e61f010f2f8e4e654ad1cd06ccffa17eedde75f3e5e0344fc4b6d632b0632516

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
Size

180KB
MD5

c0cc9f2a196d6040261cd5a1d955ae58
SHA1

d684214c89e431e91fcccd0c9a77ba49eb24fdb6
SHA256

e61f010f2f8e4e654ad1cd06ccffa17eedde75f3e5e0344fc4b6d632b0632516
SHA512

a4785dd04a67ec0115a1c4b050849b6cfb2611110087729c578a9b409014af1cc034d0b3e4990b6058b4a3a33c9e6796c805baa06f0765a1e0135427d7ef65c2
SSDEEP

3072:jEGh0oNlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGrl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023238-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002324c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002325a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002325b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022e9f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022e9f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325a-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022e9f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002326c-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023274-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023274-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E619A8-9411-49c6-9202-45E9DF575C79}\stubpath = "C:\\Windows\\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe"	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F135B20F-0536-4a24-A0D4-4555472F2B50}	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B886FD27-68BC-4940-BA44-06B6763EA72F}	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}\stubpath = "C:\\Windows\\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe"	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5C8071-629A-4be2-A620-D0B5D575676C}	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA22631-D372-4b39-83AD-B282DDE39D0D}\stubpath = "C:\\Windows\\{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe"	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}\stubpath = "C:\\Windows\\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe"	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F451B8BB-926F-46e4-81D2-3001D37EE194}\stubpath = "C:\\Windows\\{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe"	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B886FD27-68BC-4940-BA44-06B6763EA72F}\stubpath = "C:\\Windows\\{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe"	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5C8071-629A-4be2-A620-D0B5D575676C}\stubpath = "C:\\Windows\\{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe"	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90834F7-E609-47cb-AF80-8C277252EB80}	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E90834F7-E609-47cb-AF80-8C277252EB80}\stubpath = "C:\\Windows\\{E90834F7-E609-47cb-AF80-8C277252EB80}.exe"	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA22631-D372-4b39-83AD-B282DDE39D0D}	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95E619A8-9411-49c6-9202-45E9DF575C79}	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DCAD61-C536-4d84-9B37-6A617C237EC0}	{95E619A8-9411-49c6-9202-45E9DF575C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F135B20F-0536-4a24-A0D4-4555472F2B50}\stubpath = "C:\\Windows\\{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe"	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F451B8BB-926F-46e4-81D2-3001D37EE194}	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}\stubpath = "C:\\Windows\\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe"	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}\stubpath = "C:\\Windows\\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe"	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98DCAD61-C536-4d84-9B37-6A617C237EC0}\stubpath = "C:\\Windows\\{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe"	{95E619A8-9411-49c6-9202-45E9DF575C79}.exe

Executes dropped EXE 12 IoCs

pid	Process
2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
3152	{95E619A8-9411-49c6-9202-45E9DF575C79}.exe
1872	{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
File created	C:\Windows\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
File created	C:\Windows\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
File created	C:\Windows\{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
File created	C:\Windows\{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
File created	C:\Windows\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
File created	C:\Windows\{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
File created	C:\Windows\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
File created	C:\Windows\{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
File created	C:\Windows\{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe	{95E619A8-9411-49c6-9202-45E9DF575C79}.exe
File created	C:\Windows\{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
File created	C:\Windows\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
Token: SeIncBasePriorityPrivilege	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
Token: SeIncBasePriorityPrivilege	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
Token: SeIncBasePriorityPrivilege	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
Token: SeIncBasePriorityPrivilege	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
Token: SeIncBasePriorityPrivilege	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
Token: SeIncBasePriorityPrivilege	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
Token: SeIncBasePriorityPrivilege	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
Token: SeIncBasePriorityPrivilege	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
Token: SeIncBasePriorityPrivilege	2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
Token: SeIncBasePriorityPrivilege	3152	{95E619A8-9411-49c6-9202-45E9DF575C79}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 2164	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	97
PID 3396 wrote to memory of 2164	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	97
PID 3396 wrote to memory of 2164	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	97
PID 3396 wrote to memory of 2920	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	98
PID 3396 wrote to memory of 2920	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	98
PID 3396 wrote to memory of 2920	3396	2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe	98
PID 2164 wrote to memory of 4144	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	106
PID 2164 wrote to memory of 4144	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	106
PID 2164 wrote to memory of 4144	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	106
PID 2164 wrote to memory of 2172	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	107
PID 2164 wrote to memory of 2172	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	107
PID 2164 wrote to memory of 2172	2164	{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe	107
PID 4144 wrote to memory of 4364	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	111
PID 4144 wrote to memory of 4364	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	111
PID 4144 wrote to memory of 4364	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	111
PID 4144 wrote to memory of 2548	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	112
PID 4144 wrote to memory of 2548	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	112
PID 4144 wrote to memory of 2548	4144	{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe	112
PID 4364 wrote to memory of 3920	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	115
PID 4364 wrote to memory of 3920	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	115
PID 4364 wrote to memory of 3920	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	115
PID 4364 wrote to memory of 3988	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	116
PID 4364 wrote to memory of 3988	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	116
PID 4364 wrote to memory of 3988	4364	{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe	116
PID 3920 wrote to memory of 4216	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	117
PID 3920 wrote to memory of 4216	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	117
PID 3920 wrote to memory of 4216	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	117
PID 3920 wrote to memory of 4300	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	118
PID 3920 wrote to memory of 4300	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	118
PID 3920 wrote to memory of 4300	3920	{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe	118
PID 4216 wrote to memory of 4528	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	119
PID 4216 wrote to memory of 4528	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	119
PID 4216 wrote to memory of 4528	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	119
PID 4216 wrote to memory of 3556	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	120
PID 4216 wrote to memory of 3556	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	120
PID 4216 wrote to memory of 3556	4216	{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe	120
PID 4528 wrote to memory of 1752	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	122
PID 4528 wrote to memory of 1752	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	122
PID 4528 wrote to memory of 1752	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	122
PID 4528 wrote to memory of 1724	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	123
PID 4528 wrote to memory of 1724	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	123
PID 4528 wrote to memory of 1724	4528	{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe	123
PID 1752 wrote to memory of 3932	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	124
PID 1752 wrote to memory of 3932	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	124
PID 1752 wrote to memory of 3932	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	124
PID 1752 wrote to memory of 3976	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	125
PID 1752 wrote to memory of 3976	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	125
PID 1752 wrote to memory of 3976	1752	{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe	125
PID 3932 wrote to memory of 2904	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	126
PID 3932 wrote to memory of 2904	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	126
PID 3932 wrote to memory of 2904	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	126
PID 3932 wrote to memory of 3092	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	127
PID 3932 wrote to memory of 3092	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	127
PID 3932 wrote to memory of 3092	3932	{E90834F7-E609-47cb-AF80-8C277252EB80}.exe	127
PID 2904 wrote to memory of 2652	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	132
PID 2904 wrote to memory of 2652	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	132
PID 2904 wrote to memory of 2652	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	132
PID 2904 wrote to memory of 3968	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	133
PID 2904 wrote to memory of 3968	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	133
PID 2904 wrote to memory of 3968	2904	{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe	133
PID 2652 wrote to memory of 3152	2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe	134
PID 2652 wrote to memory of 3152	2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe	134
PID 2652 wrote to memory of 3152	2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe	134
PID 2652 wrote to memory of 1236	2652	{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_c0cc9f2a196d6040261cd5a1d955ae58_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
  C:\Windows\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
    C:\Windows\{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
      C:\Windows\{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
        
        C:\Windows\{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
        
        C:\Windows\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
        
        C:\Windows\{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
        
        C:\Windows\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
        
        C:\Windows\{E90834F7-E609-47cb-AF80-8C277252EB80}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
        
        C:\Windows\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
        
        C:\Windows\{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe
        
        C:\Windows\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Windows\{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe
        
        C:\Windows\{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe
        13⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95E61~1.EXE > nul
        13⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CA22~1.EXE > nul
        12⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{795D1~1.EXE > nul
        11⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9083~1.EXE > nul
        10⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75217~1.EXE > nul
        9⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD5C8~1.EXE > nul
        8⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DF46~1.EXE > nul
        7⤵
        
        PID:3556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B886F~1.EXE > nul
        6⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F451B~1.EXE > nul
        5⤵
        
        PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F135B~1.EXE > nul
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0B3C~1.EXE > nul
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{6CA22631-D372-4b39-83AD-B282DDE39D0D}.exe

Filesize
180KB

MD5
3c80559e501b4256e63e8309a4a657bc

SHA1
97c20a110b209d22ad894a1702daa61139b610d0

SHA256
11b08c3f276dffb9f77baee5a7acfbaadba0366b1393f55ab66c1e2c44d6a847

SHA512
d950a3b08767354ac873ce27d0097b2d50b6e5dbe8aba63927c07193a51d3310d7ae0f5157212b2913b7c8cb50ab80e4ca1ac8764bf252c9ba48d216ecfebb2c

Download Submit
C:\Windows\{75217AC4-82F9-4c99-A1D0-ECDFF4AB393F}.exe

Filesize
180KB

MD5
51a159a6032052752714bcca1516a49f

SHA1
f493d171ccff6c92cd25983c0cd35202eee09650

SHA256
2fd8e45b0418e3753a4a2d71dd9ba03c7b5bad1471037f7fdfeb12b14d8f1da5

SHA512
90d1c8acc52366c9cd055d3a920f7f355f9740db61325779fd6792bd0857bde53f4fc325e2c6e60c173177707e2628f8aa8cfae4ef520c5f642c74746d58ca41

Download Submit
C:\Windows\{795D187C-BE90-4bf5-8DF3-703B9B3C3514}.exe

Filesize
180KB

MD5
72a1a69bbfe4050c78589f62e2ee9b7d

SHA1
38bf11b47835544705558c32a338f5d35b8ffcde

SHA256
aa2a7a1349f8153f8c2a4e301e508ec0537151f97c06efde8da8e2f63f685548

SHA512
9af3739a348b7ae00b36c202cb2c76463e67226fc0775fe15d344ec2e5db69802b025631455da7b1299d6246cd7ff75f81f3e0e02959c010e3e9dbf796a5838c

Download Submit
C:\Windows\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe

Filesize
180KB

MD5
df3145e9d1cc7c3fd1070290c9052c37

SHA1
73a0a71d1be341c5fa6e5fc8618977eceedc5705

SHA256
7aa5e2c160eadbcceacafab3eff98589cde2f5b065f2fd12b2b1e0d92fc2ada8

SHA512
93fbbfd927c5a3f85ae9b7f83e31bd7da5c429f3d5c69cd7919ca365e5780719166c4de0415f90f6709f0200796cd3f992b1994bbfc30036a35f841fcaeb969c

Download Submit
C:\Windows\{95E619A8-9411-49c6-9202-45E9DF575C79}.exe

Filesize
22KB

MD5
654c1dfefa84e03789a8921dcd0ba2fc

SHA1
518228e8ab5c52c669154adcfd681c165553b56c

SHA256
0d1028c2408f54aff8d73f6cac60dcf828d6e2a8ca7e48e977bd38e7c1a5e76c

SHA512
57720f699362b028a2edd4efed4dd17d3361aeaa4010f071f126b9eb00b4ed2115b2edf2a24e0a23c112882df4a99379775c6597be683cce2b7310100acd6dee

Download Submit
C:\Windows\{98DCAD61-C536-4d84-9B37-6A617C237EC0}.exe

Filesize
180KB

MD5
22db3374a0e6ef7ec465618057a7f823

SHA1
14415e2d81a07cdfd9d51fc1134716578ab34db1

SHA256
d39574c5c91b2b75ec0a6d08abfd314bf54fe08b3dfb7ba15090532b50170bd4

SHA512
baeb56a749f4b31d1aec791a181729831982b9719ad279fd428acb4f704a2ee9a1033a4592e75a0e25c4a6efaea57ffd07cf79883144bb2cc7526eceaac242d8

Download Submit
C:\Windows\{9DF46D1E-C4A9-4411-A355-A4C04A8C3D93}.exe

Filesize
180KB

MD5
ee56c8cce8d1d80be5c1c0231b6cc5fd

SHA1
9e0a03497e416d77608c16ba9d66a24fba8b45a8

SHA256
82358af8e0770cfabedc1fb25635bc7af9a023fb0a55f6309dbbe7a0e2850a2e

SHA512
957de13dbe605043ceb44878856fad0ce9fc2e3b02979f6b1bfab79726a526ad38233dbb1e3eae39e717209f4a4045bf79947bf8ccba33b9a459aa84ee2aa0a1

Download Submit
C:\Windows\{B0B3C5CF-E54D-49d6-9B64-2879B9106801}.exe

Filesize
180KB

MD5
0eb9cd385ed25bd82147b5d8dd855665

SHA1
1bf8841fcebad5fdfa506c507f67c140054706ac

SHA256
7485bf2fe6736be1fceade2be1c23dd0871ff7002da7e8e8518b5c108920f8d6

SHA512
8b79bcb3d27c5eef1f766930490a41204e315e5dc2f5263525e6f148b95c87c935660886ed3757b4bdd28e9cfba640a674a982787e8f5a5858343c38f49e020f

Download Submit
C:\Windows\{B886FD27-68BC-4940-BA44-06B6763EA72F}.exe

Filesize
180KB

MD5
ae4ba470bb740adb2557dbd492dae6eb

SHA1
4754a7c31efc2484715722e2ae641c936fdad7c4

SHA256
2eaa802dbe7eb8749ce2123b9d096587f75acf6f8faa704c0e3b112ba9add97e

SHA512
f57095b48b421d5c26db8da03daf3f6260a418bea565e147359ac3456548797a7c7ef5b9df4f32bfb6a2eb94b431d3d57c432b50b4602088767070bc0699f3e3

Download Submit
C:\Windows\{E90834F7-E609-47cb-AF80-8C277252EB80}.exe

Filesize
180KB

MD5
2283db91cfb26e2e19e7d40810b99ac2

SHA1
337b9420078c413b9db9903a8fe45bbda752dc00

SHA256
f0a824bdc7ae833d7308a8185e107ee32f8566ba545d2a310dfc2e3c98ab2bc6

SHA512
ecf5e9b986f0ae74941b81d143e9fe25369f0402abcf9d2680ca22c6245a56de21252a7ccc285bb7d35ea3ae554beb976ae9b518d35af08f8f95fc6248dd1981

Download Submit
C:\Windows\{F135B20F-0536-4a24-A0D4-4555472F2B50}.exe

Filesize
180KB

MD5
f63a199135b38de97fb80a7148169bdc

SHA1
27cfca83566e2ece36d91422d0e26a49003c8bb6

SHA256
1f501cae590484ecf213a966ce69c42f0b26431b7d7a2abddd3f67ecb650970a

SHA512
0e6433eaba7b97c235bbc551e4c566bf2d3d00250cef4d7bda0a1bfa9cf5846407dcca8934942ffe1a037d7d84d63c34b1e53e12116e6e9cb49af8d6e2a6966a

Download Submit
C:\Windows\{F451B8BB-926F-46e4-81D2-3001D37EE194}.exe

Filesize
180KB

MD5
711c5d8579bcdeb1cd347ea9efa6bddd

SHA1
83627d734c2115c63def896c1632aee6d4178a38

SHA256
bda25f0c8fc2a6bf614f137c82c180c1c3bede2d75026a969528b53eb6530832

SHA512
1394a19c6e1f8701c7c8b74bb8e2d0e26b88e7abe5f617f1664e9155220808c1716ddb9a2bbc7857c42ae240adb102ffc4771a410fe28222fc5568e292458fdd

Download Submit
C:\Windows\{FD5C8071-629A-4be2-A620-D0B5D575676C}.exe

Filesize
180KB

MD5
549c705f9f56af76f2adbc78c2f44baf

SHA1
3505be6fdf4d23e928b0a25c1a3a2028d3e76788

SHA256
a678efa42ef38e56908c7a63bd1ad420dc02cfa4597d5e75cd46e9c4bcbe5c10

SHA512
979cb1d141603773b253085f2d5c2f33f3924c995b2cedf5352bc5e4d4f092b428d8434d5c3893c96916b00018123b36eb5247a0d0fe8d3dffad5c871d5737a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads