cba8c7a97ad1bacaac00578d4d5d422b82064ff9b3b9b6c0e67083e6948ef82a

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Size

168KB
MD5

a73f9620b650cad8be84fea4b2ce1565
SHA1

02a108e425dda8043a4af1fcc0686c3abcbe6061
SHA256

cba8c7a97ad1bacaac00578d4d5d422b82064ff9b3b9b6c0e67083e6948ef82a
SHA512

d0b676caae9a7edb4b85273a1c8937706fcfb317b810b317cbf4c7cb0ca26c0771513a289a6dbd13658653edf43f8e0364e46cb110682948771ed201c9318560
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022974-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022aa4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233bc-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233c5-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233c5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c0-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233c5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c0-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233c5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233c0-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D606094-A357-4ced-96DC-A7D0251D868B}\stubpath = "C:\\Windows\\{8D606094-A357-4ced-96DC-A7D0251D868B}.exe"	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3538EA9-FE83-46a2-9862-34F9B94405E7}\stubpath = "C:\\Windows\\{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe"	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}\stubpath = "C:\\Windows\\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe"	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1673A26A-D8A3-4642-9322-DEE53CA2D888}	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1673A26A-D8A3-4642-9322-DEE53CA2D888}\stubpath = "C:\\Windows\\{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe"	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}\stubpath = "C:\\Windows\\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe"	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}\stubpath = "C:\\Windows\\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe"	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56E5A17F-2A44-4996-A77F-C4933538C4AB}	{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}\stubpath = "C:\\Windows\\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe"	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B084615F-71F0-4570-BFDA-BF452DCA0049}	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56E5A17F-2A44-4996-A77F-C4933538C4AB}\stubpath = "C:\\Windows\\{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe"	{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D606094-A357-4ced-96DC-A7D0251D868B}	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}\stubpath = "C:\\Windows\\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe"	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B084615F-71F0-4570-BFDA-BF452DCA0049}\stubpath = "C:\\Windows\\{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe"	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}\stubpath = "C:\\Windows\\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe"	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3538EA9-FE83-46a2-9862-34F9B94405E7}	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}\stubpath = "C:\\Windows\\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe"	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
3492	{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
996	{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
File created	C:\Windows\{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
File created	C:\Windows\{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
File created	C:\Windows\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
File created	C:\Windows\{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
File created	C:\Windows\{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe	{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
File created	C:\Windows\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
File created	C:\Windows\{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
File created	C:\Windows\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
File created	C:\Windows\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
File created	C:\Windows\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
File created	C:\Windows\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
Token: SeIncBasePriorityPrivilege	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
Token: SeIncBasePriorityPrivilege	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
Token: SeIncBasePriorityPrivilege	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
Token: SeIncBasePriorityPrivilege	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
Token: SeIncBasePriorityPrivilege	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
Token: SeIncBasePriorityPrivilege	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
Token: SeIncBasePriorityPrivilege	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
Token: SeIncBasePriorityPrivilege	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
Token: SeIncBasePriorityPrivilege	924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
Token: SeIncBasePriorityPrivilege	3492	{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4800	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	84
PID 2872 wrote to memory of 4800	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	84
PID 2872 wrote to memory of 4800	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	84
PID 2872 wrote to memory of 4232	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	85
PID 2872 wrote to memory of 4232	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	85
PID 2872 wrote to memory of 4232	2872	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	85
PID 4800 wrote to memory of 3776	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	86
PID 4800 wrote to memory of 3776	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	86
PID 4800 wrote to memory of 3776	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	86
PID 4800 wrote to memory of 3624	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	87
PID 4800 wrote to memory of 3624	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	87
PID 4800 wrote to memory of 3624	4800	{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe	87
PID 3776 wrote to memory of 4980	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	90
PID 3776 wrote to memory of 4980	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	90
PID 3776 wrote to memory of 4980	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	90
PID 3776 wrote to memory of 868	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	91
PID 3776 wrote to memory of 868	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	91
PID 3776 wrote to memory of 868	3776	{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe	91
PID 4980 wrote to memory of 1412	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	96
PID 4980 wrote to memory of 1412	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	96
PID 4980 wrote to memory of 1412	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	96
PID 4980 wrote to memory of 1116	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	97
PID 4980 wrote to memory of 1116	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	97
PID 4980 wrote to memory of 1116	4980	{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe	97
PID 1412 wrote to memory of 3340	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	99
PID 1412 wrote to memory of 3340	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	99
PID 1412 wrote to memory of 3340	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	99
PID 1412 wrote to memory of 2856	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	100
PID 1412 wrote to memory of 2856	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	100
PID 1412 wrote to memory of 2856	1412	{8D606094-A357-4ced-96DC-A7D0251D868B}.exe	100
PID 3340 wrote to memory of 4988	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	101
PID 3340 wrote to memory of 4988	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	101
PID 3340 wrote to memory of 4988	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	101
PID 3340 wrote to memory of 1632	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	102
PID 3340 wrote to memory of 1632	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	102
PID 3340 wrote to memory of 1632	3340	{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe	102
PID 4988 wrote to memory of 3844	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	103
PID 4988 wrote to memory of 3844	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	103
PID 4988 wrote to memory of 3844	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	103
PID 4988 wrote to memory of 1096	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	104
PID 4988 wrote to memory of 1096	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	104
PID 4988 wrote to memory of 1096	4988	{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe	104
PID 3844 wrote to memory of 376	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	105
PID 3844 wrote to memory of 376	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	105
PID 3844 wrote to memory of 376	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	105
PID 3844 wrote to memory of 3608	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	106
PID 3844 wrote to memory of 3608	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	106
PID 3844 wrote to memory of 3608	3844	{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe	106
PID 376 wrote to memory of 3472	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	107
PID 376 wrote to memory of 3472	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	107
PID 376 wrote to memory of 3472	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	107
PID 376 wrote to memory of 4780	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	108
PID 376 wrote to memory of 4780	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	108
PID 376 wrote to memory of 4780	376	{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe	108
PID 3472 wrote to memory of 924	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	109
PID 3472 wrote to memory of 924	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	109
PID 3472 wrote to memory of 924	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	109
PID 3472 wrote to memory of 4368	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	110
PID 3472 wrote to memory of 4368	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	110
PID 3472 wrote to memory of 4368	3472	{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe	110
PID 924 wrote to memory of 3492	924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe	111
PID 924 wrote to memory of 3492	924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe	111
PID 924 wrote to memory of 3492	924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe	111
PID 924 wrote to memory of 2932	924	{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
  C:\Windows\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
    C:\Windows\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
      C:\Windows\{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
        
        C:\Windows\{8D606094-A357-4ced-96DC-A7D0251D868B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
        
        C:\Windows\{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
        
        C:\Windows\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
        
        C:\Windows\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
        
        C:\Windows\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
        
        C:\Windows\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
        
        C:\Windows\{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
        
        C:\Windows\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe
        
        C:\Windows\{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ACD6~1.EXE > nul
        13⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0846~1.EXE > nul
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A27B2~1.EXE > nul
        11⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F30C~1.EXE > nul
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF31~1.EXE > nul
        9⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42267~1.EXE > nul
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3538~1.EXE > nul
        7⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D606~1.EXE > nul
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1673A~1.EXE > nul
        5⤵
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5719~1.EXE > nul
      4⤵
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88DAF~1.EXE > nul
    3⤵
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1673A26A-D8A3-4642-9322-DEE53CA2D888}.exe

Filesize
168KB

MD5
62c4dd46f47c0f0115d0ccfa40f3a49b

SHA1
3200c8fc92df29880c52b4129d247698db3001d6

SHA256
c2f1e3156ab73ee1355fdeda6146f147181f04b28c044462ce44b77d6612b6a5

SHA512
45e1d812a67099cfedab28eecd3c270677f0515e82578a2e3eff3d7932e5449308f8204aca3476b0b8fcdb6cbc18f22a292733c1032a51a0a6a1e1aad255590b

Download Submit
C:\Windows\{2ACD6D25-9E0A-4bcf-8E71-0F5278666057}.exe

Filesize
168KB

MD5
3fe10c96580d53b7bba2c630f5c0b98c

SHA1
e50882e53824d362c5d732c762bfe80d6c12f74e

SHA256
250549c2030882fc49043fe1ad4fc5cfb5d7454ad96d8a751d29606f4bb71a98

SHA512
df7036f9028f2169412d03853c05c3b1634393ee2bb65332b38d1f2ae4553df44a30a27a5c678ff09ecf63fccfb06bf1928dee707f81b54c96704272fe78ad39

Download Submit
C:\Windows\{42267F45-D719-4fd8-B798-0CF8D73B7ABB}.exe

Filesize
168KB

MD5
2484b1eebe93202630e4bf5d6d8353a3

SHA1
9d8cf7c38fec1a39ffc43fa88a11242898aa8d53

SHA256
541c5bc2692991c7daa7c951613eb570351e13ca4d132b99b51fe39bb52a5a0b

SHA512
b3a7488729bc1ec4cb1ef03a4376df21f3a7dda5f66387f18b6b7cf4c2dfa711a87dbfcf7a8a00edc4d87032374cbde827f485e1286402c9648a8aaebf19548c

Download Submit
C:\Windows\{56E5A17F-2A44-4996-A77F-C4933538C4AB}.exe

Filesize
168KB

MD5
2e024ee44dcbb5594f10f170d5c58c38

SHA1
1bc365a57405c9601863a34a637788753bcb609c

SHA256
fbb0060797137183116c5fca7207b8616d9ff53d403642e3bad367a0651740d5

SHA512
fb881ead96de9c05b6711e7ece5a4629c902f958a0b1eef0e72a47ad14be2fee12a28dcd9c4c84216c7a785ed138f8520ed69202521a028e4bf16a2f821a9d4a

Download Submit
C:\Windows\{88DAF64C-9F9F-47c4-B24C-60B1675ED7BE}.exe

Filesize
168KB

MD5
954f652475e0b483be897814e7a08631

SHA1
109e7716e5c17251961744f5dc72e4f7ced10494

SHA256
23925ef02b284d4a88f8334e51ffc966ffe3a69e5785664d57dffcae75b62c79

SHA512
4f841806789dedac75e7c2d94ada02d6d95d4f70c5a46ecd0ab8d43e0f3877c808db9c1940af9ffe5dd73391c79c3d56e46e2da8697396a189e64ecdff2ae323

Download Submit
C:\Windows\{8D606094-A357-4ced-96DC-A7D0251D868B}.exe

Filesize
168KB

MD5
a44b33c086d18512c527aa7cd20dc81b

SHA1
912de8112a01ad54874eedf144518255892afdb6

SHA256
de08cff286cd677efc218a824cc4ba054bc8a7549f0fb99ca0edcfc1fdc2fabe

SHA512
5dae5f889e43260d14a0431e07fe17879f65ef22c4edb65e17d870d84fda2b56bd43323b68f75ece6b55e5137a4ad06a5b343cdb852ff55846d56daa32853a73

Download Submit
C:\Windows\{9F30CC53-4A12-4ef8-BE2E-EEFF4BF44966}.exe

Filesize
168KB

MD5
71b713369b6751aac8a98cb8f4d2563d

SHA1
313d8146566bb84b7f77a114a9693081c44e2301

SHA256
18c116656fed106da480a75a6bb28f89fb89c45ff91f25afa77f50bf84b88746

SHA512
bc52e0ad67ef8a75ce4411ae4a071c58a64ca6cbdc35ca662af26a27a8eec634188b42e3ba9433eb1ea12aa5fb2af8e1b361670d8709d9cc6862db776c444b99

Download Submit
C:\Windows\{A27B2171-D5E3-42a9-96B2-FFE623AE3330}.exe

Filesize
168KB

MD5
7b285f2acd96e73b5fcfba46337b29b9

SHA1
878e2f9c6b579000f12e18cb3bcb1dce223513e8

SHA256
900f0834687536064f36404decfe029dd24ccb2882f8c1bf781ac35667612a8a

SHA512
e5273d1a130349e2ab7b8f647fec9bda1f9bd4b5509c09dbfde124368982fbcfe7702c204aaecf9140b672934847580f1f1700281ea65308791167c918596285

Download Submit
C:\Windows\{B084615F-71F0-4570-BFDA-BF452DCA0049}.exe

Filesize
168KB

MD5
12af850505c690a191230533288953c1

SHA1
530d98586a6c150e3bb16f51e54c0862f85934fe

SHA256
3c76826139c7595ac4db96726fffc36f46aa4cbd10974a17ca6f37bd34d88f61

SHA512
4f8340f8e53a82cc7a85d948c4699bf0eed4dbe367f8757fe8c6772121fb45042dcdde8652642bafb4df500895596c9ca6c4918dffd9991e2dc36b509ad83f8f

Download Submit
C:\Windows\{B3538EA9-FE83-46a2-9862-34F9B94405E7}.exe

Filesize
168KB

MD5
a6cbb919736c0da950bc5e8e7ade3ba4

SHA1
70cc4286a23b9def6ddfc9435fcee569174ee66d

SHA256
286029e92f9affafd1971f66a2d8d51d539efdc1d3fc6a84355916149019b8be

SHA512
a6a8b66cf7a586e64acfe509bb7acd01378d51fd656a091010215d4e697a46eb1812128371a39c6dfd44dcf2b1dcdd9d3999a90748c2e7417f68af4bf12e8c0c

Download Submit
C:\Windows\{BEF31F6D-B4AD-4c9d-A52A-CC201B986104}.exe

Filesize
168KB

MD5
229da09d085b62ad8c42dab01a052d6d

SHA1
1f012be46118031e7954564aff0581d4d7115ce9

SHA256
cf65529be614d0648ebe9c4b00b0c543625144c474806e7aff83e88e5e04aacc

SHA512
3586527875001f6dc89c76c802db2a4a42059d17c48f0a978c696126aef37371d98b83807fc1dd2929ff11f5fb6b709590118616f19249958d44dee4e4bc6647

Download Submit
C:\Windows\{F5719A49-C19F-45bf-B8DF-6C818AD7261E}.exe

Filesize
168KB

MD5
a1c80960612d6923748b98f02628dbf2

SHA1
1e277bc73c178614418f5358ec7b7df2cdebbda2

SHA256
76ee481f27170680eca032320a0f97dc21ec528a7ea7f20b505eb1b03691efcf

SHA512
34d474073a922106f794550019582e75a7629c45762799901e102b4ecf8a61d8e330179cb9225d06b192540942de57fb9b0310b0c18416131af8e12f1849a9ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads