ba9a6575c90a30d9fdd341b1f4041875b19d1f1d5a7f35c7fbfb61040fa6bb3b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Size

168KB
MD5

0d0c28313c2195f013f5cbd0e10ebb1e
SHA1

f13a210d833cfdebcee62cd9e314c25bf6b031e7
SHA256

ba9a6575c90a30d9fdd341b1f4041875b19d1f1d5a7f35c7fbfb61040fa6bb3b
SHA512

75c10011d3ba0253bd7dc6a28edc9e58c6cf579fd6d8f75b752c9864cab9af05c669af1b8d64e9040dd6f8bf713eb799e058b8d3004a32475cc5c0d182616619
SSDEEP

1536:1EGh0oslq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oslqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012232-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012232-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224c-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012232-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015cd9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012232-20.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015cd9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012232-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012232-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012232-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012232-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7648341D-E732-4ac1-820F-DCB66549A64B}\stubpath = "C:\\Windows\\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe"	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}\stubpath = "C:\\Windows\\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe"	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69522D59-2468-44a7-9851-7798BB849F6D}	{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69522D59-2468-44a7-9851-7798BB849F6D}\stubpath = "C:\\Windows\\{69522D59-2468-44a7-9851-7798BB849F6D}.exe"	{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F286854-7405-4a09-A0F5-A716E2E4D513}\stubpath = "C:\\Windows\\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe"	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}\stubpath = "C:\\Windows\\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe"	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}\stubpath = "C:\\Windows\\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe"	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22032A6A-16D8-44e4-935E-C9572BF74023}	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22032A6A-16D8-44e4-935E-C9572BF74023}\stubpath = "C:\\Windows\\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe"	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F286854-7405-4a09-A0F5-A716E2E4D513}	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3E5285-5838-42ca-8DB8-AD45D8148788}\stubpath = "C:\\Windows\\{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe"	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB83121B-667C-4ee4-8FBD-44EE0495423B}	{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB83121B-667C-4ee4-8FBD-44EE0495423B}\stubpath = "C:\\Windows\\{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe"	{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}	{69522D59-2468-44a7-9851-7798BB849F6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}\stubpath = "C:\\Windows\\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe"	{69522D59-2468-44a7-9851-7798BB849F6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7648341D-E732-4ac1-820F-DCB66549A64B}	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F3E5285-5838-42ca-8DB8-AD45D8148788}	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}\stubpath = "C:\\Windows\\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe"	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
1520	{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
1804	{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
536	{69522D59-2468-44a7-9851-7798BB849F6D}.exe
572	{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
File created	C:\Windows\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
File created	C:\Windows\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
File created	C:\Windows\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
File created	C:\Windows\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
File created	C:\Windows\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
File created	C:\Windows\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
File created	C:\Windows\{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
File created	C:\Windows\{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe	{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
File created	C:\Windows\{69522D59-2468-44a7-9851-7798BB849F6D}.exe	{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
File created	C:\Windows\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe	{69522D59-2468-44a7-9851-7798BB849F6D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
Token: SeIncBasePriorityPrivilege	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
Token: SeIncBasePriorityPrivilege	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
Token: SeIncBasePriorityPrivilege	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
Token: SeIncBasePriorityPrivilege	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
Token: SeIncBasePriorityPrivilege	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
Token: SeIncBasePriorityPrivilege	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
Token: SeIncBasePriorityPrivilege	1520	{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
Token: SeIncBasePriorityPrivilege	1804	{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
Token: SeIncBasePriorityPrivilege	536	{69522D59-2468-44a7-9851-7798BB849F6D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2284	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	29
PID 2516 wrote to memory of 2284	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	29
PID 2516 wrote to memory of 2284	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	29
PID 2516 wrote to memory of 2284	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	29
PID 2516 wrote to memory of 2692	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	28
PID 2516 wrote to memory of 2692	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	28
PID 2516 wrote to memory of 2692	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	28
PID 2516 wrote to memory of 2692	2516	2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe	28
PID 2284 wrote to memory of 2244	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	31
PID 2284 wrote to memory of 2244	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	31
PID 2284 wrote to memory of 2244	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	31
PID 2284 wrote to memory of 2244	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	31
PID 2284 wrote to memory of 2004	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	30
PID 2284 wrote to memory of 2004	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	30
PID 2284 wrote to memory of 2004	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	30
PID 2284 wrote to memory of 2004	2284	{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe	30
PID 2244 wrote to memory of 2816	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	33
PID 2244 wrote to memory of 2816	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	33
PID 2244 wrote to memory of 2816	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	33
PID 2244 wrote to memory of 2816	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	33
PID 2244 wrote to memory of 292	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	32
PID 2244 wrote to memory of 292	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	32
PID 2244 wrote to memory of 292	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	32
PID 2244 wrote to memory of 292	2244	{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe	32
PID 2816 wrote to memory of 2880	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	37
PID 2816 wrote to memory of 2880	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	37
PID 2816 wrote to memory of 2880	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	37
PID 2816 wrote to memory of 2880	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	37
PID 2816 wrote to memory of 2940	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	36
PID 2816 wrote to memory of 2940	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	36
PID 2816 wrote to memory of 2940	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	36
PID 2816 wrote to memory of 2940	2816	{7648341D-E732-4ac1-820F-DCB66549A64B}.exe	36
PID 2880 wrote to memory of 2396	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	39
PID 2880 wrote to memory of 2396	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	39
PID 2880 wrote to memory of 2396	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	39
PID 2880 wrote to memory of 2396	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	39
PID 2880 wrote to memory of 2488	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	38
PID 2880 wrote to memory of 2488	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	38
PID 2880 wrote to memory of 2488	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	38
PID 2880 wrote to memory of 2488	2880	{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe	38
PID 2396 wrote to memory of 1508	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	41
PID 2396 wrote to memory of 1508	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	41
PID 2396 wrote to memory of 1508	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	41
PID 2396 wrote to memory of 1508	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	41
PID 2396 wrote to memory of 2868	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	40
PID 2396 wrote to memory of 2868	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	40
PID 2396 wrote to memory of 2868	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	40
PID 2396 wrote to memory of 2868	2396	{22032A6A-16D8-44e4-935E-C9572BF74023}.exe	40
PID 1508 wrote to memory of 1596	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	43
PID 1508 wrote to memory of 1596	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	43
PID 1508 wrote to memory of 1596	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	43
PID 1508 wrote to memory of 1596	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	43
PID 1508 wrote to memory of 2908	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	42
PID 1508 wrote to memory of 2908	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	42
PID 1508 wrote to memory of 2908	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	42
PID 1508 wrote to memory of 2908	1508	{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe	42
PID 1596 wrote to memory of 1520	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	45
PID 1596 wrote to memory of 1520	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	45
PID 1596 wrote to memory of 1520	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	45
PID 1596 wrote to memory of 1520	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	45
PID 1596 wrote to memory of 1360	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	44
PID 1596 wrote to memory of 1360	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	44
PID 1596 wrote to memory of 1360	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	44
PID 1596 wrote to memory of 1360	1596	{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_0d0c28313c2195f013f5cbd0e10ebb1e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2692
- C:\Windows\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
  C:\Windows\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F286~1.EXE > nul
    3⤵
    PID:2004
- - C:\Windows\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
    C:\Windows\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5E43D~1.EXE > nul
      4⤵
      PID:292
  - - C:\Windows\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
      C:\Windows\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76483~1.EXE > nul
        5⤵
        
        PID:2940
    - - C:\Windows\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
        
        C:\Windows\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2A7~1.EXE > nul
        6⤵
        
        PID:2488
      - C:\Windows\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
        
        C:\Windows\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22032~1.EXE > nul
        7⤵
        
        PID:2868
        
        C:\Windows\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
        
        C:\Windows\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12B26~1.EXE > nul
        8⤵
        
        PID:2908
        
        C:\Windows\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
        
        C:\Windows\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B50A4~1.EXE > nul
        9⤵
        
        PID:1360
        
        C:\Windows\{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
        
        C:\Windows\{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F3E5~1.EXE > nul
        10⤵
        
        PID:2928
        
        C:\Windows\{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
        
        C:\Windows\{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB831~1.EXE > nul
        11⤵
        
        PID:268
        
        C:\Windows\{69522D59-2468-44a7-9851-7798BB849F6D}.exe
        
        C:\Windows\{69522D59-2468-44a7-9851-7798BB849F6D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69522~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe
        
        C:\Windows\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe
        12⤵
        Executes dropped EXE
        
        PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe

Filesize
33KB

MD5
cc728976e38e6aba0fab6a6824a138f0

SHA1
d3b3e3f2ffb5ce386c1393a983a77eafcc619b7f

SHA256
2bb4db1b7ca1daf1af1fa1722958eb62cb09f45028b8f062338dc45d3abe99f2

SHA512
e81fa86d79601826abc5ec360070614d115de15439618bbf4b0ddc69b7f3a753a3927fb8f375c812e014bd124d690f436ed5792741917939436e48cfaa9471cc

Download Submit
C:\Windows\{12B26CBA-7B6F-45ab-A3DD-CDE8BFBE9C71}.exe

Filesize
168KB

MD5
46b108f6404c8e63f9d8a9b4711e1708

SHA1
0f31d36efdf736ec337f161bfec9c3ab67002883

SHA256
89941e7d3a83f8b8120cbb74f6953c9b327b20baed164d132ee1f15181f9c231

SHA512
c8f2728f8df53fc2aa9ca9195a24639837f04416b10ec6254eeb63ae62be0ac601296da64305f81614ce0417b29c2f3ce28f6aa64d96df61f77b3493dd1101d7

Download Submit
C:\Windows\{1F3E5285-5838-42ca-8DB8-AD45D8148788}.exe

Filesize
168KB

MD5
e317a5059c0dbebbf7de57384f58024c

SHA1
01876ece6a65e29c2b36e37f80b3a97ebb5e0df7

SHA256
6a5ba283da77a5b6ed6ff879c66f1a85198cfc8079f64e1917821979529c7945

SHA512
7acb83649efd33bff5cf16593e3921dcefe6d8cb3007877aebc3a43b02cd114b5a68ec61170b2e1caad080bcaf468f290019cc602919c97d109e6fbde4bd273f

Download Submit
C:\Windows\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe

Filesize
1KB

MD5
b228397504b8fc94b59ced1aa1106388

SHA1
ae8b4968e5f828aa7b8f4895a9ad359b0f7ba1ff

SHA256
10c558a88626acfc67baee1f538772c101dfa71d0600a9d08841878f906a835d

SHA512
007e971715f32664e618c6ee7500bc8befcfcf413d9b900eeeb14c2e8cebb65d2f96d271882541fcfc540f1e53f6414c4073b0858b9ff7ad9b64de61fee22ec2

Download Submit
C:\Windows\{22032A6A-16D8-44e4-935E-C9572BF74023}.exe

Filesize
124KB

MD5
4cb168be9cbde08c032474e3c175e6b8

SHA1
8203aab7a4f1a914ad92904d4e1bc055c4634303

SHA256
668cab170113e618a6675aef12fa888425b97751749576cd25154152feea4025

SHA512
8f0ba411c49cfbe3ecb54b280335d0eefae5582ca307fb9288e1cc10e1d6467eb60dc40d7afe27ea285a44cef7b67acff68f0268e76e0e43ea5c38621bd7c526

Download Submit
C:\Windows\{5D4508B5-7BD0-4871-BF25-6E9AAC8E52CB}.exe

Filesize
168KB

MD5
c561fcce1258f3d6e310110563c5f8ac

SHA1
d9686e77c53baf0bba0021331f96fa4ca168e682

SHA256
5edfbca2a9c865155ab37094dd34492b64cdae447c1ddde14916f2567366a7f3

SHA512
1f0cddb6b87dfced540fd566d1f8db2b1dcb2e324444760df3bf133d52476e271c1c2404b895d76621e14ab249d7ff85681ff72c67103a07f851d1bc66ae148d

Download Submit
C:\Windows\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe

Filesize
35KB

MD5
f03a8401c8aefdc9736ee5190898cb3f

SHA1
80fcfddb68a06d53f46cc9186bec0d7552d9dcdf

SHA256
a52321724578b003da10a37a83edefefcdcb4b8fe49b197f8c8cb03d0832397e

SHA512
0fa061896723df3339dd0d9c243a4296c85b6c8487d12b88398b2b8e5897ec1b7f556d62fec9127aa6f653abe39519251ae9b2a649c45136e5d166f4dfa2bac8

Download Submit
C:\Windows\{5E43D9D0-6E09-4e23-A5CC-472B59DC8356}.exe

Filesize
92KB

MD5
b15626793dbe4d37edb1264d0faca753

SHA1
ae21cdafda73941b2708770ddc12e321f444684b

SHA256
205a15955eb9f331816753b4ecfa977ab70d34541f4ccde1752fbe01d92f8622

SHA512
04bb6a42a015a7dd1b8250d854c98f047473b09af5ed14c668e03fe10f266a040f6aac354f72140b2d753b4faea9b576db3a4a84cec691f18204ecdcac436fb2

Download Submit
C:\Windows\{69522D59-2468-44a7-9851-7798BB849F6D}.exe

Filesize
168KB

MD5
df6bb2def68b7e3f4d81fe2af71edc41

SHA1
709b7cbf232a95cdab4efc6961dc952abd734667

SHA256
6b54c525c6b986e7c12ad61212fb89f26b7e5008ae05000143b7b09743073f75

SHA512
6f2fb0e4041a257ccc05e5db9ace526cd02f667418539942ad4c2a0339d7c57b6304fb7fa8bb10e349f085506ab0d8212982bc02ef784ec24f98eba227907706

Download Submit
C:\Windows\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe

Filesize
92KB

MD5
2aed19dc25ce74099d4250d1a515b61e

SHA1
fa2e4781ea81887be9f94710aec4377240a2c4f9

SHA256
56f367bcd4da56f34abf5b585b4b60a277e6f8dfad2ff746ac9a9c733e45fa5a

SHA512
cc95b03a77883ac8c73c38c348219e42f343e7745e1eec9d4e69a291570f2d7e53c86dcfb345d573046541b7e77237fbaeed4615c4b664ef27af8e0e62304092

Download Submit
C:\Windows\{7648341D-E732-4ac1-820F-DCB66549A64B}.exe

Filesize
57KB

MD5
cb11cbb69af7238b55a5480ad5ce414a

SHA1
34e1483875594d06bf0814151f6ef27a0dca0be4

SHA256
cbb7bd331c662daa32a5ac676b49d21a41b8668c1924809bae69b861d9b10213

SHA512
e836a6d72451e6b27d779e994d8d146921e5734ff2b91ae7d6ff067b20c50b85ea2d0a6b6cfa643ef3a8839d641e3e694324b7e1244d4a653eb19a186b78b03e

Download Submit
C:\Windows\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe

Filesize
168KB

MD5
d845fc7c2beb18cbd62859687ab6eb75

SHA1
f581ddb4cf7ce3d4ab8a221031df3087f031062b

SHA256
526f108510d4ec778be149afa0df7b85eadf917c9ea4d4030d340b9fe38845a0

SHA512
bb9d75f4f0c3e1ed642fb12870b98bf5c920cfa865ebecebd61373ec977e7a9c4bd8c092cb33ffc313c9ff90d0dd03c25078127ae119715c29f7ece215f67110

Download Submit
C:\Windows\{8F286854-7405-4a09-A0F5-A716E2E4D513}.exe

Filesize
62KB

MD5
553d1af63103a8472c35cab3adcfedc1

SHA1
70f2e5d25c7bdcd3242dbf65fb3d5863ac4d4c2c

SHA256
49875c6e827e58e90f1c5b7892b4ee21c73b0615b312ad6bfc81d9f535550e33

SHA512
2f605fc2f8bbc4d6bacd27d1b46e0d996e999e7cf98ac2622c06a1c44ade654103bf565c4cdc4a5115aaf4f3a3d3584ea00e2306c0c86c3f58affd358e8989fa

Download Submit
C:\Windows\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe

Filesize
148KB

MD5
0163b19b56a7586b27ff432b99bab95f

SHA1
5c60fc05360bac0cdddc7824f2a0790cac0e8bb9

SHA256
1bfa11690bf2909ac02c163ca387a3c8b1b18701694760e7ce75ec956e2e018f

SHA512
d9593f47d71c18bc63b8ca63c87305dd01f00e9ff6d2e36447115d9c35b6663e06e5f633ac0086b86aaff74f97817302d08671552ab5f1c7e21e226f4947adac

Download Submit
C:\Windows\{8F2A705D-D22A-4dcd-9667-7B43EE1F7513}.exe

Filesize
29KB

MD5
9a17a8309c341c79336eb9b22f5f0757

SHA1
568e0cdf6090f660c8ae63a3d31c344b81f96868

SHA256
c2a705bf2aaa876a2cb209e0c8f49bd09480f59f3029f9e58af7b98561a5335d

SHA512
3e88060911c17a969cd17e9b98cd06ec084073a851f9d92af68b709bc857abb4ffeef43dec7f2cfdf81df790b4fa49e4586550b29f95ad683b04853fb96908b3

Download Submit
C:\Windows\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe

Filesize
142KB

MD5
cb9960e8b70945d087c8756c5b765dbd

SHA1
93385215f520f255dcb561f70939ced4f784da9a

SHA256
354b0cce2565676481beb7ad50728838d46e87c90a74fd8b8109ee56c2e22bf0

SHA512
3cbc77175e8cb40e3de1fb66bebb0291e838db65fdf8b702f1f5f2c240b804af9b4eeba0ee64acf86508edfcf9f2a85c68e309355fda8e7b1d6b60e62841258b

Download Submit
C:\Windows\{B50A4BD6-13AB-45fd-A724-5DCE3C4AD279}.exe

Filesize
168KB

MD5
684e8da31c6b8f453959738bd80e9de5

SHA1
8f49ac8c48d91ff03bed283f0f3b22c2a348b358

SHA256
9c84c9b425c2afb4c34a2bc29018736881879e0d3c3815fc733b0db3eccf9838

SHA512
c8202064b39fd6b1ab84359f6c584f33d4682d78a29b8a4aa96fc441cca61057f588f200f3dd7f10adde446fd2e58c8225de6db18e92aa74f6983de58fd69360

Download Submit
C:\Windows\{FB83121B-667C-4ee4-8FBD-44EE0495423B}.exe

Filesize
168KB

MD5
f96c57c28243f4e9641e35a27bb2f460

SHA1
1b59d363ff889680b9b7d6f0e4fb2fb5ebed3121

SHA256
6e33ac01ef317675690aa2c54dc6a5da5be111e0cf038b019b307b73678c200b

SHA512
e0d64c67443387470ef39d2a8593a58bd84c3a4a25b8724a2d667ba40ede7b80d9ac80723dccf3aff2fbe8e765ed38655bb3cdbd4dbaa69303317657950fc7c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads