887d454bcfb9f213418ce044f2aad69d6201d2cb3d65ba50f7b8ec9703e47f8b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
Size

192KB
MD5

e8a81dbe4934882bfcd2ec8cbfb7686f
SHA1

3e6a4c31e1bd1e4462a6561d6c66f853d58b0ae6
SHA256

887d454bcfb9f213418ce044f2aad69d6201d2cb3d65ba50f7b8ec9703e47f8b
SHA512

cb7400e5ac49f987268d840666b014bd6f0f109cfda555c71bde5b8bc7bf50c917df60544a321114fdba21a3373ff7b672c330f39427a3ce4fe9e4a04bb3c930
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oNl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023219-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023220-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023219-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000217f9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}\stubpath = "C:\\Windows\\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe"	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AD0A775-D336-4317-9981-5A9097377B68}	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA8A74F5-4762-421e-9213-58E4D7077F25}	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}\stubpath = "C:\\Windows\\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe"	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}\stubpath = "C:\\Windows\\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe"	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}\stubpath = "C:\\Windows\\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe"	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}\stubpath = "C:\\Windows\\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe"	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}\stubpath = "C:\\Windows\\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe"	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}\stubpath = "C:\\Windows\\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe"	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AD0A775-D336-4317-9981-5A9097377B68}\stubpath = "C:\\Windows\\{5AD0A775-D336-4317-9981-5A9097377B68}.exe"	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}	{5AD0A775-D336-4317-9981-5A9097377B68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}\stubpath = "C:\\Windows\\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe"	{5AD0A775-D336-4317-9981-5A9097377B68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}\stubpath = "C:\\Windows\\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe"	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA8A74F5-4762-421e-9213-58E4D7077F25}\stubpath = "C:\\Windows\\{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe"	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E00398E8-07BA-423c-9906-4142342B012E}	{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E00398E8-07BA-423c-9906-4142342B012E}\stubpath = "C:\\Windows\\{E00398E8-07BA-423c-9906-4142342B012E}.exe"	{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe

Executes dropped EXE 12 IoCs

pid	Process
4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe
1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
4748	{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe
2624	{E00398E8-07BA-423c-9906-4142342B012E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
File created	C:\Windows\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
File created	C:\Windows\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
File created	C:\Windows\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
File created	C:\Windows\{5AD0A775-D336-4317-9981-5A9097377B68}.exe	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
File created	C:\Windows\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe	{5AD0A775-D336-4317-9981-5A9097377B68}.exe
File created	C:\Windows\{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
File created	C:\Windows\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
File created	C:\Windows\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
File created	C:\Windows\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
File created	C:\Windows\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
File created	C:\Windows\{E00398E8-07BA-423c-9906-4142342B012E}.exe	{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
Token: SeIncBasePriorityPrivilege	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
Token: SeIncBasePriorityPrivilege	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
Token: SeIncBasePriorityPrivilege	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
Token: SeIncBasePriorityPrivilege	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
Token: SeIncBasePriorityPrivilege	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
Token: SeIncBasePriorityPrivilege	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
Token: SeIncBasePriorityPrivilege	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
Token: SeIncBasePriorityPrivilege	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe
Token: SeIncBasePriorityPrivilege	1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
Token: SeIncBasePriorityPrivilege	4748	{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4556	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	91
PID 3364 wrote to memory of 4556	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	91
PID 3364 wrote to memory of 4556	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	91
PID 3364 wrote to memory of 5076	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	92
PID 3364 wrote to memory of 5076	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	92
PID 3364 wrote to memory of 5076	3364	2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe	92
PID 4556 wrote to memory of 2636	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	93
PID 4556 wrote to memory of 2636	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	93
PID 4556 wrote to memory of 2636	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	93
PID 4556 wrote to memory of 4256	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	94
PID 4556 wrote to memory of 4256	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	94
PID 4556 wrote to memory of 4256	4556	{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe	94
PID 2636 wrote to memory of 4372	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	96
PID 2636 wrote to memory of 4372	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	96
PID 2636 wrote to memory of 4372	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	96
PID 2636 wrote to memory of 1340	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	97
PID 2636 wrote to memory of 1340	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	97
PID 2636 wrote to memory of 1340	2636	{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe	97
PID 4372 wrote to memory of 3932	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	98
PID 4372 wrote to memory of 3932	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	98
PID 4372 wrote to memory of 3932	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	98
PID 4372 wrote to memory of 4940	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	99
PID 4372 wrote to memory of 4940	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	99
PID 4372 wrote to memory of 4940	4372	{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe	99
PID 3932 wrote to memory of 388	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	100
PID 3932 wrote to memory of 388	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	100
PID 3932 wrote to memory of 388	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	100
PID 3932 wrote to memory of 3560	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	101
PID 3932 wrote to memory of 3560	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	101
PID 3932 wrote to memory of 3560	3932	{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe	101
PID 388 wrote to memory of 4884	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	103
PID 388 wrote to memory of 4884	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	103
PID 388 wrote to memory of 4884	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	103
PID 388 wrote to memory of 3432	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	102
PID 388 wrote to memory of 3432	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	102
PID 388 wrote to memory of 3432	388	{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe	102
PID 4884 wrote to memory of 4660	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	104
PID 4884 wrote to memory of 4660	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	104
PID 4884 wrote to memory of 4660	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	104
PID 4884 wrote to memory of 1944	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	105
PID 4884 wrote to memory of 1944	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	105
PID 4884 wrote to memory of 1944	4884	{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe	105
PID 4660 wrote to memory of 4908	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	107
PID 4660 wrote to memory of 4908	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	107
PID 4660 wrote to memory of 4908	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	107
PID 4660 wrote to memory of 3952	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	106
PID 4660 wrote to memory of 3952	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	106
PID 4660 wrote to memory of 3952	4660	{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe	106
PID 4908 wrote to memory of 1344	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	109
PID 4908 wrote to memory of 1344	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	109
PID 4908 wrote to memory of 1344	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	109
PID 4908 wrote to memory of 2436	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	108
PID 4908 wrote to memory of 2436	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	108
PID 4908 wrote to memory of 2436	4908	{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe	108
PID 1344 wrote to memory of 1232	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	110
PID 1344 wrote to memory of 1232	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	110
PID 1344 wrote to memory of 1232	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	110
PID 1344 wrote to memory of 2380	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	111
PID 1344 wrote to memory of 2380	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	111
PID 1344 wrote to memory of 2380	1344	{5AD0A775-D336-4317-9981-5A9097377B68}.exe	111
PID 1232 wrote to memory of 4748	1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe	113
PID 1232 wrote to memory of 4748	1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe	113
PID 1232 wrote to memory of 4748	1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe	113
PID 1232 wrote to memory of 4616	1232	{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_e8a81dbe4934882bfcd2ec8cbfb7686f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
  C:\Windows\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
    C:\Windows\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
      C:\Windows\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
        
        C:\Windows\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
        
        C:\Windows\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE82~1.EXE > nul
        7⤵
        
        PID:3432
        
        C:\Windows\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
        
        C:\Windows\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
        
        C:\Windows\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE79F~1.EXE > nul
        9⤵
        
        PID:3952
        
        C:\Windows\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
        
        C:\Windows\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D1F9~1.EXE > nul
        10⤵
        
        PID:2436
        
        C:\Windows\{5AD0A775-D336-4317-9981-5A9097377B68}.exe
        
        C:\Windows\{5AD0A775-D336-4317-9981-5A9097377B68}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
        
        C:\Windows\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63EFE~1.EXE > nul
        12⤵
        
        PID:4616
        
        C:\Windows\{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe
        
        C:\Windows\{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\{E00398E8-07BA-423c-9906-4142342B012E}.exe
        
        C:\Windows\{E00398E8-07BA-423c-9906-4142342B012E}.exe
        13⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA8A7~1.EXE > nul
        13⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AD0A~1.EXE > nul
        11⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EDAB~1.EXE > nul
        8⤵
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DFA5~1.EXE > nul
        6⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC209~1.EXE > nul
        5⤵
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE3F~1.EXE > nul
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{256F3~1.EXE > nul
    3⤵
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D1F9FC2-E28E-45f7-9B3F-C94DC5C38B6D}.exe

Filesize
192KB

MD5
42d15c5f552b713ed20dd368ca3cad25

SHA1
e1ec70ac84090bc6925a100d3d16d446881987c0

SHA256
158b84252d5235558a568bb3ff0e5d7aee2d48861e66cd849f41b39ba9944af5

SHA512
28eb6075939a0eab2c986aa028055f54bf3e3a404e717bf56055dc790e6124ad0d8b35b718004e0e2372b3b718d547436c4fb95d30328ecb1864a08fcf16ded8

Download Submit
C:\Windows\{256F3903-EBFD-4f9c-A472-742B2C1F2AF2}.exe

Filesize
192KB

MD5
f41eb43b0f45b979dc91c4b1795da441

SHA1
e10dbdef92c6501233af60bd7d381083f7a17303

SHA256
cae5dace770aa857de83cebedb7081fe4363577643fde5ad19297f335ad334c7

SHA512
132f0736a94414316ece51f82245b09627c3a804e930aa52f8e611099eb909e0af08685efc6ad0c886a3d74b8126fc567f9e2a27a662969dcb11ea51a544b5fe

Download Submit
C:\Windows\{2CE3F51C-4FFD-43da-818B-16BB0BA3E282}.exe

Filesize
192KB

MD5
db8f8610ecb1c235494cf77f0727aa9a

SHA1
bb7b1314c46ac8621845837d46895d417a43e232

SHA256
8a58d4946d7d799bfc86ddff0e0ea13503de8c32e1f0bfe3ee817c96cf8b9ba0

SHA512
f141b669c25c1de47f412b6f372f9c8844a65c071ae369e4eee97be8b3f312c22b1d34ec9ceaccbf5de6475d78bf8fb8b67248e84e3a345ad92527c4c1b308a3

Download Submit
C:\Windows\{2DFA5B43-00AE-4f4c-B5E6-E12F73E05F26}.exe

Filesize
192KB

MD5
d0be878eae027a04d4156f33ed51c1d6

SHA1
010f59b85072132556e25aad2baf670d18479eca

SHA256
d773d0d7efc059b9a87a2071262d865b0323352a97d9926ff22de9f21ea9f03c

SHA512
ebc66bfa5697d821654829010e26fd49a5035f3f0d1f283c638009dd5fb88f8581ffe818b012c0948d347e099eefceeaf49d6b8ac496d29f4a51b9ed5aa518b1

Download Submit
C:\Windows\{3EDAB4EB-C050-4e33-AD9B-E163EFDE5131}.exe

Filesize
192KB

MD5
65c399329dd0e78621bc61deb589244b

SHA1
b3f853b224a7822a4a2f9b0f1a7d0c03fa227ca9

SHA256
f2e64c11613c526b05608dca2091dff2cd8f558e0ae6b49453f5dfde61832240

SHA512
894d675eb80374a86b2d46dd1b3dba8f9b89b154fd96bc24b22fe9be8ecb60d878b6299f9bdd30f3bb8ab6e08a3f9d5b41e50c2d1d819c1030a4d0edf0a9662c

Download Submit
C:\Windows\{5AD0A775-D336-4317-9981-5A9097377B68}.exe

Filesize
192KB

MD5
74d9ddca1b77fa96088155dd440ce27b

SHA1
556aeacf6a5f797320281ff5109fd57f1fcb2d1a

SHA256
3d2148f934d7ce80471019fb7e2113e5be45710673731a9d9c6b2f2637e7868c

SHA512
fe80b116d398ee47fd4f62e17667f5bcf5c4f88ef7fc8027b1576913f0ad19ed55ef4badf927b78d00f8356f4c5be5804132cd90598fbc9c1792effd49496872

Download Submit
C:\Windows\{63EFEE5B-D8E2-4242-AF0A-9D3B0B17B36D}.exe

Filesize
192KB

MD5
f7a09360e51c4847fc4f99261a97831d

SHA1
7b976ede1812f361267f97d7dbc8d4b4e297ccce

SHA256
67b7e837f47c92c257494513f15e4c2eac18104f1153725b48ed9403f5cc468f

SHA512
ebfc153e59ca6935975d105fa9c364f6d5299f59b8a8c63dc27a00e1fee44cf937c3fdc090b00a93de593f74e2376a1f30e2ccca501be762846d9cc143643e32

Download Submit
C:\Windows\{9FE82B8A-CE47-42b7-98E4-36311423ECFE}.exe

Filesize
192KB

MD5
56e19668fd53069542a8e804cc5043f8

SHA1
54be5804f973474cbed609f667a5111d81ecdea0

SHA256
020ae72729bf7184172f2000a9aa6537b49cc740a2559df00acd89d3ace7f352

SHA512
088ffa8c7a5cfff4a376982e311f9e11bec97a66f0d4e3c97b44249542e0c0d6abc5e72fecff8f43f14a82a1ac61e85a76095c7750c985c66a73de9420c4ca99

Download Submit
C:\Windows\{AE79FD92-4D2D-40f1-A834-4E8010855FC1}.exe

Filesize
192KB

MD5
eb28949eff616e862ab20ed9e856f216

SHA1
276662d785f68f382c12f70674c02198fa4af67f

SHA256
e8e8b8803acc1f19abd6704e61ee2739a39b54c99b01abdccfed2afb799e9a48

SHA512
9dc35b19e9af5d3e2fbc7058984a38a9cd5d9b60d17c57d623a9b8843abc4a2a2dd42054d46c2342179acfc2e6dc5eb58957fed5292d421662f65c2718f91921

Download Submit
C:\Windows\{E00398E8-07BA-423c-9906-4142342B012E}.exe

Filesize
192KB

MD5
a2dbfff32aefd6a00c92aff3e47962dd

SHA1
c64ae7fa57dac9a834e92cb4fe5e1d23a9ffdf97

SHA256
dad0897b50245a54de5f49dcd5eb4ade476c20859ead9c7de466db01b2fbe871

SHA512
b0bdcbc2da18b009a9158dff47a93faf9581e454d3a9fcb49ad310aee25353fcdf864592c3f2992dee6e1801bcd8f649343d41e7e17ea4938787bf56fa198ded

Download Submit
C:\Windows\{FA8A74F5-4762-421e-9213-58E4D7077F25}.exe

Filesize
192KB

MD5
e35a550f8075aa3b9139c9b8022993fe

SHA1
66ff28c00869cc800bc5b1f0c5703e38ff518382

SHA256
31bd1f6985d4b6b49887260d9cb322a38f0117bdc36666d612914f27083ccfb7

SHA512
35534b607dc7507ad2e86c7e9bc3c5919600a0107bf024d36c799e296d06f4765b37a127f88522c1caaeeb0240e8800e4479978714da842751a7aba120700a6e

Download Submit
C:\Windows\{FC209676-78D8-4dd5-A3F1-1C692ECE6935}.exe

Filesize
192KB

MD5
264e5426f893319c4a4b6b169471436a

SHA1
2cf008be362a652112f928f17c74d8f722491a1c

SHA256
8e49b0d6f757e5482392a69713b9ce32d7f10391e89195742ae5a7d8d285aefc

SHA512
d4072caf7857a4da06dfed44cd154beb37c530077ee5d812a56d40b422a604c68279e82b58b67a0450f9db07eed44c63d12bac5f8655fe0306921f987a576bcd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads