3283dcd16452f7369d2ae736dc09182f21c64955662d288d9ee38af8ff924ccd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Size

372KB
MD5

ca0cebf8acbac11b2c27076f75497092
SHA1

94ff4c41972f913a8948c9ad342a7cda0b3c390b
SHA256

3283dcd16452f7369d2ae736dc09182f21c64955662d288d9ee38af8ff924ccd
SHA512

ae4396f527c7a1f7e99efa70f436d66929f7f6f477d79f9a812a2272dc74d685ec6b13b1b16efb89004202430d8b517b61566a04e329d5d08ae9ed8265b65b2c
SSDEEP

3072:CEGh0o8lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGClkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022d26-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022ea1-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022ea1-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023251-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023251-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002310b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023251-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002310b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023251-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002322e-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023250-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002322e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76898E91-4F6B-4925-9F8E-36584EB90A36}\stubpath = "C:\\Windows\\{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe"	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02588001-71D6-4463-908B-9338E4388530}	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5241DC2D-2835-4670-B5A0-3122D4855527}\stubpath = "C:\\Windows\\{5241DC2D-2835-4670-B5A0-3122D4855527}.exe"	{02588001-71D6-4463-908B-9338E4388530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8496E167-8B46-4306-AB42-1586213F4DB9}	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{660707C6-87A0-4022-9135-F33FBB00E3E6}\stubpath = "C:\\Windows\\{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe"	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}\stubpath = "C:\\Windows\\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe"	{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76898E91-4F6B-4925-9F8E-36584EB90A36}	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}\stubpath = "C:\\Windows\\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe"	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E68C0C-0DDB-421f-A4BA-946CC5381536}	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34E68C0C-0DDB-421f-A4BA-946CC5381536}\stubpath = "C:\\Windows\\{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe"	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}\stubpath = "C:\\Windows\\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe"	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}\stubpath = "C:\\Windows\\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe"	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}	{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}\stubpath = "C:\\Windows\\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe"	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8496E167-8B46-4306-AB42-1586213F4DB9}\stubpath = "C:\\Windows\\{8496E167-8B46-4306-AB42-1586213F4DB9}.exe"	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{660707C6-87A0-4022-9135-F33FBB00E3E6}	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}\stubpath = "C:\\Windows\\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe"	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5241DC2D-2835-4670-B5A0-3122D4855527}	{02588001-71D6-4463-908B-9338E4388530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02588001-71D6-4463-908B-9338E4388530}\stubpath = "C:\\Windows\\{02588001-71D6-4463-908B-9338E4388530}.exe"	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe

Executes dropped EXE 12 IoCs

pid	Process
2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
776	{02588001-71D6-4463-908B-9338E4388530}.exe
4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
3440	{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe
4416	{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
File created	C:\Windows\{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
File created	C:\Windows\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
File created	C:\Windows\{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
File created	C:\Windows\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
File created	C:\Windows\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
File created	C:\Windows\{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
File created	C:\Windows\{02588001-71D6-4463-908B-9338E4388530}.exe	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
File created	C:\Windows\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
File created	C:\Windows\{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	{02588001-71D6-4463-908B-9338E4388530}.exe
File created	C:\Windows\{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
File created	C:\Windows\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe	{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
Token: SeIncBasePriorityPrivilege	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
Token: SeIncBasePriorityPrivilege	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
Token: SeIncBasePriorityPrivilege	776	{02588001-71D6-4463-908B-9338E4388530}.exe
Token: SeIncBasePriorityPrivilege	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
Token: SeIncBasePriorityPrivilege	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
Token: SeIncBasePriorityPrivilege	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
Token: SeIncBasePriorityPrivilege	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
Token: SeIncBasePriorityPrivilege	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
Token: SeIncBasePriorityPrivilege	4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
Token: SeIncBasePriorityPrivilege	3440	{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2920	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	98
PID 3836 wrote to memory of 2920	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	98
PID 3836 wrote to memory of 2920	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	98
PID 3836 wrote to memory of 4364	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	99
PID 3836 wrote to memory of 4364	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	99
PID 3836 wrote to memory of 4364	3836	2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe	99
PID 2920 wrote to memory of 3376	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	100
PID 2920 wrote to memory of 3376	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	100
PID 2920 wrote to memory of 3376	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	100
PID 2920 wrote to memory of 4876	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	101
PID 2920 wrote to memory of 4876	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	101
PID 2920 wrote to memory of 4876	2920	{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe	101
PID 3376 wrote to memory of 348	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	105
PID 3376 wrote to memory of 348	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	105
PID 3376 wrote to memory of 348	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	105
PID 3376 wrote to memory of 1568	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	104
PID 3376 wrote to memory of 1568	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	104
PID 3376 wrote to memory of 1568	3376	{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe	104
PID 348 wrote to memory of 776	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	109
PID 348 wrote to memory of 776	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	109
PID 348 wrote to memory of 776	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	109
PID 348 wrote to memory of 5012	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	108
PID 348 wrote to memory of 5012	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	108
PID 348 wrote to memory of 5012	348	{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe	108
PID 776 wrote to memory of 4492	776	{02588001-71D6-4463-908B-9338E4388530}.exe	110
PID 776 wrote to memory of 4492	776	{02588001-71D6-4463-908B-9338E4388530}.exe	110
PID 776 wrote to memory of 4492	776	{02588001-71D6-4463-908B-9338E4388530}.exe	110
PID 776 wrote to memory of 3952	776	{02588001-71D6-4463-908B-9338E4388530}.exe	111
PID 776 wrote to memory of 3952	776	{02588001-71D6-4463-908B-9338E4388530}.exe	111
PID 776 wrote to memory of 3952	776	{02588001-71D6-4463-908B-9338E4388530}.exe	111
PID 4492 wrote to memory of 4504	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	112
PID 4492 wrote to memory of 4504	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	112
PID 4492 wrote to memory of 4504	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	112
PID 4492 wrote to memory of 1408	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	113
PID 4492 wrote to memory of 1408	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	113
PID 4492 wrote to memory of 1408	4492	{5241DC2D-2835-4670-B5A0-3122D4855527}.exe	113
PID 4504 wrote to memory of 3752	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	114
PID 4504 wrote to memory of 3752	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	114
PID 4504 wrote to memory of 3752	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	114
PID 4504 wrote to memory of 2440	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	115
PID 4504 wrote to memory of 2440	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	115
PID 4504 wrote to memory of 2440	4504	{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe	115
PID 3752 wrote to memory of 2120	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	116
PID 3752 wrote to memory of 2120	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	116
PID 3752 wrote to memory of 2120	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	116
PID 3752 wrote to memory of 2356	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	117
PID 3752 wrote to memory of 2356	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	117
PID 3752 wrote to memory of 2356	3752	{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe	117
PID 2120 wrote to memory of 1856	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	118
PID 2120 wrote to memory of 1856	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	118
PID 2120 wrote to memory of 1856	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	118
PID 2120 wrote to memory of 3376	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	119
PID 2120 wrote to memory of 3376	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	119
PID 2120 wrote to memory of 3376	2120	{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe	119
PID 1856 wrote to memory of 4256	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	120
PID 1856 wrote to memory of 4256	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	120
PID 1856 wrote to memory of 4256	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	120
PID 1856 wrote to memory of 2124	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	121
PID 1856 wrote to memory of 2124	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	121
PID 1856 wrote to memory of 2124	1856	{8496E167-8B46-4306-AB42-1586213F4DB9}.exe	121
PID 4256 wrote to memory of 3440	4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe	122
PID 4256 wrote to memory of 3440	4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe	122
PID 4256 wrote to memory of 3440	4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe	122
PID 4256 wrote to memory of 348	4256	{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_ca0cebf8acbac11b2c27076f75497092_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
  C:\Windows\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
    C:\Windows\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC767~1.EXE > nul
      4⤵
      PID:1568
  - - C:\Windows\{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
      C:\Windows\{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76898~1.EXE > nul
        5⤵
        
        PID:5012
    - - C:\Windows\{02588001-71D6-4463-908B-9338E4388530}.exe
        
        C:\Windows\{02588001-71D6-4463-908B-9338E4388530}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
        
        C:\Windows\{5241DC2D-2835-4670-B5A0-3122D4855527}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
        
        C:\Windows\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
        
        C:\Windows\{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
        
        C:\Windows\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
        
        C:\Windows\{8496E167-8B46-4306-AB42-1586213F4DB9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
        
        C:\Windows\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe
        
        C:\Windows\{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe
        
        C:\Windows\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe
        13⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66070~1.EXE > nul
        13⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F965~1.EXE > nul
        12⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8496E~1.EXE > nul
        11⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55868~1.EXE > nul
        10⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34E68~1.EXE > nul
        9⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C9A2~1.EXE > nul
        8⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5241D~1.EXE > nul
        7⤵
        
        PID:1408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02588~1.EXE > nul
        6⤵
        
        PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDAB~1.EXE > nul
    3⤵
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02588001-71D6-4463-908B-9338E4388530}.exe

Filesize
372KB

MD5
a1eaded05ba17e5d7af97295f4ebda05

SHA1
c4156e9df1e1c20b7bdcb9ab3cfd99608c55c246

SHA256
a98207e075083e13a11d37f2c3e1a5a1f8c47a0bfb8cc6b8cce58c3ac946f0ca

SHA512
4e596c99fced74f72417f7bba0b4c775c2e7dda6708d8cf9889f7e06f3c2e5f48ef74e4064a677cdd7a720309c4cb8ce7a483bb8f16a040cd52ecf26eabae328

Download Submit
C:\Windows\{34E68C0C-0DDB-421f-A4BA-946CC5381536}.exe

Filesize
372KB

MD5
bc0397fc0a7c5aaa1b78a3833364c492

SHA1
21826d3ee319dc522a80819ddf7f58dcc6b6df68

SHA256
a12b6c52c4760b99b0a3e1f3320d08914c86f5908ce12311caaf9dd14be110ac

SHA512
49095b654d5d540c9de75f46a5f3dd6714415eb882a8dea7f90e156b096d4f366ed68a1fdcc46628e8693412ec9422a3f3f9e688c385bc2bb40d3ec8b10a10ad

Download Submit
C:\Windows\{39DD1BB0-8B44-4d2e-AE76-91EEE6965636}.exe

Filesize
372KB

MD5
ec12eb67856366e5e239df97ffc145c4

SHA1
ac8bb4d50c0511e3d27e49012f86b284f612c5aa

SHA256
1265b1218fd885e17a3424b26810bcb4de782396c88dfc12c304029f8b4cf83c

SHA512
62aa93d7ae21626288f68152448d06c74f4223f5080fbf4e4bd6dcd49198679d1cafc5d81b5f8fc9a4e7658b173dd6221298c3c0fdfa0ea6c6c058b6f03f9a50

Download Submit
C:\Windows\{4F96547E-48A1-480e-81F6-E1B6B3A0E5C5}.exe

Filesize
372KB

MD5
8dc78b426e992192f18731428e7608ca

SHA1
6e4b47021aa23fd5d0e216448d0340f0498c4dbb

SHA256
82d00b77347322401a1e682cfe0ce7c23acba1e8b849a6f92fc1a04e0c9b0913

SHA512
7374989aedfb80d3902d51f0f72dec17e4bcedcfce2032a9915f45c6c85703989ec7c3df10aacd0b61e8126504024d98d6100df74ca6e52ff596c52f14cfb3ed

Download Submit
C:\Windows\{5241DC2D-2835-4670-B5A0-3122D4855527}.exe

Filesize
372KB

MD5
520146db3305e9768a12247937c2b136

SHA1
822fb552c616c6f4104365baa20a019385decf57

SHA256
5b43fcad37b67123fd2506c39d6cecd66ddf9d810f4d6ed7f01e4c694c8934a9

SHA512
cd4c1dc5b107505f348f8a8dd15221fc9bedca7ddc159b320c59d7aae7ed9e2dafa5ef00ffd60790003cc4e3d1259d1a78b3e81d23e0eeb35621f2908bdf88b6

Download Submit
C:\Windows\{55868F79-DB02-4ca2-AE83-C0FDB80CE687}.exe

Filesize
372KB

MD5
e2272e1c03bee78be17d9e494812f0ad

SHA1
f191685895a02a06c8efa72606d2c58adbded913

SHA256
403d2ea2f82c5bf8318cc17adb9a244ff6c5bd61807e1e5fd39bc402766df003

SHA512
d06ca990dba53be37f686f0b4e1be555f9ab537f826fe4be46c2a277ee8689e6b36af9f35fb0173044ad5571a199626d5f4c0a2f9f04f1335c8a368908ff35e2

Download Submit
C:\Windows\{660707C6-87A0-4022-9135-F33FBB00E3E6}.exe

Filesize
64KB

MD5
aac71cbef1b9aa2d1b026b7a301efcf0

SHA1
bb67a078812ad9e12e4b0da556a7432bc56b57dd

SHA256
0f548fbbc75f292fa38913aadf8b4dd8b510ede79cf2f54f83a10ed8425c2f76

SHA512
e96cab79032a92db0e52d8bc8f51d2b8c43e5b1d1010505c459fb60f1d8e6d1d78ba0c7d98f49f3fee0d64a7ddc4cd0071a78b889046d1d771f6fc1d92ec41f1

Download Submit
C:\Windows\{76898E91-4F6B-4925-9F8E-36584EB90A36}.exe

Filesize
372KB

MD5
3cffdcd5f7df7fc247b2f4e4c0028e2a

SHA1
af7316d7f1ce6a5d95ff393c7197c10cde6b8042

SHA256
43ee8279ebd0fa5b78063ecd018392a6f77cf7f5d2d1f85c6aecea0fb8812c0a

SHA512
71917141e03a5a2a33cda68a0089cad110181ad1f6162adc6651b6a3c580c79220e0d34bf8f46dc41ae035cf0dcadcba538b20bfe02369b0dc480fee03ce4dd7

Download Submit
C:\Windows\{8496E167-8B46-4306-AB42-1586213F4DB9}.exe

Filesize
372KB

MD5
ce71ef443de439882240961086df6afb

SHA1
179a6cd82a63bb14c61f2d412b909a5544602d96

SHA256
a976d1d794cc1c464d58872db1fdf78df0ffa4ee5648fb062e5b9e5a3979d5ad

SHA512
aea44caf03a32e45c6128a9ee56dc5e11882b341bf7d0fb3503445dace2b581324d4036d7d8de8334a925ceac0f8a8daa6c3ef1f766d8848ace36cd22ecfd20e

Download Submit
C:\Windows\{9C9A2904-2B40-4de9-84E2-2BE266846AC7}.exe

Filesize
372KB

MD5
1fa3150e1ab4ef5d70021ac807a3271d

SHA1
42c1480bbb7accac61b019cbd881d55983ef39b3

SHA256
b525146d1d0c94d5ad728b40df9b32178530488f8f791e4b5e927e948f630b72

SHA512
253fd7e3e86fe8bfb6f51b66ea54007aa225b703d0b0527aceed8f2a0e6ced33b6a5e68a4aeb218cee8713fd62cc88977325cf52acaad96f83c448fe2ca0bfa4

Download Submit
C:\Windows\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe

Filesize
372KB

MD5
92ec9c024571b93b29e66605d8f18202

SHA1
e8703c468f94026cc2d1c1932e8d2fe7b9970e95

SHA256
f68465bae6989b2d001bec8925bbacf3a32c0dbf41b8fc6ee60bf94a7d790874

SHA512
d537d79ac4835c470b90bb33630ff795a9f42cbd78837fb60916e459749744a47b1cc7a54fef9b03cfc269755b1d24b9b4c96aaaf854bcc419e517d6bc0fe259

Download Submit
C:\Windows\{AC767063-CA0E-4b32-B2E9-9F6AEEDA4FB8}.exe

Filesize
185KB

MD5
bd45bf3db9654275b66538e8e93e6d36

SHA1
79e0d54ff3d6ba5b488de66ef4ae07fdebdb864e

SHA256
6ee6480ff2c2a8e4a5bc55884900eaf5f3789c66fe5b5e5cd6513b8888682aa0

SHA512
64521bdf54f8a2f0fe2c6231bd52599fda7b5bdc3670e050c13b7ccba8f9e3409077141819fa6e55d4f407b92cbfbeb340b743c071bce8d1f7876a26536868b6

Download Submit
C:\Windows\{EDDAB143-671C-4eb2-A1AC-D57B45BAAE8E}.exe

Filesize
372KB

MD5
800d1b0518d856e04819b3418c996f2d

SHA1
27b68eec844aaa82c5c40003e524fb3de77c7d54

SHA256
bcecddc7b13fff270c0dddaa07e49fab94673f737d6e80ce5edc53fd6744613f

SHA512
6670b118aeff5735d45f8cd0747a7cf4ac3131607339fc71f9dcfc2998d44f1947cb985de47b3446b4732b36a186518d7104acea21050ef4340acc9e1cb39765

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads