9c69ced1b56da01d58b22be224094f7b0c9d9a9140f5a080514a94e27d80a2d8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe
Size

408KB
MD5

80c0f06622524dc427c0dcace513f9ac
SHA1

1bf68a079d5727beb7d5cf4a397c4da1baf0d928
SHA256

9c69ced1b56da01d58b22be224094f7b0c9d9a9140f5a080514a94e27d80a2d8
SHA512

11fb8d53ab487e7614334dd805d3e4b851d38d9d6005a037e6b8a0d5d33d56e35b0711166816f5dc358ee75639c80205b91ee2d8e88ea17029ae5f172eb6a4bc
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGlldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231b9-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000231bd-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231c4-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231bd-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B597BA5B-163E-4e76-A794-12D36E326F62}	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B597BA5B-163E-4e76-A794-12D36E326F62}\stubpath = "C:\\Windows\\{B597BA5B-163E-4e76-A794-12D36E326F62}.exe"	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F5D79A-513E-44c5-9ED9-00FAD303D734}	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54F5D79A-513E-44c5-9ED9-00FAD303D734}\stubpath = "C:\\Windows\\{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe"	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}\stubpath = "C:\\Windows\\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe"	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF7F026-E951-4136-9A1D-12E92CCD5590}\stubpath = "C:\\Windows\\{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe"	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{295E9CE7-96DF-42c1-8931-970187A5FA02}	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}\stubpath = "C:\\Windows\\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe"	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}\stubpath = "C:\\Windows\\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe"	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}\stubpath = "C:\\Windows\\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe"	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF7F026-E951-4136-9A1D-12E92CCD5590}	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{295E9CE7-96DF-42c1-8931-970187A5FA02}\stubpath = "C:\\Windows\\{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe"	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CC92335-33AF-472b-9F64-77409B60FEB3}	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}\stubpath = "C:\\Windows\\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe"	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}\stubpath = "C:\\Windows\\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe"	{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CC92335-33AF-472b-9F64-77409B60FEB3}\stubpath = "C:\\Windows\\{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe"	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{765D6421-A670-49a4-ADEE-EFFC044EA962}	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{765D6421-A670-49a4-ADEE-EFFC044EA962}\stubpath = "C:\\Windows\\{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe"	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}	{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
2116	{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
4492	{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe
File created	C:\Windows\{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
File created	C:\Windows\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
File created	C:\Windows\{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
File created	C:\Windows\{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
File created	C:\Windows\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe	{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
File created	C:\Windows\{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
File created	C:\Windows\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
File created	C:\Windows\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
File created	C:\Windows\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
File created	C:\Windows\{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
File created	C:\Windows\{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
Token: SeIncBasePriorityPrivilege	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
Token: SeIncBasePriorityPrivilege	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
Token: SeIncBasePriorityPrivilege	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
Token: SeIncBasePriorityPrivilege	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
Token: SeIncBasePriorityPrivilege	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
Token: SeIncBasePriorityPrivilege	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
Token: SeIncBasePriorityPrivilege	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
Token: SeIncBasePriorityPrivilege	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
Token: SeIncBasePriorityPrivilege	3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
Token: SeIncBasePriorityPrivilege	2116	{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 3264	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	86
PID 536 wrote to memory of 3264	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	86
PID 536 wrote to memory of 3264	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	86
PID 536 wrote to memory of 4692	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	87
PID 536 wrote to memory of 4692	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	87
PID 536 wrote to memory of 4692	536	2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe	87
PID 3264 wrote to memory of 2772	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	88
PID 3264 wrote to memory of 2772	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	88
PID 3264 wrote to memory of 2772	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	88
PID 3264 wrote to memory of 2064	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	89
PID 3264 wrote to memory of 2064	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	89
PID 3264 wrote to memory of 2064	3264	{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe	89
PID 2772 wrote to memory of 2496	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	92
PID 2772 wrote to memory of 2496	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	92
PID 2772 wrote to memory of 2496	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	92
PID 2772 wrote to memory of 4108	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	91
PID 2772 wrote to memory of 4108	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	91
PID 2772 wrote to memory of 4108	2772	{B597BA5B-163E-4e76-A794-12D36E326F62}.exe	91
PID 2496 wrote to memory of 3812	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	93
PID 2496 wrote to memory of 3812	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	93
PID 2496 wrote to memory of 3812	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	93
PID 2496 wrote to memory of 1280	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	94
PID 2496 wrote to memory of 1280	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	94
PID 2496 wrote to memory of 1280	2496	{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe	94
PID 3812 wrote to memory of 4524	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	95
PID 3812 wrote to memory of 4524	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	95
PID 3812 wrote to memory of 4524	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	95
PID 3812 wrote to memory of 2252	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	96
PID 3812 wrote to memory of 2252	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	96
PID 3812 wrote to memory of 2252	3812	{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe	96
PID 4524 wrote to memory of 2136	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	97
PID 4524 wrote to memory of 2136	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	97
PID 4524 wrote to memory of 2136	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	97
PID 4524 wrote to memory of 3476	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	98
PID 4524 wrote to memory of 3476	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	98
PID 4524 wrote to memory of 3476	4524	{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe	98
PID 2136 wrote to memory of 3996	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	99
PID 2136 wrote to memory of 3996	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	99
PID 2136 wrote to memory of 3996	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	99
PID 2136 wrote to memory of 2264	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	100
PID 2136 wrote to memory of 2264	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	100
PID 2136 wrote to memory of 2264	2136	{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe	100
PID 3996 wrote to memory of 2668	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	101
PID 3996 wrote to memory of 2668	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	101
PID 3996 wrote to memory of 2668	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	101
PID 3996 wrote to memory of 5012	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	102
PID 3996 wrote to memory of 5012	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	102
PID 3996 wrote to memory of 5012	3996	{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe	102
PID 2668 wrote to memory of 1664	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	103
PID 2668 wrote to memory of 1664	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	103
PID 2668 wrote to memory of 1664	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	103
PID 2668 wrote to memory of 2956	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	104
PID 2668 wrote to memory of 2956	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	104
PID 2668 wrote to memory of 2956	2668	{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe	104
PID 1664 wrote to memory of 3484	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	105
PID 1664 wrote to memory of 3484	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	105
PID 1664 wrote to memory of 3484	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	105
PID 1664 wrote to memory of 3388	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	106
PID 1664 wrote to memory of 3388	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	106
PID 1664 wrote to memory of 3388	1664	{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe	106
PID 3484 wrote to memory of 2116	3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe	107
PID 3484 wrote to memory of 2116	3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe	107
PID 3484 wrote to memory of 2116	3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe	107
PID 3484 wrote to memory of 3268	3484	{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_80c0f06622524dc427c0dcace513f9ac_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
  C:\Windows\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
    C:\Windows\{B597BA5B-163E-4e76-A794-12D36E326F62}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B597B~1.EXE > nul
      4⤵
      PID:4108
  - - C:\Windows\{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
      C:\Windows\{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
        
        C:\Windows\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
        
        C:\Windows\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
        
        C:\Windows\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
        
        C:\Windows\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
        
        C:\Windows\{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
        
        C:\Windows\{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
        
        C:\Windows\{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
        
        C:\Windows\{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe
        
        C:\Windows\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe
        13⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CC92~1.EXE > nul
        13⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{765D6~1.EXE > nul
        12⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{295E9~1.EXE > nul
        11⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF7F~1.EXE > nul
        10⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9374~1.EXE > nul
        9⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F7F9~1.EXE > nul
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B2EC~1.EXE > nul
        7⤵
        
        PID:3476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84A7B~1.EXE > nul
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54F5D~1.EXE > nul
        5⤵
        
        PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{59D83~1.EXE > nul
    3⤵
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CC92335-33AF-472b-9F64-77409B60FEB3}.exe

Filesize
408KB

MD5
88c3fa20a477e14c42a3c2d78ffb1236

SHA1
8ca3038d871534aae0a2ebb2c28af82bbf7e4159

SHA256
c40d54abc0dc5fbbb91a823ea85e095baa692b3b34731761b2a23143f67d3dc8

SHA512
471b72755afa77d3881efa0bc0a5a04f84db2a1899a2de404dff2ea2c79e4c0e50908ff2dc7d3cd233a040eb0d08dc102863d9c438eec53d0644758bbe38c15f

Download Submit
C:\Windows\{1A290A66-F3AA-4c0b-A0F4-624B37FC1325}.exe

Filesize
408KB

MD5
a2ec64974598a9dbe587f4872d4e9bc9

SHA1
a46e56343437d5c474b987fd2328be6c169adb1c

SHA256
d84f77c9bdc63d1b51744f35df4ac29dc0680e010da49a87909790c314c36054

SHA512
7e4fa885a2e37179a30a764b716db1b5f2ce99db3b0074cdb531cc60ec9788c2eed4832db6094da036767cd5749a68d895ce3c0d6e79c9cda44830cbb7923f19

Download Submit
C:\Windows\{295E9CE7-96DF-42c1-8931-970187A5FA02}.exe

Filesize
408KB

MD5
b05889f16016a6f05ff60cff5838accd

SHA1
30b9880ec420d5c9cec78f4d560afdfadd3bc7b6

SHA256
3b69562fd184e3265d0100ccb0d2a8cbfa04ad76220b5861ec2ebc793a1c2c19

SHA512
4219eaee33b85fa3e74e12868708e6ea8afe1d5016ce04a9fe55787deeae7b6fc36da0493f8a4f360899e7cd69d32d3fcb9df2d9984bbd7f935fb79c88d1227d

Download Submit
C:\Windows\{54F5D79A-513E-44c5-9ED9-00FAD303D734}.exe

Filesize
408KB

MD5
f08a14b0449c9362f511f4810ca1f490

SHA1
47a4d32587716975eb6946afaefa5fa3db27732f

SHA256
12fad4fc36060c1517cd1be8337e0cca8e8914c82d1a0d4ea69c4952ae617179

SHA512
00a8ae3ca4bb57810b5796b5caba8957374cc4236819fbfd159fdc78ef81ed5fd0255a313ebcd776638109d6aff39397ebc82d0f75404a2b454773ae5686707c

Download Submit
C:\Windows\{59D83C0E-0CC1-4165-85E8-B9A99A49FB43}.exe

Filesize
408KB

MD5
62c334ebbf99bc53ca823867daa4588f

SHA1
db4213c93f6671ef2aeb13f7d230866898a5bdde

SHA256
25df7b561d1f495aee1cad6e9ccdfe30f0f3f539c12848c710f3a00e340f0c0a

SHA512
113969b214002f7c96e26b7efd583dec3eca7c8959ca875b8afa6949958de74feaf720369589bc458f310167e31242ab59a36fdf5b05df59e415715b71677bfb

Download Submit
C:\Windows\{5B2ECC39-1277-46ef-B9A0-D12CE68B2769}.exe

Filesize
408KB

MD5
29aedf66251d5ece3bde6f22e57db1f4

SHA1
739e6dd8a1c2161fc574c5d3d5bb6389f4d2c00d

SHA256
97ffd2b05d7c70c4c8b080582c3d73025d3c31efa068f4349d1bab2f4dd236ec

SHA512
6a6d5557be156f2ccb4f6d9963410b1945bfde80e5603b7f193af0459e6dfd7e7afa765554086c93a81f76c5373b4174d53a76c062c58cbe933f0166766a0d22

Download Submit
C:\Windows\{6F7F9BD1-3623-4a11-9071-C5610DB187A4}.exe

Filesize
408KB

MD5
a9f86516d142675a2f118dd15ef8ae97

SHA1
58083eb5eee1cec8877ccb355b96c8155ced98f4

SHA256
e66702ae767d19eb66639ee7c3bdfb22e4537e649cc797d9888d96808cb38192

SHA512
8d41def6d7169ad3e219f16a4660ddda01373507641440c566ffc7f00662a76972c497920fa7982468adf825fa0aca604368a29c62f5d7ab9b578963487d72a2

Download Submit
C:\Windows\{765D6421-A670-49a4-ADEE-EFFC044EA962}.exe

Filesize
408KB

MD5
aa95947735a8eba836c4fe9dba1e95fc

SHA1
7ade1a8a0238bcd3e5807c3f61b4acec5400920c

SHA256
b81f7378c2e78decd6b2d119a6258ff795dda68ba7ae832aa178ab96722cbcc5

SHA512
d92607c994da63eb9663b8bab70c304f17dbda8aca9176bc95dd17ab2c0acd65b433e2f03a2ec1bc4f1724f3eccd65622d82b6ca18d32d764ddb4992c53bdc59

Download Submit
C:\Windows\{7FF7F026-E951-4136-9A1D-12E92CCD5590}.exe

Filesize
408KB

MD5
5f9c6ad82250e9f020eb59b2291510e9

SHA1
19ce3cb72025d649118fc595e70c5846b7ce33fb

SHA256
6b6ec1b6c3704cbfa776a07594143c677c9b6aa5f74878ec09797d1ff529a5ec

SHA512
fa600c8e5e2be04616b8baaf4772b06962f36ac6e1b1f6cde09fedc613f6dd5861cf005e37e00258ac0b5082a683ff722f79b23f028d807c1b410e76cb4d643a

Download Submit
C:\Windows\{84A7B4E6-F81F-40a8-98F6-CFE7EA5F1C34}.exe

Filesize
408KB

MD5
7541811cc2253e4c4537b1ff9c0716f8

SHA1
03a06702c007072ceb3edb8fecea5be4a0158f11

SHA256
b8eedc7d23a94307bc2e07def3b8a64f64ae3ff7e548ccb9cfd8ee447b6ac864

SHA512
b8ce41c6176e9b72b78636ae786073929a32f21bbed896e91f025dcaa9de23c241bce7dcae6752520aaa1b80c4ec6efe56031215749047c908299b22f8387a01

Download Submit
C:\Windows\{B597BA5B-163E-4e76-A794-12D36E326F62}.exe

Filesize
408KB

MD5
9771e6a650bfe5487b4b9786a9ab4a82

SHA1
c618623e76667bab8e42ef65c3e71e0996218fcd

SHA256
0fe7cdf1126cc5bb7bfcfd4c9317c44e1d9560e02e7c8ee452e59f0a6eaf49db

SHA512
d7a13896804e13365ee58f8806b6ec6021d9525cf2ed453d3bcf816f22c01fe4f5f8b66f4e44aaf805cd68a11fd5b7bfcced6cd67fbb6b0ba1bb982514c1c24e

Download Submit
C:\Windows\{D9374E56-B0F7-4d0d-A9F3-FA6E21184458}.exe

Filesize
408KB

MD5
dd31ea5b77ed12d41de3ec474f0cb85f

SHA1
6918b09efcc53a6941a16591fec8a859f8482ad1

SHA256
81f45235b4e9934350a78eb659ce85a5b47ff7507486999240286a7415ee20b0

SHA512
ea0954d999461c31f72aff3b49d9a19991916702f861c4acd10b4270aa3087008954ac0808c284f3fc81bbafbdb7be2d1e199c5f1a16303eaad8afbff80a021d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads