212cc114d9790ff9fb9151efeab6762b5cba801ae1272558775610b6499834de

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
Size

168KB
MD5

bafd6b087076442235ce04315d5adca1
SHA1

7545c7589940a123426203640891461f14a3f587
SHA256

212cc114d9790ff9fb9151efeab6762b5cba801ae1272558775610b6499834de
SHA512

5986c3223c09d35d761149cb46a23d27c23f8d8a7b2fe93af6b1e5fd2d05fd04928f87c64848586eff9e12343e32905ebe57efdef980cd2b616351a194c9d3bc
SSDEEP

1536:1EGh0oLlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oLlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023205-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002312b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023210-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2069DFCC-CF74-4324-BA1C-903C825E58C4}\stubpath = "C:\\Windows\\{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe"	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285075B3-FB38-4c40-94F8-F10437BC8E1D}	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}\stubpath = "C:\\Windows\\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe"	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}\stubpath = "C:\\Windows\\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe"	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F21A27-9892-4da6-BB49-9143106DEB58}	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}\stubpath = "C:\\Windows\\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe"	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}\stubpath = "C:\\Windows\\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe"	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D19E857-72B7-4514-B2F4-F0A41A299189}\stubpath = "C:\\Windows\\{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe"	{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2069DFCC-CF74-4324-BA1C-903C825E58C4}	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}\stubpath = "C:\\Windows\\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe"	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F21A27-9892-4da6-BB49-9143106DEB58}\stubpath = "C:\\Windows\\{07F21A27-9892-4da6-BB49-9143106DEB58}.exe"	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D19E857-72B7-4514-B2F4-F0A41A299189}	{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}\stubpath = "C:\\Windows\\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe"	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285075B3-FB38-4c40-94F8-F10437BC8E1D}\stubpath = "C:\\Windows\\{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe"	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}\stubpath = "C:\\Windows\\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe"	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AE11695-95E2-46c0-899F-EF4EA660FC39}	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AE11695-95E2-46c0-899F-EF4EA660FC39}\stubpath = "C:\\Windows\\{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe"	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
3184	{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
1292	{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe	{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
File created	C:\Windows\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
File created	C:\Windows\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
File created	C:\Windows\{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
File created	C:\Windows\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
File created	C:\Windows\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
File created	C:\Windows\{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
File created	C:\Windows\{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
File created	C:\Windows\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
File created	C:\Windows\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
File created	C:\Windows\{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
File created	C:\Windows\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
Token: SeIncBasePriorityPrivilege	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
Token: SeIncBasePriorityPrivilege	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
Token: SeIncBasePriorityPrivilege	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
Token: SeIncBasePriorityPrivilege	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
Token: SeIncBasePriorityPrivilege	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
Token: SeIncBasePriorityPrivilege	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
Token: SeIncBasePriorityPrivilege	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
Token: SeIncBasePriorityPrivilege	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
Token: SeIncBasePriorityPrivilege	2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
Token: SeIncBasePriorityPrivilege	3184	{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3980	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	92
PID 1164 wrote to memory of 3980	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	92
PID 1164 wrote to memory of 3980	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	92
PID 1164 wrote to memory of 4628	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	93
PID 1164 wrote to memory of 4628	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	93
PID 1164 wrote to memory of 4628	1164	2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe	93
PID 3980 wrote to memory of 116	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	95
PID 3980 wrote to memory of 116	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	95
PID 3980 wrote to memory of 116	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	95
PID 3980 wrote to memory of 1352	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	94
PID 3980 wrote to memory of 1352	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	94
PID 3980 wrote to memory of 1352	3980	{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe	94
PID 116 wrote to memory of 1612	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	98
PID 116 wrote to memory of 1612	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	98
PID 116 wrote to memory of 1612	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	98
PID 116 wrote to memory of 3496	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	97
PID 116 wrote to memory of 3496	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	97
PID 116 wrote to memory of 3496	116	{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe	97
PID 1612 wrote to memory of 1512	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	99
PID 1612 wrote to memory of 1512	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	99
PID 1612 wrote to memory of 1512	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	99
PID 1612 wrote to memory of 452	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	100
PID 1612 wrote to memory of 452	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	100
PID 1612 wrote to memory of 452	1612	{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe	100
PID 1512 wrote to memory of 3304	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	101
PID 1512 wrote to memory of 3304	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	101
PID 1512 wrote to memory of 3304	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	101
PID 1512 wrote to memory of 1556	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	102
PID 1512 wrote to memory of 1556	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	102
PID 1512 wrote to memory of 1556	1512	{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe	102
PID 3304 wrote to memory of 3988	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	103
PID 3304 wrote to memory of 3988	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	103
PID 3304 wrote to memory of 3988	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	103
PID 3304 wrote to memory of 412	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	104
PID 3304 wrote to memory of 412	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	104
PID 3304 wrote to memory of 412	3304	{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe	104
PID 3988 wrote to memory of 3248	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	105
PID 3988 wrote to memory of 3248	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	105
PID 3988 wrote to memory of 3248	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	105
PID 3988 wrote to memory of 3528	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	106
PID 3988 wrote to memory of 3528	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	106
PID 3988 wrote to memory of 3528	3988	{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe	106
PID 3248 wrote to memory of 2556	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	107
PID 3248 wrote to memory of 2556	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	107
PID 3248 wrote to memory of 2556	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	107
PID 3248 wrote to memory of 4700	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	108
PID 3248 wrote to memory of 4700	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	108
PID 3248 wrote to memory of 4700	3248	{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe	108
PID 2556 wrote to memory of 3240	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	109
PID 2556 wrote to memory of 3240	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	109
PID 2556 wrote to memory of 3240	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	109
PID 2556 wrote to memory of 3300	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	110
PID 2556 wrote to memory of 3300	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	110
PID 2556 wrote to memory of 3300	2556	{07F21A27-9892-4da6-BB49-9143106DEB58}.exe	110
PID 3240 wrote to memory of 2676	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	111
PID 3240 wrote to memory of 2676	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	111
PID 3240 wrote to memory of 2676	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	111
PID 3240 wrote to memory of 1008	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	112
PID 3240 wrote to memory of 1008	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	112
PID 3240 wrote to memory of 1008	3240	{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe	112
PID 2676 wrote to memory of 3184	2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe	113
PID 2676 wrote to memory of 3184	2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe	113
PID 2676 wrote to memory of 3184	2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe	113
PID 2676 wrote to memory of 400	2676	{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_bafd6b087076442235ce04315d5adca1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
  C:\Windows\{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2069D~1.EXE > nul
    3⤵
    PID:1352
- - C:\Windows\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
    C:\Windows\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67B84~1.EXE > nul
      4⤵
      PID:3496
  - - C:\Windows\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
      C:\Windows\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
        
        C:\Windows\{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
        
        C:\Windows\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
        
        C:\Windows\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
        
        C:\Windows\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
        
        C:\Windows\{07F21A27-9892-4da6-BB49-9143106DEB58}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
        
        C:\Windows\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
        
        C:\Windows\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
        
        C:\Windows\{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe
        
        C:\Windows\{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe
        13⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AE11~1.EXE > nul
        13⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30290~1.EXE > nul
        12⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57D0B~1.EXE > nul
        11⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07F21~1.EXE > nul
        10⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B812F~1.EXE > nul
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB06~1.EXE > nul
        8⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC97F~1.EXE > nul
        7⤵
        
        PID:412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28507~1.EXE > nul
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF1AB~1.EXE > nul
        5⤵
        
        PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07F21A27-9892-4da6-BB49-9143106DEB58}.exe

Filesize
168KB

MD5
318531eac3b3e519a41163f13f43f041

SHA1
79d3adba2d8a5dc6b22835a7769d7d5e5c2336d5

SHA256
47cf02c6006d0e1f77f199950d2f18052e102fb5aab6b59ca0d0ecdd5175a14a

SHA512
17b6d8c1b9004036b6cbe320dc15bf83115655a9b073d1da67d027d82420f3056aa36a0d7e7691edeaa365958ca3276c57275a926e764bdf9c43b2ad0e8835a5

Download Submit
C:\Windows\{2069DFCC-CF74-4324-BA1C-903C825E58C4}.exe

Filesize
168KB

MD5
39a6703da2d838fa7752d95edf7c9a41

SHA1
65a207e80a62587eebd3da9d0c0439577cdc7261

SHA256
20990c14625a851355146d9bfe5ec0b5b77f15796dde17abc2bd914f7b6efe81

SHA512
95bf56f8e0318d6c9ca0d860d4cb1a6fcb172df574bff70c7cc23d1b00358babc481cf01d27cae4a77918aa03c292566ce503c29614669e9b78f3f863377a3fc

Download Submit
C:\Windows\{285075B3-FB38-4c40-94F8-F10437BC8E1D}.exe

Filesize
168KB

MD5
25038f447694cc03df7b7749f9b8dcc3

SHA1
f09aa40ff2438be50bd0c8287d3bcbdf8fd78e35

SHA256
b6ddce9b4646c200429fecf5b836c8a3189428a4bd52d75a36bb278fc714aa01

SHA512
0431f48f0738e6aec1cda5c65db9b54cb3d7c41771763a36378425fb41cfb449f4b2228247d0d4d644570a8174c739ef8f3363b547722c1ae4b49a5698320220

Download Submit
C:\Windows\{2AE11695-95E2-46c0-899F-EF4EA660FC39}.exe

Filesize
168KB

MD5
07d31fca468b09f7f3b483cc051bc1e2

SHA1
8a3707800fde855680de2a06d12910b013be8eb2

SHA256
c4ee9f0457aecbb79ffa1a8866873fff82923dd5d16c442635ddfe4b8a0eee75

SHA512
8948c73856284615b045503389f153e5147921071f08ffa5ab7e274c6ef8ad6682a3ea45db9b5d646b487ca0cace80aa0853c95156f15863e35adea39102130e

Download Submit
C:\Windows\{30290AC0-4C33-4ae6-91F8-78BBF210BEC2}.exe

Filesize
168KB

MD5
256173f360253aaafa9a6c5c368c4b12

SHA1
f2c4d8c1f8d113c0722fad158dc850a1dad931c0

SHA256
83b96c116ba0651f88a696315edfb5e69353e48d2647fd5265b7b1080762a9fb

SHA512
790a0dd817eba804c7aced65ac26977da811455ff8da1856a620c457b80f15cc791014a7d10c89a2ae4ec7393b443bde9c45f76c16755fc9504daefb9cdf90b4

Download Submit
C:\Windows\{57D0BD2B-F226-49e3-AE82-AF6B27A399C4}.exe

Filesize
168KB

MD5
606dac0029f77b6dca0fa28ae071aed7

SHA1
19337e030705f984ef6fe08516c69e588ba8d20c

SHA256
d00b57e497faec9cddc60a96009ff19b6d5fd3e4cd1800be89a4975e141ef26d

SHA512
47f32015203f036fb2abe1a3b8663ee0a9d2122bd1fce037f0cdf1ea3a4e190b70d3ea3b3ee585faca1bab5ad02fc207bd35cb9dd938afa1a68a3423b3e39dfb

Download Submit
C:\Windows\{67B84946-A4A6-4e6b-A7D7-8870BF01D282}.exe

Filesize
168KB

MD5
d1767248a60d3753f159dd92090c04a4

SHA1
67dd38eb82b4594b2fb1caad85865ece97cd076c

SHA256
75249971647ffd05b28dd37efb1f9db30547f36d37811119a62332847862deb3

SHA512
7db5d9738870a72db33dd89c4da3c89ad7be75187669c7b5f7adc63c2df7ae97a94dc5b17a0a01c19222db4794b36c5f2e014f7fa5ea1ab4cc0c632547231d14

Download Submit
C:\Windows\{7D19E857-72B7-4514-B2F4-F0A41A299189}.exe

Filesize
168KB

MD5
de31f373f95b2c2e3b71dd958198e459

SHA1
27977e46fbcca8f66b72a054d13b67a0f74a26bb

SHA256
b0f13ea83fc1037556aba4ef81db73690866ec57ad4a7d664aa08ff63b425336

SHA512
6020c23696a6c44a52e1015c28140bcd1efe2776972e423b9c003f60089d90b3489a757245aa4716ce2e29b4cbd76b372753fd18a484c26bf675d3526fa237f7

Download Submit
C:\Windows\{B812FCA8-2582-4336-B2EF-33F5C3AC0759}.exe

Filesize
168KB

MD5
5c014f608b502cfd665bd524f7ecae4d

SHA1
88dd2b5f49351fe7253007db61f2c5a2ee3c701a

SHA256
080d6434f9cffc67227bcdd4ceaa94d0c0d7cb239e7ebe0aec362db29a84638e

SHA512
2c2d0a9833e12cebb43e276518e7a2c4642fe92c79cdba077f698c8d0bdb185b5d1e81b41b5bccc955a81bfe1ecd03b6582cc7a6215665fa0683c3866e9024c9

Download Submit
C:\Windows\{BC97F8ED-6D8E-4eab-BE4B-22B4BCEEACC9}.exe

Filesize
168KB

MD5
91367ece411f19dd8db05d8c7f12ee6e

SHA1
2690f7a36f03d9960168c1eaa4d1fc8b52925748

SHA256
2da2d8c07374ab8d0bd7734ecab20944e60a3a7ac109ca663e870edc65fadabc

SHA512
fa59d37efb4a6c8c5b52e7178e4a915c763d20133c2b089b24f9a5ca00b42b4c1a2dc2e8c1f46629f63323c5028d76b3f06a2742cb0503eb85d19784482a358e

Download Submit
C:\Windows\{DF1AB5CA-032D-4171-A5AE-A802670B7BE7}.exe

Filesize
168KB

MD5
a00a1cf0a0adf61b929f6dd817e61410

SHA1
b67970fbdf44e8fd69c573a9e3fe78b3e6c3f88a

SHA256
28df843bb7b4a032f87cd6dc4b8c9146d29586e67bfe6f3b14be6582856bdd0b

SHA512
04cf89c759d223416030d2a9d7d6044ad26c9f565a193d7fa7cc1fa094d5d839d18e5e62c1a7d5aba9fe8146ff089148237b1a34b8c3d76a265221b5869b4f0c

Download Submit
C:\Windows\{FAB06C1E-BD49-40cf-9622-50FA6BEA22BE}.exe

Filesize
168KB

MD5
13920e37fa909b5d7a7fce4a7b8aa995

SHA1
71faf83b1b8cb9028cb23385aa8b0a441b0617d6

SHA256
92bee66a240fc14a564b1e012695b56b1a69f8b5ab66b23933401d265916ea6a

SHA512
d20a66529ae5a282bb3491a942751bee6c7d58f4225318e61b6d037e961372b1e66acd1ab90b5e53c0353e02c9d15fd57204486793725b383ee95fa41c440827

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads