4bdd08111a81a78be786b92d72a3f1bd4a9ad9ca809b5884d436f6422f4c2248

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Size

408KB
MD5

ef6dec01330953c607ab3ce3c52790ee
SHA1

263ef5a31766854b957bf2a999b317fb58390853
SHA256

4bdd08111a81a78be786b92d72a3f1bd4a9ad9ca809b5884d436f6422f4c2248
SHA512

42aca68c2cf625a6f03aef3faf82fd7d49fb46cf0b822e594a19510e4cdd556aac7dd036091d0d78a64d31d7d794c00d19d70284f86fd88028224fe645ce85f5
SSDEEP

3072:CEGh0oTl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGBldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023297-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023299-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000232a1-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232a1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002314e-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000232a1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002314e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000232a1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002314e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016fa5-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002314e-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}	{90DA0555-5299-4426-84E5-D581100CB27F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}\stubpath = "C:\\Windows\\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe"	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C3E909E-F382-4236-A24A-CED30818F241}\stubpath = "C:\\Windows\\{7C3E909E-F382-4236-A24A-CED30818F241}.exe"	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B28289-E9FC-45cb-BA42-F541BE85827D}\stubpath = "C:\\Windows\\{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe"	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}\stubpath = "C:\\Windows\\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe"	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C363FA-5817-466e-BEF4-0D4DBC31664A}	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97C363FA-5817-466e-BEF4-0D4DBC31664A}\stubpath = "C:\\Windows\\{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe"	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C3E909E-F382-4236-A24A-CED30818F241}	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}	{7C3E909E-F382-4236-A24A-CED30818F241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}\stubpath = "C:\\Windows\\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe"	{7C3E909E-F382-4236-A24A-CED30818F241}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DA0555-5299-4426-84E5-D581100CB27F}	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}\stubpath = "C:\\Windows\\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe"	{90DA0555-5299-4426-84E5-D581100CB27F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}\stubpath = "C:\\Windows\\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe"	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B28289-E9FC-45cb-BA42-F541BE85827D}	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}	{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}\stubpath = "C:\\Windows\\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe"	{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72599F70-8B40-4df5-BEDD-BCADE334E340}	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72599F70-8B40-4df5-BEDD-BCADE334E340}\stubpath = "C:\\Windows\\{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe"	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90DA0555-5299-4426-84E5-D581100CB27F}\stubpath = "C:\\Windows\\{90DA0555-5299-4426-84E5-D581100CB27F}.exe"	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}\stubpath = "C:\\Windows\\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe"	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe

Executes dropped EXE 12 IoCs

pid	Process
1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe
1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe
1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
5088	{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe
2656	{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
File created	C:\Windows\{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
File created	C:\Windows\{7C3E909E-F382-4236-A24A-CED30818F241}.exe	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
File created	C:\Windows\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	{7C3E909E-F382-4236-A24A-CED30818F241}.exe
File created	C:\Windows\{90DA0555-5299-4426-84E5-D581100CB27F}.exe	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
File created	C:\Windows\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
File created	C:\Windows\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
File created	C:\Windows\{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
File created	C:\Windows\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	{90DA0555-5299-4426-84E5-D581100CB27F}.exe
File created	C:\Windows\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
File created	C:\Windows\{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
File created	C:\Windows\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe	{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
Token: SeIncBasePriorityPrivilege	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
Token: SeIncBasePriorityPrivilege	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
Token: SeIncBasePriorityPrivilege	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe
Token: SeIncBasePriorityPrivilege	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
Token: SeIncBasePriorityPrivilege	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe
Token: SeIncBasePriorityPrivilege	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
Token: SeIncBasePriorityPrivilege	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
Token: SeIncBasePriorityPrivilege	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
Token: SeIncBasePriorityPrivilege	4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
Token: SeIncBasePriorityPrivilege	5088	{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 1436	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	98
PID 3808 wrote to memory of 1436	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	98
PID 3808 wrote to memory of 1436	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	98
PID 3808 wrote to memory of 4996	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	99
PID 3808 wrote to memory of 4996	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	99
PID 3808 wrote to memory of 4996	3808	2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe	99
PID 1436 wrote to memory of 4688	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	100
PID 1436 wrote to memory of 4688	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	100
PID 1436 wrote to memory of 4688	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	100
PID 1436 wrote to memory of 4492	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	101
PID 1436 wrote to memory of 4492	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	101
PID 1436 wrote to memory of 4492	1436	{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe	101
PID 4688 wrote to memory of 984	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	105
PID 4688 wrote to memory of 984	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	105
PID 4688 wrote to memory of 984	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	105
PID 4688 wrote to memory of 904	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	104
PID 4688 wrote to memory of 904	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	104
PID 4688 wrote to memory of 904	4688	{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe	104
PID 984 wrote to memory of 2876	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	108
PID 984 wrote to memory of 2876	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	108
PID 984 wrote to memory of 2876	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	108
PID 984 wrote to memory of 828	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	109
PID 984 wrote to memory of 828	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	109
PID 984 wrote to memory of 828	984	{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe	109
PID 2876 wrote to memory of 1672	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	110
PID 2876 wrote to memory of 1672	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	110
PID 2876 wrote to memory of 1672	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	110
PID 2876 wrote to memory of 540	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	111
PID 2876 wrote to memory of 540	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	111
PID 2876 wrote to memory of 540	2876	{7C3E909E-F382-4236-A24A-CED30818F241}.exe	111
PID 1672 wrote to memory of 3520	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	112
PID 1672 wrote to memory of 3520	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	112
PID 1672 wrote to memory of 3520	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	112
PID 1672 wrote to memory of 1688	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	113
PID 1672 wrote to memory of 1688	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	113
PID 1672 wrote to memory of 1688	1672	{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe	113
PID 3520 wrote to memory of 1436	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	115
PID 3520 wrote to memory of 1436	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	115
PID 3520 wrote to memory of 1436	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	115
PID 3520 wrote to memory of 4316	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	114
PID 3520 wrote to memory of 4316	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	114
PID 3520 wrote to memory of 4316	3520	{90DA0555-5299-4426-84E5-D581100CB27F}.exe	114
PID 1436 wrote to memory of 940	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	116
PID 1436 wrote to memory of 940	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	116
PID 1436 wrote to memory of 940	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	116
PID 1436 wrote to memory of 536	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	117
PID 1436 wrote to memory of 536	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	117
PID 1436 wrote to memory of 536	1436	{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe	117
PID 940 wrote to memory of 2000	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	118
PID 940 wrote to memory of 2000	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	118
PID 940 wrote to memory of 2000	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	118
PID 940 wrote to memory of 4728	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	119
PID 940 wrote to memory of 4728	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	119
PID 940 wrote to memory of 4728	940	{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe	119
PID 2000 wrote to memory of 4108	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	120
PID 2000 wrote to memory of 4108	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	120
PID 2000 wrote to memory of 4108	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	120
PID 2000 wrote to memory of 4428	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	121
PID 2000 wrote to memory of 4428	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	121
PID 2000 wrote to memory of 4428	2000	{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe	121
PID 4108 wrote to memory of 5088	4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe	122
PID 4108 wrote to memory of 5088	4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe	122
PID 4108 wrote to memory of 5088	4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe	122
PID 4108 wrote to memory of 3168	4108	{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_ef6dec01330953c607ab3ce3c52790ee_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
  C:\Windows\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
    C:\Windows\{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72599~1.EXE > nul
      4⤵
      PID:904
  - - C:\Windows\{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
      C:\Windows\{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Windows\{7C3E909E-F382-4236-A24A-CED30818F241}.exe
        
        C:\Windows\{7C3E909E-F382-4236-A24A-CED30818F241}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
        
        C:\Windows\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{90DA0555-5299-4426-84E5-D581100CB27F}.exe
        
        C:\Windows\{90DA0555-5299-4426-84E5-D581100CB27F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90DA0~1.EXE > nul
        8⤵
        
        PID:4316
        
        C:\Windows\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
        
        C:\Windows\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
        
        C:\Windows\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
        
        C:\Windows\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
        
        C:\Windows\{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe
        
        C:\Windows\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe
        
        C:\Windows\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe
        13⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BB81~1.EXE > nul
        13⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B28~1.EXE > nul
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F3E~1.EXE > nul
        11⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59420~1.EXE > nul
        10⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D1AF~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F9A~1.EXE > nul
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C3E9~1.EXE > nul
        6⤵
        
        PID:540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97C36~1.EXE > nul
        5⤵
        
        PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A59A~1.EXE > nul
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28F3EB6E-4737-48d9-BC59-C1FEBA5040B0}.exe

Filesize
408KB

MD5
4aa7e5a0254c46ac742a7fe4d9261735

SHA1
f597f7217efa42cdf2ef7411d9f4e4397df3ccc6

SHA256
689c3337c2add7a6d76ed325fc9055c23eb0a66efbdb51508eef7888eca3555d

SHA512
4f27cc4d2a88fd0d9cd0043e96c5819cd1da188185732cdee932945dd60f0aec4e2c7c5b706a29d83a17dab1f7ac0904f7ab9e5112aaa92df61b42fa4e31f0b2

Download Submit
C:\Windows\{2A59A2F1-4660-44d8-BF83-0832DAAAF445}.exe

Filesize
408KB

MD5
c1bd6f2113ae0d4cd9aacbc98c7043e3

SHA1
e71aa8a9d382640254ba0ff98f912f87dadd7682

SHA256
75fff4a403fed02d6fc7928c7845b7c4d01c96c4e3f76c2ee4878785d8a45597

SHA512
0b3f37af96c7f73b8753a07a6bc21a12ff5c6b73f5175b670ffd8288a21545709496a59d9263aef7be8a7e2f9b23f1e55390b2e76b1693e10d961ef20cef16d8

Download Submit
C:\Windows\{59420DB9-3D54-4182-AFF9-2E2344D5F43A}.exe

Filesize
408KB

MD5
1db08ebe5f0319730fec9899b609563f

SHA1
f7d72d8111498149dd0e8e082f8a111d3b73c9dc

SHA256
2440f8f44ef8fe238802dcd4f66fd5a2b7432180239c083e7648ac50e8ddd592

SHA512
bbcb79e1b063edeb1350510bbf14f846bf19777720fa4d34a0aba6c51b172140930f3f14c7395adaf7b7ef15e5784289fb3657acf8235faf5fc68b71fcae65de

Download Submit
C:\Windows\{6BB81576-FAC9-4eee-AC79-D82EDD621DE5}.exe

Filesize
408KB

MD5
73c44c78c8da6819a83ab34e1161bee4

SHA1
e36bd2a8baab6063b7a4093116b510ebc64a2871

SHA256
c483a06af1eb0b7e7758ec7a7abb5894b67f0b083b29f4a641a08580901ab234

SHA512
398a6628f2752867043d307c46848f8f91c9141ed4f660782dccd9e05beb37aa3c75f39192545d73ba09875b2e8b98cb482cd0534202f453fe1bd595eea3ef90

Download Submit
C:\Windows\{72599F70-8B40-4df5-BEDD-BCADE334E340}.exe

Filesize
408KB

MD5
b4628021f6c0d59ca60649e4c6eaa187

SHA1
469eeb13461e4fe4f1308970edfc5fd318ddd0e6

SHA256
e82dccddcdbde7144532c826827f17363d89dcdb453678e88748edffc3cdc489

SHA512
11f8d7f193a0e293273d8ae323707fa94bb206fe7adbc75de4e0b2ca8d29c6c4590f14195d53d06cf4dc4244e92a092e9671d1f05ad0f4320140787cd0ecb773

Download Submit
C:\Windows\{7C3E909E-F382-4236-A24A-CED30818F241}.exe

Filesize
408KB

MD5
8188ed3b23bfd25d57902e9035285d57

SHA1
462b97fb72dee0b1774d15d237dd3996493fc472

SHA256
a11500aa89e0467cb4b0b38093f145aa815e4ba7bc5c024b0068c583ae5a3841

SHA512
e3b31f97ef03077839c0162242941711493bf95387dda9249404e37c747ef25189dec91db9fa89002b65607a2a27a8df11ce062ab0d777949dcef51d5085ac00

Download Submit
C:\Windows\{7D1AF14A-9060-4635-AEC1-C41DE16E2547}.exe

Filesize
408KB

MD5
0e464389624d19a903e2fde25df1cdee

SHA1
76ca56d4f8662f61670939057c0deb03693238c7

SHA256
0f32e9f3ba5769e200aa1226ccc9c8bbb7b7977cec8b16f1b528cf4a0a22f999

SHA512
da54aaff2c1151e80298d889b0340cb3cc684cb3959368ef24fb8a15e2cafac375080567af63012aef3f87cd03228cd2b976e332dd301ef4ac822126fc6e3d79

Download Submit
C:\Windows\{8E8B51A4-9DFF-4bc7-B8B8-022FDFE41836}.exe

Filesize
408KB

MD5
84e23e8764327e4442708d712144533d

SHA1
4f30aaecbf7d4095ab243ab32563dbbfbd9cc6e9

SHA256
3c91998c43ed232fc0eeb8de7f0a57fa46e7756241f5cb11d97277bd1afd72c2

SHA512
fe24ce5836120bb602bafeb303fed8f52508f2f2f96fa1eb61b0841a1d9116693855d4521ae406285e2ac741e088ab04df1a629d84851fafc8cbb44dd9682f1f

Download Submit
C:\Windows\{90DA0555-5299-4426-84E5-D581100CB27F}.exe

Filesize
408KB

MD5
3b3a00c9c9f1e3f3b1a7eb27515dc8ed

SHA1
d92ee62c691f6faa714b7ae6390c1facb8e0a85e

SHA256
49a52d215c8fc959b8a3cb8a5d6d78c7a9cbd35f7187e08a3fae5a6ad1db7d3d

SHA512
abfbd6916a3c03f18e3f12cb450a006d1d1f6eb4b48d70077bf5b099c1ee23e79e9bae03bbb0f7c971f6275ca928c8fd54af36f2637eec6b4515445deccb3a16

Download Submit
C:\Windows\{97C363FA-5817-466e-BEF4-0D4DBC31664A}.exe

Filesize
408KB

MD5
7ad364909acf300ec5b52e49240e3559

SHA1
539f82241720dcadc1231d80928fffa55842d4f4

SHA256
666cce3ad13abca499e230ca2e528606b9d52e2281786d8a4dfc732991dddfb6

SHA512
1febc45b0dc4a28eacf25a70691017e99e0e5ccac076a2132d64d8042f4acbbce1fb69508faf71237c3678ca268a8b8ea8e04763c102880777c744689b7a470c

Download Submit
C:\Windows\{E2F9A88E-B8F4-4b0c-B802-74039CBB439F}.exe

Filesize
408KB

MD5
6d592f152c4cf97ce0dff8a9e208f2b2

SHA1
7fcca1c77c8cb3f1ffe8d332c4c80e64115f3378

SHA256
b05ce8bb5160cca195209ee374eac13f0c886b8b301329a8cf59f8ed5b473ea0

SHA512
543fabec537d8544e8c6e7fc1348cf162fe562757a74654b8bc6be7761bcb45ed2f40ed77c41c2754663d579d56a54b9bf7b192b94033184220a8a6f6c6c03c1

Download Submit
C:\Windows\{F1B28289-E9FC-45cb-BA42-F541BE85827D}.exe

Filesize
408KB

MD5
f83d5af9ce3ceb60eea012dd11ff2e67

SHA1
51cf2b65abd8a9677de952d4dc84a27b37acab06

SHA256
593cf93e3d4c550312bea88e14b6d486a6d2d1f5192f478ed426f81ba46382cf

SHA512
196900ceb401aa912175b7ee85bfa1bcba9639d85eadfe359d9b7806b6b868d9bdfb26a0e9e2b8c9e1116d4c3f6d78558c2571c47fbcf4e0b3603288964a836a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads