0fa816b4bb7fb2eefaff5a02506a76d21435e1575dabe03ca593cbd5a339385f

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Size

168KB
MD5

08152c85d9bd8b77a9121e07bbb0f10e
SHA1

bd1ff68cc613910114893e9e6c5b5730e0816999
SHA256

0fa816b4bb7fb2eefaff5a02506a76d21435e1575dabe03ca593cbd5a339385f
SHA512

f2f4f3bd4e5f8df5a4501406df5d74095efb1482e89f800e0c77063212558f7ca765ae8951c025bf238e7b4781ec4d54ccb3d34e9f357a04827c1374ba6ef71d
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023239-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023346-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023351-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023346-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db1f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001db4d-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233df-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234cc-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002314a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023150-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002314a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023151-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FABEE4B-3651-4ebb-9752-080795672F82}\stubpath = "C:\\Windows\\{2FABEE4B-3651-4ebb-9752-080795672F82}.exe"	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A892AC46-0C33-4a02-976F-7EA93357F80B}	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}\stubpath = "C:\\Windows\\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe"	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}\stubpath = "C:\\Windows\\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe"	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021CE0E9-1799-425c-8356-09AE8AAF9195}	{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021CE0E9-1799-425c-8356-09AE8AAF9195}\stubpath = "C:\\Windows\\{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe"	{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7019B15C-FC75-4e45-9FE7-952934CC7C77}	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7019B15C-FC75-4e45-9FE7-952934CC7C77}\stubpath = "C:\\Windows\\{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe"	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA21DCB7-FB75-4076-89CB-96742F480C49}	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA21DCB7-FB75-4076-89CB-96742F480C49}\stubpath = "C:\\Windows\\{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe"	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}\stubpath = "C:\\Windows\\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe"	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}\stubpath = "C:\\Windows\\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe"	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}\stubpath = "C:\\Windows\\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe"	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FABEE4B-3651-4ebb-9752-080795672F82}	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}\stubpath = "C:\\Windows\\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe"	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}\stubpath = "C:\\Windows\\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe"	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A892AC46-0C33-4a02-976F-7EA93357F80B}\stubpath = "C:\\Windows\\{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe"	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe

Executes dropped EXE 12 IoCs

pid	Process
3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
4456	{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
4772	{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
File created	C:\Windows\{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
File created	C:\Windows\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
File created	C:\Windows\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
File created	C:\Windows\{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
File created	C:\Windows\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
File created	C:\Windows\{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe	{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
File created	C:\Windows\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
File created	C:\Windows\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
File created	C:\Windows\{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
File created	C:\Windows\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
File created	C:\Windows\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
Token: SeIncBasePriorityPrivilege	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
Token: SeIncBasePriorityPrivilege	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
Token: SeIncBasePriorityPrivilege	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
Token: SeIncBasePriorityPrivilege	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
Token: SeIncBasePriorityPrivilege	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
Token: SeIncBasePriorityPrivilege	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
Token: SeIncBasePriorityPrivilege	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
Token: SeIncBasePriorityPrivilege	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
Token: SeIncBasePriorityPrivilege	3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
Token: SeIncBasePriorityPrivilege	4456	{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3100	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	98
PID 3460 wrote to memory of 3100	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	98
PID 3460 wrote to memory of 3100	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	98
PID 3460 wrote to memory of 1692	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	99
PID 3460 wrote to memory of 1692	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	99
PID 3460 wrote to memory of 1692	3460	2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe	99
PID 3100 wrote to memory of 3552	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	102
PID 3100 wrote to memory of 3552	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	102
PID 3100 wrote to memory of 3552	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	102
PID 3100 wrote to memory of 4744	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	103
PID 3100 wrote to memory of 4744	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	103
PID 3100 wrote to memory of 4744	3100	{2FABEE4B-3651-4ebb-9752-080795672F82}.exe	103
PID 3552 wrote to memory of 2660	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	107
PID 3552 wrote to memory of 2660	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	107
PID 3552 wrote to memory of 2660	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	107
PID 3552 wrote to memory of 3880	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	108
PID 3552 wrote to memory of 3880	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	108
PID 3552 wrote to memory of 3880	3552	{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe	108
PID 2660 wrote to memory of 2320	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	109
PID 2660 wrote to memory of 2320	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	109
PID 2660 wrote to memory of 2320	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	109
PID 2660 wrote to memory of 5100	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	110
PID 2660 wrote to memory of 5100	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	110
PID 2660 wrote to memory of 5100	2660	{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe	110
PID 2320 wrote to memory of 5056	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	111
PID 2320 wrote to memory of 5056	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	111
PID 2320 wrote to memory of 5056	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	111
PID 2320 wrote to memory of 4868	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	112
PID 2320 wrote to memory of 4868	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	112
PID 2320 wrote to memory of 4868	2320	{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe	112
PID 5056 wrote to memory of 3640	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	114
PID 5056 wrote to memory of 3640	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	114
PID 5056 wrote to memory of 3640	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	114
PID 5056 wrote to memory of 5048	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	115
PID 5056 wrote to memory of 5048	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	115
PID 5056 wrote to memory of 5048	5056	{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe	115
PID 3640 wrote to memory of 3964	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	116
PID 3640 wrote to memory of 3964	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	116
PID 3640 wrote to memory of 3964	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	116
PID 3640 wrote to memory of 2936	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	117
PID 3640 wrote to memory of 2936	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	117
PID 3640 wrote to memory of 2936	3640	{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe	117
PID 3964 wrote to memory of 1508	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	119
PID 3964 wrote to memory of 1508	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	119
PID 3964 wrote to memory of 1508	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	119
PID 3964 wrote to memory of 2836	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	120
PID 3964 wrote to memory of 2836	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	120
PID 3964 wrote to memory of 2836	3964	{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe	120
PID 1508 wrote to memory of 3576	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	128
PID 1508 wrote to memory of 3576	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	128
PID 1508 wrote to memory of 3576	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	128
PID 1508 wrote to memory of 216	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	129
PID 1508 wrote to memory of 216	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	129
PID 1508 wrote to memory of 216	1508	{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe	129
PID 3576 wrote to memory of 3964	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	130
PID 3576 wrote to memory of 3964	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	130
PID 3576 wrote to memory of 3964	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	130
PID 3576 wrote to memory of 3524	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	131
PID 3576 wrote to memory of 3524	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	131
PID 3576 wrote to memory of 3524	3576	{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe	131
PID 3964 wrote to memory of 4456	3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe	132
PID 3964 wrote to memory of 4456	3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe	132
PID 3964 wrote to memory of 4456	3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe	132
PID 3964 wrote to memory of 3860	3964	{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_08152c85d9bd8b77a9121e07bbb0f10e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
  C:\Windows\{2FABEE4B-3651-4ebb-9752-080795672F82}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
    C:\Windows\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
      C:\Windows\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
        
        C:\Windows\{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
        
        C:\Windows\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
        
        C:\Windows\{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
        
        C:\Windows\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
        
        C:\Windows\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
        
        C:\Windows\{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
        
        C:\Windows\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
        
        C:\Windows\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Windows\{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe
        
        C:\Windows\{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe
        13⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8211~1.EXE > nul
        13⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD439~1.EXE > nul
        12⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA21D~1.EXE > nul
        11⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAFE6~1.EXE > nul
        10⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A982~1.EXE > nul
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A892A~1.EXE > nul
        8⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B0D4~1.EXE > nul
        7⤵
        
        PID:5048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7019B~1.EXE > nul
        6⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43EF8~1.EXE > nul
        5⤵
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F75A~1.EXE > nul
      4⤵
      PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FABE~1.EXE > nul
    3⤵
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021CE0E9-1799-425c-8356-09AE8AAF9195}.exe

Filesize
168KB

MD5
019a8893cfbf8c5a5c557aa1ede74595

SHA1
cb76b5b61ddc7ffe9cf13bd5d98c0c91ee229e96

SHA256
bef2c2825423b5283023e493262894e3390506d68f0abb368d756fa72e946496

SHA512
c5fcbc15cb8be384d808a02a51ae445eb90300d54a18bd2a5f1d860b9ea2198109a53d8e4000cf99d1d16f89a5fdf878fb55b1526cecc1f5f67046ae39e54ea0

Download Submit
C:\Windows\{2FABEE4B-3651-4ebb-9752-080795672F82}.exe

Filesize
168KB

MD5
c1fd22543af84cf272aa1f84af6bb6b4

SHA1
4c48149a47736e16b779f249b12b6b2790406c72

SHA256
80c158abca082e4f340a4a607985cc022d3ebd0e9a07f61e2949aa38796656b4

SHA512
6b78fb816ac0e6a2f2e43aa11bfd4737dc96add38387949a21942abd3964b0011414af276a4fccc5892751903a1a3e5807baea2d3e9ab99afeededc10644db74

Download Submit
C:\Windows\{43EF8076-82F2-48ad-AA38-50A1E7B079A7}.exe

Filesize
168KB

MD5
329b957e019cbdf510d8dfc224aabf38

SHA1
f7d3b4b28a8e38e8f3b0fd05a042542bc769788d

SHA256
eac5c08601af17f563c3d6e2a4ab097750ac33bbd88c14d498f71868c6912b18

SHA512
8433f07ae35378a526f660c469b6d0c00a07e44109caaaae7a2f24c22d17ae15ada5aa7ab1c063339dd00f9f0bdf79c4575dbc70462e7fefdd8394365abb0e4f

Download Submit
C:\Windows\{6B0D48CE-2365-4c70-BBAC-7610CFE010A2}.exe

Filesize
168KB

MD5
d1da2cf535fa1eddb103d071a24a556d

SHA1
26f02bf2b262864372668266be3b3f1275b4e463

SHA256
f45306825701c8fe21d25413fde672774bf6e38175ede3c7bff9e206d4a9c5d9

SHA512
bbb81f1f06e0993f7b63aeadea9665968c6f0c8be390f370f3ca5c069203c00d33f25fb3339a82efecc242368ef5fa37bab35f8c93aa88f2b94040ad116e1c08

Download Submit
C:\Windows\{7019B15C-FC75-4e45-9FE7-952934CC7C77}.exe

Filesize
168KB

MD5
f3f12e6ce3196c1232247392c2ec90ec

SHA1
f9044bfe3fea32f3634262ef290a607a94f214e9

SHA256
b25e5261a51edb1ba57e68cc5be2875d5c26308478cdb7393af357c1334a9b54

SHA512
e86e582e0bf16c524cd93c81b8e4c54be6d56613dfbd8f91e1a25c212ef8b6361e1c611a48f59bad237c26927b6633a643e967327d8ce30a465573a6289ea002

Download Submit
C:\Windows\{8A98277B-602B-498c-8CEB-7BE5D1D027CA}.exe

Filesize
168KB

MD5
35bfe715464ef7683382e56d76f9dcbd

SHA1
9534baa9f7bf923d197fb96cc7840512c5dd05d9

SHA256
8acfb5a71aceba56a80d4caff2e268740d05a3add2283bea100436db7cc0ea38

SHA512
da48d8b58f26c15a543bb2906bf8eeea19d527a495649f0b42f443563b7e3750fbe598ce8e8d669ba6cba238e26b9e56cbbe1cff1a0d72321d288303a6ee08f4

Download Submit
C:\Windows\{8F75AC67-CA90-4125-BF86-8A27F1EF0F38}.exe

Filesize
168KB

MD5
d3d2651bb72a7d19288f489eed8906af

SHA1
40fdda3eadfad3dede6ce97be8024dca13947a43

SHA256
74c89f7056bd44bc77145adc96813b4c51c001bc37b3fd8c61f85c073460ebe3

SHA512
9febe2e565121e82056d11dbae49cd35e20e2fc8bc8235e860ebb8f3d1c55c219565526125c8d1a5d8ec2e81b520da21c65e140b12e08aa2e316ddc0897f008a

Download Submit
C:\Windows\{A892AC46-0C33-4a02-976F-7EA93357F80B}.exe

Filesize
168KB

MD5
f0951c0dfb1c664c25b9aec0b6c948cf

SHA1
a72840a19bf7e85087bccd2e20e5dd2fa690dc87

SHA256
bbb99d15eac268dfbe16a5243b645797eb68e49e2bf3010b464f181b15687dbe

SHA512
ad8dc90fe0b62a9da7621649ac107dee3c66eb669a5fbd7cf69cebf5cba725fcf4e0a531ee46398f149487e62ce9f4b82883fcaa16e35716c16b2e9d3ba1d44e

Download Submit
C:\Windows\{AA21DCB7-FB75-4076-89CB-96742F480C49}.exe

Filesize
168KB

MD5
bd3568ac480e43853603b21c4492ec06

SHA1
fe5286cfea942fe9bb9a00f664146570dac07e93

SHA256
1c8b210c51f75cb58f2e29455279ace192d0eb240c00ff8b46d0cf4a85b3c16a

SHA512
f1bc2a7fa226cd8cf4ccaea42e65d7c01ec8c6700e5ff8d87f15b1b7345486554cc68f90ecf41eab376d2707d09c02bbfbe0798c934359bcc2cde8da574ea500

Download Submit
C:\Windows\{BAFE6ABD-1D3A-4da0-820C-DB3568C5449C}.exe

Filesize
168KB

MD5
230203b201ac01cbfc8aa871f422a1fe

SHA1
882677a6b9d64e3338b99b7cd4b4941f7ffaad68

SHA256
c05b782f40de276bc9f632396a2ea73232097fc3119070546ca2b3ec496176b2

SHA512
4a3cbae58b7483b6d8836b64192eaf457d2e5ad4a351f1847214159ca15ea6806449346d51ce39475aee8185a843917420fc8eda0556481c0942f3917e8b3179

Download Submit
C:\Windows\{C8211EDD-CD9B-450b-ADCC-D6C3492B509D}.exe

Filesize
168KB

MD5
b3dfdddbced3f5a75f4c1410982f4f44

SHA1
e443f686e5b945cd3aa7cc0751f5e792f2328d7a

SHA256
d1820184b76ff39f0dfae1efb7b09d60eaf98f1265c2450cc096de1f2f16e054

SHA512
331caf2f4457d62d8a3650ef2b7be44963bbd539627a38099ec54b55d08fdf99b73528865f3d4669c2ce82ed566884e59a630e14c8a8006b402f4b0fe0068350

Download Submit
C:\Windows\{CD439C97-25F8-4b94-A031-C5D2DDE8CA39}.exe

Filesize
168KB

MD5
a3f0bf1b25f2033d07dcd28e52e18bce

SHA1
e03343d672ba36b44a5bc79b317d655d59854389

SHA256
b10162f5df468661a69feaa2f92874a66dde25f009ec2767549b1f6e72a760ca

SHA512
e7787be5ff66108d7f8f90787691b4f94105e88627d3ef5a6cc98a7ba41982a3a8ab2819755b93183af3b672d797e52d15805b8edcdb16bd5597057606be8929

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads