9d5cc7a85e7dcf27b6489c8312ae10bb856ced98aaee12b7de2ce33e672cd969

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 01:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Size

192KB
MD5

7bc9f8b3099be0d18cb06ab6f0a1e5f4
SHA1

f799e9c264f219e16ed91addcae7912c04a7b130
SHA256

9d5cc7a85e7dcf27b6489c8312ae10bb856ced98aaee12b7de2ce33e672cd969
SHA512

c8715c576753cc54a15f3d8a8ac733afab68a7d8c91887c52dde3621ccfef2bea961d7b76073a234ac4e15deaf3b40688a68ab1fc9040ed6611dd6d2c8f9a3c5
SSDEEP

1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002332c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023331-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230dc-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230df-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230e2-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230df-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230e2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000230df-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230e2-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000230df-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230ea-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231dd-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC04634-4F90-4423-B28A-A2E30EF52A08}	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DC04634-4F90-4423-B28A-A2E30EF52A08}\stubpath = "C:\\Windows\\{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe"	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}\stubpath = "C:\\Windows\\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe"	{72B1D977-04E3-448b-9379-011662A196F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}\stubpath = "C:\\Windows\\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe"	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09025DC6-3655-42c7-9C62-AF248650FE81}\stubpath = "C:\\Windows\\{09025DC6-3655-42c7-9C62-AF248650FE81}.exe"	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}	{09025DC6-3655-42c7-9C62-AF248650FE81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}\stubpath = "C:\\Windows\\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe"	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B1D977-04E3-448b-9379-011662A196F4}	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C00166-A89D-4975-A0B7-7439B87C4C44}	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CB5DCD-433B-4139-AE70-20ABCA66C303}	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55CB5DCD-433B-4139-AE70-20ABCA66C303}\stubpath = "C:\\Windows\\{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe"	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A296405C-23A4-4972-BA32-C55AFFFB5204}	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A296405C-23A4-4972-BA32-C55AFFFB5204}\stubpath = "C:\\Windows\\{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe"	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09025DC6-3655-42c7-9C62-AF248650FE81}	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}\stubpath = "C:\\Windows\\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe"	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BED8831B-1E6A-4987-81B2-C9688D474271}	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B1D977-04E3-448b-9379-011662A196F4}\stubpath = "C:\\Windows\\{72B1D977-04E3-448b-9379-011662A196F4}.exe"	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}	{72B1D977-04E3-448b-9379-011662A196F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57C00166-A89D-4975-A0B7-7439B87C4C44}\stubpath = "C:\\Windows\\{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe"	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BED8831B-1E6A-4987-81B2-C9688D474271}\stubpath = "C:\\Windows\\{BED8831B-1E6A-4987-81B2-C9688D474271}.exe"	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}\stubpath = "C:\\Windows\\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe"	{09025DC6-3655-42c7-9C62-AF248650FE81}.exe

Executes dropped EXE 12 IoCs

pid	Process
2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe
1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
1100	{09025DC6-3655-42c7-9C62-AF248650FE81}.exe
4412	{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
File created	C:\Windows\{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
File created	C:\Windows\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	{72B1D977-04E3-448b-9379-011662A196F4}.exe
File created	C:\Windows\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
File created	C:\Windows\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
File created	C:\Windows\{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
File created	C:\Windows\{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
File created	C:\Windows\{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
File created	C:\Windows\{72B1D977-04E3-448b-9379-011662A196F4}.exe	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
File created	C:\Windows\{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
File created	C:\Windows\{09025DC6-3655-42c7-9C62-AF248650FE81}.exe	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
File created	C:\Windows\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe	{09025DC6-3655-42c7-9C62-AF248650FE81}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
Token: SeIncBasePriorityPrivilege	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe
Token: SeIncBasePriorityPrivilege	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
Token: SeIncBasePriorityPrivilege	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
Token: SeIncBasePriorityPrivilege	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
Token: SeIncBasePriorityPrivilege	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
Token: SeIncBasePriorityPrivilege	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
Token: SeIncBasePriorityPrivilege	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
Token: SeIncBasePriorityPrivilege	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
Token: SeIncBasePriorityPrivilege	4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
Token: SeIncBasePriorityPrivilege	1100	{09025DC6-3655-42c7-9C62-AF248650FE81}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 2904	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	107
PID 3264 wrote to memory of 2904	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	107
PID 3264 wrote to memory of 2904	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	107
PID 3264 wrote to memory of 4656	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	108
PID 3264 wrote to memory of 4656	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	108
PID 3264 wrote to memory of 4656	3264	2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe	108
PID 2904 wrote to memory of 4148	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	109
PID 2904 wrote to memory of 4148	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	109
PID 2904 wrote to memory of 4148	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	109
PID 2904 wrote to memory of 3372	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	110
PID 2904 wrote to memory of 3372	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	110
PID 2904 wrote to memory of 3372	2904	{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe	110
PID 4148 wrote to memory of 1444	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	114
PID 4148 wrote to memory of 1444	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	114
PID 4148 wrote to memory of 1444	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	114
PID 4148 wrote to memory of 1956	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	115
PID 4148 wrote to memory of 1956	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	115
PID 4148 wrote to memory of 1956	4148	{72B1D977-04E3-448b-9379-011662A196F4}.exe	115
PID 1444 wrote to memory of 3612	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	116
PID 1444 wrote to memory of 3612	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	116
PID 1444 wrote to memory of 3612	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	116
PID 1444 wrote to memory of 3372	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	117
PID 1444 wrote to memory of 3372	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	117
PID 1444 wrote to memory of 3372	1444	{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe	117
PID 3612 wrote to memory of 2676	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	119
PID 3612 wrote to memory of 2676	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	119
PID 3612 wrote to memory of 2676	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	119
PID 3612 wrote to memory of 3332	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	120
PID 3612 wrote to memory of 3332	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	120
PID 3612 wrote to memory of 3332	3612	{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe	120
PID 2676 wrote to memory of 5052	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	122
PID 2676 wrote to memory of 5052	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	122
PID 2676 wrote to memory of 5052	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	122
PID 2676 wrote to memory of 4404	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	123
PID 2676 wrote to memory of 4404	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	123
PID 2676 wrote to memory of 4404	2676	{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe	123
PID 5052 wrote to memory of 3596	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	124
PID 5052 wrote to memory of 3596	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	124
PID 5052 wrote to memory of 3596	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	124
PID 5052 wrote to memory of 1688	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	125
PID 5052 wrote to memory of 1688	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	125
PID 5052 wrote to memory of 1688	5052	{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe	125
PID 3596 wrote to memory of 972	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	133
PID 3596 wrote to memory of 972	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	133
PID 3596 wrote to memory of 972	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	133
PID 3596 wrote to memory of 1544	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	134
PID 3596 wrote to memory of 1544	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	134
PID 3596 wrote to memory of 1544	3596	{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe	134
PID 972 wrote to memory of 4452	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	135
PID 972 wrote to memory of 4452	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	135
PID 972 wrote to memory of 4452	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	135
PID 972 wrote to memory of 3456	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	136
PID 972 wrote to memory of 3456	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	136
PID 972 wrote to memory of 3456	972	{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe	136
PID 4452 wrote to memory of 4824	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	137
PID 4452 wrote to memory of 4824	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	137
PID 4452 wrote to memory of 4824	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	137
PID 4452 wrote to memory of 4544	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	138
PID 4452 wrote to memory of 4544	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	138
PID 4452 wrote to memory of 4544	4452	{BED8831B-1E6A-4987-81B2-C9688D474271}.exe	138
PID 4824 wrote to memory of 1100	4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe	142
PID 4824 wrote to memory of 1100	4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe	142
PID 4824 wrote to memory of 1100	4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe	142
PID 4824 wrote to memory of 5104	4824	{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe	143

C:\Users\Admin\AppData\Local\Temp\2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_7bc9f8b3099be0d18cb06ab6f0a1e5f4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
  C:\Windows\{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\{72B1D977-04E3-448b-9379-011662A196F4}.exe
    C:\Windows\{72B1D977-04E3-448b-9379-011662A196F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
      C:\Windows\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
        
        C:\Windows\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Windows\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
        
        C:\Windows\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
        
        C:\Windows\{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
        
        C:\Windows\{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
        
        C:\Windows\{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
        
        C:\Windows\{BED8831B-1E6A-4987-81B2-C9688D474271}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
        
        C:\Windows\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{09025DC6-3655-42c7-9C62-AF248650FE81}.exe
        
        C:\Windows\{09025DC6-3655-42c7-9C62-AF248650FE81}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe
        
        C:\Windows\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09025~1.EXE > nul
        13⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9CFA~1.EXE > nul
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BED88~1.EXE > nul
        11⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2964~1.EXE > nul
        10⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55CB5~1.EXE > nul
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C00~1.EXE > nul
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E70BF~1.EXE > nul
        7⤵
        
        PID:4404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C7C8~1.EXE > nul
        6⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B11AD~1.EXE > nul
        5⤵
        
        PID:3372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72B1D~1.EXE > nul
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC04~1.EXE > nul
    3⤵
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09025DC6-3655-42c7-9C62-AF248650FE81}.exe

Filesize
192KB

MD5
c707ad8dcddff8e48a0440c08c549276

SHA1
b2d9c0eb17fa4899a39d7c671076cc6dbad98b91

SHA256
822ec03deae00cb25c03b07ec941d46821b7cf30d9bb92561c1ec3516dd55f7e

SHA512
aaf0ed8db9c47c64a18250697db5da703b2905e96f1ad9b1c26b106b30bb5409610f4c99ebd6aa2a0fd61d70a4a31bf7114ac099621bf50fa60902c9c9a0b77a

Download Submit
C:\Windows\{0C7C88EB-3995-4b7b-B72E-D70748DC609C}.exe

Filesize
192KB

MD5
04778d663caa4606e46ceca8d61bf340

SHA1
759f51f08395a590f5c203fc9ae004fba86e500f

SHA256
b092cd342a105f12a61fefd31e459a88269b7c5cd2d2776a650700d76875be34

SHA512
763c47f2da114c53f5242b8d9754e12a2d730c97a3ada4b3addab4150f3f4f7437307d7cf624fbb819158498d5d672349716279ca24690a455e2def6a0a7a98e

Download Submit
C:\Windows\{2D3784D0-2E48-46f5-A7AF-1F0C3B2D452C}.exe

Filesize
192KB

MD5
ec98a12fe152f3b9a702ed2437cedf16

SHA1
0f283c8d83d55d1d97d94fded648d64b1ee6c4a7

SHA256
7805b311efafafde413732ffacd502d892f00df4b10a5ec75b37b98871531987

SHA512
7e096cf401c1d53c6852cbce06df35d5b3ba46e8c51a0b11ba1463e4833d4929af27907d8aad99ea31ff65efed34861b9c23bf58b677c3a612383b6dd1dead76

Download Submit
C:\Windows\{4DC04634-4F90-4423-B28A-A2E30EF52A08}.exe

Filesize
192KB

MD5
80647da53ee9fe0cd2fd7ad6afed3450

SHA1
8c6b85b45521292bcd21b7f87c4cc05f075e72a3

SHA256
c9869c5f2a0688bf2630fe2f86b19cbe33c00c311f8b49d7ebb8b9a24690a14b

SHA512
da980deae554d138aff35fa72f8dc34506ae9f8145c0f34a09279ca6a08199cdc3c73c99bd37667adc99855fe27468821e15c022334063abe91ab94e37ff950a

Download Submit
C:\Windows\{55CB5DCD-433B-4139-AE70-20ABCA66C303}.exe

Filesize
192KB

MD5
f82ce4ea985efe04befdbe5fa2578e8c

SHA1
70cfbb4922cabec0858b71a7be83e0e89e0730c7

SHA256
4f46af11aedf3775259122f70632175deedb6ccffd633fa523b14c130684e5e3

SHA512
fbfc37c7390395f6dbe437b9480af686ba2e4000bb5700f66f1a6bb9814cb3507b56860b394bbff95f28cf6d7a3a218187889022f10d413840463822a4bf364f

Download Submit
C:\Windows\{57C00166-A89D-4975-A0B7-7439B87C4C44}.exe

Filesize
192KB

MD5
6ab3b87626e1d72deabf0fa6ef41de02

SHA1
76076b825e246c6b0c7324cb10ec63b7e6712377

SHA256
afb5b844270e360ff95231a406861f8d9a6b5133ee7fca9026da295d7f380c7d

SHA512
2182466f18841d918036b423729d7708ff1d9d7b667089ff6bdcba636d917333d7ef99ab1eb522dc56a5fc03dd86420682dd0be6c2aa029075d5875f3a3e115b

Download Submit
C:\Windows\{72B1D977-04E3-448b-9379-011662A196F4}.exe

Filesize
192KB

MD5
4ac8141b37d8db9f804293ffb9101f3d

SHA1
c578e732a54f07b2d4aa312974a57049e65641a6

SHA256
a90d54073747058f875d37fd7a6934f0fbe60415c0540b50bef8f79bd5da2377

SHA512
774e3d3053754a1ce3a4a8477863c1feecd16778192fcb4e101eb5d1ece8ec0fea77aac00d4fe2aed0a7d7a226aad409509f44e60428892e74b91ac7b88e01df

Download Submit
C:\Windows\{A296405C-23A4-4972-BA32-C55AFFFB5204}.exe

Filesize
192KB

MD5
a4e349da32302404f7707dd3c82bc87d

SHA1
feca3cda1bada860a7787fc584a79e9e769abc87

SHA256
e71985069fde6eb1714b6867ccac229cdf56a4f309560a3956f530c15c0e3cdc

SHA512
8a13916e2aeb7e9936a523ecbdc5a8a2d04359fc2bbb407ccabb38f529af4de14b0c49d4a7debd13c9b07f563080acb10ec529a603dda99c28a4271757c2607c

Download Submit
C:\Windows\{B11ADBA0-1525-4fb7-BC4F-E07D28B5BDF4}.exe

Filesize
192KB

MD5
9397bf9d45fed97f2395afe631486cba

SHA1
e7f64140ff8b7dda2ffcdf9f826a079b4f3b6e4f

SHA256
30e6a9f2e07d1945ea88d175ee30bb913be94817a4e9f74589e69bd7b0058230

SHA512
666dca2c38881a08c703ac7e6ebca2a7a1d606d0f948a7d273756cffe4483135a1b30eb3d08edb66eb20e1d0569940cb442375af791fd782f3cd9d334b95ec3f

Download Submit
C:\Windows\{BED8831B-1E6A-4987-81B2-C9688D474271}.exe

Filesize
192KB

MD5
8cbc2e1336fdee5568bcd6d2ea7d2a20

SHA1
63cc5dfc3c456bbac9355e7820824d254a15165b

SHA256
319fdc3aa3ee7dafbf4e8d81a0441816dc1dc72d4ef160b45f4cb31523471784

SHA512
bba86060cd9a12ecbc5ba250735f8a9876c3d7a39c8f1c09dfda5880b7ea107092c673eaa338a323554ee4d39aa85fbf004dea3f835f4d8de9b29f9cd1e0fd3b

Download Submit
C:\Windows\{C9CFA320-452B-4bb7-B7BE-C9294D8482C5}.exe

Filesize
192KB

MD5
cf69876081f2f4e5fb2f74d4a4f30f9f

SHA1
739dd230d1b852fc0dd5a776122345b5f85d765a

SHA256
d48dbb943b1ecff26df5b25c0925a5463fbacc544baef8e845b83c8a51e19974

SHA512
76dfc0d08172f4e0c073a4b9ab05736e864da91b511b82876304c9ee411400f57ddbfcbafc27c6e204fd87a9feff22dad588124830315da6780c808ff4cac95d

Download Submit
C:\Windows\{E70BF938-BE4E-4f3e-B6C7-D3E5BC311476}.exe

Filesize
192KB

MD5
c496b567bebe4e715bc792d62ce637b8

SHA1
8497986fd9a54bfad9289f314bb49cb13ed0e1fa

SHA256
aede2648fa2f07c5edc5f1248d005a762c3e98fba0008d4eba6ff98286f5fa55

SHA512
583b4eb56db52777d5cbf2ca441524128db819230cbd6f71cf6ae9e45637a4796889e3d24260c42245b50b0293d6d4a5d96a9f8301e1924b9f3e27246b8460e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads