c0d2380a52f9c355b2595fc8b57196f05f8f04eef641f857362ca5199e1de52d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Size

380KB
MD5

6c2c95a0759f3d6f5b451a640b7953b3
SHA1

c5fe6e15725a5b36aba685774bf86fae7cd90ce3
SHA256

c0d2380a52f9c355b2595fc8b57196f05f8f04eef641f857362ca5199e1de52d
SHA512

fe9f18fdcc8585921fc6ae1cd8209d22eafc33544e9cac6c584e2a1da3797724f48d9d62c0b999e4e243bed55d0d0bd2e73bc8275ca88f6617438635ce1510e5
SSDEEP

3072:mEGh0o3lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023204-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023204-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231ff-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ff-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}\stubpath = "C:\\Windows\\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe"	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8693064-1FE5-489c-9CF0-FD4D44D81125}\stubpath = "C:\\Windows\\{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe"	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}\stubpath = "C:\\Windows\\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe"	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8693064-1FE5-489c-9CF0-FD4D44D81125}	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}\stubpath = "C:\\Windows\\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe"	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}\stubpath = "C:\\Windows\\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe"	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C12F468-254E-4527-A2F9-5957821154F9}	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C12F468-254E-4527-A2F9-5957821154F9}\stubpath = "C:\\Windows\\{0C12F468-254E-4527-A2F9-5957821154F9}.exe"	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9208336A-715B-4a29-BADA-D93FCD4F016E}\stubpath = "C:\\Windows\\{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe"	{0C12F468-254E-4527-A2F9-5957821154F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}\stubpath = "C:\\Windows\\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe"	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA6ECDD-E394-4113-85E9-3C26DA976108}\stubpath = "C:\\Windows\\{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe"	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}\stubpath = "C:\\Windows\\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe"	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9208336A-715B-4a29-BADA-D93FCD4F016E}	{0C12F468-254E-4527-A2F9-5957821154F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}\stubpath = "C:\\Windows\\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe"	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}\stubpath = "C:\\Windows\\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe"	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA6ECDD-E394-4113-85E9-3C26DA976108}	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe

Executes dropped EXE 12 IoCs

pid	Process
912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
3604	{0C12F468-254E-4527-A2F9-5957821154F9}.exe
3560	{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
File created	C:\Windows\{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
File created	C:\Windows\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
File created	C:\Windows\{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe	{0C12F468-254E-4527-A2F9-5957821154F9}.exe
File created	C:\Windows\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
File created	C:\Windows\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
File created	C:\Windows\{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
File created	C:\Windows\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
File created	C:\Windows\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
File created	C:\Windows\{0C12F468-254E-4527-A2F9-5957821154F9}.exe	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
File created	C:\Windows\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
File created	C:\Windows\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
Token: SeIncBasePriorityPrivilege	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
Token: SeIncBasePriorityPrivilege	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
Token: SeIncBasePriorityPrivilege	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
Token: SeIncBasePriorityPrivilege	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
Token: SeIncBasePriorityPrivilege	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
Token: SeIncBasePriorityPrivilege	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
Token: SeIncBasePriorityPrivilege	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
Token: SeIncBasePriorityPrivilege	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
Token: SeIncBasePriorityPrivilege	4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
Token: SeIncBasePriorityPrivilege	3604	{0C12F468-254E-4527-A2F9-5957821154F9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 912	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	97
PID 2008 wrote to memory of 912	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	97
PID 2008 wrote to memory of 912	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	97
PID 2008 wrote to memory of 1344	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	98
PID 2008 wrote to memory of 1344	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	98
PID 2008 wrote to memory of 1344	2008	2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe	98
PID 912 wrote to memory of 2944	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	99
PID 912 wrote to memory of 2944	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	99
PID 912 wrote to memory of 2944	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	99
PID 912 wrote to memory of 3220	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	100
PID 912 wrote to memory of 3220	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	100
PID 912 wrote to memory of 3220	912	{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe	100
PID 2944 wrote to memory of 3920	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	103
PID 2944 wrote to memory of 3920	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	103
PID 2944 wrote to memory of 3920	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	103
PID 2944 wrote to memory of 4236	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	102
PID 2944 wrote to memory of 4236	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	102
PID 2944 wrote to memory of 4236	2944	{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe	102
PID 3920 wrote to memory of 2672	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	104
PID 3920 wrote to memory of 2672	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	104
PID 3920 wrote to memory of 2672	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	104
PID 3920 wrote to memory of 2332	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	105
PID 3920 wrote to memory of 2332	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	105
PID 3920 wrote to memory of 2332	3920	{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe	105
PID 2672 wrote to memory of 2052	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	106
PID 2672 wrote to memory of 2052	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	106
PID 2672 wrote to memory of 2052	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	106
PID 2672 wrote to memory of 3680	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	107
PID 2672 wrote to memory of 3680	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	107
PID 2672 wrote to memory of 3680	2672	{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe	107
PID 2052 wrote to memory of 2244	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	108
PID 2052 wrote to memory of 2244	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	108
PID 2052 wrote to memory of 2244	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	108
PID 2052 wrote to memory of 1280	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	109
PID 2052 wrote to memory of 1280	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	109
PID 2052 wrote to memory of 1280	2052	{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe	109
PID 2244 wrote to memory of 2780	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	110
PID 2244 wrote to memory of 2780	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	110
PID 2244 wrote to memory of 2780	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	110
PID 2244 wrote to memory of 4044	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	111
PID 2244 wrote to memory of 4044	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	111
PID 2244 wrote to memory of 4044	2244	{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe	111
PID 2780 wrote to memory of 1516	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	112
PID 2780 wrote to memory of 1516	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	112
PID 2780 wrote to memory of 1516	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	112
PID 2780 wrote to memory of 2220	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	113
PID 2780 wrote to memory of 2220	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	113
PID 2780 wrote to memory of 2220	2780	{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe	113
PID 1516 wrote to memory of 4948	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	115
PID 1516 wrote to memory of 4948	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	115
PID 1516 wrote to memory of 4948	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	115
PID 1516 wrote to memory of 208	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	114
PID 1516 wrote to memory of 208	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	114
PID 1516 wrote to memory of 208	1516	{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe	114
PID 4948 wrote to memory of 4792	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	117
PID 4948 wrote to memory of 4792	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	117
PID 4948 wrote to memory of 4792	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	117
PID 4948 wrote to memory of 3308	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	116
PID 4948 wrote to memory of 3308	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	116
PID 4948 wrote to memory of 3308	4948	{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe	116
PID 4792 wrote to memory of 3604	4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe	118
PID 4792 wrote to memory of 3604	4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe	118
PID 4792 wrote to memory of 3604	4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe	118
PID 4792 wrote to memory of 4120	4792	{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_6c2c95a0759f3d6f5b451a640b7953b3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
  C:\Windows\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
    C:\Windows\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10BE3~1.EXE > nul
      4⤵
      PID:4236
  - - C:\Windows\{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
      C:\Windows\{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
        
        C:\Windows\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
        
        C:\Windows\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
        
        C:\Windows\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
        
        C:\Windows\{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
        
        C:\Windows\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1AE4~1.EXE > nul
        10⤵
        
        PID:208
        
        C:\Windows\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
        
        C:\Windows\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02729~1.EXE > nul
        11⤵
        
        PID:3308
        
        C:\Windows\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
        
        C:\Windows\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{0C12F468-254E-4527-A2F9-5957821154F9}.exe
        
        C:\Windows\{0C12F468-254E-4527-A2F9-5957821154F9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe
        
        C:\Windows\{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C12F~1.EXE > nul
        13⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{210F3~1.EXE > nul
        12⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA6E~1.EXE > nul
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35CDB~1.EXE > nul
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D41D0~1.EXE > nul
        7⤵
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A93B~1.EXE > nul
        6⤵
        
        PID:3680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8693~1.EXE > nul
        5⤵
        
        PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8EE64~1.EXE > nul
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{027299DA-6E82-4e2c-A2EC-767F2FA3C956}.exe

Filesize
380KB

MD5
849482f04855d20432442705ea2cf9ce

SHA1
44b669940e3840a8acbfacef97ec3d8cba782c70

SHA256
78558452e118018b61f148973d7f2643a7285ccca48660d59cae0fdb7f7d389f

SHA512
a8b4c365fe3781b44339ecabbd6af70c9887ac3cac24f2203cce6482a6fc76a0451ded7705af54483f0aaaecb6e36e63ab366e9436a15b1ed843926c19126e1f

Download Submit
C:\Windows\{0C12F468-254E-4527-A2F9-5957821154F9}.exe

Filesize
380KB

MD5
4ad6d1b2a52abf0f0a80301defedc888

SHA1
63ccda6b8ff00f419aabd04a27bd2b3dce4b1342

SHA256
485b2fd5ea7fc6a32cec1ca59aadb4484efd39499926ab4a3c792be0a4e67eec

SHA512
d7b423f9218925d117c0f7862c1d5c3a81ad9c9296bbb7bf903abb61a55d115c3f92494f790321528f560d401f34db485cba5f600fff0aa61f8fe8ed388fc69b

Download Submit
C:\Windows\{10BE3F63-46F3-42f4-8D9D-0206B8E278EC}.exe

Filesize
380KB

MD5
76eabfc9ef3bdd500f4ad93605d7ff02

SHA1
77ac05fa378dd36e157a4cfd9def95ea9d090f01

SHA256
42dd4de71b0eee24f4fa895bc49205a612907cbe099f57d0a58b193b52b9ad96

SHA512
0297a8cb7856c1d695d1de0b720ec35dca4c26e0fa1c520939393a75d65d7657820bd5d786ae8967c006a36365ba444820a88b92e3c44c4fdce34002b1e1474b

Download Submit
C:\Windows\{210F3E5F-C13C-4d2b-A7C9-F08910A3F303}.exe

Filesize
380KB

MD5
abe52161803159f2b99e3acd7cdf719e

SHA1
1c677dba0134d578bd7b2645fd2a2f6c29c96514

SHA256
fe7a6a8cf2c0c27b26d15f64ff597f76c1d3329c8318bad5623ca19751ce21e9

SHA512
d6e38d3a102ab44b958b3d6d86d0c74843080e1f7f3ce8c30229a7a296cfb3693519298f7429ebec9a8d9b86a89ac811a39bd5175399b9e395a8ec93b0df5acf

Download Submit
C:\Windows\{35CDB075-5277-4d7c-9ECC-C447BA85BC55}.exe

Filesize
380KB

MD5
17fc0d8c44533c848871b16ab4157717

SHA1
f41c8c43bd2b8eb6cb4a13c7529e91704113a21c

SHA256
038c56e4590a650607c4985c1b5ab967b3138bb76714b6c0dfb95378a5970e8e

SHA512
d7f62e8cba341262263a790d6c6023e6d399a004146093eeb9f39c61201ea7c9a03770db9c5880d6438786fe3b136cf4d687d1d1131f7aeab376fe86e45f5961

Download Submit
C:\Windows\{6FA6ECDD-E394-4113-85E9-3C26DA976108}.exe

Filesize
380KB

MD5
24be2a9dee06c41d17b7795592a1b393

SHA1
0ed10f680662dd98f74013bbd79480d89355aac8

SHA256
9a180c93ec0e5e61f34d09621fc448c95787d0f9de9cb1cbcd861d3318ff2b31

SHA512
80b9e771a2fb5baae93f4452721d62b49b868765b76b1fb7c38a09f8637757a4e360a12a8ef717021b5ac749995e60de92b576f9f91d973fa0f0a5f7cbe812c1

Download Submit
C:\Windows\{8A93BB8C-FB8E-4b0f-808C-AFC55BEF3365}.exe

Filesize
380KB

MD5
f273811a28fe4c739a846bbcea482816

SHA1
4883fe47fd6aaf628d2553886977c08a9f06d47e

SHA256
9336a5d612d42652e7e539c4820c47344c110738be8dcd34e39efa1ea7df0d17

SHA512
f812bc90f8874839a403d352def5c45931972acebf950ce5063964c51f567bc5049e5869c50cc106107d33530df162132e41fe8b520d2537b37c076d62d58329

Download Submit
C:\Windows\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe

Filesize
139KB

MD5
f36a271f806dd3e865d6dadb12c1df61

SHA1
b9fff944b1f26d4d0478c14839b08cd0c54a1a34

SHA256
4ec74b45acca02454db7a5cebac42e6fff6dcfca7153502797a2b62ef7718c20

SHA512
696f6ef3e9566d6afe8de3bd707e90cc51739f870e3c74dce063f1e730ce442618c4e463037f50d5de1bf0af5e626823ded5fa3387f2230cd35dd38e32ce8e7b

Download Submit
C:\Windows\{8EE6409C-81E1-4a5f-B222-D637C9AFB456}.exe

Filesize
2KB

MD5
b642edf226ec9d9dbc24d3fc67122574

SHA1
b621c115aac8c1ef2c2105fc175c6d745400ad7e

SHA256
0a3c457e7b45d59382579ca336f1f85913d7406511cb372bcc9c31ac85ed43e9

SHA512
b7548ae9fe3adab4afbb696b1b7be4c9f3c21c08cf838d538f17c9b24028583395404216bc1cbe5d76f7055d5d379ddf6a4f88c03b621339a6fab6c67e91341a

Download Submit
C:\Windows\{9208336A-715B-4a29-BADA-D93FCD4F016E}.exe

Filesize
380KB

MD5
8056724e33cd3f3bd665871b6b790f90

SHA1
00369e7ac4da719e975028695cb93ca6df94a93b

SHA256
fa16f718e182330f2b83d71c244d319251273296933891422018ded3d05116b4

SHA512
8d506fb25d91bc8e2a73cfc478dae671846eadcf5fab9a896b3d9244f58e4313b42510aa1afb2abbd93126e64d76dfe15f5826de4afedd483e528cd606147616

Download Submit
C:\Windows\{D1AE4E52-047C-4b96-BE54-DD0BDB724F23}.exe

Filesize
380KB

MD5
54a68733dabadb56d70f74dba1cf34ef

SHA1
022a29b3838e6fca72fe2fadf8c4d1221fd498b5

SHA256
c999cf10be3f8540cee3b07b44c26da15ad99a4471c3356dcb75b25c7b99357b

SHA512
1fc6deebbb16a59a2cb50043bd507fbb21276472de76adecb319679e039f801a33b572e6728f97adf94a47fdf2709b84b7ff2422210db93c59b869ab6afb138e

Download Submit
C:\Windows\{D41D0AF1-06D9-4a59-B514-7C0A81B1FC19}.exe

Filesize
380KB

MD5
5f163e472d8f8bb58d802e67c53d9a31

SHA1
3377613ce0bf184ba3848974105a42e942cf419d

SHA256
16ea7afcca1caab7c78a3ffa278161a9897b54affd777802e8d5b92905b1109f

SHA512
669e17912d2e68148875f07140e8341e810b1991211701e932c6b18a1bd91bf4d4ace867ed65002bef57fda59536c94bf924e565cf3e570141fc31c1d19e958e

Download Submit
C:\Windows\{D8693064-1FE5-489c-9CF0-FD4D44D81125}.exe

Filesize
380KB

MD5
98b206c575a0163c90f7ae6452320753

SHA1
093869e64b3383c91c8e65562b221a463851fb54

SHA256
8d5f86cedbdc24c7c8d76b27fd15f8774362ba12ad42c79fa3a3ff4d5333d7b8

SHA512
65fea4818b4065dc95d2390dd28dedda602fa5e4578f572bb3edb6f1c7bcca96d646c31ecaabc9a43c026555e0ac0fb488a9e5d9aad226b3c5a06ef344900ed4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads