cf53726f2a21abfd10b84bddfed1dfb5e2e01317dbfe69103c3946461e0fea74

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
Size

372KB
MD5

a21859979d0c14c0b578e0d17d02e1a0
SHA1

37aa9875b3265454ee2741c6ed61d2829a57c12d
SHA256

cf53726f2a21abfd10b84bddfed1dfb5e2e01317dbfe69103c3946461e0fea74
SHA512

7d797a6745dc9eac9d596facf1191460f790dc187fcc52a10dc4894953908a50cbcb3f11f244fb1373f4f0d4e1fc0c39d377b70d45c4fdc17fedb9429519a2d2
SSDEEP

3072:CEGh0o7lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG9lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022d20-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023251-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023257-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023251-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023257-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023251-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023257-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2606F907-ECDB-41f1-8056-90A317ACD753}	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}	{993A3669-4071-49cb-922C-69F74CFECD41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}\stubpath = "C:\\Windows\\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe"	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}\stubpath = "C:\\Windows\\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe"	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}\stubpath = "C:\\Windows\\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe"	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90A4850-B996-4741-9779-4C13A7E41BCB}\stubpath = "C:\\Windows\\{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe"	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2606F907-ECDB-41f1-8056-90A317ACD753}\stubpath = "C:\\Windows\\{2606F907-ECDB-41f1-8056-90A317ACD753}.exe"	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34877E66-470B-45c6-A85A-E07B8C675F45}\stubpath = "C:\\Windows\\{34877E66-470B-45c6-A85A-E07B8C675F45}.exe"	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993A3669-4071-49cb-922C-69F74CFECD41}\stubpath = "C:\\Windows\\{993A3669-4071-49cb-922C-69F74CFECD41}.exe"	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}\stubpath = "C:\\Windows\\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe"	{993A3669-4071-49cb-922C-69F74CFECD41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A55C06-F859-49fb-BF38-A157F0E419D1}\stubpath = "C:\\Windows\\{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe"	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227C133A-3EC3-44b7-9098-28450B9706D3}\stubpath = "C:\\Windows\\{227C133A-3EC3-44b7-9098-28450B9706D3}.exe"	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90A4850-B996-4741-9779-4C13A7E41BCB}	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}\stubpath = "C:\\Windows\\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe"	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381CDB52-ADBF-4563-BF21-3CC920935F0F}	{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381CDB52-ADBF-4563-BF21-3CC920935F0F}\stubpath = "C:\\Windows\\{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe"	{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34877E66-470B-45c6-A85A-E07B8C675F45}	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{993A3669-4071-49cb-922C-69F74CFECD41}	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84A55C06-F859-49fb-BF38-A157F0E419D1}	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{227C133A-3EC3-44b7-9098-28450B9706D3}	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe
836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
3472	{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
3148	{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	{993A3669-4071-49cb-922C-69F74CFECD41}.exe
File created	C:\Windows\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
File created	C:\Windows\{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
File created	C:\Windows\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
File created	C:\Windows\{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
File created	C:\Windows\{993A3669-4071-49cb-922C-69F74CFECD41}.exe	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
File created	C:\Windows\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
File created	C:\Windows\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
File created	C:\Windows\{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
File created	C:\Windows\{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
File created	C:\Windows\{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe	{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
File created	C:\Windows\{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
Token: SeIncBasePriorityPrivilege	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
Token: SeIncBasePriorityPrivilege	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe
Token: SeIncBasePriorityPrivilege	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
Token: SeIncBasePriorityPrivilege	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
Token: SeIncBasePriorityPrivilege	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
Token: SeIncBasePriorityPrivilege	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
Token: SeIncBasePriorityPrivilege	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
Token: SeIncBasePriorityPrivilege	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
Token: SeIncBasePriorityPrivilege	3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
Token: SeIncBasePriorityPrivilege	3472	{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3000	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	99
PID 3480 wrote to memory of 3000	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	99
PID 3480 wrote to memory of 3000	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	99
PID 3480 wrote to memory of 4880	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	100
PID 3480 wrote to memory of 4880	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	100
PID 3480 wrote to memory of 4880	3480	2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe	100
PID 3000 wrote to memory of 4800	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	106
PID 3000 wrote to memory of 4800	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	106
PID 3000 wrote to memory of 4800	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	106
PID 3000 wrote to memory of 964	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	107
PID 3000 wrote to memory of 964	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	107
PID 3000 wrote to memory of 964	3000	{2606F907-ECDB-41f1-8056-90A317ACD753}.exe	107
PID 4800 wrote to memory of 2448	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	109
PID 4800 wrote to memory of 2448	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	109
PID 4800 wrote to memory of 2448	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	109
PID 4800 wrote to memory of 1764	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	110
PID 4800 wrote to memory of 1764	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	110
PID 4800 wrote to memory of 1764	4800	{34877E66-470B-45c6-A85A-E07B8C675F45}.exe	110
PID 2448 wrote to memory of 836	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	112
PID 2448 wrote to memory of 836	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	112
PID 2448 wrote to memory of 836	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	112
PID 2448 wrote to memory of 4084	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	113
PID 2448 wrote to memory of 4084	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	113
PID 2448 wrote to memory of 4084	2448	{993A3669-4071-49cb-922C-69F74CFECD41}.exe	113
PID 836 wrote to memory of 952	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	114
PID 836 wrote to memory of 952	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	114
PID 836 wrote to memory of 952	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	114
PID 836 wrote to memory of 1452	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	115
PID 836 wrote to memory of 1452	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	115
PID 836 wrote to memory of 1452	836	{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe	115
PID 952 wrote to memory of 1620	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	116
PID 952 wrote to memory of 1620	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	116
PID 952 wrote to memory of 1620	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	116
PID 952 wrote to memory of 2716	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	117
PID 952 wrote to memory of 2716	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	117
PID 952 wrote to memory of 2716	952	{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe	117
PID 1620 wrote to memory of 4076	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	118
PID 1620 wrote to memory of 4076	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	118
PID 1620 wrote to memory of 4076	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	118
PID 1620 wrote to memory of 2660	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	119
PID 1620 wrote to memory of 2660	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	119
PID 1620 wrote to memory of 2660	1620	{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe	119
PID 4076 wrote to memory of 964	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	120
PID 4076 wrote to memory of 964	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	120
PID 4076 wrote to memory of 964	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	120
PID 4076 wrote to memory of 4140	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	121
PID 4076 wrote to memory of 4140	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	121
PID 4076 wrote to memory of 4140	4076	{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe	121
PID 964 wrote to memory of 4060	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	122
PID 964 wrote to memory of 4060	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	122
PID 964 wrote to memory of 4060	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	122
PID 964 wrote to memory of 3036	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	123
PID 964 wrote to memory of 3036	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	123
PID 964 wrote to memory of 3036	964	{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe	123
PID 4060 wrote to memory of 3288	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	124
PID 4060 wrote to memory of 3288	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	124
PID 4060 wrote to memory of 3288	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	124
PID 4060 wrote to memory of 2948	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	125
PID 4060 wrote to memory of 2948	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	125
PID 4060 wrote to memory of 2948	4060	{227C133A-3EC3-44b7-9098-28450B9706D3}.exe	125
PID 3288 wrote to memory of 3472	3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe	126
PID 3288 wrote to memory of 3472	3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe	126
PID 3288 wrote to memory of 3472	3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe	126
PID 3288 wrote to memory of 4968	3288	{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_a21859979d0c14c0b578e0d17d02e1a0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
  C:\Windows\{2606F907-ECDB-41f1-8056-90A317ACD753}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
    C:\Windows\{34877E66-470B-45c6-A85A-E07B8C675F45}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\{993A3669-4071-49cb-922C-69F74CFECD41}.exe
      C:\Windows\{993A3669-4071-49cb-922C-69F74CFECD41}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
        
        C:\Windows\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
        
        C:\Windows\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
        
        C:\Windows\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
        
        C:\Windows\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
        
        C:\Windows\{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
        
        C:\Windows\{227C133A-3EC3-44b7-9098-28450B9706D3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
        
        C:\Windows\{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
        
        C:\Windows\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe
        
        C:\Windows\{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8C8~1.EXE > nul
        13⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90A4~1.EXE > nul
        12⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{227C1~1.EXE > nul
        11⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84A55~1.EXE > nul
        10⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD15~1.EXE > nul
        9⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAF32~1.EXE > nul
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CD1~1.EXE > nul
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7972C~1.EXE > nul
        6⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{993A3~1.EXE > nul
        5⤵
        
        PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{34877~1.EXE > nul
      4⤵
      PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2606F~1.EXE > nul
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F8C8B73-FBE3-4fb6-97F3-9693338EA453}.exe

Filesize
372KB

MD5
14ed79d45f46be2cb99a0cec3be407b4

SHA1
7efa2e5bb8ab8ffe0f3f5373795a55835ca49318

SHA256
128e1f6f4f1affd9b230cb4e51dbaa3ac169d36f842eddeaf3e40e0981a0631a

SHA512
05ebcce052216728d7dfcce70127d2443f35dae6c8591fdd103dbb9f08c29ea238e1d2fb7c2024c589bc3adacb3b98cfc1a52f1cf752796feb294df13b4128da

Download Submit
C:\Windows\{227C133A-3EC3-44b7-9098-28450B9706D3}.exe

Filesize
372KB

MD5
bd290ef6e7665813979993d577bf1938

SHA1
d4df15365641e9ba1ac425c1363b0c1598d4d43b

SHA256
7206a145409ae98cc4726d4427b12ab3e20492cab4b22c53a4f9fd3eca1c3044

SHA512
7b51c1afceb3952433308386216ce25d5632bf2ebe326f48ccd73f1c622c3aae877a3998ba3d6740e65e889c792a17af739d6e27d553b2bc1faa3dc24176b00b

Download Submit
C:\Windows\{2606F907-ECDB-41f1-8056-90A317ACD753}.exe

Filesize
372KB

MD5
ab7c0f7a47ed49e79d8155b94e7c0244

SHA1
90f6702299b8acc8bd1ab29d34dc91a6b38b65b2

SHA256
d6aa3fce01694d0fc54a0829f18fa06170ab2570c319c330f5ac024eb5442820

SHA512
94250e2fe01061ddd41d52cdaa1debb32db0d5219938be5a1d22bea86045102978f7ab262bfe544466da36617b523dcbcf6945bf22d08f2e13a3caadaad8b685

Download Submit
C:\Windows\{34877E66-470B-45c6-A85A-E07B8C675F45}.exe

Filesize
372KB

MD5
047cc03f1bde17103d498e7ac9910cd8

SHA1
082d40745e2700efc867a149980aacddb0622239

SHA256
6dfb90d8f25b3b8c05027e64ee477a245aee3795801588e8ff93627e9e39191e

SHA512
bd3e4a88da8bef7031c0bc41e67c85a3c1e75235922f7f47091f91ea19633d8561b4c8f6add52f1143d0d4e919aa6377d960eaf9ab66cfd81ee09ebdd71c0c50

Download Submit
C:\Windows\{381CDB52-ADBF-4563-BF21-3CC920935F0F}.exe

Filesize
372KB

MD5
d32240514dd9d31f08df7cacfebcbdba

SHA1
4026b13e8d2256880786877014f8cac2ec47d896

SHA256
4b471d13cf1aa92d0f61a4f5bf053f26f73eba54d2000ffe99df4d9f5be9bf64

SHA512
cb6e5458eb1b2a93fd5f21590aa5be1c732112c44e354ec854db75752c682187e95c5c3040300aaefc4f8d96395cdbd613f5f606c41c50f12e17a14d64993e4b

Download Submit
C:\Windows\{4DD1551F-CDC2-4a9b-AF96-82E3EAC76CA1}.exe

Filesize
372KB

MD5
353d082d35f52c6e370510d4e9eb36b3

SHA1
7981b98215cc54f891bd432994e4b0704081e234

SHA256
4076da3c49fdcf3ddb0848a0d9dacebef0e9c1d9c0a513106f2849a18066987b

SHA512
6393eeb12f4f2acfcf6bdb635f19c3e39943990d10d47d51a999459a578984124067bc1c6333f948f1d4697e193695ba50e0c0536293d1a6bfd9915c332c7d2d

Download Submit
C:\Windows\{7972C394-E6E5-47a4-89BE-BF1817C6BA8A}.exe

Filesize
372KB

MD5
90ecf735e01daa315397f4a2aa7f8ce7

SHA1
4da1758bc5435eea87eabae52c6e81ae346b5743

SHA256
1adc00adf78342c2d96168cbe67b47f58486766e32414221c678490974aa7b62

SHA512
65a4b0182cc7b98c71e2634258a23154863e6053e4c5d12d38b3e6c78c3284dfdc3a9af21444873bc6e1039d6223b1cb7a40553e5f1f3f27915c13999350b151

Download Submit
C:\Windows\{84A55C06-F859-49fb-BF38-A157F0E419D1}.exe

Filesize
372KB

MD5
5d0168e2afe876c40642084beecc2bef

SHA1
b3c9e0bffea2501f696429946acfae0f19f83f75

SHA256
84fe3a16f667cf49ec651aabb3e6743ea214f835a9781a2cc06d13341fcad37d

SHA512
a76bdf0af2070feb22c81e67b61c4fc3626c61c417223849b417b05a73f83d9dcbe3cfa1291c734a2eaa5eded90962ffdab7039ad4ae024ee6d41229a7e4797d

Download Submit
C:\Windows\{993A3669-4071-49cb-922C-69F74CFECD41}.exe

Filesize
372KB

MD5
26a3f8d0758b3d774b45475fb3e87223

SHA1
1ec90978f2946f6ffd0e13288c4fe58a2c6f0de9

SHA256
4c5f31e448c276c1440fdd68d439448d8ddbe78788ff4b7568e635599d81ef23

SHA512
7e809bf35951b0b4f0d4a4eaca72d242ef722adf1c8779fc759e07d1a21f28d01ebe9f0af87a31cb68bcbf64502006b3def28931542472e7c9f51ee6171e1b80

Download Submit
C:\Windows\{B0CD1B3C-10D2-41dd-BEB8-8CF3C8D0E5E6}.exe

Filesize
372KB

MD5
6e6bae91c540d4b09ebb4fff303c12c8

SHA1
beb2bbe204299c5ff2962e042a9fd1c099826fc7

SHA256
f956141806142a23c0eacfb1d0a3742cdbd832ae5367c9599b310f6baf8cc7c4

SHA512
c16d861d871df64b36064c3894a5724b59635956d7e6b843c0dbb60432b346880568a53c10e88b4cb376972aa79f00411cdedc52cbe90bbd4e27ffe8660c9b2c

Download Submit
C:\Windows\{D90A4850-B996-4741-9779-4C13A7E41BCB}.exe

Filesize
372KB

MD5
6281ce38cbd7196a8c37555fda75a1f0

SHA1
a37fe97fd3a2acf5ad9ef90d1650989cb4c8f1cd

SHA256
f13c55e203978ead1fc9e9fd1f2a560a42f0af1790c59737f5baf9874f99023c

SHA512
b9a23999a14397c53aa5d10a935c00720fb9a026c278f3ed549dc4534b02b070c606c6f1e576637a57e4fd08ce062850cd40e996d3adc3b42fc58834c3fb9160

Download Submit
C:\Windows\{EAF32BA2-98B4-4cca-8D3F-5B2A817B207C}.exe

Filesize
372KB

MD5
40c8867519bc0efbeb8323fb67023b30

SHA1
a52f7d5b78ee56bfb269139816ee91185eb2b722

SHA256
35645ce2b1bf8b7ccadb0d6f28a5a1786b1c0d8da4de814ae23fd1c4a5c0de3e

SHA512
c85d9affdbfa10390b9d2d30b9c28b8bd8d9720e9b23b1ece16f7ff1e0f1d7294baca9dae1a85f28721d79f28177e6cd2612579684d5a6121f77237d6a31a1b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads