
    C:\Windows\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C43F3~1.EXE > nul
      4⤵
      PID:3544
  - - C:\Windows\{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
      C:\Windows\{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
        
        C:\Windows\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
        
        C:\Windows\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
        
        C:\Windows\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
        
        C:\Windows\{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{B933B4E7-7A61-452a-A753-3186105754BE}.exe
        
        C:\Windows\{B933B4E7-7A61-452a-A753-3186105754BE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\{41363236-4447-4613-B372-3292F5D6EB05}.exe
        
        C:\Windows\{41363236-4447-4613-B372-3292F5D6EB05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
        
        C:\Windows\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
        
        C:\Windows\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe
        
        C:\Windows\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4155B~1.EXE > nul
        13⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{976EB~1.EXE > nul
        12⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41363~1.EXE > nul
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B933B~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E457C~1.EXE > nul
        9⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{663AE~1.EXE > nul
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C34~1.EXE > nul
        7⤵
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E9CA~1.EXE > nul
        6⤵
        
        PID:3216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66955~1.EXE > nul
        5⤵
        
        PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{156B3~1.EXE > nul
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{156B34D7-1476-47f3-A48F-46D14B91D0AA}.exe

Filesize
180KB

MD5
5fc976dadd1bfc721a39683b3baf1af3

SHA1
8e5297066daf2af16c54de6512e37b1bfb9d37c4

SHA256
10610a47000a24ca4103089e8162d7fc209a8217505b09abe8362867c2e0eec3

SHA512
fbfd31f3aadd035791ec6b8657b8d9fa33174fe72caf54e7f843bc45232000769852413f7aa967e687fac489028e9d97bb5a3003da45499a3aba8e252299d874

Download Submit
C:\Windows\{41363236-4447-4613-B372-3292F5D6EB05}.exe

Filesize
180KB

MD5
38c0b0b0ee331f1d674c06b907e8cc98

SHA1
4226b2fead32b07ac103f5304fa9111827172657

SHA256
cae4f1609b4548be481b7f0c6c4e6269e69dea0abe7ebdb6e0e59a8e43284e5a

SHA512
ee66c9f41a6516ae6059ff0f5fbaa6a6e7eb409f0c6db9ba52cf50aba50e54fa42139ab14c3a23e0304edfacd5be9193c509397c661c69c3a6ebea8893aee593

Download Submit
C:\Windows\{4155B8CD-73BC-41a7-9FD6-2B9E35AC203C}.exe

Filesize
180KB

MD5
62586a718f31fc004f7d9f389dfd71c5

SHA1
33564a9343013cbb9179bc0267e36f44f77486c3

SHA256
1e453995d62c938ede3385e2bece402766e49ad315b052c7cd04b9ede6ee471a

SHA512
4fae3afc6cf35005a0c3213acac0b761b2db6d29d89edda384e269dd40717bc8566ff61b9ff9d6811cdb0a9f28174b459e174c12e46b21024e503a451718e039

Download Submit
C:\Windows\{663AEAEF-CEF3-4bc1-B65B-09DF536CA3CA}.exe

Filesize
180KB

MD5
1c00659321bf9987d8a23f3bf2c06341

SHA1
8659faa51f8ba72bb2d28d89e863798e99c929c5

SHA256
c53f53d18fc9d68652f5c6c440e99a1601875a42b293b00696340e121be70f26

SHA512
72a1dabf955d15706e402014b522e8d54346015b4c0b45755ef14e3812c24ba8becbfe7daa35080afcfa367cf1503b1dc456813b3aef4890ffafec069be2eaca

Download Submit
C:\Windows\{6695563E-D36B-409b-8CF5-E80F1FD99E97}.exe

Filesize
180KB

MD5
dd9529d783fb344fa47597792962da4f

SHA1
eed71108360c9964b872319bd5a9c82ddd9b4472

SHA256
ba9efbd40bedb9d707f0fd1ad7c2184d6e320f562c90f49f8bdcebae77a2d9fd

SHA512
354bb2ee05e9ca9e2d860b004877595e3e01e5635a018bc3c408f16563cb9381c198d8fdd5b2493c6f7ad1b36e71fb47ef2504a074b959b8799a484659b9e826

Download Submit
C:\Windows\{6E9CAF5E-4CF7-4dd9-8ADB-D9C5DF01E51C}.exe

Filesize
180KB

MD5
711c22c5561c44c96f1911ec5e59231c

SHA1
22f92b996b16bc99aaea28a72cd1e05ca4588423

SHA256
34a2ee0b164549b7df82a5c665eca85fedd4a9c3ab63b1a03d931ffa78022968

SHA512
4b86bcb1c60492d15db457ad71369b654b171cc68ef1a1b5bb539b39d3cb55a28bfc6e339653ff02d5f7b3ba4f1aae8c3ef57da2e4edfed6001d5c969f22a408

Download Submit
C:\Windows\{78C346C6-2B60-4a2d-B4E9-6E9BDD2EEAEB}.exe

Filesize
180KB

MD5
f9299e0fa1741d591d27f2c9564885b5

SHA1
869ec35fdeff0a3991a14b1c54f332885d5d250e

SHA256
7ad558486c395574d5d3451aca02d89335a531bbfd8b56e791ed02405d9174f4

SHA512
5b03edd2c8a37005677ccb26d59722eadd5c24fe095c6785bf269418c81ee721e3b2e3f0ce687fd8c7e6d0e56ab858f4da7615776d29f64195a77f5affaa0697

Download Submit
C:\Windows\{976EB1F5-8E12-4553-8894-BCDCEEBA7695}.exe

Filesize
180KB

MD5
8bb84d4b71676cbb13809b1fbeb6b4b9

SHA1
cdbd1c87a32298b8a7b75c21dd890eddda5bc9e5

SHA256
a126a3fe6951f804bce46b3a30034556ad1ab216bcd6049062e47b5b999adfc1

SHA512
d4fb3addb95feab51b48b0a8e6521af56f3f84abdb8471cce3761180c94d33b9610dc14ad7687138104962719ea41710517f6fc46b321e57e1bdfc258ebd7485

Download Submit
C:\Windows\{AB15DB82-EFC2-49c6-A083-93ACF3DF676D}.exe

Filesize
180KB

MD5
56623db16f40c6d7dc1622cf2ef265d6

SHA1
d56de3190ce36695b41775ab4234bdacd4f082c9

SHA256
e7306eb7284c84ce4fa94b08e93359758bade567f7b630b70bfeeb78f4be3acb

SHA512
a7004d4c078bd63703d63b09015063b724b7ec405288df8d373a56a383b9b813008a9cd80f32de44c49e551bcc273ede81228e45f7c08cb30edb9abf1df6b8e0

Download Submit
C:\Windows\{B933B4E7-7A61-452a-A753-3186105754BE}.exe

Filesize
180KB

MD5
41d50b697045ea6ce982a7d30f812f04

SHA1
af6e0208d4e6fd4810e6d5e467880c9f127234d1

SHA256
af02e5c097f3fd360dd5e58f19bf6a3e10c9ae3bff9001271cecab044ae92fb3

SHA512
ad8e441cc99642b52cedea9858ad0a3f7aa0a114a231e2700d53534ae7819c69cd13771a36c0354c135d98095da522e00ecebd531fc31195035606982bdb52b1

Download Submit
C:\Windows\{C43F3BB4-7363-487f-AE94-BD468D02DD7F}.exe

Filesize
180KB

MD5
2e9e326b767a185243f6e2139e49b777

SHA1
54d928c890837b06242bf30693178ac770bbb44f

SHA256
94fd6e22277272548ac5c7fd5a74a1f5f4dc9c47d4349a59cad83a5d7db9bdb9

SHA512
1b8f5a25728c47ef459274325c650af1192b406756b1576f924979ba39636f81b86650c168e8a1247eadc223d232a92aaf3c82296ae7de751e746228c6184685

Download Submit
C:\Windows\{E457C166-4E0D-4e8e-BD88-7715A17549A4}.exe

Filesize
180KB

MD5
58f20d7b4e734b4b2a2dcce6dacd3956

SHA1
c58429fbf03992ab240e1e2e93779b4f2a8133b2

SHA256
b66c6169c58344f1b2eab2a6ad64213aac3b8ef3ed8ae0539cc6ba715b4d4d11

SHA512
ef9d398488b9ae70d3fa80c0cc6011807f576c7f92a980095dd5a3d442e7cf9b4ab58ddfb6b9a2ac24633356439b76bfa447f9cbc5b6f71c21b4e951056d01ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads