ba9a6575c90a30d9fdd341b1f4041875b19d1f1d5a7f35c7fbfb61040fa6bb3b

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Size

168KB
MD5

0d0c28313c2195f013f5cbd0e10ebb1e
SHA1

f13a210d833cfdebcee62cd9e314c25bf6b031e7
SHA256

ba9a6575c90a30d9fdd341b1f4041875b19d1f1d5a7f35c7fbfb61040fa6bb3b
SHA512

75c10011d3ba0253bd7dc6a28edc9e58c6cf579fd6d8f75b752c9864cab9af05c669af1b8d64e9040dd6f8bf713eb799e058b8d3004a32475cc5c0d182616619
SSDEEP

1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f4-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000231fb-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231fb-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023202-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E9B211-26A7-42fb-A33E-54FA3F732976}\stubpath = "C:\\Windows\\{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe"	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}\stubpath = "C:\\Windows\\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe"	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}\stubpath = "C:\\Windows\\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe"	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32A03AAB-3FE3-4473-A7B1-6E940610F333}\stubpath = "C:\\Windows\\{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe"	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04E9B211-26A7-42fb-A33E-54FA3F732976}	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD94B9C3-1F34-47a2-98BC-81765724B46B}\stubpath = "C:\\Windows\\{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe"	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA4A405-3062-414b-AB39-817FAAA681A1}	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}	{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}\stubpath = "C:\\Windows\\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe"	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA4A405-3062-414b-AB39-817FAAA681A1}\stubpath = "C:\\Windows\\{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe"	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32A03AAB-3FE3-4473-A7B1-6E940610F333}	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}\stubpath = "C:\\Windows\\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe"	{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD94B9C3-1F34-47a2-98BC-81765724B46B}	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}\stubpath = "C:\\Windows\\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe"	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2399C0-B0C9-4a41-935F-42E98065866F}	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E2399C0-B0C9-4a41-935F-42E98065866F}\stubpath = "C:\\Windows\\{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe"	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}\stubpath = "C:\\Windows\\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe"	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}\stubpath = "C:\\Windows\\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe"	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe

Executes dropped EXE 12 IoCs

pid	Process
2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
1680	{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
676	{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
File created	C:\Windows\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
File created	C:\Windows\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
File created	C:\Windows\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
File created	C:\Windows\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
File created	C:\Windows\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe	{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
File created	C:\Windows\{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
File created	C:\Windows\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
File created	C:\Windows\{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
File created	C:\Windows\{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
File created	C:\Windows\{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
File created	C:\Windows\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
Token: SeIncBasePriorityPrivilege	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
Token: SeIncBasePriorityPrivilege	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
Token: SeIncBasePriorityPrivilege	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
Token: SeIncBasePriorityPrivilege	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
Token: SeIncBasePriorityPrivilege	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
Token: SeIncBasePriorityPrivilege	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
Token: SeIncBasePriorityPrivilege	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
Token: SeIncBasePriorityPrivilege	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
Token: SeIncBasePriorityPrivilege	1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
Token: SeIncBasePriorityPrivilege	1680	{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2864	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	96
PID 3012 wrote to memory of 2864	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	96
PID 3012 wrote to memory of 2864	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	96
PID 3012 wrote to memory of 1088	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	97
PID 3012 wrote to memory of 1088	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	97
PID 3012 wrote to memory of 1088	3012	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	97
PID 2864 wrote to memory of 3696	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	98
PID 2864 wrote to memory of 3696	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	98
PID 2864 wrote to memory of 3696	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	98
PID 2864 wrote to memory of 4136	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	99
PID 2864 wrote to memory of 4136	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	99
PID 2864 wrote to memory of 4136	2864	{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe	99
PID 3696 wrote to memory of 1752	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	102
PID 3696 wrote to memory of 1752	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	102
PID 3696 wrote to memory of 1752	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	102
PID 3696 wrote to memory of 4888	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	101
PID 3696 wrote to memory of 4888	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	101
PID 3696 wrote to memory of 4888	3696	{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe	101
PID 1752 wrote to memory of 1848	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	104
PID 1752 wrote to memory of 1848	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	104
PID 1752 wrote to memory of 1848	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	104
PID 1752 wrote to memory of 2748	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	103
PID 1752 wrote to memory of 2748	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	103
PID 1752 wrote to memory of 2748	1752	{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe	103
PID 1848 wrote to memory of 3428	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	105
PID 1848 wrote to memory of 3428	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	105
PID 1848 wrote to memory of 3428	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	105
PID 1848 wrote to memory of 4940	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	106
PID 1848 wrote to memory of 4940	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	106
PID 1848 wrote to memory of 4940	1848	{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe	106
PID 3428 wrote to memory of 4616	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	107
PID 3428 wrote to memory of 4616	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	107
PID 3428 wrote to memory of 4616	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	107
PID 3428 wrote to memory of 3488	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	108
PID 3428 wrote to memory of 3488	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	108
PID 3428 wrote to memory of 3488	3428	{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe	108
PID 4616 wrote to memory of 1780	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	110
PID 4616 wrote to memory of 1780	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	110
PID 4616 wrote to memory of 1780	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	110
PID 4616 wrote to memory of 5000	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	109
PID 4616 wrote to memory of 5000	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	109
PID 4616 wrote to memory of 5000	4616	{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe	109
PID 1780 wrote to memory of 3280	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	111
PID 1780 wrote to memory of 3280	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	111
PID 1780 wrote to memory of 3280	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	111
PID 1780 wrote to memory of 4380	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	112
PID 1780 wrote to memory of 4380	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	112
PID 1780 wrote to memory of 4380	1780	{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe	112
PID 3280 wrote to memory of 672	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	113
PID 3280 wrote to memory of 672	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	113
PID 3280 wrote to memory of 672	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	113
PID 3280 wrote to memory of 3528	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	114
PID 3280 wrote to memory of 3528	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	114
PID 3280 wrote to memory of 3528	3280	{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe	114
PID 672 wrote to memory of 1504	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	115
PID 672 wrote to memory of 1504	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	115
PID 672 wrote to memory of 1504	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	115
PID 672 wrote to memory of 4652	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	116
PID 672 wrote to memory of 4652	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	116
PID 672 wrote to memory of 4652	672	{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe	116
PID 1504 wrote to memory of 1680	1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe	117
PID 1504 wrote to memory of 1680	1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe	117
PID 1504 wrote to memory of 1680	1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe	117
PID 1504 wrote to memory of 1688	1504	{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
  C:\Windows\{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
    C:\Windows\{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD94B~1.EXE > nul
      4⤵
      PID:4888
  - - C:\Windows\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
      C:\Windows\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DBF~1.EXE > nul
        5⤵
        
        PID:2748
    - - C:\Windows\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
        
        C:\Windows\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
        
        C:\Windows\{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
        
        C:\Windows\{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA4A~1.EXE > nul
        8⤵
        
        PID:5000
        
        C:\Windows\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
        
        C:\Windows\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
        
        C:\Windows\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
        
        C:\Windows\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
        
        C:\Windows\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
        
        C:\Windows\{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe
        
        C:\Windows\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe
        13⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32A03~1.EXE > nul
        13⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A805~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2E15~1.EXE > nul
        11⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E0D7~1.EXE > nul
        10⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2542A~1.EXE > nul
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E239~1.EXE > nul
        7⤵
        
        PID:3488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7980E~1.EXE > nul
        6⤵
        
        PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{04E9B~1.EXE > nul
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04E9B211-26A7-42fb-A33E-54FA3F732976}.exe

Filesize
168KB

MD5
179a401581e9cf0c84ccd1ffb2dbc65b

SHA1
7330ab23a2ee15bc11b88f7c85f486610634fc4b

SHA256
ee121ce37f5fa4bd57bb861a2c18fc82b387927d647cfc77b350798eac8ec9b4

SHA512
93070e2ad7e85d21ed1f23bc2fd6ce6d0c6c0136e0b87a37c321a24f5706a6ae6263a968095953013b4878e60e80436a5e7658a99b29cc67bde7a70857e76919

Download Submit
C:\Windows\{2542AF77-8D50-4a23-AF82-B5B6EB6B9D5D}.exe

Filesize
168KB

MD5
16bc11898232735c96e89e443f49cdec

SHA1
f93e485d5e7cab5eeb7256e0a715422b0efe7c6e

SHA256
10febef192c8a28e542ed2d8d72b85053950b35bb99d85eca2ae8181ab45162c

SHA512
c856891c2378b79a728f68112ea217238de7468e332f07e8cbd2eee2ecffe7f05e47e4f0db63df6c2dd8b1a84e03a0e4e22d00115393ab1cf20b367b9c871794

Download Submit
C:\Windows\{2CA4A405-3062-414b-AB39-817FAAA681A1}.exe

Filesize
168KB

MD5
6da7efb33b037a92a5a69965f2569776

SHA1
b82c5cf8c5ad305b49d828bdfb3c5252aa389d99

SHA256
889c98b36ddb568f316c51c9a5f4784e5a3e7f68d52f7ce33891db666cef8d2d

SHA512
823749e42f643ad9171247832ffcc51a2ad603cc0b77457a9386c41fd9332518cf4296b9f1aa7f2a9463b7a30a9f1cd9ec58c3792cbec296d189f788ebfb73bc

Download Submit
C:\Windows\{2E2399C0-B0C9-4a41-935F-42E98065866F}.exe

Filesize
168KB

MD5
e6ed0897529eb71bc3993e680b98bc26

SHA1
e7a1737f2765962858954e080831c38b7c5a5928

SHA256
a5d96808573b109c88dd95bfdd3746562708465245186d802230d41dea4b1643

SHA512
31cb264f089738783178596e69ff484b7bafa695fde24ff167b125a83a5136652e0c1546f060501e910802966ee91c2f73f8adcda2297803e5becd83a18c4329

Download Submit
C:\Windows\{32A03AAB-3FE3-4473-A7B1-6E940610F333}.exe

Filesize
168KB

MD5
f811779a0699d314b8f89f3f25d66af7

SHA1
30186d6e3bdfb68d582e74d375128742d15c49be

SHA256
7276c452be5c1c2b04be89a42b87e5f310a9b717c8e0d3ba9c47f0025b6d5123

SHA512
d3cc578efdcc65f76ded2ed1091afab0bb88ee656a70a03dc2b3c6e51092c27b0d31fe35f807dd2a45e9b8f4474a0dca3638f6533e2c993fc3fa20b71b55a816

Download Submit
C:\Windows\{54DBF671-5CB7-4cf5-9344-AE0F49BFB184}.exe

Filesize
168KB

MD5
3ae95d031da6e13e12406d864b9298c7

SHA1
354ad47f15da22857fd2c26a9e9cf58eb42fc057

SHA256
601bc260a035c558f3a63100a6ac39ec44b5de8f5de4f239e15b72ee00c89629

SHA512
4d731053727bae53d78b9b27253f47ca94f8c7e2f92ae0b6170157deee2cf5d38d8b8d2798d7ce2cca0f7cb8edfa2918921152ee730ac5d90ea39b82630bfb31

Download Submit
C:\Windows\{5E0D753F-9DD2-4781-B27B-47D85F2B0407}.exe

Filesize
168KB

MD5
c9b485d3235740da12fa39363caf340a

SHA1
f5afc99b2472827cfc60b59947b6a52928a83794

SHA256
06f2b24ad41400b1c21c7555a1bd58c3330cb8e56b846ab6e864f907f7b191c4

SHA512
9726d9249e9505b3e6ee2390521999fd5382e257a16385d3d46d06ad7379435cca57e9334cfb2e69cc4b293ea2ffd47d55b02bc4aa9eb6580b1ae286bc3a68bd

Download Submit
C:\Windows\{6A805E0D-473A-4c17-B3D1-234AEF5C6DFA}.exe

Filesize
168KB

MD5
7f47f2397d5f2626e3b0ac57b5fe1394

SHA1
11db6085530af2ca8d35f71400b64c147f84479f

SHA256
a27317e0d4c66ef4e60ad93711219d72e422a427a0b1f3e52774a1ff2745e3cc

SHA512
62abf4dba263737d8d33cb5e7444daa8a0bcc782fd733e0af925a2824e9aa6d26f14b2d86a1ea034e600698d68cd0e23a56f1957e384396e24dae6049bb23c89

Download Submit
C:\Windows\{7980EEEB-B4E8-46ca-AE2E-AC1393077A93}.exe

Filesize
168KB

MD5
07e027b61449dfd728a1959b0dbdf0dc

SHA1
f79826c71fd2f5b2e75a75493e2403c630f863dd

SHA256
772e8a6d0f4869c79cfd75070e8aca9cf704de0247a1c3214e9441b4e8c18b67

SHA512
b6361c97f73e44cec01df76531b66df85658b3347a1a22d3e8be9d852136c8367119e196dd510eaf7ec04210326cbc7cbaf78229520868c624abe4839f2b24ee

Download Submit
C:\Windows\{CD94B9C3-1F34-47a2-98BC-81765724B46B}.exe

Filesize
168KB

MD5
70c947d333105b3bdc77ab4637add139

SHA1
2942b3cda3cfa58c70cdd12aeb7fdfe1adece326

SHA256
b5f75ab280ecf7d518594765c4b6d6eac45a44e2cd3cf8181285b2920ac130ad

SHA512
0afebc625388455cc6efa84740c005f8872f38d40a5fcc42403a151a8e6ef14d3657a8a7300cc1a8521e4c82125a0bd405f93f20413d7efad5b6323cac0a448c

Download Submit
C:\Windows\{D3CD17A5-C8D5-4f23-A13E-6151E928B0A9}.exe

Filesize
168KB

MD5
fce4a19dc8a8b23b1909995bc1071ff8

SHA1
abeef9cbbb18986f39dec90e195feebeaee2faa1

SHA256
708660234de87543e0036006a60230e46847d9a27e879a093c270030518f89fc

SHA512
f360373607215ca71bef1ae900666fbb526463c973e27d9ff60dc516a5c96a639c04c5aa9438fa235aab3e745749840dbb2566bb26425f261022f6acf5b22cf8

Download Submit
C:\Windows\{E2E150DA-55DF-4fe5-8EAB-E510C52B8F07}.exe

Filesize
168KB

MD5
4f75c6fb1efe9d71f152bbbca2bacfa1

SHA1
748cf5a4bbe64aa443ef84e64ef7eb799c39587a

SHA256
db01787e53ddaf5c297c8cc5c01a470a14d50364743757abb131be61a7055358

SHA512
62cae728b90d2d6e29b0dc458ff92f576d7740bc78acc3cf425d1a07583262c272b345c236d72798965dbedf723fd2d9650b4a6a00fb590bd8277cbc02c6d5d4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads