97536e9a7b9be3d59549addc3fc20d2b288cc9ad83f303667b21e82c71927890

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 06:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
Size

197KB
MD5

6f81cf87d4ad5d4ee85a28df38a1a26c
SHA1

4aca64d71a6f6fa30ca4f97de7e712620fca79c3
SHA256

97536e9a7b9be3d59549addc3fc20d2b288cc9ad83f303667b21e82c71927890
SHA512

b5a9a58e6328c1b19ddd5e0cf646a975f405131e45802ae316a25e7a634f9b21412c3eabc3555888b6d55cdfe6dca40e5b7dac6080b38c0691b10c1bada4424d
SSDEEP

3072:jEGh0oYl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG2lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022ea3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002326d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023274-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002326d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023274-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001400000002326d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023274-28.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000741-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}\stubpath = "C:\\Windows\\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe"	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}\stubpath = "C:\\Windows\\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe"	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}\stubpath = "C:\\Windows\\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe"	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4EC2803-48C0-4388-B338-B0B04D211832}\stubpath = "C:\\Windows\\{E4EC2803-48C0-4388-B338-B0B04D211832}.exe"	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1428505-34B9-463e-875C-30B07AAC7BDF}\stubpath = "C:\\Windows\\{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe"	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6709529F-46B6-489a-8E97-260283A90C32}\stubpath = "C:\\Windows\\{6709529F-46B6-489a-8E97-260283A90C32}.exe"	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}\stubpath = "C:\\Windows\\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe"	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}\stubpath = "C:\\Windows\\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe"	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1428505-34B9-463e-875C-30B07AAC7BDF}	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}\stubpath = "C:\\Windows\\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe"	{6709529F-46B6-489a-8E97-260283A90C32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}	{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{352F5267-E4CD-4a7a-A226-E1D2248D7762}	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{352F5267-E4CD-4a7a-A226-E1D2248D7762}\stubpath = "C:\\Windows\\{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe"	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4EC2803-48C0-4388-B338-B0B04D211832}	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6709529F-46B6-489a-8E97-260283A90C32}	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}\stubpath = "C:\\Windows\\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe"	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}	{6709529F-46B6-489a-8E97-260283A90C32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}\stubpath = "C:\\Windows\\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe"	{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe

Executes dropped EXE 12 IoCs

pid	Process
3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe
4772	{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe
1460	{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
File created	C:\Windows\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
File created	C:\Windows\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
File created	C:\Windows\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
File created	C:\Windows\{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
File created	C:\Windows\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
File created	C:\Windows\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe	{6709529F-46B6-489a-8E97-260283A90C32}.exe
File created	C:\Windows\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe	{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe
File created	C:\Windows\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
File created	C:\Windows\{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
File created	C:\Windows\{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
File created	C:\Windows\{6709529F-46B6-489a-8E97-260283A90C32}.exe	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
Token: SeIncBasePriorityPrivilege	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
Token: SeIncBasePriorityPrivilege	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
Token: SeIncBasePriorityPrivilege	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
Token: SeIncBasePriorityPrivilege	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
Token: SeIncBasePriorityPrivilege	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
Token: SeIncBasePriorityPrivilege	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
Token: SeIncBasePriorityPrivilege	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
Token: SeIncBasePriorityPrivilege	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
Token: SeIncBasePriorityPrivilege	2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe
Token: SeIncBasePriorityPrivilege	4772	{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3548	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	100
PID 1652 wrote to memory of 3548	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	100
PID 1652 wrote to memory of 3548	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	100
PID 1652 wrote to memory of 1952	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	101
PID 1652 wrote to memory of 1952	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	101
PID 1652 wrote to memory of 1952	1652	2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe	101
PID 3548 wrote to memory of 2296	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	104
PID 3548 wrote to memory of 2296	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	104
PID 3548 wrote to memory of 2296	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	104
PID 3548 wrote to memory of 4372	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	105
PID 3548 wrote to memory of 4372	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	105
PID 3548 wrote to memory of 4372	3548	{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe	105
PID 2296 wrote to memory of 1444	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	107
PID 2296 wrote to memory of 1444	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	107
PID 2296 wrote to memory of 1444	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	107
PID 2296 wrote to memory of 1736	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	108
PID 2296 wrote to memory of 1736	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	108
PID 2296 wrote to memory of 1736	2296	{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe	108
PID 1444 wrote to memory of 1460	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	110
PID 1444 wrote to memory of 1460	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	110
PID 1444 wrote to memory of 1460	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	110
PID 1444 wrote to memory of 1752	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	111
PID 1444 wrote to memory of 1752	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	111
PID 1444 wrote to memory of 1752	1444	{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe	111
PID 1460 wrote to memory of 872	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	112
PID 1460 wrote to memory of 872	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	112
PID 1460 wrote to memory of 872	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	112
PID 1460 wrote to memory of 1236	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	113
PID 1460 wrote to memory of 1236	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	113
PID 1460 wrote to memory of 1236	1460	{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe	113
PID 872 wrote to memory of 3684	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	114
PID 872 wrote to memory of 3684	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	114
PID 872 wrote to memory of 3684	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	114
PID 872 wrote to memory of 3272	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	115
PID 872 wrote to memory of 3272	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	115
PID 872 wrote to memory of 3272	872	{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe	115
PID 3684 wrote to memory of 2176	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	116
PID 3684 wrote to memory of 2176	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	116
PID 3684 wrote to memory of 2176	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	116
PID 3684 wrote to memory of 1792	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	117
PID 3684 wrote to memory of 1792	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	117
PID 3684 wrote to memory of 1792	3684	{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe	117
PID 2176 wrote to memory of 3944	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	118
PID 2176 wrote to memory of 3944	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	118
PID 2176 wrote to memory of 3944	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	118
PID 2176 wrote to memory of 3568	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	119
PID 2176 wrote to memory of 3568	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	119
PID 2176 wrote to memory of 3568	2176	{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe	119
PID 3944 wrote to memory of 2136	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	120
PID 3944 wrote to memory of 2136	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	120
PID 3944 wrote to memory of 2136	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	120
PID 3944 wrote to memory of 4812	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	121
PID 3944 wrote to memory of 4812	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	121
PID 3944 wrote to memory of 4812	3944	{E4EC2803-48C0-4388-B338-B0B04D211832}.exe	121
PID 2136 wrote to memory of 2296	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	122
PID 2136 wrote to memory of 2296	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	122
PID 2136 wrote to memory of 2296	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	122
PID 2136 wrote to memory of 3304	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	123
PID 2136 wrote to memory of 3304	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	123
PID 2136 wrote to memory of 3304	2136	{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe	123
PID 2296 wrote to memory of 4772	2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe	124
PID 2296 wrote to memory of 4772	2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe	124
PID 2296 wrote to memory of 4772	2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe	124
PID 2296 wrote to memory of 3068	2296	{6709529F-46B6-489a-8E97-260283A90C32}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_6f81cf87d4ad5d4ee85a28df38a1a26c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
  C:\Windows\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
    C:\Windows\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
      C:\Windows\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
        
        C:\Windows\{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
        
        C:\Windows\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
        
        C:\Windows\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
        
        C:\Windows\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
        
        C:\Windows\{E4EC2803-48C0-4388-B338-B0B04D211832}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
        
        C:\Windows\{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{6709529F-46B6-489a-8E97-260283A90C32}.exe
        
        C:\Windows\{6709529F-46B6-489a-8E97-260283A90C32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe
        
        C:\Windows\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe
        
        C:\Windows\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe
        13⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C9A~1.EXE > nul
        13⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67095~1.EXE > nul
        12⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1428~1.EXE > nul
        11⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4EC2~1.EXE > nul
        10⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4A0~1.EXE > nul
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D597~1.EXE > nul
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCAE6~1.EXE > nul
        7⤵
        
        PID:3272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{352F5~1.EXE > nul
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F007F~1.EXE > nul
        5⤵
        
        PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5C137~1.EXE > nul
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5CDEF~1.EXE > nul
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{352F5267-E4CD-4a7a-A226-E1D2248D7762}.exe

Filesize
197KB

MD5
be08acc481bcdf0fbede35c95a42bffc

SHA1
e70efa47991b37ce50bdf77ab10ab4e8bc67fc4b

SHA256
8772d23dfdcb28e40d6c5d7bbc3f952220f99cd897138588e0e5714c67e9736e

SHA512
8e41249b16d072cdc0dda44cce4ffd6dd4c2fddabfc0fb834ac634b38e308b2cd59a9855c23da943c235eaf6d5b1ee9ebf087b9c945648d9fa583546a8ae195b

Download Submit
C:\Windows\{5C137CC2-142F-433d-B1A9-07F28B2D7C9F}.exe

Filesize
197KB

MD5
7d1266d40feee4d9b9c6b2fb298ca5af

SHA1
6706d4a60c869de8c9394504ad281c6ccee21a0a

SHA256
dc1d640f410e32849d3bb5842b5059ae73a4fb68836bb053d26f21f8bc6c2fbf

SHA512
3697e9b3df52e571ceec8c341999be11ab4e711cadbb519cc98bd9d9e02fcce27a72400a71ca2a3e047d75532f922c9ee9bf67d567a0c4e2d9414e5e6cfe5a0d

Download Submit
C:\Windows\{5CDEF2F3-0BAB-48b4-9A11-371F7C508EAB}.exe

Filesize
197KB

MD5
6a49c96ee86247dd22c81f4a9772a42f

SHA1
5e5eb1f7a158e46444537c0eae018dd0464a098c

SHA256
385771bc60fdef8e33357cb762a2453b735cee31cabd3281501fc752a0fe95ae

SHA512
3321bd04ba9700c8b1e58b26e4ac0f715556b50ed4cb7a0cff013f97b7b0a1dccabf25c51a8c4836f18cada0fc2725e45111ef424f9489ec1890c01cc65251b8

Download Submit
C:\Windows\{5D597586-8D75-4450-AD1C-EC2338F2E1AE}.exe

Filesize
197KB

MD5
6cd1100f42951bb052a3ab80526e8753

SHA1
ebd0c357b318485da68f11558bb2f42815fb1c7d

SHA256
7b8c2dbfb345184674e3d1f142ed4c2d790b1e22b609c54b6f2cf51e919cb254

SHA512
37576ea967445bc7486c46cbd8ee0650998f9644728f8c16d9d458013377f7e9f299f493baedd98daab653979e0da8462e13843d5c0b4d27fc595f459f161a56

Download Submit
C:\Windows\{6709529F-46B6-489a-8E97-260283A90C32}.exe

Filesize
197KB

MD5
a2804109a78b8147e7acb24ba5f52e9a

SHA1
c9a3ee781c2b88e4e6eccda70d3818439683e6a5

SHA256
0d072847a40f08b50573aebcb6001ade67b2885268634cd808fd281c0836ca1c

SHA512
eb4a8da23ab58e2d4d5d256c95cd322750aa251ad186a8425222cfcd0b7d1504da69c0be5f5d4ea2922bc2798e2fa59eca3b07869871d3eccd49e0044d03571e

Download Submit
C:\Windows\{88BFEF32-5B3C-42e4-B74F-EDB1D6F7A734}.exe

Filesize
197KB

MD5
f2d17155d56ed51d909eac981109be50

SHA1
cc46fb35f16d178efd7764279f8372835077f1ce

SHA256
efd9daabcd11b7254ba50a298ea750225b976a4521d3dd6a5794ef6cae368c49

SHA512
0bce30ef823d7484602abceea30bb5bca7858c15d4fe9393ef62bf55024a248c79f08b3e17913fcd2ed6b3e0c9cfec053156b3163b9e7115223e7a4799fb0a60

Download Submit
C:\Windows\{AA4A0A75-5F9B-4d26-B18D-558C111B10DA}.exe

Filesize
197KB

MD5
83e8e3dfd01b45b12ce53b4a753559c5

SHA1
c19c28d781b082693525ffd77b7f292b80a2e37b

SHA256
cb33c26dfe378a8d3b6672f6edafb9830dae58a5ba088b095aa33a50b7afe738

SHA512
be7c9d16b32a929213e18b0c6973dba27d357777ad8e0ed9b5eb03014cff0c3e31d9f27016e8c46b7e04f94602f862e5893fe14bf8bfb37cbb8241355a0beae5

Download Submit
C:\Windows\{CCAE64AA-2190-442c-9C73-3F82C15D16F5}.exe

Filesize
197KB

MD5
909d1a32fc62527cf4c5d319bf4de5dc

SHA1
d2f993e1089c4ca5e7df128727dba25b3fb25573

SHA256
070678a3434e8826d89e440d883f020690a750f9cc5559343c64c30dcde4b06c

SHA512
d398d4ae0e27e5b6a8a13a23530a53d37f5c182a16ebd47e4b436da35d5978549f7682b61661cac7cf1d5524c679ea33ba976d7c6fd9268ffe0df5cb4b59cddb

Download Submit
C:\Windows\{D1428505-34B9-463e-875C-30B07AAC7BDF}.exe

Filesize
197KB

MD5
00ded4ba0adc20554c15691d405a783b

SHA1
2089a31463ab1bd10ce85e6bf6945a651992502d

SHA256
52ab5c219de15981f76fa907e9a60c8b072cdf6390920e13671fac73350ebfbe

SHA512
e94bfef900f83c727e0d0b2cff14ec1495a79bf35c11ad93fde6e4d5213308ad0cee30bf21944d584afb69a3c9561b5bba2667a50faf817bd9319df4804320c6

Download Submit
C:\Windows\{E4EC2803-48C0-4388-B338-B0B04D211832}.exe

Filesize
197KB

MD5
4310d287669d0b0ced3acf5083a6ff64

SHA1
9547282c6ae5e59a97ce6d592758b2edeb2ea0d4

SHA256
bae8bea8243895c4476a294a09ec1de221ea5d9ec264158a6d14c694100db3dc

SHA512
f27c8b5884e974847a7dccb88e3c13fbb2b403914d11419b4012835b4d65d27d361debd3cec7b95bdc269d229cddee818bf81164de98406714c01c936aac2cc4

Download Submit
C:\Windows\{F007F806-01C8-4a50-A9B5-98A2F9B1B297}.exe

Filesize
197KB

MD5
006af25614bd04f5a879552d9dac1104

SHA1
f023bb631be7dc7a7df357fec1e0ad29acb5f1b7

SHA256
d7d5cd98377fbf3d366caccaca67a587a88a45a67c5c5f1a4651f1f7ed9261a5

SHA512
78b107fe3dc2713d11848d9d4728a04b55183d05bb1726c421b414d71094965ae590538e07b6070951ea03a6ed248c500230f75d0d6ee83389d5ba2e8dfb48b8

Download Submit
C:\Windows\{F1C9ABAE-931B-4821-9254-1FAD7D7A7038}.exe

Filesize
197KB

MD5
c112fbb5c8ac5d373ec6e7c7979e9d62

SHA1
195a9033104638ee074990dd2685b1e26e86333d

SHA256
d7c6b31078857bc4279c26621b43fc0b9367431d5f09349914ec5ea930ad4965

SHA512
d4d6e97ceb8516e773981b1e3c5201d9e1a4139ebce5d6e6d39689c575e2cd39b7422e6f9a9f84ab35ab595b990d66e3d640954468440c2ac0ba2d9eaaf85215

Download Submit
memory/3684-24-0x0000000075ECD000-0x0000000075ECE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads