0d9a78edf72938285785e9886912183afa6cf251878f7b6770e1baca85952a6d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
Size

168KB
MD5

b5184c7ba399d0405ade877be567720b
SHA1

36021094763a6414bc93f9d3c812b14f9ba18d84
SHA256

0d9a78edf72938285785e9886912183afa6cf251878f7b6770e1baca85952a6d
SHA512

794df55331c228c03f768e19d61e0ca0d327adfea3ce04878ad792703c7dc7463b7de50ca352ba818bc829d4d3a39cefc7b3fc5476e70c9a7d3ba6f996a67999
SSDEEP

1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023350-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002335a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023105-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002335a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023105-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335a-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023105-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002335a-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002337f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002335a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023353-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023373-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}\stubpath = "C:\\Windows\\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe"	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4369C08C-DA2F-4abb-9177-37577CEE2C58}	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F82A14D1-7A13-4a6d-A994-BF237CF97811}\stubpath = "C:\\Windows\\{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe"	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1E5EB3-3789-40a3-A205-9055899B13AD}	{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B843404-0C58-4a78-AFC7-5267E3401379}\stubpath = "C:\\Windows\\{3B843404-0C58-4a78-AFC7-5267E3401379}.exe"	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8531E30A-80F6-4843-B2B1-B254189EBF56}	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8531E30A-80F6-4843-B2B1-B254189EBF56}\stubpath = "C:\\Windows\\{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe"	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4369C08C-DA2F-4abb-9177-37577CEE2C58}\stubpath = "C:\\Windows\\{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe"	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}\stubpath = "C:\\Windows\\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe"	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B843404-0C58-4a78-AFC7-5267E3401379}	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}\stubpath = "C:\\Windows\\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe"	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}\stubpath = "C:\\Windows\\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe"	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7BFADB-B775-4152-85BF-3789AB7018FC}	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7BFADB-B775-4152-85BF-3789AB7018FC}\stubpath = "C:\\Windows\\{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe"	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}\stubpath = "C:\\Windows\\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe"	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}\stubpath = "C:\\Windows\\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe"	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F82A14D1-7A13-4a6d-A994-BF237CF97811}	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1E5EB3-3789-40a3-A205-9055899B13AD}\stubpath = "C:\\Windows\\{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe"	{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
3408	{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe
2208	{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
File created	C:\Windows\{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe	{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe
File created	C:\Windows\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
File created	C:\Windows\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
File created	C:\Windows\{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
File created	C:\Windows\{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
File created	C:\Windows\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
File created	C:\Windows\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
File created	C:\Windows\{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
File created	C:\Windows\{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
File created	C:\Windows\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
File created	C:\Windows\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
Token: SeIncBasePriorityPrivilege	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
Token: SeIncBasePriorityPrivilege	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
Token: SeIncBasePriorityPrivilege	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
Token: SeIncBasePriorityPrivilege	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
Token: SeIncBasePriorityPrivilege	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
Token: SeIncBasePriorityPrivilege	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
Token: SeIncBasePriorityPrivilege	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
Token: SeIncBasePriorityPrivilege	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
Token: SeIncBasePriorityPrivilege	1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
Token: SeIncBasePriorityPrivilege	3408	{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1584	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	105
PID 5072 wrote to memory of 1584	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	105
PID 5072 wrote to memory of 1584	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	105
PID 5072 wrote to memory of 2400	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	106
PID 5072 wrote to memory of 2400	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	106
PID 5072 wrote to memory of 2400	5072	2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe	106
PID 1584 wrote to memory of 1300	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	109
PID 1584 wrote to memory of 1300	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	109
PID 1584 wrote to memory of 1300	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	109
PID 1584 wrote to memory of 1640	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	110
PID 1584 wrote to memory of 1640	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	110
PID 1584 wrote to memory of 1640	1584	{3B843404-0C58-4a78-AFC7-5267E3401379}.exe	110
PID 1300 wrote to memory of 1588	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	113
PID 1300 wrote to memory of 1588	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	113
PID 1300 wrote to memory of 1588	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	113
PID 1300 wrote to memory of 3148	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	114
PID 1300 wrote to memory of 3148	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	114
PID 1300 wrote to memory of 3148	1300	{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe	114
PID 1588 wrote to memory of 2832	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	116
PID 1588 wrote to memory of 2832	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	116
PID 1588 wrote to memory of 2832	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	116
PID 1588 wrote to memory of 3812	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	117
PID 1588 wrote to memory of 3812	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	117
PID 1588 wrote to memory of 3812	1588	{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe	117
PID 2832 wrote to memory of 1676	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	118
PID 2832 wrote to memory of 1676	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	118
PID 2832 wrote to memory of 1676	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	118
PID 2832 wrote to memory of 4716	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	119
PID 2832 wrote to memory of 4716	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	119
PID 2832 wrote to memory of 4716	2832	{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe	119
PID 1676 wrote to memory of 2092	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	121
PID 1676 wrote to memory of 2092	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	121
PID 1676 wrote to memory of 2092	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	121
PID 1676 wrote to memory of 3856	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	122
PID 1676 wrote to memory of 3856	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	122
PID 1676 wrote to memory of 3856	1676	{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe	122
PID 2092 wrote to memory of 1436	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	123
PID 2092 wrote to memory of 1436	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	123
PID 2092 wrote to memory of 1436	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	123
PID 2092 wrote to memory of 1184	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	124
PID 2092 wrote to memory of 1184	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	124
PID 2092 wrote to memory of 1184	2092	{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe	124
PID 1436 wrote to memory of 1440	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	125
PID 1436 wrote to memory of 1440	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	125
PID 1436 wrote to memory of 1440	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	125
PID 1436 wrote to memory of 2032	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	126
PID 1436 wrote to memory of 2032	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	126
PID 1436 wrote to memory of 2032	1436	{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe	126
PID 1440 wrote to memory of 4556	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	130
PID 1440 wrote to memory of 4556	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	130
PID 1440 wrote to memory of 4556	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	130
PID 1440 wrote to memory of 1960	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	131
PID 1440 wrote to memory of 1960	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	131
PID 1440 wrote to memory of 1960	1440	{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe	131
PID 4556 wrote to memory of 1412	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	135
PID 4556 wrote to memory of 1412	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	135
PID 4556 wrote to memory of 1412	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	135
PID 4556 wrote to memory of 3488	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	136
PID 4556 wrote to memory of 3488	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	136
PID 4556 wrote to memory of 3488	4556	{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe	136
PID 1412 wrote to memory of 3408	1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe	137
PID 1412 wrote to memory of 3408	1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe	137
PID 1412 wrote to memory of 3408	1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe	137
PID 1412 wrote to memory of 3928	1412	{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_b5184c7ba399d0405ade877be567720b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
  C:\Windows\{3B843404-0C58-4a78-AFC7-5267E3401379}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
    C:\Windows\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
      C:\Windows\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
        
        C:\Windows\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
        
        C:\Windows\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
        
        C:\Windows\{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
        
        C:\Windows\{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
        
        C:\Windows\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
        
        C:\Windows\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
        
        C:\Windows\{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe
        
        C:\Windows\{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
        
        C:\Windows\{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe
        
        C:\Windows\{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe
        13⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E7BF~1.EXE > nul
        13⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F82A1~1.EXE > nul
        12⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{620D7~1.EXE > nul
        11⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA65~1.EXE > nul
        10⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4369C~1.EXE > nul
        9⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8531E~1.EXE > nul
        8⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9C7E~1.EXE > nul
        7⤵
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1BAF~1.EXE > nul
        6⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF17B~1.EXE > nul
        5⤵
        
        PID:3812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAACA~1.EXE > nul
      4⤵
      PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B843~1.EXE > nul
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3B843404-0C58-4a78-AFC7-5267E3401379}.exe

Filesize
168KB

MD5
12470cc8fe54fe74bcaa2f3db03d877a

SHA1
be146158ed7dc1561ff63f0541da642571733a30

SHA256
ce5fbaebdbef88f6dd45efe190e00e3aedb4707a0c8e1b5151647b70cc6ed195

SHA512
e49dc7902dbef3d21c27954b5a2db1b1cf0254cb95b1930a6ca4d5f7a55f13eda7311fb398df1c2ad8746e57a79f58123f0bb1744d9954e6b660494fb5ac2912

Download Submit
C:\Windows\{4369C08C-DA2F-4abb-9177-37577CEE2C58}.exe

Filesize
168KB

MD5
70ab0365f4877b708bcec4593c6b370f

SHA1
a6881d3f803a68ad52abe01e656290fd15ed6b31

SHA256
af2bec12dd088dd4a097588c4bfb8da36d2ef573c00df264a5a5a7a04189fc11

SHA512
4beab4f9a6285ce24ad4922aa614fe1b620de0696fcfaf75ac0083a6a1cfe015a5ffd8154b82ceb9f2928ce2b3c399e7d169d659ef580439a8f344f2508f701a

Download Submit
C:\Windows\{4EA65E58-2F81-4c78-99BF-4A9766F3CEE0}.exe

Filesize
168KB

MD5
1f7740d1f613b1d75409cec1ed59917e

SHA1
706d41c24df6b21b51761ca647d45bd634a41498

SHA256
a441cb2baff003419000e804ab189eeada4519f6e2f4d7cf748c4f64c4666f45

SHA512
d868d597fcb003ea8fd758bad73ee2d9a964f8a568968065994c9b2c43626552edad1c6f200ac580cbcda0432c28e06c736ec32145652d3cd201ba206992f2fd

Download Submit
C:\Windows\{620D7C50-1F11-4d28-AC32-E5FE95FB9B2C}.exe

Filesize
168KB

MD5
11c816f9559adc2eabf1d3843172e0a0

SHA1
178b9284c1d14646b168618f531ccbebafcf59a4

SHA256
dac6881a0fee9d17ebb566ecf82517d56076b9355438add88ecd591adf31de32

SHA512
8bba1e6bf2243108c560e22c6716abefc35f6029c12cd3ec14e6bb2697891450363009a46c67afa2cca1f5a24ccfdf853992e6cc7121343525d0ab631f337e84

Download Submit
C:\Windows\{8531E30A-80F6-4843-B2B1-B254189EBF56}.exe

Filesize
168KB

MD5
ad30a9309c0534e4b87a4c1d7777f2cd

SHA1
736ea25ff8b843b51662ee9b6371552f1bfbe397

SHA256
9917d9f4dfc57fe61fa3e75aa166c264aeabfe0b24007d86dd5f32aa7babd55c

SHA512
02fb9d35128bfdecedabd84ebc55f4f1a9fbc3995aae48aa5c5e0266db91399a685812659d274e46976ca040b0db06783ff0ba28893bb926abfeef55f4247e63

Download Submit
C:\Windows\{9D1E5EB3-3789-40a3-A205-9055899B13AD}.exe

Filesize
168KB

MD5
300800825c7fbaaa24b2aca0e56ddd86

SHA1
253562d189dbb67b255c34cc99cbc399c54e2dd2

SHA256
c54cfcb8db31f9a1cf14408d80fd156c957d84998b04097cc07637182edf701d

SHA512
70dc84f3889dfcea486af3ced827ce0b5cd79693861bbc9e2a95ce46646aeed4daa0e68c62d4d0ba208abaaaba6bbcc85e157ff446b6ed715d5a17376ef57fe3

Download Submit
C:\Windows\{9E7BFADB-B775-4152-85BF-3789AB7018FC}.exe

Filesize
168KB

MD5
1e8f649ee9b0abbc55ed1cee7be3a47d

SHA1
0483e7b597814671ec5eee7ba68ba71b58df1a0c

SHA256
7b9a92db5b9e15418d05f288df41fb6b6b6af9b57b2d749d73b207ab94f9ca1e

SHA512
0818d0781254e1534e36cfc251c23bbd56c83e62c223c5df9ba01a71d69461f26ea0393488f07fe3a74e1e56ce1378ec64e93fd590a69e0141c26d25c3121e5b

Download Submit
C:\Windows\{A9C7EA9E-D693-4c88-BFF7-6D31922E1F3C}.exe

Filesize
168KB

MD5
1b7caccac913e1115688b5c06aa39a46

SHA1
2759c5b31c31c8abf429743b79c8e6220b836ef5

SHA256
23d4bf0a02d4c700c7d36d75e595fea1d57979b195eda56950694dfcde63712d

SHA512
5a1466af38a6f0317fe1c425144cbec79482df9c79d8f921dc93eaf2766e5c9b22416a40d34f945e91b37f1815a6c17635130cc9628855a1ac8658e3bf46a412

Download Submit
C:\Windows\{B1BAFF7B-DA31-4eb1-832A-2DA002833B34}.exe

Filesize
168KB

MD5
0fba5cdab24e041de48883e6ca32ef84

SHA1
8bf469dbf825627abbec1dcd90f0876ec05640ed

SHA256
a38f2ced270a301b68f18cab3197857c3c73c9cc090c2dfe5f44a4b6a0236bb5

SHA512
3215e08ea34ebcb274a12c51fe60428157c14667db56bb825520caecd41136131c1d27e6df36adb1eff7fe4a68fface38ca557ad502a2c01004a33356f01b65a

Download Submit
C:\Windows\{DF17BF97-2D1F-4d6c-888E-A1E173CD5C96}.exe

Filesize
168KB

MD5
3f03f395da481f589d78fe0967348cfb

SHA1
b1973f2950257eee2722fce3a6247882233efb0f

SHA256
9f6c7b06a6e24a5d7563f303c0e53e19b7665af47825b1b738acbb93440d86e4

SHA512
ff01d2d9895ed971c921e957b0a770e2721fe53b2bb407dad597804d6ee8eb69226f2fb280bce64f9f1c8564ed83a22426c8ab73e09bc045808d40d60aa745f2

Download Submit
C:\Windows\{EAACAC53-9A15-4bfe-AFD8-AB674216ECAF}.exe

Filesize
168KB

MD5
4b302d0471435844c6cbb9387761dd27

SHA1
88e59803dce36ba25e4058bca19d4f8da8cf6dae

SHA256
010b45a082854f73ab0b782df35e47d6d546695f1d0957098b399b48b0fb1965

SHA512
6ab8c2f3912bfa2b5b19710fed55e8fb2e1cb2407fbc2ccf12e40a805ae1ade40d4bba7a6c695df5a288111774cac73598f6cc13cb1a2abc80646113abbdfab4

Download Submit
C:\Windows\{F82A14D1-7A13-4a6d-A994-BF237CF97811}.exe

Filesize
168KB

MD5
690fe318a00dbbcb01b180af50649a61

SHA1
42bc615a6efadf0c8fe607d92d72fe979f6829cc

SHA256
8eec75a58773fcdf2f6630d436d0a5c64304e7bc3db9d956e7639417d682960e

SHA512
2d50fb44e5e5876ebf4da9eaf59f3713ce10d2191c14f653f84e65f13bef722f99d5190f7eab07123089b418362be47e3318830d4c86b2ed4aa9b9bc611d77ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads