993a902c6a4ca8105457c241f0df8e4628422d28ef09a1859822c20c8bf9c93f

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 17:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Size

408KB
MD5

bdbade173d5e08d397afb9f906920746
SHA1

6c1c48fb220b03df58275eb3659bb248c0064e9b
SHA256

993a902c6a4ca8105457c241f0df8e4628422d28ef09a1859822c20c8bf9c93f
SHA512

4b5214b085c89f09f7ac02fa2feb12ac444d393b3f3b0c1d9b75dddc4e1450b1f6cff4197221371532f658fd96e34bf8fc6cac2448fc4c86dfced9f288163341
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGwldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023161-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023161-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023161-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002323e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023161-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002323e-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023161-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002323e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023161-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002323e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}\stubpath = "C:\\Windows\\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe"	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C639E-C752-4476-903D-567F2B3E6983}	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C639E-C752-4476-903D-567F2B3E6983}\stubpath = "C:\\Windows\\{B65C639E-C752-4476-903D-567F2B3E6983}.exe"	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}\stubpath = "C:\\Windows\\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe"	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}\stubpath = "C:\\Windows\\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe"	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}	{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}\stubpath = "C:\\Windows\\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe"	{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}\stubpath = "C:\\Windows\\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe"	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}	{74346A44-516E-45a6-B516-1A59B11C8867}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9573F163-71DC-48ca-908F-0C8A818E7961}	{B65C639E-C752-4476-903D-567F2B3E6983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}\stubpath = "C:\\Windows\\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe"	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74346A44-516E-45a6-B516-1A59B11C8867}\stubpath = "C:\\Windows\\{74346A44-516E-45a6-B516-1A59B11C8867}.exe"	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}\stubpath = "C:\\Windows\\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe"	{74346A44-516E-45a6-B516-1A59B11C8867}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9573F163-71DC-48ca-908F-0C8A818E7961}\stubpath = "C:\\Windows\\{9573F163-71DC-48ca-908F-0C8A818E7961}.exe"	{B65C639E-C752-4476-903D-567F2B3E6983}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74346A44-516E-45a6-B516-1A59B11C8867}	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}\stubpath = "C:\\Windows\\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe"	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}\stubpath = "C:\\Windows\\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe"	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe
4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe
4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe
3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
2036	{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
4652	{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{74346A44-516E-45a6-B516-1A59B11C8867}.exe	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
File created	C:\Windows\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	{74346A44-516E-45a6-B516-1A59B11C8867}.exe
File created	C:\Windows\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe	{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
File created	C:\Windows\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
File created	C:\Windows\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
File created	C:\Windows\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
File created	C:\Windows\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
File created	C:\Windows\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
File created	C:\Windows\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
File created	C:\Windows\{B65C639E-C752-4476-903D-567F2B3E6983}.exe	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
File created	C:\Windows\{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	{B65C639E-C752-4476-903D-567F2B3E6983}.exe
File created	C:\Windows\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
Token: SeIncBasePriorityPrivilege	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
Token: SeIncBasePriorityPrivilege	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
Token: SeIncBasePriorityPrivilege	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
Token: SeIncBasePriorityPrivilege	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
Token: SeIncBasePriorityPrivilege	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe
Token: SeIncBasePriorityPrivilege	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
Token: SeIncBasePriorityPrivilege	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe
Token: SeIncBasePriorityPrivilege	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe
Token: SeIncBasePriorityPrivilege	3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
Token: SeIncBasePriorityPrivilege	2036	{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2684	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	85
PID 2268 wrote to memory of 2684	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	85
PID 2268 wrote to memory of 2684	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	85
PID 2268 wrote to memory of 4580	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	86
PID 2268 wrote to memory of 4580	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	86
PID 2268 wrote to memory of 4580	2268	2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe	86
PID 2684 wrote to memory of 4896	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	87
PID 2684 wrote to memory of 4896	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	87
PID 2684 wrote to memory of 4896	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	87
PID 2684 wrote to memory of 2244	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	88
PID 2684 wrote to memory of 2244	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	88
PID 2684 wrote to memory of 2244	2684	{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe	88
PID 4896 wrote to memory of 4716	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	91
PID 4896 wrote to memory of 4716	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	91
PID 4896 wrote to memory of 4716	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	91
PID 4896 wrote to memory of 4472	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	90
PID 4896 wrote to memory of 4472	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	90
PID 4896 wrote to memory of 4472	4896	{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe	90
PID 4716 wrote to memory of 3232	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	92
PID 4716 wrote to memory of 3232	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	92
PID 4716 wrote to memory of 3232	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	92
PID 4716 wrote to memory of 3112	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	93
PID 4716 wrote to memory of 3112	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	93
PID 4716 wrote to memory of 3112	4716	{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe	93
PID 3232 wrote to memory of 4784	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	94
PID 3232 wrote to memory of 4784	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	94
PID 3232 wrote to memory of 4784	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	94
PID 3232 wrote to memory of 1744	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	95
PID 3232 wrote to memory of 1744	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	95
PID 3232 wrote to memory of 1744	3232	{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe	95
PID 4784 wrote to memory of 2828	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	96
PID 4784 wrote to memory of 2828	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	96
PID 4784 wrote to memory of 2828	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	96
PID 4784 wrote to memory of 2972	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	97
PID 4784 wrote to memory of 2972	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	97
PID 4784 wrote to memory of 2972	4784	{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe	97
PID 2828 wrote to memory of 4672	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	98
PID 2828 wrote to memory of 4672	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	98
PID 2828 wrote to memory of 4672	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	98
PID 2828 wrote to memory of 1832	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	99
PID 2828 wrote to memory of 1832	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	99
PID 2828 wrote to memory of 1832	2828	{74346A44-516E-45a6-B516-1A59B11C8867}.exe	99
PID 4672 wrote to memory of 1420	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	100
PID 4672 wrote to memory of 1420	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	100
PID 4672 wrote to memory of 1420	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	100
PID 4672 wrote to memory of 540	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	101
PID 4672 wrote to memory of 540	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	101
PID 4672 wrote to memory of 540	4672	{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe	101
PID 1420 wrote to memory of 4460	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	102
PID 1420 wrote to memory of 4460	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	102
PID 1420 wrote to memory of 4460	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	102
PID 1420 wrote to memory of 3164	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	103
PID 1420 wrote to memory of 3164	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	103
PID 1420 wrote to memory of 3164	1420	{B65C639E-C752-4476-903D-567F2B3E6983}.exe	103
PID 4460 wrote to memory of 3500	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	104
PID 4460 wrote to memory of 3500	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	104
PID 4460 wrote to memory of 3500	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	104
PID 4460 wrote to memory of 3720	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	105
PID 4460 wrote to memory of 3720	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	105
PID 4460 wrote to memory of 3720	4460	{9573F163-71DC-48ca-908F-0C8A818E7961}.exe	105
PID 3500 wrote to memory of 2036	3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe	106
PID 3500 wrote to memory of 2036	3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe	106
PID 3500 wrote to memory of 2036	3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe	106
PID 3500 wrote to memory of 4272	3500	{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_bdbade173d5e08d397afb9f906920746_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
  C:\Windows\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
    C:\Windows\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE75B~1.EXE > nul
      4⤵
      PID:4472
  - - C:\Windows\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
      C:\Windows\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
        
        C:\Windows\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
        
        C:\Windows\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{74346A44-516E-45a6-B516-1A59B11C8867}.exe
        
        C:\Windows\{74346A44-516E-45a6-B516-1A59B11C8867}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
        
        C:\Windows\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{B65C639E-C752-4476-903D-567F2B3E6983}.exe
        
        C:\Windows\{B65C639E-C752-4476-903D-567F2B3E6983}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{9573F163-71DC-48ca-908F-0C8A818E7961}.exe
        
        C:\Windows\{9573F163-71DC-48ca-908F-0C8A818E7961}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
        
        C:\Windows\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
        
        C:\Windows\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe
        
        C:\Windows\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe
        13⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02EE6~1.EXE > nul
        13⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50F25~1.EXE > nul
        12⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9573F~1.EXE > nul
        11⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B65C6~1.EXE > nul
        10⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3979~1.EXE > nul
        9⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74346~1.EXE > nul
        8⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4923E~1.EXE > nul
        7⤵
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A38~1.EXE > nul
        6⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA87~1.EXE > nul
        5⤵
        
        PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{59219~1.EXE > nul
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02EE60AC-B10C-4f9a-9A33-078C41849BE8}.exe

Filesize
408KB

MD5
6342f0101861878d11cc19209cda3fd9

SHA1
452f945dd0879ad461930c14bddff68b83a4b370

SHA256
6609e0f0a75e90e5458c9e74dcc38873c23861f9ddf89158fe48ba357c42e327

SHA512
10d29111d5c537689a3be9aa011e96539a8677e65866234ee08f940bb2820651d55c73318c40af4cac57ca6db7a85e5c4c5fb5f497ace850de28e366d78f99b6

Download Submit
C:\Windows\{4923E2ED-BB58-4b3b-A432-1ECB60F4DF0E}.exe

Filesize
408KB

MD5
3ecc7c84f57c24d56667f2f167451f4f

SHA1
b0b6bdc08fe582f8a2a227762f41be49c186d67a

SHA256
2ed7224c688c40da1cceae6862a2e3fb3c3605c28d754d58eca1ad2189c44b62

SHA512
26b2496d64b6ef7de9bec663dcc09bfa4c315609723c9519b6a89f027d6dad5a76f2dd8c52b67aa7a6c26093fcde2b626281581478c0729f23597bbc258e87b6

Download Submit
C:\Windows\{50F257E9-3BA6-49ed-A400-CA2CBDB39E90}.exe

Filesize
408KB

MD5
2b4e38f0204934b0ceae84339aca3bfb

SHA1
e590d584e41cf0824fc2e62d29240b8ca53c3319

SHA256
645bfae2b2e2fcbd54fa19a74ad185270270bd0fe2c4339bd5d219ec5a4f8096

SHA512
17ca2b174f2d6514d5f5735125e5a15bf3839470a4433743580ce8fcd55a4e1307ec4c22ac13816139f6be2f85b6e2c839c0f751058c5ffd7b970e08a3c19f84

Download Submit
C:\Windows\{59219D46-AB1F-4455-BDE4-D2D9D12C4404}.exe

Filesize
408KB

MD5
75a2aa9db50a02116310b7f1472a28ad

SHA1
0e00b9342f10d759e7805aed3c2b009cd4ea78fc

SHA256
406e8eed3cd37adfb8cab43694f3da14adea0f1ba0867a7eb9f91389a216f022

SHA512
3031538f2edb765f8f760a03eee01fb7fc3885c84e1367112518a22db381027a51fcb33c9ae02702964ce3b8eb8af6a9c8cc87773f3b3e3964a1c5aea4825551

Download Submit
C:\Windows\{72A38EF9-E4E0-461a-BF01-4EAE968BDBAF}.exe

Filesize
408KB

MD5
674fd3d0b40df6047b2be55b14860ffa

SHA1
527ab0d6aebd76dc615b758bb9c5c1755d988e08

SHA256
6be5223767ac88c9013c16b674481238d73d8d2d0cf2344631f51b62cc7f74de

SHA512
d856b0889a404c5eea8d5ca8dc02af94ecfac588486a2640cbc29477543ac3e4e06af1440563ecb9d9336e74ac5a2b36e44fdd80fa7b8f848cea60dd80eeaa3b

Download Submit
C:\Windows\{74346A44-516E-45a6-B516-1A59B11C8867}.exe

Filesize
408KB

MD5
b9e988aac3de78f51b9bf8f6cabdc4ac

SHA1
26f1d24ead7ee14834e89845d6234a7324bfe5b7

SHA256
f6ce5b4fa6833eb329edf18ff63285ac87b9db27354f3f6ad2a8ffcfecfc6055

SHA512
2950432639d847856ee23734944186e595eebf26b8737980737d9c635153571cbe10a160012122e3e0b76d74d60570b253d54e1a566d39515a90cc2c12cbc9be

Download Submit
C:\Windows\{7AEAF569-6AD3-47d0-85B3-192DA19B4B00}.exe

Filesize
408KB

MD5
cff943f803bc352a620bee32e136c611

SHA1
3907bc7ff6270a04218dd13ff5055a0745c8b744

SHA256
a8731a9913a6063738cd56d4c0516c8a42b3971218156f3fbe5d32c5955a6d96

SHA512
8755146f174c40bafbe33700c6e223d12e585968a97fb7de4b3a536daaabd367b6cb00a656ededb2874358d8870687e1f0ace6bfe530c03725227f3eec0bf70d

Download Submit
C:\Windows\{8AA87BB4-3938-4c69-A04F-73F6E7D0BE63}.exe

Filesize
408KB

MD5
b93ae8acc451da82f6e83ee7ce93e918

SHA1
7ec5f7827e14119c0d59fffdfe5f9238f72d1ea4

SHA256
eefaa235aa30f49ad3cd0122d2d2072059a82f70db39d9cb603690c54ff277ad

SHA512
e9f3d50aefa916ee093a8e35187d01e036c7bec5c12ecdae6e007987e1b9272a8b42b735d41efe998873ab5d9b618e77e5dec27f9b28cdc81afc29872ecfc35a

Download Submit
C:\Windows\{9573F163-71DC-48ca-908F-0C8A818E7961}.exe

Filesize
408KB

MD5
25d6f3d53b6014b4507beffbec640992

SHA1
c480d581034bece7c8d0e8eec41970a83c83f068

SHA256
cbbd1379390681074b30890c10fc813aae3e1b70a88620c720f090b6425850fb

SHA512
4e9a4501fd1436498c0efc9966e603be24075456c2a1327249ad466b4ef811eb82cd112f409ab2c22e7773212720a9643afaba004978d0dbb6b7b4f8288d90b7

Download Submit
C:\Windows\{B65C639E-C752-4476-903D-567F2B3E6983}.exe

Filesize
408KB

MD5
4381ee5b02d638f686f13ad9f99ab644

SHA1
9c49aa83992afbdc85e79488a0d144a44d01ddfd

SHA256
5a87de08fe53c38cdbd91c58c289c090d5eacffe197abca2b1e4bfdff4f0b3d6

SHA512
de6cef343af7420bee091af239c6d59f3a2a46a433392a6cc9f96ecb72bc3a019a746f147b81f4a4cf886fe97e04a08a03342d1b95e82c1f3000690bb72db759

Download Submit
C:\Windows\{D3979D38-0320-4ce7-B606-A5CE6DD6C66A}.exe

Filesize
408KB

MD5
6186a369ec9355c3c1dbd2a8b1c583d8

SHA1
9e195b74987e6f5dd5df79d8902a431d3e97a834

SHA256
0f780687460461c804d97262d7d4605d87d01dc2a6c7b3e07be665a9e85bab52

SHA512
3fe13d1806812628a50812bb935c798671f8f8f90109d80833061768ad37dce83f23b3a38010358d80bafaf6d691a7c218d9cdf40ea303f22b7cda126100ffb5

Download Submit
C:\Windows\{EE75B6F9-B209-47f1-8CD3-9630F05AD86A}.exe

Filesize
408KB

MD5
9a12555237076782c69bc2c0d85cbd78

SHA1
d2a243cd578acc46c524f15cdd77a13d1c4acc11

SHA256
7a722dfede928ec774c9134068088f1c3496055603945989c27aa0c7c6315670

SHA512
808b091e81c0473df277015f524a7978837ba4ae4f2110a2e080354a1edef2f925eb0fb6a75b3c19d8111677e60112c823d96a5cd9f6d6f3c1c66c19b9228f12

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads