637e79041b2e3a238c80fbfc5202e45327f02667fd94f4ef62622fc8f19a5f3c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
Size

216KB
MD5

786572ca4d42e88a1d44537c9487762d
SHA1

e64594ee1358fc262798bfb2139c6064d8a1cf1f
SHA256

637e79041b2e3a238c80fbfc5202e45327f02667fd94f4ef62622fc8f19a5f3c
SHA512

c3831968b55b7a236085f01c74690d9be7a417d9c3e180992e5ffeced8439365adc7435fb8884e3ab6499b2e446e999c609d67d63829c03a8e73df797b4664af
SSDEEP

3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGOlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023103-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023108-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231a5-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231a5-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231a5-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023108-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}\stubpath = "C:\\Windows\\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe"	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0BC702-49FC-4690-9206-7072BF82E19F}\stubpath = "C:\\Windows\\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe"	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90631D21-A189-43ec-AA75-83C6130E550F}	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}\stubpath = "C:\\Windows\\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe"	{90631D21-A189-43ec-AA75-83C6130E550F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}\stubpath = "C:\\Windows\\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe"	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}\stubpath = "C:\\Windows\\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe"	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6FE7F08-A774-4fd3-81DA-D07B34405004}\stubpath = "C:\\Windows\\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe"	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}	{90631D21-A189-43ec-AA75-83C6130E550F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}\stubpath = "C:\\Windows\\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe"	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}\stubpath = "C:\\Windows\\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe"	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6FE7F08-A774-4fd3-81DA-D07B34405004}	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0BC702-49FC-4690-9206-7072BF82E19F}	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90631D21-A189-43ec-AA75-83C6130E550F}\stubpath = "C:\\Windows\\{90631D21-A189-43ec-AA75-83C6130E550F}.exe"	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}\stubpath = "C:\\Windows\\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe"	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}\stubpath = "C:\\Windows\\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe"	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}	{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}\stubpath = "C:\\Windows\\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe"	{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe

Executes dropped EXE 12 IoCs

pid	Process
5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe
1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
1224	{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
724	{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
File created	C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
File created	C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
File created	C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
File created	C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
File created	C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe	{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
File created	C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
File created	C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	{90631D21-A189-43ec-AA75-83C6130E550F}.exe
File created	C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
File created	C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
File created	C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
File created	C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
Token: SeIncBasePriorityPrivilege	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
Token: SeIncBasePriorityPrivilege	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
Token: SeIncBasePriorityPrivilege	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe
Token: SeIncBasePriorityPrivilege	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
Token: SeIncBasePriorityPrivilege	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
Token: SeIncBasePriorityPrivilege	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
Token: SeIncBasePriorityPrivilege	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
Token: SeIncBasePriorityPrivilege	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
Token: SeIncBasePriorityPrivilege	3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
Token: SeIncBasePriorityPrivilege	1224	{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 5052	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	96
PID 1572 wrote to memory of 5052	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	96
PID 1572 wrote to memory of 5052	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	96
PID 1572 wrote to memory of 2488	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	95
PID 1572 wrote to memory of 2488	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	95
PID 1572 wrote to memory of 2488	1572	2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe	95
PID 5052 wrote to memory of 856	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	98
PID 5052 wrote to memory of 856	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	98
PID 5052 wrote to memory of 856	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	98
PID 5052 wrote to memory of 4676	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	97
PID 5052 wrote to memory of 4676	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	97
PID 5052 wrote to memory of 4676	5052	{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe	97
PID 856 wrote to memory of 1560	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	101
PID 856 wrote to memory of 1560	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	101
PID 856 wrote to memory of 1560	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	101
PID 856 wrote to memory of 1032	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	100
PID 856 wrote to memory of 1032	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	100
PID 856 wrote to memory of 1032	856	{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe	100
PID 1560 wrote to memory of 2516	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	103
PID 1560 wrote to memory of 2516	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	103
PID 1560 wrote to memory of 2516	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	103
PID 1560 wrote to memory of 4792	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	102
PID 1560 wrote to memory of 4792	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	102
PID 1560 wrote to memory of 4792	1560	{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe	102
PID 2516 wrote to memory of 1660	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	105
PID 2516 wrote to memory of 1660	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	105
PID 2516 wrote to memory of 1660	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	105
PID 2516 wrote to memory of 4932	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	104
PID 2516 wrote to memory of 4932	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	104
PID 2516 wrote to memory of 4932	2516	{90631D21-A189-43ec-AA75-83C6130E550F}.exe	104
PID 1660 wrote to memory of 4988	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	106
PID 1660 wrote to memory of 4988	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	106
PID 1660 wrote to memory of 4988	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	106
PID 1660 wrote to memory of 1192	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	107
PID 1660 wrote to memory of 1192	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	107
PID 1660 wrote to memory of 1192	1660	{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe	107
PID 4988 wrote to memory of 232	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	109
PID 4988 wrote to memory of 232	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	109
PID 4988 wrote to memory of 232	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	109
PID 4988 wrote to memory of 4152	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	108
PID 4988 wrote to memory of 4152	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	108
PID 4988 wrote to memory of 4152	4988	{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe	108
PID 232 wrote to memory of 4436	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	111
PID 232 wrote to memory of 4436	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	111
PID 232 wrote to memory of 4436	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	111
PID 232 wrote to memory of 852	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	110
PID 232 wrote to memory of 852	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	110
PID 232 wrote to memory of 852	232	{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe	110
PID 4436 wrote to memory of 4432	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	113
PID 4436 wrote to memory of 4432	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	113
PID 4436 wrote to memory of 4432	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	113
PID 4436 wrote to memory of 1504	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	112
PID 4436 wrote to memory of 1504	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	112
PID 4436 wrote to memory of 1504	4436	{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe	112
PID 4432 wrote to memory of 3248	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	114
PID 4432 wrote to memory of 3248	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	114
PID 4432 wrote to memory of 3248	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	114
PID 4432 wrote to memory of 4544	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	115
PID 4432 wrote to memory of 4544	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	115
PID 4432 wrote to memory of 4544	4432	{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe	115
PID 3248 wrote to memory of 1224	3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe	116
PID 3248 wrote to memory of 1224	3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe	116
PID 3248 wrote to memory of 1224	3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe	116
PID 3248 wrote to memory of 4292	3248	{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_786572ca4d42e88a1d44537c9487762d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2488
- C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
  C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5D8~1.EXE > nul
    3⤵
    PID:4676
- - C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
    C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0BC~1.EXE > nul
      4⤵
      PID:1032
  - - C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
      C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E477F~1.EXE > nul
        5⤵
        
        PID:4792
    - - C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe
        
        C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90631~1.EXE > nul
        6⤵
        
        PID:4932
      - C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
        
        C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
        
        C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDBFE~1.EXE > nul
        8⤵
        
        PID:4152
        
        C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
        
        C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A166A~1.EXE > nul
        9⤵
        
        PID:852
        
        C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
        
        C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D3D~1.EXE > nul
        10⤵
        
        PID:1504
        
        C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
        
        C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
        
        C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
        
        C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe
        
        C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe
        13⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DB5D~1.EXE > nul
        13⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6FE7~1.EXE > nul
        12⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82CA3~1.EXE > nul
        11⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35BBD~1.EXE > nul
        7⤵
        
        PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35BBD3C5-620F-4f57-9F63-34EFCC87C994}.exe

Filesize
216KB

MD5
c7a10765fa0432cd63557cca32966972

SHA1
978b11261dba10f2db09865b4647baf1f89ad690

SHA256
ab12e9c3531168282032d8ed1cb6536c1d4b833e762abd0548dfbe187214bdf3

SHA512
3f190792a3737ea64bfc60f16e5adbe45c78b36afc957445ed1acf3e29e4ab659a35577b7a62ace3f17350eb8de97e99e02a889a6a019826fd00e5ef78b4127e

Download Submit
C:\Windows\{3DB5D7B9-14BC-43c8-B66E-F04D57996365}.exe

Filesize
216KB

MD5
09b92c8016f3e1ff7db42b9001914157

SHA1
f24e9b80597864f9dca6dcfde2028769ad207de6

SHA256
3f903acf73cc6653c76bbfa98f48131074549dc6ba2e10af5b85d4ca12b27c2b

SHA512
0a205a4be90b754a49a0153759e056f4ceb973491ff7971569f23f2574c5db31c07c23d4b99b4a44772cf72042c8acc8c8d90a12fa508cd718c95c9ac6e6c50e

Download Submit
C:\Windows\{69D3DCCD-CA3A-4862-8412-D0B11C906EE3}.exe

Filesize
216KB

MD5
10b19607917c08a4220c7ba5c618d900

SHA1
e3ff788fda9638d3540000ca2ea25fb86bf745ef

SHA256
98c39adb7648fbc847d4cf1e2a12ef398ce952cad371fbd84194ac94786bc099

SHA512
31e8d5fa648f66676e3342ca6497ff439dfba613991949c0fea2d08383e6978108c34ae5fa7513ef14af20ceadf67ad8f290e89f8ce8023bd44f6ad2af7052f9

Download Submit
C:\Windows\{82CA3E2D-4CA1-4e93-8755-7E669CC4F810}.exe

Filesize
216KB

MD5
362f57fea95a20d4a1be0e30cc2166ea

SHA1
305f89a7b6fb11197d968c5044010ea149481dac

SHA256
d49fcd0e23bf4ba978a94a150f539590910271be723fc8a71ad1d976eabafd0d

SHA512
0af7324bc2d74760d053f7bdd85d11ac004444be04c9a86dac2b3b6f532bd3fab9573230a0c5ab320fddc8df9c77bf2f59b6d8cc720c51f005820d62164da975

Download Submit
C:\Windows\{90631D21-A189-43ec-AA75-83C6130E550F}.exe

Filesize
216KB

MD5
0a0547263d38bd17eaebaf02a0faa40e

SHA1
75b4ed47746ad219c0aad17769ef76841e055179

SHA256
ba4bc10e0b8c9a26398a1c57cffdfcbf095b70d6aaf34c00e0aa9d79954b7383

SHA512
1a34c7d2570da912dca25e564b436e86fa5e6da1fda1ad5883ffd782ead5a5bb8c4da93cecfc31c1932db71355e8874411eda9849567ef9d1649885cc22b3921

Download Submit
C:\Windows\{A166AEB1-2F4E-40cc-AF0E-E0E43D06F9EE}.exe

Filesize
216KB

MD5
eff1ec3d2c05eb1d04ee47cf144e05e7

SHA1
f5c99b2a9da6dc92285859887cf5b94264702ec9

SHA256
52e31f7de723a04565533bb22799aeede8477e80eddaa198d1942fd8302712ce

SHA512
63980307d70a7f354b0b3b0b3967476d6a6224117d95cf700dcbb9cecac584c57e8806838f7998fc8d76d09a9909797e89037aba2d2b45b8369e4147ab490bf4

Download Submit
C:\Windows\{B897F23A-72E6-4f2e-83AC-19A83BBDD403}.exe

Filesize
216KB

MD5
b31ee961b9d04486dfdac832fc53d198

SHA1
e76eb159c9704c49b7c0e69baaaaed98221fffe6

SHA256
e0b391729ebac2fa326d0ddcebd05064a75822a935db887019e23af0d0c070d2

SHA512
331fb23131cdfa97509a80b1732f9e12f2cd52dd6ba854a26b1a9d7f7cdc62fadf5d1d2a0908f30569f0c34b3c8a39975de2c7db896256535d47f229928ffbe3

Download Submit
C:\Windows\{C6FE7F08-A774-4fd3-81DA-D07B34405004}.exe

Filesize
216KB

MD5
c4a73008ec858442fa2e304b72959179

SHA1
dbc3b545952b48747a29b71f648f98c1f313d0b8

SHA256
124170ab45717ec69c58d1b19e69ccb3d2879882a1929beb8388933e86a27b4b

SHA512
2943f202ea889f6c2eb9463e985e52a1a24a29e3320f2956212468aa13783fcde3c657d9e9c231791ca216811e5601860e764dcaa6b545147df1fcf9353f528d

Download Submit
C:\Windows\{CB5D805D-AA9C-4a55-963C-5AE773B70B6D}.exe

Filesize
216KB

MD5
c06708a7ee3d9beaf40b5e1fa9887819

SHA1
853266e2d352a459afd5f2646185644c94537695

SHA256
b440fff7c2ad175b3fadaa2a59afc812acb5aa14ea97f084ba3306684313e7ba

SHA512
a0219566290261bab446bc68a4223b3ec575baa4b6a1041c27a15940601379799f98af6c203325378fe2e3a10e7ab4093ada06064fe19dae91bb914ce415aecf

Download Submit
C:\Windows\{DA0BC702-49FC-4690-9206-7072BF82E19F}.exe

Filesize
216KB

MD5
fa74123c4d42ccb29b5eddbb644fec92

SHA1
b28abaa264ffb025a9fd2b17b01718d6bfaaeeaa

SHA256
36456212b84774971e4b8a3f5143c49a0ad63b4ab9870ff523ab790631a2bc7c

SHA512
3e906f81efbfc460eef219baf430d96b280a52b9544cebd54f708728808f3ae2a9b0b1b7a0093fc9e3070e0c1863ff914acd03ac5ddcf5ff837ff349006c7d7e

Download Submit
C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

Filesize
149KB

MD5
ab4251560d591a16595d57fafbec3f23

SHA1
d4a0327b571e72632cab1f62ec1abbcff5ee3fcb

SHA256
ca398c6e58be97b8c5067e66f7cae8d13469958c931e8a298009839fc8e16c4e

SHA512
a36309be9b1a6ef6bc714af04990713dad6e13ff63015566536ef1ebcd2f061ab61aec4b4b4a03c9a184cd9ccb0b9f0606264d99e7e8a063075f30a6780ec279

Download Submit
C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

Filesize
193KB

MD5
a05e2d4ab667e304fc6fc9d2d033fde2

SHA1
95363472c7d8bb7ffa9498301ea6265b782fdab2

SHA256
6a8782c24a59012f65cb820084e79f9398fc0d65b753f0c8a36ef5bac2918802

SHA512
71b87119bd7d2f394e4c12646e7b19a4b473d7aeb4fbe4ed7620497d170ad4c1de7ae7f15a4ffff9e35123a016b4dd32e437393527e30c350b13b7dae3a18e00

Download Submit
C:\Windows\{E477F9BF-07C0-4c93-BAEC-3B3864ABF61F}.exe

Filesize
184KB

MD5
c162c79643acba6aa8a7f58b648d44ee

SHA1
346575c368cc83ed62044595c9d575fcefadeecb

SHA256
60cd348c6434edd8ca9309bdb6f34e4503b27e98747a061c6e93b54fa3b21829

SHA512
22b85531b6f5cb910a96ead443fec4918b4281b8533d8766b6f51ca1032a7c5300c31cfc4a2e3d1da36a708a54d6f5ca914dd00b3cbff2adab6c6dc8a8692b79

Download Submit
C:\Windows\{FDBFE3A7-EF5D-4bff-A475-08584BB4964D}.exe

Filesize
216KB

MD5
6e01c83d6ed1417feff6d51e632af5b4

SHA1
cfbf15359be83bf02e22dd01792175cf3e9a253e

SHA256
ccb1480e31dc4f3d14b1b2b2054e153fd522632dc64bf576789b9c1eb788b438

SHA512
fb6ddd3ba63176fd7316ba2e7ec2cb4b0480d7e877530822f69764b861db0019b2df8020d451c26ea8e85919a2a50a6ffd6ade5d4c830ff791ac64e92ac96c9a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads