fd3cc6fd6545d27bea6c3a6b5b903ffd25fb5240667ec0f338aa5036aba4d0b1

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
Size

180KB
MD5

4282167648e14cea70a49448c37abe18
SHA1

dcc8193f63726750c70fb7ab158f432277a66ed7
SHA256

fd3cc6fd6545d27bea6c3a6b5b903ffd25fb5240667ec0f338aa5036aba4d0b1
SHA512

cbf38932bd61d065632eecf6e97ec97d738c29eb08738ca58fb8fca7240eefe1fd6ee412df9073b4e7075709a40d525048a8fd2a2947ed5e142336d12e906643
SSDEEP

3072:jEGh0oplfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002334b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002334c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023107-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023361-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023107-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023361-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023107-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023361-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023381-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023361-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023351-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002336f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}\stubpath = "C:\\Windows\\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe"	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}\stubpath = "C:\\Windows\\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe"	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}\stubpath = "C:\\Windows\\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe"	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}\stubpath = "C:\\Windows\\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe"	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}\stubpath = "C:\\Windows\\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe"	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}\stubpath = "C:\\Windows\\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe"	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}\stubpath = "C:\\Windows\\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe"	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}\stubpath = "C:\\Windows\\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe"	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}\stubpath = "C:\\Windows\\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe"	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB62D8-9110-4373-91BA-2C488C798664}	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBB62D8-9110-4373-91BA-2C488C798664}\stubpath = "C:\\Windows\\{9EBB62D8-9110-4373-91BA-2C488C798664}.exe"	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}\stubpath = "C:\\Windows\\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe"	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B538F42A-28EE-4f37-BB9B-72F18CC06417}	{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B538F42A-28EE-4f37-BB9B-72F18CC06417}\stubpath = "C:\\Windows\\{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe"	{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe

Executes dropped EXE 12 IoCs

pid	Process
3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
636	{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe
3620	{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
File created	C:\Windows\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
File created	C:\Windows\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
File created	C:\Windows\{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe	{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe
File created	C:\Windows\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
File created	C:\Windows\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
File created	C:\Windows\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
File created	C:\Windows\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
File created	C:\Windows\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
File created	C:\Windows\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
File created	C:\Windows\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
File created	C:\Windows\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
Token: SeIncBasePriorityPrivilege	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
Token: SeIncBasePriorityPrivilege	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
Token: SeIncBasePriorityPrivilege	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
Token: SeIncBasePriorityPrivilege	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
Token: SeIncBasePriorityPrivilege	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
Token: SeIncBasePriorityPrivilege	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
Token: SeIncBasePriorityPrivilege	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
Token: SeIncBasePriorityPrivilege	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
Token: SeIncBasePriorityPrivilege	4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
Token: SeIncBasePriorityPrivilege	636	{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3992	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	101
PID 1964 wrote to memory of 3992	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	101
PID 1964 wrote to memory of 3992	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	101
PID 1964 wrote to memory of 2280	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	102
PID 1964 wrote to memory of 2280	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	102
PID 1964 wrote to memory of 2280	1964	2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe	102
PID 3992 wrote to memory of 3440	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	108
PID 3992 wrote to memory of 3440	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	108
PID 3992 wrote to memory of 3440	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	108
PID 3992 wrote to memory of 4088	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	109
PID 3992 wrote to memory of 4088	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	109
PID 3992 wrote to memory of 4088	3992	{9EBB62D8-9110-4373-91BA-2C488C798664}.exe	109
PID 3440 wrote to memory of 800	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	114
PID 3440 wrote to memory of 800	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	114
PID 3440 wrote to memory of 800	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	114
PID 3440 wrote to memory of 1048	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	115
PID 3440 wrote to memory of 1048	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	115
PID 3440 wrote to memory of 1048	3440	{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe	115
PID 800 wrote to memory of 3992	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	117
PID 800 wrote to memory of 3992	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	117
PID 800 wrote to memory of 3992	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	117
PID 800 wrote to memory of 1336	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	118
PID 800 wrote to memory of 1336	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	118
PID 800 wrote to memory of 1336	800	{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe	118
PID 3992 wrote to memory of 2268	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	119
PID 3992 wrote to memory of 2268	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	119
PID 3992 wrote to memory of 2268	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	119
PID 3992 wrote to memory of 3428	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	120
PID 3992 wrote to memory of 3428	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	120
PID 3992 wrote to memory of 3428	3992	{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe	120
PID 2268 wrote to memory of 2840	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	122
PID 2268 wrote to memory of 2840	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	122
PID 2268 wrote to memory of 2840	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	122
PID 2268 wrote to memory of 5104	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	123
PID 2268 wrote to memory of 5104	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	123
PID 2268 wrote to memory of 5104	2268	{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe	123
PID 2840 wrote to memory of 2884	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	124
PID 2840 wrote to memory of 2884	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	124
PID 2840 wrote to memory of 2884	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	124
PID 2840 wrote to memory of 4368	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	125
PID 2840 wrote to memory of 4368	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	125
PID 2840 wrote to memory of 4368	2840	{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe	125
PID 2884 wrote to memory of 1908	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	126
PID 2884 wrote to memory of 1908	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	126
PID 2884 wrote to memory of 1908	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	126
PID 2884 wrote to memory of 3988	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	127
PID 2884 wrote to memory of 3988	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	127
PID 2884 wrote to memory of 3988	2884	{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe	127
PID 1908 wrote to memory of 2268	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	131
PID 1908 wrote to memory of 2268	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	131
PID 1908 wrote to memory of 2268	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	131
PID 1908 wrote to memory of 2812	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	132
PID 1908 wrote to memory of 2812	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	132
PID 1908 wrote to memory of 2812	1908	{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe	132
PID 2268 wrote to memory of 4284	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	133
PID 2268 wrote to memory of 4284	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	133
PID 2268 wrote to memory of 4284	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	133
PID 2268 wrote to memory of 3808	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	134
PID 2268 wrote to memory of 3808	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	134
PID 2268 wrote to memory of 3808	2268	{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe	134
PID 4284 wrote to memory of 636	4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe	135
PID 4284 wrote to memory of 636	4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe	135
PID 4284 wrote to memory of 636	4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe	135
PID 4284 wrote to memory of 64	4284	{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-18_4282167648e14cea70a49448c37abe18_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
  C:\Windows\{9EBB62D8-9110-4373-91BA-2C488C798664}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
    C:\Windows\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
      C:\Windows\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Windows\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
        
        C:\Windows\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
        
        C:\Windows\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
        
        C:\Windows\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
        
        C:\Windows\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
        
        C:\Windows\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
        
        C:\Windows\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
        
        C:\Windows\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe
        
        C:\Windows\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe
        
        C:\Windows\{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe
        13⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E93B~1.EXE > nul
        13⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1E10~1.EXE > nul
        12⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4183~1.EXE > nul
        11⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE8B~1.EXE > nul
        10⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61911~1.EXE > nul
        9⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7143C~1.EXE > nul
        8⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8F9~1.EXE > nul
        7⤵
        
        PID:5104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32948~1.EXE > nul
        6⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22702~1.EXE > nul
        5⤵
        
        PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9963C~1.EXE > nul
      4⤵
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBB6~1.EXE > nul
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22702BAB-A5A8-425b-BFC0-DEF1239544AD}.exe

Filesize
180KB

MD5
2872987d42b0e4118a44d76df47adcd8

SHA1
bad94b436833611832ebd7e59e90e879365898e8

SHA256
8797e667c82675c8807c1177d1af86d42b0282dc42df36bded07fd9afaae6db8

SHA512
5a7e1d9517ed51a6fd9e604e0b125608d9d1f59f1c1dbd7ed262c063bfc34072f2ae6fb47a980aab9e73c414634ef9439a3726069bd0a5c078ba3c844d544154

Download Submit
C:\Windows\{32948DD7-6312-4948-8BAB-1FF90FBFD4A1}.exe

Filesize
180KB

MD5
38b11b8eec9a1ad21cf346ad42de9c45

SHA1
8f142aa3f45657fc5cd28f30ab5fe50dd87e1ff6

SHA256
0b75b8fab1369d062297b7583563eebf79948a62d0f5fadbb05fe0f2520be907

SHA512
2ecb74a65289d554d6f1135e41c3ae21db0b84b424b146b81b3c58e8af1472b49b8a8552aa8d99ae73e71326d9d0d62e6aa992723a6b2e46b3b2c8b1df47478a

Download Submit
C:\Windows\{6191169D-742C-4abf-A5BE-CA991FDFFBD3}.exe

Filesize
180KB

MD5
4cae37b08b521f6487e24efe466ed370

SHA1
1f0cb7ea7346fa92b5829a796ecac22f4964e751

SHA256
839586c69639dceb569412a893e3de7161acc6028088a8099c61348c5cf069e2

SHA512
fa48049d9f353b4934b80e2f9d055f3b2bc6ab2c08dd603a58407f885963d4c2523c1ae7468182a79dd5ecfe86ba77454ebd195109212b855344ebb171ae6f66

Download Submit
C:\Windows\{6E93B8C6-7F32-4d56-A24D-0B3143717E69}.exe

Filesize
180KB

MD5
e546ea6cb1d6de84fd330a3da0f9510e

SHA1
a866810a36691ec61900b0b4f6fdf903c1bd4d52

SHA256
cc633c10fbe9f292e576946b10c71ee58aa53f93f4ba0f6bbb896c86d35b1ad1

SHA512
9e05bf24239dee2821f1d0b018215716d70fdcc7129c3ac8c08f71adfbb9469850e85fdf56f45ff3e639fec2bec390cc5101dcace46a18eaf29b038a7d82b5f7

Download Submit
C:\Windows\{7143C3AA-C45C-4e9b-8E35-EA8B28281A82}.exe

Filesize
180KB

MD5
37468519aeb082b5b97fdc6b1cb7e155

SHA1
86af866fdfb3ecdbee2333f649e8b57c7fb68a51

SHA256
caedef9a1e3a7464f913153763ea31a1d441b3cff18b81ef5af99d509ef03e48

SHA512
989fb1a85a6c22447b44b0bd84c4c93ffa656625614536449d7d60d5e6c39e4fc60eb71a24f8b99149540cd07142da08694a7d97e7827bc11cac18d922341101

Download Submit
C:\Windows\{9963CFDA-BDF8-497f-9E91-D0AAFF3C2228}.exe

Filesize
180KB

MD5
a3ea10e34364809a43aeec6edcd5ec07

SHA1
1aab99ef074426cf152a24e83316d4ea0e3f31ad

SHA256
82dec79b8e12c0b4091d2c8e080147fb205826fd6fe5d842ddd8d7804f9eea53

SHA512
2bfc93d97e921e537216a3012dc9449dbafce991440bee34e44107783e9d0317ad7d999b50d6fdd7bdc1e9cc0da88b2c3a829687d95eefd23fbed584d705d426

Download Submit
C:\Windows\{9EBB62D8-9110-4373-91BA-2C488C798664}.exe

Filesize
180KB

MD5
0f7affa9745c778b481c6d01c28c49ab

SHA1
28f6d9bb30a378e2ef148ffcec15859f17b13124

SHA256
b781889da7faf70eabdccdd43c45077fa1e2a0ae23b9dac122dc0473a9369723

SHA512
77ca9a6c4c31d38ba4639e3a08fd16090c633aeb41cac8ee17baa7f897ee41215258e3daf2ddeebbe2c3eef42bf444ca3fedba0c46ae4279bc8a75fe10f35372

Download Submit
C:\Windows\{AE8F99BC-4A0E-41d8-918B-7F1E044E1603}.exe

Filesize
180KB

MD5
0dfadbacec29a4b45ec07c27d34d768a

SHA1
fe5ec80ee8e423a1ab1588499ea226933ddafaeb

SHA256
4db052d5d9467270fd3242966ca0feb063eaf5f1a2b21731a503a00e2815bd49

SHA512
57320ebcbb928c71849623970e18df8a1aa8485d55289bcc802df6fee17258bb008f74a8c47ba60127388696a6ef5b8cb6eb6aaaf9e0a846927da24655aa240a

Download Submit
C:\Windows\{B538F42A-28EE-4f37-BB9B-72F18CC06417}.exe

Filesize
180KB

MD5
1e2ffc26c1e871d2ed4d1b85b6da44b6

SHA1
b585c9619682f3035cf0396d19e628d0fc6ed956

SHA256
7994b46b83d30bb6ac1ca1deca194b14054211cecf4491385b2f9149a8981460

SHA512
ce08498cc708f7243b1f1fb8a6080b655559ea528bdaf2f675b8fb6f11d6a27b8b8e79b43661f8aee3451d60f4b2e9b082c0bf3706a3d01d23fe3b9dfae5690a

Download Submit
C:\Windows\{BFE8B9BC-9089-42c3-AA85-DD388268C6DB}.exe

Filesize
180KB

MD5
6a50a8d0fbb426ef0cd0daf4b15cfd04

SHA1
52d2213c8b9370bc3a28e0275ec5515475a5dd0e

SHA256
a2353f147cbc35dbbd7a37cc3de76e246841e9018fbde9fc8fd896abab3883be

SHA512
f6001c393d8ce7ceff960f0649c7717479db24c7ea437c597955fdb38aa269f1f0fa88df1a073e78457a7a53da653fb2d463552662e3c6d241994f3e29cf669a

Download Submit
C:\Windows\{D4183302-F3F4-4b21-9A0E-7ABF733D9F2E}.exe

Filesize
180KB

MD5
e40df9396ec1e939733203a4115f859f

SHA1
a9852d08e203986579c09fea1389e54a6f2655aa

SHA256
ca824e8c0e4709ecbdf4707ff451efd8b3aa2cbd0b994d7d64677a6203f8a9c5

SHA512
f0b8b0cde0afac323ea0f4c3507d01a7846844fca6bba4dd691687997187d5ebd35126e78a411da144f49889384c1e741eb0f1c74f887c8bbd9f027472af2eac

Download Submit
C:\Windows\{E1E1076E-6055-44b8-87F0-CF1E26A8D985}.exe

Filesize
180KB

MD5
6fa2bbb1ce02daaa53403b4e20c9e9e2

SHA1
a299baebf2f04da5a693f3537e5b3ae072d36fa3

SHA256
d4464964430205f1bef11e84283fb4ce9577840829325d0bfe9f1d7b0ed26ae7

SHA512
b0ec93ad72c1efa1bc2b5dc3b40eb8d02dbf6a09c297d459f71131b28f6e85eb7ffb4ab81c6d1918db67e6abed292d4c1311691b86916a08d27d0935e720226f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads