1552e79932ec94fadc185809463989d8e2aa37662b0aa4169ae40000704700ed

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
Size

380KB
MD5

1fd7e3cca40c7f82df0600b0cbaf9e6b
SHA1

598f362a5be790be66a9e98bfe1d086bc098ad97
SHA256

1552e79932ec94fadc185809463989d8e2aa37662b0aa4169ae40000704700ed
SHA512

d271c87ecf74240f3e1de2076fc861afebb630cff0bb36ae000e9595e5575fcfdc8135496bed183edf64401b4ebcde2b34c184411d14745a8424628380a0ce91
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023225-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023225-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002321a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002321a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96F8F7A-0E97-4c27-A099-3B51904C350E}\stubpath = "C:\\Windows\\{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe"	{0780119E-22EC-4980-9582-E359456930E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}\stubpath = "C:\\Windows\\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe"	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}\stubpath = "C:\\Windows\\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe"	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}\stubpath = "C:\\Windows\\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe"	{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}\stubpath = "C:\\Windows\\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe"	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}\stubpath = "C:\\Windows\\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe"	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A883667B-44C3-4813-9C7A-512C7DEA2032}\stubpath = "C:\\Windows\\{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe"	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}\stubpath = "C:\\Windows\\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe"	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}\stubpath = "C:\\Windows\\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe"	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF4BC6C-E133-4ee2-B652-786989222688}	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF4BC6C-E133-4ee2-B652-786989222688}\stubpath = "C:\\Windows\\{3FF4BC6C-E133-4ee2-B652-786989222688}.exe"	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A883667B-44C3-4813-9C7A-512C7DEA2032}	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}\stubpath = "C:\\Windows\\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe"	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0780119E-22EC-4980-9582-E359456930E8}	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0780119E-22EC-4980-9582-E359456930E8}\stubpath = "C:\\Windows\\{0780119E-22EC-4980-9582-E359456930E8}.exe"	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96F8F7A-0E97-4c27-A099-3B51904C350E}	{0780119E-22EC-4980-9582-E359456930E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}	{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe

Executes dropped EXE 12 IoCs

pid	Process
2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
4016	{0780119E-22EC-4980-9582-E359456930E8}.exe
384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
2776	{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe
4536	{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
File created	C:\Windows\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
File created	C:\Windows\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
File created	C:\Windows\{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
File created	C:\Windows\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
File created	C:\Windows\{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
File created	C:\Windows\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe	{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe
File created	C:\Windows\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
File created	C:\Windows\{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	{0780119E-22EC-4980-9582-E359456930E8}.exe
File created	C:\Windows\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
File created	C:\Windows\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
File created	C:\Windows\{0780119E-22EC-4980-9582-E359456930E8}.exe	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
Token: SeIncBasePriorityPrivilege	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe
Token: SeIncBasePriorityPrivilege	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
Token: SeIncBasePriorityPrivilege	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
Token: SeIncBasePriorityPrivilege	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
Token: SeIncBasePriorityPrivilege	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
Token: SeIncBasePriorityPrivilege	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
Token: SeIncBasePriorityPrivilege	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
Token: SeIncBasePriorityPrivilege	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
Token: SeIncBasePriorityPrivilege	2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
Token: SeIncBasePriorityPrivilege	2776	{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2316	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	91
PID 5064 wrote to memory of 2316	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	91
PID 5064 wrote to memory of 2316	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	91
PID 5064 wrote to memory of 2884	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	92
PID 5064 wrote to memory of 2884	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	92
PID 5064 wrote to memory of 2884	5064	2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe	92
PID 2316 wrote to memory of 4016	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	93
PID 2316 wrote to memory of 4016	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	93
PID 2316 wrote to memory of 4016	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	93
PID 2316 wrote to memory of 4100	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	94
PID 2316 wrote to memory of 4100	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	94
PID 2316 wrote to memory of 4100	2316	{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe	94
PID 4016 wrote to memory of 384	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	96
PID 4016 wrote to memory of 384	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	96
PID 4016 wrote to memory of 384	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	96
PID 4016 wrote to memory of 4368	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	97
PID 4016 wrote to memory of 4368	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	97
PID 4016 wrote to memory of 4368	4016	{0780119E-22EC-4980-9582-E359456930E8}.exe	97
PID 384 wrote to memory of 1196	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	98
PID 384 wrote to memory of 1196	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	98
PID 384 wrote to memory of 1196	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	98
PID 384 wrote to memory of 1532	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	99
PID 384 wrote to memory of 1532	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	99
PID 384 wrote to memory of 1532	384	{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe	99
PID 1196 wrote to memory of 4516	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	100
PID 1196 wrote to memory of 4516	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	100
PID 1196 wrote to memory of 4516	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	100
PID 1196 wrote to memory of 1388	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	101
PID 1196 wrote to memory of 1388	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	101
PID 1196 wrote to memory of 1388	1196	{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe	101
PID 4516 wrote to memory of 1108	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	102
PID 4516 wrote to memory of 1108	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	102
PID 4516 wrote to memory of 1108	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	102
PID 4516 wrote to memory of 4236	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	103
PID 4516 wrote to memory of 4236	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	103
PID 4516 wrote to memory of 4236	4516	{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe	103
PID 1108 wrote to memory of 3924	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	104
PID 1108 wrote to memory of 3924	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	104
PID 1108 wrote to memory of 3924	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	104
PID 1108 wrote to memory of 3572	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	105
PID 1108 wrote to memory of 3572	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	105
PID 1108 wrote to memory of 3572	1108	{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe	105
PID 3924 wrote to memory of 4036	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	106
PID 3924 wrote to memory of 4036	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	106
PID 3924 wrote to memory of 4036	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	106
PID 3924 wrote to memory of 2736	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	107
PID 3924 wrote to memory of 2736	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	107
PID 3924 wrote to memory of 2736	3924	{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe	107
PID 4036 wrote to memory of 1980	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	108
PID 4036 wrote to memory of 1980	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	108
PID 4036 wrote to memory of 1980	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	108
PID 4036 wrote to memory of 368	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	109
PID 4036 wrote to memory of 368	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	109
PID 4036 wrote to memory of 368	4036	{3FF4BC6C-E133-4ee2-B652-786989222688}.exe	109
PID 1980 wrote to memory of 2084	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	110
PID 1980 wrote to memory of 2084	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	110
PID 1980 wrote to memory of 2084	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	110
PID 1980 wrote to memory of 4804	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	111
PID 1980 wrote to memory of 4804	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	111
PID 1980 wrote to memory of 4804	1980	{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe	111
PID 2084 wrote to memory of 2776	2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe	112
PID 2084 wrote to memory of 2776	2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe	112
PID 2084 wrote to memory of 2776	2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe	112
PID 2084 wrote to memory of 4084	2084	{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_1fd7e3cca40c7f82df0600b0cbaf9e6b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
  C:\Windows\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{0780119E-22EC-4980-9582-E359456930E8}.exe
    C:\Windows\{0780119E-22EC-4980-9582-E359456930E8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
      C:\Windows\{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
        
        C:\Windows\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
        
        C:\Windows\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
        
        C:\Windows\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
        
        C:\Windows\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
        
        C:\Windows\{3FF4BC6C-E133-4ee2-B652-786989222688}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
        
        C:\Windows\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
        
        C:\Windows\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe
        
        C:\Windows\{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe
        
        C:\Windows\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8836~1.EXE > nul
        13⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98DDA~1.EXE > nul
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4420~1.EXE > nul
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF4B~1.EXE > nul
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0D0~1.EXE > nul
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F668~1.EXE > nul
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CF23~1.EXE > nul
        7⤵
        
        PID:4236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{091DC~1.EXE > nul
        6⤵
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E96F8~1.EXE > nul
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07801~1.EXE > nul
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FCBA~1.EXE > nul
    3⤵
    PID:4100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0780119E-22EC-4980-9582-E359456930E8}.exe

Filesize
380KB

MD5
0a006808c1a4b71c106b0fd4e3921b60

SHA1
30e0e5c5e1c0af655f60c1dc915391638ee534cf

SHA256
93ceac8dc257773b07cee592a9576a335eb40c5e0309d4223ef037a3e73bbdf1

SHA512
3821a99219d25032deccb9be6ec33b6701c3de030c3b856eae4f2c4ca4a3eb3533922ca4b2147a2461fd89a4abe7eb1184347b19dc3cbb511a49681707c31470

Download Submit
C:\Windows\{091DC3B8-E5B4-47a9-AE84-4C7E583051A5}.exe

Filesize
380KB

MD5
159e4f9e4bc1742b51188c17ab95495d

SHA1
af00882b1e18a6677db70943ec46f787430bd341

SHA256
a43f9bccaa8178f381e03a75ae7f9956973197483b06c1c25efa0e817fb0cc71

SHA512
b25a976db680b990a2f96f38fe30ef0fcc3b52d4bf2ce27bdc8a79d36c03cfaa2de7e48885997d1e31ef6b6eae4644aa7553a4ca0ad81c9cf5beeb5bc8d161e7

Download Submit
C:\Windows\{2CF23156-CA84-4782-8AAC-F5310E83E5AC}.exe

Filesize
380KB

MD5
66cc46d630284bd9a19ba71eeaadbb03

SHA1
4f76b633a6c2216eec6afad5a6afb8bc3a3f9ca5

SHA256
41313ab7b3737c779464c6db5154ad54ca6e0ffac02df1935c07ed4c0f08c202

SHA512
8d8e716749ef4108b0cf4d6ac4622a9790443dc5253a516ae49b3c5ac853287174a83b3dc12d9555f4c04be6e993b1194dede307cbd46a3e817d6d500849e63a

Download Submit
C:\Windows\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe

Filesize
380KB

MD5
4d2b1ef7a24f80aab050430d23e600a2

SHA1
546282ed7bc1b14f359533763367f2bf4a5e3321

SHA256
69400b0e320b3fa2074992303767325cece4e98c178235d08038d903951e821e

SHA512
e7a29b39a42e213bba65bc20a10dee2db548bc53a864e67056c70f7de192c70f2da6ab18e926872dcba3e918a5ac568d4f1dc52b556c83b08ee5df372f7bfda5

Download Submit
C:\Windows\{2FCBA5E3-C5C4-4329-B098-BAD0D79C0065}.exe

Filesize
365KB

MD5
2e4430a7d9c6ecb1e664bebdf865e27a

SHA1
2e68a601090a7c6c00b922e0f6995c9c2485ebfc

SHA256
043543f8cbcb32327655a266af7755e816708c0578b7351a4983764b1b3f5144

SHA512
88960d6b3a908ce3d6f7d682270a9c0637da7dddbaf7b6d92e2a14e64a2e612c2e4f391dc36f0f9dadea60f98cd4c7c1abfd733d7b6fcad8c133859628cc3503

Download Submit
C:\Windows\{3FF4BC6C-E133-4ee2-B652-786989222688}.exe

Filesize
380KB

MD5
a182fe296716c318853d7e44bb92a980

SHA1
3d629e51bfa842b3a50373c2f1c870169267a635

SHA256
b1d2f2c5cc05e07c40e884e2443ac39ca72c464416c63eefcf6761937020c8e4

SHA512
764899461e6703924afb109473a214145358a8589809ac7238e428f6a0ef55ab8b2330d9a4aba10ea7045a87fef0394645c9476f4fc32f572abc2ba551b4c900

Download Submit
C:\Windows\{5A0D0FE4-1C81-4141-8FB3-BA6038F15354}.exe

Filesize
380KB

MD5
04c34e48bda30fa8c1541292b1c8b6fc

SHA1
80c4e3ec4d27a1b0d967035f5f0332e65b8d6028

SHA256
3e71ec229f12421bba45a9cc3cf6d4480c19a7aa5562014a80a7f7c6985dfc12

SHA512
c969056666ff50dcba5171f11609bb06d47118b9ad210ce84e0526633eaa3170a2490f8f658a61294e15863c4fc88127553634deb0ab2c4ed59b4556f0fbd0e3

Download Submit
C:\Windows\{98DDA46B-3B40-4fc3-8B7B-C267C681115D}.exe

Filesize
380KB

MD5
53c4d46165001b77e0c9da8e1855e013

SHA1
5f75588b0dc0721cbe2fa899f85c3a9d4b94c3a8

SHA256
56cd9f02d7adfdc92fc25ad6ceb5e922636c12a0bcb7787091aa320b274862c2

SHA512
1d603306309069b38ed2ae5bd2ccf08d5ceecb03698fc1739c5df936bc860853e5e95fc8790e76fbec87164c3f7da62140e3559ea6a6300aea6a8e87a680057d

Download Submit
C:\Windows\{9F668DC8-B040-4ba1-A64F-055CC441FC5F}.exe

Filesize
380KB

MD5
2cf42fc8c9f393a39f7868399ab63402

SHA1
41052519a3da731262996101000227810078c14c

SHA256
2f780ec69079bbf64b127d10091ed63d55b3943672246d4beb0679cbd906f49f

SHA512
27f60a4df1b2a0e5323a311930314bd04280bcc7bbe23311f7845280efa0f3bb0ca7a9a286bb5c7fb061968664ab6287444b3c0ececd71d4299d565f90d481bc

Download Submit
C:\Windows\{A883667B-44C3-4813-9C7A-512C7DEA2032}.exe

Filesize
380KB

MD5
a959a6d01e0e49cada259b926ffe8638

SHA1
27229490e4b6fbbcbce43c9d0c6478ba455f5068

SHA256
5dde5dbb06fc95f6e10e3300571950e3e3d7902c173e60df843d5d8627f51cbf

SHA512
8cf8a2a2ab4d2d02af929d92869c7d7cdf681908aa15369bf4786ef0b42eb47677209ca8a324e1c92c919c132c97bf70732136ea3dab9860d33f9074fb7f9409

Download Submit
C:\Windows\{E4420CA9-F9C2-4a16-B4C0-B320D67BAA33}.exe

Filesize
380KB

MD5
58ac6d609e63796f8ec89ade56641233

SHA1
08efb4fdf56d8171308fd639200e793bd08d49b9

SHA256
fc53eabd4b14e0fa6dbba6756dbdf83e465c8b8e83ba387740bcad413f1546a6

SHA512
bc73b727a4163bb78be1844d00b85b0dce278322056f3442d7979fdc525bba30cb0704f4ca46c0c1d12553efa409db39a4383afbe67ffbcc5ee791d9929362e9

Download Submit
C:\Windows\{E96F8F7A-0E97-4c27-A099-3B51904C350E}.exe

Filesize
380KB

MD5
91cfdc1d8a5179333d7e0c696d12d6d5

SHA1
5d4ee675aee1d91b6d8afbdca773d01ff1d1c4e5

SHA256
d1f81cf658050847cfc33b482529698b4f3e16be10f9a8cab2a8c5bfc2c24770

SHA512
6a62642ca4fd5cc0774e9a37b5135767862d6b5e4a004897848efa0742659ccbb978bf6b26ac5533e4181c11a64243a978b2a815f400bba6fd50a07f64c74505

Download Submit
C:\Windows\{F06244F9-2B80-43f2-8DD8-0179D0E4F4EF}.exe

Filesize
380KB

MD5
726aa7f1ad6b0f463327be98e786c21f

SHA1
c4f1009314b1da62804368c3ca2cde61b7ff48d9

SHA256
c62615e1548fb2cda0efbdad207db4a24d899324ad2c018c41f0fdc5769e0488

SHA512
7bea931a7615779ffd72f755252a5483ab6443bb1b274e18c3fd81f6ea8313788a39263aba4b536aaf9702cb5ceba2e14dad3da3ebc75ffd3c87e31f605213d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads