6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c

Analysis

max time kernel
151s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Size

408KB
MD5

f505d3e7ca60e7462c7bebb3cc2e217f
SHA1

f99e476cf714ac9b066fee8da25859f44bbf85b7
SHA256

6ec5d25dbc6d6660a7e9198c4cc385fc1e4af5ff5d1b24e82ef68bad9790074c
SHA512

9a0cda05ef092b71ef583e0630606ff19e7515782f0ff1997db1a360ccad964111add0d946c27bf95aff9992128e0fbf578533a60461dd298c7236a8d2b3873c
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023258-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023264-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002326b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023119-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023119-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002326b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023119-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d09-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022d0c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d09-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022d0c-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}\stubpath = "C:\\Windows\\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe"	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{593C204C-C5F6-49d1-83CC-07384BFE83FB}	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DAC629-13A2-4c37-A6B6-C45491950DF3}	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E114C2-2965-4f45-85ED-5741AE2C0173}\stubpath = "C:\\Windows\\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe"	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D725C91B-7C59-4128-BA04-59181A2C5CA2}	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D725C91B-7C59-4128-BA04-59181A2C5CA2}\stubpath = "C:\\Windows\\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe"	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D346106-5EE9-46ea-887D-129F74815BA6}\stubpath = "C:\\Windows\\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe"	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}\stubpath = "C:\\Windows\\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe"	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{593C204C-C5F6-49d1-83CC-07384BFE83FB}\stubpath = "C:\\Windows\\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe"	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D346106-5EE9-46ea-887D-129F74815BA6}	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}\stubpath = "C:\\Windows\\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe"	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}\stubpath = "C:\\Windows\\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe"	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DAC629-13A2-4c37-A6B6-C45491950DF3}\stubpath = "C:\\Windows\\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe"	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}\stubpath = "C:\\Windows\\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe"	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96E114C2-2965-4f45-85ED-5741AE2C0173}	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}\stubpath = "C:\\Windows\\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe"	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}\stubpath = "C:\\Windows\\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe"	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
1684	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
1456	{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
File created	C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
File created	C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
File created	C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
File created	C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
File created	C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
File created	C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
File created	C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
File created	C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
File created	C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
File created	C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
File created	C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
Token: SeIncBasePriorityPrivilege	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
Token: SeIncBasePriorityPrivilege	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
Token: SeIncBasePriorityPrivilege	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
Token: SeIncBasePriorityPrivilege	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
Token: SeIncBasePriorityPrivilege	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
Token: SeIncBasePriorityPrivilege	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
Token: SeIncBasePriorityPrivilege	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
Token: SeIncBasePriorityPrivilege	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
Token: SeIncBasePriorityPrivilege	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
Token: SeIncBasePriorityPrivilege	1684	{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 1964	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	101
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 4744 wrote to memory of 4784	4744	2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe	102
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4608	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	108
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 1964 wrote to memory of 4500	1964	{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe	109
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 1868	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	111
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 4608 wrote to memory of 2964	4608	{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe	112
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 216	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	115
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 1868 wrote to memory of 2300	1868	{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe	116
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 3116	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	117
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 216 wrote to memory of 4912	216	{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe	118
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 224	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	120
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 3116 wrote to memory of 1352	3116	{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe	121
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2704	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	122
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 224 wrote to memory of 2288	224	{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe	123
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 2880	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	124
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2704 wrote to memory of 972	2704	{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe	125
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 224	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	133
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 2880 wrote to memory of 1924	2880	{8D346106-5EE9-46ea-887D-129F74815BA6}.exe	134
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 3736	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	136
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 224 wrote to memory of 4308	224	{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe	137
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 1684	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	138
PID 3736 wrote to memory of 3956	3736	{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe	139

C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-09_f505d3e7ca60e7462c7bebb3cc2e217f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
  C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
    C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
      C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
        
        C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
        
        C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
        
        C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
        
        C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
        
        C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
        
        C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
        
        C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
        
        C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe
        
        C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D923~1.EXE > nul
        13⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE00~1.EXE > nul
        12⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C1AD~1.EXE > nul
        11⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D346~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D725C~1.EXE > nul
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{593C2~1.EXE > nul
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E49C7~1.EXE > nul
        7⤵
        
        PID:1352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96E11~1.EXE > nul
        6⤵
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA5C~1.EXE > nul
        5⤵
        
        PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B7AD~1.EXE > nul
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{45DAC~1.EXE > nul
    3⤵
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D9237F3-F504-4c4c-8B92-52E71AA8176C}.exe

Filesize
408KB

MD5
e84caee5874bd104e6a4ccc1dad4d229

SHA1
a8afb8d209d2cb32b67cc7dc624b7f1aebcda601

SHA256
a73c4e3aaf531c99936be21fe949df0e21fe57741afd6114d033be3a96f21c86

SHA512
acb1c49b7fb25787c70a69d3191d8048783bddc84e9cb7f82835fcfb1f237f418aacab74cc222c65ebe90fed97a624101fe18dfbeb30c233cb593745ee991af9

Download Submit
C:\Windows\{2EE00AC7-BD5D-4f14-BF3A-C70EF9562EBD}.exe

Filesize
408KB

MD5
de641b397cec687c0c00e5f74d8cde1e

SHA1
1ff36cb861caaf5629fd36ef4d83535cee5c699b

SHA256
596245ebdad1e900c9819bd90b17378628a9a11332564121b01c83bdd5cd9187

SHA512
5423490fa0a2f5a6e16e96a5ffc0d8b0c492b542f48435ec52e8759adff66dfff32019944b8adfa3c88043cd6d72657d36d7e581827157f67c7924506e6130fe

Download Submit
C:\Windows\{45DAC629-13A2-4c37-A6B6-C45491950DF3}.exe

Filesize
408KB

MD5
8863acffb19e9134cfa97ac122a30ed6

SHA1
42bfc8e08f55137e476b8a722f09eeb84d548d0c

SHA256
becdb2fea5cebb610eadc3eb386298be6dceb10c49adca33751b1cb003d06d63

SHA512
940ad2c8e124f226f8b5f1e9a0b10b8e17ebbd65dfec22d303063b21cbb26d6e927140900381d75ec44f7bcfed2f48a1421f76a94193894b84792d369497d7f5

Download Submit
C:\Windows\{593C204C-C5F6-49d1-83CC-07384BFE83FB}.exe

Filesize
408KB

MD5
2c691bbeb8d30e6b6de68667ff753b22

SHA1
739aa18b660cd989feef2110887d28403051b23a

SHA256
5cf50622668b7c8f4f6202297ff3d5046a105406293019842c88ecacef9954fb

SHA512
ed79f26aa13c37295fe07bce9ee60cd91c6e58f9cd085e8bc0109ffc41e3566e1e6e83d9ce974f0bdd407f29b3b908fd65bcc9684ffd84e868911c3050204f29

Download Submit
C:\Windows\{8D346106-5EE9-46ea-887D-129F74815BA6}.exe

Filesize
408KB

MD5
fc8c59e2f2323eff2c5ca3ec746a72ad

SHA1
c85cc6f7bec9c739b3c155ec9b1ca163c1d9e114

SHA256
297323dfe68675bafdba95174cecba0f389d5d1c10ccb3b2de72d255600dc3db

SHA512
d8f179c77b84e5dbee855d1df879dbe215b66fbec102158205b00ed71a81d51c2aad177017d6d38ce896638fbc326cd0111fbb7fe5c82c606dd0511d2274f354

Download Submit
C:\Windows\{96E114C2-2965-4f45-85ED-5741AE2C0173}.exe

Filesize
408KB

MD5
1d7b06e29cb18cd00d6692cfcdd8c887

SHA1
b5df65f3a2d52cbc07ef760a9ca3540b304c518c

SHA256
9d7a90ea10ec9957c26249e8d00e155000738ada2037a375647ae2f07392ca7d

SHA512
6e702e73e63fa1d19408d6ce31ada6a1bdfad4fb9f355fc03e8bb101da77bec782fc0c667aff180ee7d490c0a4ee5f26fe725c3f6f93d706d9ad1ac471a50464

Download Submit
C:\Windows\{9B7AD13C-14E1-4f89-8A26-6AA3A0EE0DC3}.exe

Filesize
408KB

MD5
9adde507cd431b021a6de1e592a70c22

SHA1
59f36e22ad888cd31bbc7c6f73ac52310d1e278a

SHA256
ab3c9b8995cc987f92a42ac446b139c96b1212824ceaf0e3b301d1eec7693fbf

SHA512
37e8df0ba0d0665ec04adaca8f65eb9789ff983e691ec3b60bbae97094ddfd63e79fbd6dfa557dc18597aedb9002dbaa71d4b3d836e7697b290e4ec3244ed643

Download Submit
C:\Windows\{9C1ADAC3-228F-4e7c-B870-AD7123F42271}.exe

Filesize
408KB

MD5
68706bf07f98926de08840013074c2e2

SHA1
f748d84ca40fb95518ab9a8ad64644ed770f6911

SHA256
2b36be5770846346d6638e69fd4184c5723b50143832c992071fdb08beaa4243

SHA512
bcbe221b9751302c8c91ab723d0aeed69ffab9c8c8909590eaa30a6085ddf8600595007b92ec9ea645e42fa20c04d1efa4289833776b7e4baa17ffd55f2b8d84

Download Submit
C:\Windows\{D725C91B-7C59-4128-BA04-59181A2C5CA2}.exe

Filesize
408KB

MD5
964fb47b721a19c98d48cb615f0a7664

SHA1
399dd6e91da94a9611ff0f2c5b2ac394c67853bb

SHA256
0f99f97ce1d405965496dd34b1c49f2c3b9308879d864e8284cc3399aabdbb5b

SHA512
4919b9f8cc833568abf0765ce89927a7c85e52bc16ed602e683052d3d36170b7ec6eff13aa8c53057069fbbfc7395797ac2ac385e1fb1bad05e9282ed8d3e4b7

Download Submit
C:\Windows\{D7B47277-2E60-43cf-B1E8-3DECF4FC85C7}.exe

Filesize
408KB

MD5
3361db5ef1fcc70095167b7857f88306

SHA1
2b4871b0e5862647e1ee37d565b68d9805c380ec

SHA256
0efbd38e2aca27b6972d4b91a7757cfb7fa528a9f41182071664b11a7fa1d6a0

SHA512
703124b06b1d50636874b64e97e95f2b9b64492bdd0463532a28f1339399542937b8a14bc4ac921a0d0ce9ce291188c599bf05c0cdc2c461e3e8b58ec842437c

Download Submit
C:\Windows\{DEA5CDDA-8F73-444e-8CBE-CBC6F416C8EA}.exe

Filesize
408KB

MD5
f41c672f944ee00d5ca3972c297ba91f

SHA1
f63309fe1ef7511fe928021f60fbbb3b3b934b9f

SHA256
1ab400edb8757711c21619b6233baf7985f2a9c69e91b4937936edac2cce8fec

SHA512
e9bd58a003e6bc1fc11c74e440eca51a039b4350edb6f915f60440dff9fe9bcb4f9942a7e9642b329625e40a168d3e4c6227b2ea49681ec94adc54a15eced15e

Download Submit
C:\Windows\{E49C7CCA-8C6B-4a97-A9CE-4528D39AF898}.exe

Filesize
408KB

MD5
b56ddf7167eaffde947276095bb880d8

SHA1
019fc2b3acee9f76cba54d0fb6a339802ef582cb

SHA256
3f443d12f5d2c1556a80263cb274f5887312434cea8ad63f2f2901d8670ceb0a

SHA512
c7b58d80ea55bac2c626f1895b1413d70d14ab05a80a1cda4ae089e69de18d45148072742dc2a610ab118097bdb75a8adb1a2aabc8123303226c7e1bbdae3d37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads