7157d6199bdf099598ebd24ad7465171c3e4fd68e08b6d7e99ab5c56cd8c62b1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
Size

372KB
MD5

e2c1bfeed2de4891b22b3edc77f5085f
SHA1

b2e677ddb01ba5ea6f66b3bb320bff12616b3955
SHA256

7157d6199bdf099598ebd24ad7465171c3e4fd68e08b6d7e99ab5c56cd8c62b1
SHA512

4c87b44b12e244fbfb5458519dd5e8020b7b58181c4ee4ecb26c03e65f042c26059c9bcae86d10bdb4e5e024236a2496492a9721ea9460137c96f12ab0b82877
SSDEEP

3072:CEGh0ormlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGcl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023230-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023234-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023234-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}\stubpath = "C:\\Windows\\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe"	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}\stubpath = "C:\\Windows\\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe"	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}\stubpath = "C:\\Windows\\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe"	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E264C9-C143-4b73-820D-79886B07CD0D}	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}\stubpath = "C:\\Windows\\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe"	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E264C9-C143-4b73-820D-79886B07CD0D}\stubpath = "C:\\Windows\\{78E264C9-C143-4b73-820D-79886B07CD0D}.exe"	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6080B411-067D-4181-8261-D4E2C0DCF3D6}\stubpath = "C:\\Windows\\{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe"	{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5E3803-FDA7-419a-98B1-02473E65F219}	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6080B411-067D-4181-8261-D4E2C0DCF3D6}	{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6242C92F-40F1-4efe-B959-D3C1B13D0511}\stubpath = "C:\\Windows\\{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe"	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}\stubpath = "C:\\Windows\\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe"	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5E3803-FDA7-419a-98B1-02473E65F219}\stubpath = "C:\\Windows\\{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe"	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}\stubpath = "C:\\Windows\\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe"	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}\stubpath = "C:\\Windows\\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe"	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}\stubpath = "C:\\Windows\\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe"	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6242C92F-40F1-4efe-B959-D3C1B13D0511}	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe

Executes dropped EXE 12 IoCs

pid	Process
1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe
3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
3548	{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
1748	{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
File created	C:\Windows\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
File created	C:\Windows\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
File created	C:\Windows\{78E264C9-C143-4b73-820D-79886B07CD0D}.exe	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
File created	C:\Windows\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
File created	C:\Windows\{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe	{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
File created	C:\Windows\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
File created	C:\Windows\{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
File created	C:\Windows\{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
File created	C:\Windows\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
File created	C:\Windows\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
File created	C:\Windows\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
Token: SeIncBasePriorityPrivilege	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
Token: SeIncBasePriorityPrivilege	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
Token: SeIncBasePriorityPrivilege	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe
Token: SeIncBasePriorityPrivilege	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
Token: SeIncBasePriorityPrivilege	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
Token: SeIncBasePriorityPrivilege	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
Token: SeIncBasePriorityPrivilege	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
Token: SeIncBasePriorityPrivilege	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
Token: SeIncBasePriorityPrivilege	1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
Token: SeIncBasePriorityPrivilege	3548	{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1180	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	91
PID 644 wrote to memory of 1180	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	91
PID 644 wrote to memory of 1180	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	91
PID 644 wrote to memory of 3984	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	92
PID 644 wrote to memory of 3984	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	92
PID 644 wrote to memory of 3984	644	2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe	92
PID 1180 wrote to memory of 4524	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	93
PID 1180 wrote to memory of 4524	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	93
PID 1180 wrote to memory of 4524	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	93
PID 1180 wrote to memory of 4152	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	94
PID 1180 wrote to memory of 4152	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	94
PID 1180 wrote to memory of 4152	1180	{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe	94
PID 4524 wrote to memory of 3916	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	96
PID 4524 wrote to memory of 3916	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	96
PID 4524 wrote to memory of 3916	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	96
PID 4524 wrote to memory of 4808	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	97
PID 4524 wrote to memory of 4808	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	97
PID 4524 wrote to memory of 4808	4524	{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe	97
PID 3916 wrote to memory of 2680	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	99
PID 3916 wrote to memory of 2680	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	99
PID 3916 wrote to memory of 2680	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	99
PID 3916 wrote to memory of 4264	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	98
PID 3916 wrote to memory of 4264	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	98
PID 3916 wrote to memory of 4264	3916	{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe	98
PID 2680 wrote to memory of 3724	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	100
PID 2680 wrote to memory of 3724	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	100
PID 2680 wrote to memory of 3724	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	100
PID 2680 wrote to memory of 656	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	101
PID 2680 wrote to memory of 656	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	101
PID 2680 wrote to memory of 656	2680	{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe	101
PID 3724 wrote to memory of 2184	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	102
PID 3724 wrote to memory of 2184	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	102
PID 3724 wrote to memory of 2184	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	102
PID 3724 wrote to memory of 1288	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	103
PID 3724 wrote to memory of 1288	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	103
PID 3724 wrote to memory of 1288	3724	{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe	103
PID 2184 wrote to memory of 5048	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	104
PID 2184 wrote to memory of 5048	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	104
PID 2184 wrote to memory of 5048	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	104
PID 2184 wrote to memory of 2372	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	105
PID 2184 wrote to memory of 2372	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	105
PID 2184 wrote to memory of 2372	2184	{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe	105
PID 5048 wrote to memory of 4944	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	106
PID 5048 wrote to memory of 4944	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	106
PID 5048 wrote to memory of 4944	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	106
PID 5048 wrote to memory of 1256	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	107
PID 5048 wrote to memory of 1256	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	107
PID 5048 wrote to memory of 1256	5048	{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe	107
PID 4944 wrote to memory of 4168	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	109
PID 4944 wrote to memory of 4168	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	109
PID 4944 wrote to memory of 4168	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	109
PID 4944 wrote to memory of 3140	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	108
PID 4944 wrote to memory of 3140	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	108
PID 4944 wrote to memory of 3140	4944	{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe	108
PID 4168 wrote to memory of 1404	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	110
PID 4168 wrote to memory of 1404	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	110
PID 4168 wrote to memory of 1404	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	110
PID 4168 wrote to memory of 64	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	111
PID 4168 wrote to memory of 64	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	111
PID 4168 wrote to memory of 64	4168	{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe	111
PID 1404 wrote to memory of 3548	1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe	112
PID 1404 wrote to memory of 3548	1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe	112
PID 1404 wrote to memory of 3548	1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe	112
PID 1404 wrote to memory of 1620	1404	{78E264C9-C143-4b73-820D-79886B07CD0D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_e2c1bfeed2de4891b22b3edc77f5085f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
  C:\Windows\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
    C:\Windows\{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
      C:\Windows\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D172C~1.EXE > nul
        5⤵
        
        PID:4264
    - - C:\Windows\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe
        
        C:\Windows\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
        
        C:\Windows\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
        
        C:\Windows\{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
        
        C:\Windows\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
        
        C:\Windows\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F82D2~1.EXE > nul
        10⤵
        
        PID:3140
        
        C:\Windows\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
        
        C:\Windows\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
        
        C:\Windows\{78E264C9-C143-4b73-820D-79886B07CD0D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
        
        C:\Windows\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe
        
        C:\Windows\{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe
        13⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{158D6~1.EXE > nul
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78E26~1.EXE > nul
        12⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC76D~1.EXE > nul
        11⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F08CE~1.EXE > nul
        9⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD5E3~1.EXE > nul
        8⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05AA~1.EXE > nul
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE252~1.EXE > nul
        6⤵
        
        PID:656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6242C~1.EXE > nul
      4⤵
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4C1F6~1.EXE > nul
    3⤵
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{158D6DBE-B98A-4058-99A8-E11D08D97A9D}.exe

Filesize
372KB

MD5
fb6dbabdf69972f7a0cacb7e7459913f

SHA1
01e21b36e1880883b031b4a9255ced661ac4f5c6

SHA256
b826d73c57a4ea81b51cba43311a5abcdda078c79486b9f5f6d264fa2f4b31a7

SHA512
43dc9801a4673a388136a7868c155870efdb0a51a400cac9a1d55913d19126a2f6da33c33549e8368ea43c913015ffb9fce657e7894cbd400dcd2ccde544214c

Download Submit
C:\Windows\{4C1F6257-D8FD-43a1-B7D5-D456509AF5B4}.exe

Filesize
372KB

MD5
017fb5e8a3d3ec8c87c2361e720c6dd9

SHA1
82277cd6df9eebb172424d33a315dc1a3e0eff2e

SHA256
d8f7cb4acd5c95867bf1e479254e973de4eaa6642de741c3aa1d1f5ea977ee8e

SHA512
b33882809136ac15e568b1abbb8ea697d6327686d9563d51853113ee7250df6faafde624dedcb51168224ad2efe39d0299443eda8d2bfe40d2cdd127fa6959c1

Download Submit
C:\Windows\{6080B411-067D-4181-8261-D4E2C0DCF3D6}.exe

Filesize
372KB

MD5
dd3682808f05a08894cdc1b1beca4e6d

SHA1
5dab51fb8515383ebb329d22acc5025f00ab05f3

SHA256
76e40182bb06f610d0685cde4a02d5c860ac7bb9669294daf3cc66ae423ac96e

SHA512
fa8be902f569a2473b332923b45f6f805c5da539f7216fe7376de62ef994f9aebecd51ea198b5f625bbb4b48e16a7f6372c925c1774f9509a056be88f71db757

Download Submit
C:\Windows\{6242C92F-40F1-4efe-B959-D3C1B13D0511}.exe

Filesize
372KB

MD5
d061ee50db8a5b0cbca1edf0d481f0a9

SHA1
de73d8b49dace31040fd08d8ca75b4c4b7865835

SHA256
6cef77fb33cf0cb9d990891650a39eaf476938c48c4cbd9923473624205e69f7

SHA512
4080265d380defa16f9020445cb8b253e831640cb358b33ecbac4c0d66872bf7a3036b26f04676f078ba634c0489f31db00236ff7ec581985f468b21a970cebe

Download Submit
C:\Windows\{78E264C9-C143-4b73-820D-79886B07CD0D}.exe

Filesize
372KB

MD5
88e6a439d38f4c0ebc374a1f4d35fef3

SHA1
a7a235aab34d32b9afc12c19e86faf8e63eae8b2

SHA256
e334c07e37d436b9d6620aad4533432e063cf13e5868a187f9d53a51e08919bc

SHA512
95ec629e54159eb27f5aa2e12aadbf1d29e2188ccb6df00401e2b91f112416b316c97d55569df70491844014939175061c56a4291cca49124ecee8bc2e2a53d6

Download Submit
C:\Windows\{BE252155-19FC-423c-BBBB-DF18C6A5AD01}.exe

Filesize
372KB

MD5
808fe8e82e4c19d44919c6703a3619d2

SHA1
ef943ca4a9841cd63c2c41bf4098c82b2662c59b

SHA256
456351c04a213a3891d25a3efc494903d41222936c1adf9ff51fffe15387ffda

SHA512
1805d74810519cfa6b5264276ec0c11bb6602cdf79a28af9a14c045105f085ba626a12627b384b5c1fd79c9059a93611433a20908a9cab24dff35f1a5941635b

Download Submit
C:\Windows\{C05AAAEE-7ED9-43c9-8339-C68E9D0DF4E2}.exe

Filesize
372KB

MD5
f351c008657bd9af74492f945a443e53

SHA1
69c7e1e462273c02f75daa0bba3c945b3690d197

SHA256
8d9879dfd7964e9d43f06ed50df3bc747c035e8f5865b93284ee3849468fd791

SHA512
20dbc5b33332694011c233dbc46eebc29767585097022eab0bc264228a76f9c11b5f454a2089ef2fbe81c3743510d37bba5821aeec11c95ea10b092339e1b35b

Download Submit
C:\Windows\{D172CF30-B4C8-4616-9BEB-7B1C7E6F9F74}.exe

Filesize
372KB

MD5
f1036b18eb6ce8f4cd241f0ab1e87ab7

SHA1
090fa16a0b7b76c4a4eab2ad86350967c3e79135

SHA256
2965c78f8ebdadc5f65bbfed20466d7f1636cfe5d08b642a65be1723bdc46ca1

SHA512
33727180b3955131e8c380a849e410ff7119b57d215d4939f57a036d295d8e34c4442a5683d98448b33afa66bbc1d289d0378b6c2814df9dacdee5d4ab08064e

Download Submit
C:\Windows\{F08CE2FC-5AF5-4b86-8F32-C3468DF1CA8E}.exe

Filesize
372KB

MD5
3206b4258d0ea2c24058fd4100610b9d

SHA1
ee8b0f67a5465c3e4f03624dde54f484819b8673

SHA256
8bb2f6637ed591d1f39ee21bc1e039aa6adf2ad8ba32668312130a5981ab6944

SHA512
556482a75b894a7cbf1bb75596c4d1f437810f9dc2d0d0e125054f799c22a3b5ae216110dae4a36f6ae5d3e9be07d558b3b5b3a2be6bafd2df511cb67fe74fda

Download Submit
C:\Windows\{F82D2CAE-F2C9-492f-9E73-9866CBB51C7A}.exe

Filesize
372KB

MD5
ad50de5a497403a571ea4772f9057118

SHA1
f85190e7de773c44007cda79d144f222ad287d7e

SHA256
1cea152f752f6860d6a88d2a7659fdb6bc0a6d248a8869e4d65c1203be8f190b

SHA512
f9bdc785ce6e07c2164fcc632f676612e1a2b18fe20168d66e2bc00b7176db6b7f42266effcfbe4d1563f9f5f08846de797afbb1a4057d4a7681c1c11f71dd2b

Download Submit
C:\Windows\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe

Filesize
120KB

MD5
4bf41ac0a5cc707700a66915d54554a4

SHA1
c7e392e15810fd94c45ec17fcd9b7642862349ac

SHA256
797a602dca3307fde51ebb9f535f852f1534a9fb94e468a205c0e935abb08200

SHA512
894def9dc02d02ce4d48566177c9c164a5de6d804c44b3281d898e93de53a0147bfea8d3576412669c73c08bc135a8b5399d359115470557987d5836cbacf349

Download Submit
C:\Windows\{FC76DB6D-AD39-414d-B848-B4FFE2CB5FEE}.exe

Filesize
74KB

MD5
acfb60d261150bbd55f1def732b14b43

SHA1
a152cb588f3126d68a84875680c7e92d7b73729c

SHA256
aae5ab65eb8bf58f7342c69e50cbf341662705610aac4e66d6489c2a1a431b1d

SHA512
bb3d7efaf0eebd7d9eb7711cbac3c78b45095bbcfa9d02e07c28af5d64a4140cc772840e2287a8404b04d305bd7ec645a2805509b01cf4661efb790ad02d7255

Download Submit
C:\Windows\{FD5E3803-FDA7-419a-98B1-02473E65F219}.exe

Filesize
372KB

MD5
e4ee0994b9ebf0d59f8c4d146cf9aa8e

SHA1
d04c3e87267fef56c6cc9664afd9d8a723cdf170

SHA256
9ca21db31ac52de5a3d3c5755d0611ab49a5d5dbafd9872d886c434182d48a3f

SHA512
fff6e3303c22d5c09086c0b35b7bb24eaaf9b29603a16de4ff3ddde18bba62e49b5aa2bfd8aa833e7e31172a0075bc2e5be02b814ce9cc93223f864b242eed87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads