d123adee4fb8542703a07c71c3f6c1b211a157ad2e21d2164ab988f753cece03

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Size

344KB
MD5

ba35306ca555582e0af9679beb877cae
SHA1

dc8e44ee00412be9474eb6bdbb4b45d8c96d4cf3
SHA256

d123adee4fb8542703a07c71c3f6c1b211a157ad2e21d2164ab988f753cece03
SHA512

2da0b38d6c361983f35d4de553bf3db3331b3ffbaf3b73d25ca098de94522ab7a81105e96eb26d440303742083bd5a6b2c6a83671dea3fa4623d8203392a869e
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGFlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023381-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023382-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023388-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002335e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023388-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023403-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023388-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023417-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023388-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023408-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023388-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002336b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4540A478-07CD-470a-BC20-1B266F66E49F}\stubpath = "C:\\Windows\\{4540A478-07CD-470a-BC20-1B266F66E49F}.exe"	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6C48336-7599-4260-8905-1E9D6A7E488B}	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}\stubpath = "C:\\Windows\\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe"	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2499D8-6F49-4fcf-B203-349D9782B134}\stubpath = "C:\\Windows\\{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe"	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}\stubpath = "C:\\Windows\\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe"	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}\stubpath = "C:\\Windows\\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe"	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4540A478-07CD-470a-BC20-1B266F66E49F}	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}\stubpath = "C:\\Windows\\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe"	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}\stubpath = "C:\\Windows\\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe"	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}\stubpath = "C:\\Windows\\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe"	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30B85FC-B3C4-43d0-84F5-14D762131221}	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6C48336-7599-4260-8905-1E9D6A7E488B}\stubpath = "C:\\Windows\\{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe"	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2499D8-6F49-4fcf-B203-349D9782B134}	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CD9AB09-5EFC-42d7-B67E-008A14771126}\stubpath = "C:\\Windows\\{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe"	{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30B85FC-B3C4-43d0-84F5-14D762131221}\stubpath = "C:\\Windows\\{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe"	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}\stubpath = "C:\\Windows\\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe"	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CD9AB09-5EFC-42d7-B67E-008A14771126}	{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
4092	{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
3976	{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
File created	C:\Windows\{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
File created	C:\Windows\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
File created	C:\Windows\{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
File created	C:\Windows\{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
File created	C:\Windows\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
File created	C:\Windows\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
File created	C:\Windows\{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe	{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
File created	C:\Windows\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
File created	C:\Windows\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
File created	C:\Windows\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
File created	C:\Windows\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
Token: SeIncBasePriorityPrivilege	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
Token: SeIncBasePriorityPrivilege	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
Token: SeIncBasePriorityPrivilege	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
Token: SeIncBasePriorityPrivilege	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
Token: SeIncBasePriorityPrivilege	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
Token: SeIncBasePriorityPrivilege	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
Token: SeIncBasePriorityPrivilege	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
Token: SeIncBasePriorityPrivilege	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
Token: SeIncBasePriorityPrivilege	4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
Token: SeIncBasePriorityPrivilege	4092	{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1760	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	98
PID 2564 wrote to memory of 1760	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	98
PID 2564 wrote to memory of 1760	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	98
PID 2564 wrote to memory of 2456	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	99
PID 2564 wrote to memory of 2456	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	99
PID 2564 wrote to memory of 2456	2564	2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe	99
PID 1760 wrote to memory of 3344	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	100
PID 1760 wrote to memory of 3344	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	100
PID 1760 wrote to memory of 3344	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	100
PID 1760 wrote to memory of 2148	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	101
PID 1760 wrote to memory of 2148	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	101
PID 1760 wrote to memory of 2148	1760	{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe	101
PID 3344 wrote to memory of 3016	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	104
PID 3344 wrote to memory of 3016	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	104
PID 3344 wrote to memory of 3016	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	104
PID 3344 wrote to memory of 1268	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	105
PID 3344 wrote to memory of 1268	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	105
PID 3344 wrote to memory of 1268	3344	{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe	105
PID 3016 wrote to memory of 4452	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	106
PID 3016 wrote to memory of 4452	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	106
PID 3016 wrote to memory of 4452	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	106
PID 3016 wrote to memory of 4196	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	107
PID 3016 wrote to memory of 4196	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	107
PID 3016 wrote to memory of 4196	3016	{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe	107
PID 4452 wrote to memory of 1516	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	108
PID 4452 wrote to memory of 1516	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	108
PID 4452 wrote to memory of 1516	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	108
PID 4452 wrote to memory of 4416	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	109
PID 4452 wrote to memory of 4416	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	109
PID 4452 wrote to memory of 4416	4452	{4540A478-07CD-470a-BC20-1B266F66E49F}.exe	109
PID 1516 wrote to memory of 4960	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	111
PID 1516 wrote to memory of 4960	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	111
PID 1516 wrote to memory of 4960	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	111
PID 1516 wrote to memory of 3280	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	112
PID 1516 wrote to memory of 3280	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	112
PID 1516 wrote to memory of 3280	1516	{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe	112
PID 4960 wrote to memory of 3996	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	113
PID 4960 wrote to memory of 3996	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	113
PID 4960 wrote to memory of 3996	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	113
PID 4960 wrote to memory of 2024	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	114
PID 4960 wrote to memory of 2024	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	114
PID 4960 wrote to memory of 2024	4960	{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe	114
PID 3996 wrote to memory of 3992	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	118
PID 3996 wrote to memory of 3992	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	118
PID 3996 wrote to memory of 3992	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	118
PID 3996 wrote to memory of 4048	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	119
PID 3996 wrote to memory of 4048	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	119
PID 3996 wrote to memory of 4048	3996	{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe	119
PID 3992 wrote to memory of 3092	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	123
PID 3992 wrote to memory of 3092	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	123
PID 3992 wrote to memory of 3092	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	123
PID 3992 wrote to memory of 5100	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	124
PID 3992 wrote to memory of 5100	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	124
PID 3992 wrote to memory of 5100	3992	{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe	124
PID 3092 wrote to memory of 4940	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	125
PID 3092 wrote to memory of 4940	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	125
PID 3092 wrote to memory of 4940	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	125
PID 3092 wrote to memory of 2796	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	126
PID 3092 wrote to memory of 2796	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	126
PID 3092 wrote to memory of 2796	3092	{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe	126
PID 4940 wrote to memory of 4092	4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe	127
PID 4940 wrote to memory of 4092	4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe	127
PID 4940 wrote to memory of 4092	4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe	127
PID 4940 wrote to memory of 3768	4940	{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_ba35306ca555582e0af9679beb877cae_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
  C:\Windows\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
    C:\Windows\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
      C:\Windows\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
        
        C:\Windows\{4540A478-07CD-470a-BC20-1B266F66E49F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
        
        C:\Windows\{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
        
        C:\Windows\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
        
        C:\Windows\{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
        
        C:\Windows\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
        
        C:\Windows\{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
        
        C:\Windows\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
        
        C:\Windows\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe
        
        C:\Windows\{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe
        13⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EBED~1.EXE > nul
        13⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE8E~1.EXE > nul
        12⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A249~1.EXE > nul
        11⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEBA~1.EXE > nul
        10⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C48~1.EXE > nul
        9⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C7E5~1.EXE > nul
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F30B8~1.EXE > nul
        7⤵
        
        PID:3280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4540A~1.EXE > nul
        6⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F9E~1.EXE > nul
        5⤵
        
        PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A52~1.EXE > nul
      4⤵
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{165E3~1.EXE > nul
    3⤵
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A2499D8-6F49-4fcf-B203-349D9782B134}.exe

Filesize
344KB

MD5
238b3eb4fdfffd3d4280760d4feecdd1

SHA1
665e85a83ca7a0cd9bfbd4837573421b536f0703

SHA256
673dab12b831e7554412198867e95d0f3a943a3016418d28d517e6ead3ce7fc0

SHA512
b9bb959969f5a4eb648156aab95ec60d0cd21aaab8bc7d39b95575b42bd2df0a0bb33e8218d50ac89407811cf06c0cd63996096f34ce0f23e91eba524da11d6d

Download Submit
C:\Windows\{165E37EA-9813-4304-9F25-9F8AF51FAD0E}.exe

Filesize
344KB

MD5
b6361f62e3507ac6af886a32506e16fa

SHA1
44587aaea27173cc72d13cf2bd9144e6108e9700

SHA256
07c2b356188a633e2c4571772849024d6e466a07805114125d6aa925faf18a9f

SHA512
5a3cc0eb16ca4673c42582db0d90a8f8a44da8a86887ee340369b3f0964582546280167737d1fd9f8e8df487a74e363cda0700472cdf3479393999169f8b7ce1

Download Submit
C:\Windows\{29F9ED13-F9A3-4504-B5C7-AC98F2024F10}.exe

Filesize
344KB

MD5
2981ec5415959e6807a191cc280af16a

SHA1
43be9d003177b3c467ddd7687d2d933c4a59db50

SHA256
9785096d40ace12c124af4a81ea8fe362ab65715b5915649ca4a158d56eb48a9

SHA512
738bbc78efeb23b086c97642e15954df50b1124af0924051a6dafff1ce22b3ee48668f12ebd1e0887cdec93f1a27d7778efafdff6d9aa99dd3d04cb87bb877b7

Download Submit
C:\Windows\{2EBED9CD-6804-44cc-B157-DF6CC46267A2}.exe

Filesize
344KB

MD5
83f1d8bd8cfc8c7142f52d4374ad6bb0

SHA1
dc83902f09d67a06a488c2012ca2aab742d2d8a4

SHA256
d7a9d49aaf46b748e6f24a9527a1e4bd5e2c894c32291d2f900cb75f6f9b771a

SHA512
8f15decc62e8382fa7713df068d6fff0d4c6d2a36a76ddb8f93da1c1909ce8083b42594f8ae7b0b4f3563f35d6bb13c2d8c241d382aa2c84409cea289d783474

Download Submit
C:\Windows\{4540A478-07CD-470a-BC20-1B266F66E49F}.exe

Filesize
344KB

MD5
2de42054450cda0c1a3386e54f026a0f

SHA1
5e0634c788ad81ed7b99d22a7ae2d265d456210c

SHA256
c6c00a67a4805ca673a8aaf7f0bd0f691355dba537cf71d8c78ada8081550112

SHA512
e3a1fe28523242e18bdae5764a084cf4c7b56964ea2926f9cc96fdc99deb0312609fc91cdcae4ec369236243fc4a43e53f2f69005f20c6ae93303b1ffcd3e9b4

Download Submit
C:\Windows\{6C7E5AF2-08AB-4f67-9990-ADEC6B134EA4}.exe

Filesize
344KB

MD5
84a6a57b8f807e6816095f335e278821

SHA1
09f45c2fbff96e5b4be5e8f8715b2d6652f255f8

SHA256
95939e05b78cc458f8f18cd311d1986dfa734f4c6a8203fca24f07a29fd908b2

SHA512
fb5211e63900574bdb5ff98e6f5aa0c3a9fca5994cafa990d928435963560c0aaa54424d58ab88d0848bcf81fc07497d79bd3336b0b13f3fc93a3c3b6decb84d

Download Submit
C:\Windows\{9CD9AB09-5EFC-42d7-B67E-008A14771126}.exe

Filesize
344KB

MD5
588310d80d3aaebb4612a4342e40530c

SHA1
8d11985d159f0f6045b3794a67d5e4d797b5c4d5

SHA256
fb3659cab41abd4abcf37ab475f0b9d1288396ba5bac83630e5a74a5ca782ede

SHA512
6a34a001d50456b7abcc706c5e563cbabf1cf3aa22eea6375e12df29f615905dc2996273608ab144e4f88078473edf86ea07a455addc2ea19c58e6bd36371560

Download Submit
C:\Windows\{ACEBA3FB-2B55-45f6-A140-1B99DB469E70}.exe

Filesize
344KB

MD5
38bc3198a5ccec15e30d8f990daf0cf0

SHA1
1aa1949ad4a4e9ba912675dcfa40ba250d1e8b74

SHA256
33131e7eeb75c67e955d8eeb65104ab4767f7dff67e7fd73ec7d579b5368a81f

SHA512
6e9916221518b53ee75d6ce637c5975de980d6f8310ab6a01e1d38d012d4c7363b32f542232ba3719e0613ee47f5462384609f9c88372e7af1eade569672b910

Download Submit
C:\Windows\{D4A52BF0-9BE0-45ad-ACEB-B408CB20C6AE}.exe

Filesize
344KB

MD5
e4255cfc0a4a78feb1db5afc736c66e5

SHA1
ee9aeb3437d4b390f3fb4ffb61fccfaaeda81114

SHA256
03141718450a9a289ae10dd3ba9f00d25290002f6dde4d778746f85359d30c6d

SHA512
aabc8be7b1ae4f98f89953693826aefcbccca6ba32f6365455fc5a204ff2793c5ac9b71d0f5a98ab0607b41ceacd6f2cd74237f3f44a846e637e21f9620e9616

Download Submit
C:\Windows\{DBE8E52B-CD88-438e-A02F-0523A8708A8F}.exe

Filesize
344KB

MD5
0b7e4f098e10481d6d2fa1229708355d

SHA1
a86da3678a373cf9cfd465f7af75be84c3ca546c

SHA256
d6c9c9af96eb8d372de1e1fb8083756a568718bf3f1b062113a2bc6638459bd1

SHA512
0a065e08e55db6aa16ab1feae02ed96347fcee4390ee325ee9da71e07affdf219e4b58a2504b3b003f00618290032d4c6ce5fb38ee89694a28ba4efa40dc8284

Download Submit
C:\Windows\{F30B85FC-B3C4-43d0-84F5-14D762131221}.exe

Filesize
344KB

MD5
9f2ba7e5c828291f50b08bace488183c

SHA1
3ed8c9b4e36646b75043a4c177a2675d926c5a53

SHA256
2277da53db0c57e8f086afc2fa3f79ffa8cde5cb8b7f2d29d7cc18aad324dc33

SHA512
19954970a09108edac67e7018ffe68a40e07c5ec88b3be0c14176a1e0a97fd873a5ebd7ac8f2ccdf1918f04a5603996e9a4d284059121f60afed238cfa486f66

Download Submit
C:\Windows\{F6C48336-7599-4260-8905-1E9D6A7E488B}.exe

Filesize
344KB

MD5
c1292e4b766e9a0223b56f6fe4951341

SHA1
cecc0dfd8169407c28777206924a14b043c6068a

SHA256
6e7bf27372a608a595bf26246a096b0344a4e27ef22ca41d0edc9869ee548c80

SHA512
873812e81c8714e321ff35f3dbd828fe72d324d136a6bbda2cd88746b2978638921640c93d1a24cac79b947c2986cf65ed342f1c86d0f811e2471822714c54ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads