f2e9f9f3f814fededa3875f7994da404bcc8c81a2bc799d359ed9a2bba553bf7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Size

180KB
MD5

dce680bbb0d5cf36eb941e5d03cc6580
SHA1

726ee05fa130e29990f4d3439128b70876f5aabe
SHA256

f2e9f9f3f814fededa3875f7994da404bcc8c81a2bc799d359ed9a2bba553bf7
SHA512

ea05077da4a5361340b333d708e1dc1116b1926380c4ba8290373f1a33720ec37be1df2ac5ff4b41639a3f066922b03fe9583ce7db098c07515d2d8c5befad1c
SSDEEP

3072:jEGh0oDlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002332e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023337-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000167e1-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023337-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000167e1-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0015000000023337-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000167e1-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0016000000023337-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000230d1-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230d5-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000230d1-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023354-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D93C076E-EEDF-445b-BB37-F5023F518018}	{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C04D581F-31CB-4008-8D91-AD0E43E22E57}	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}\stubpath = "C:\\Windows\\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe"	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}\stubpath = "C:\\Windows\\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe"	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11CC323B-CEC5-4c23-9358-0155757717FD}\stubpath = "C:\\Windows\\{11CC323B-CEC5-4c23-9358-0155757717FD}.exe"	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}\stubpath = "C:\\Windows\\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe"	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA529AC5-8409-432d-8CEF-7C39E39CE837}\stubpath = "C:\\Windows\\{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe"	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}\stubpath = "C:\\Windows\\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe"	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C04D581F-31CB-4008-8D91-AD0E43E22E57}\stubpath = "C:\\Windows\\{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe"	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A04838D-A97D-49d5-9FC5-386506D6B288}	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA529AC5-8409-432d-8CEF-7C39E39CE837}	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}\stubpath = "C:\\Windows\\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe"	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D93C076E-EEDF-445b-BB37-F5023F518018}\stubpath = "C:\\Windows\\{D93C076E-EEDF-445b-BB37-F5023F518018}.exe"	{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11CC323B-CEC5-4c23-9358-0155757717FD}	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}\stubpath = "C:\\Windows\\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe"	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A04838D-A97D-49d5-9FC5-386506D6B288}\stubpath = "C:\\Windows\\{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe"	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}\stubpath = "C:\\Windows\\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe"	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
2016	{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
4964	{D93C076E-EEDF-445b-BB37-F5023F518018}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
File created	C:\Windows\{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
File created	C:\Windows\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
File created	C:\Windows\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
File created	C:\Windows\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
File created	C:\Windows\{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
File created	C:\Windows\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
File created	C:\Windows\{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
File created	C:\Windows\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
File created	C:\Windows\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
File created	C:\Windows\{D93C076E-EEDF-445b-BB37-F5023F518018}.exe	{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
File created	C:\Windows\{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
Token: SeIncBasePriorityPrivilege	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
Token: SeIncBasePriorityPrivilege	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
Token: SeIncBasePriorityPrivilege	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
Token: SeIncBasePriorityPrivilege	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
Token: SeIncBasePriorityPrivilege	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
Token: SeIncBasePriorityPrivilege	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
Token: SeIncBasePriorityPrivilege	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
Token: SeIncBasePriorityPrivilege	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
Token: SeIncBasePriorityPrivilege	1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
Token: SeIncBasePriorityPrivilege	2016	{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4320	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	105
PID 3228 wrote to memory of 4320	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	105
PID 3228 wrote to memory of 4320	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	105
PID 3228 wrote to memory of 624	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	106
PID 3228 wrote to memory of 624	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	106
PID 3228 wrote to memory of 624	3228	2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe	106
PID 4320 wrote to memory of 1916	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	108
PID 4320 wrote to memory of 1916	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	108
PID 4320 wrote to memory of 1916	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	108
PID 4320 wrote to memory of 2824	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	109
PID 4320 wrote to memory of 2824	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	109
PID 4320 wrote to memory of 2824	4320	{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe	109
PID 1916 wrote to memory of 976	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	112
PID 1916 wrote to memory of 976	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	112
PID 1916 wrote to memory of 976	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	112
PID 1916 wrote to memory of 624	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	113
PID 1916 wrote to memory of 624	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	113
PID 1916 wrote to memory of 624	1916	{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe	113
PID 976 wrote to memory of 2068	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	115
PID 976 wrote to memory of 2068	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	115
PID 976 wrote to memory of 2068	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	115
PID 976 wrote to memory of 940	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	116
PID 976 wrote to memory of 940	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	116
PID 976 wrote to memory of 940	976	{11CC323B-CEC5-4c23-9358-0155757717FD}.exe	116
PID 2068 wrote to memory of 4392	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	117
PID 2068 wrote to memory of 4392	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	117
PID 2068 wrote to memory of 4392	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	117
PID 2068 wrote to memory of 1480	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	118
PID 2068 wrote to memory of 1480	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	118
PID 2068 wrote to memory of 1480	2068	{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe	118
PID 4392 wrote to memory of 1052	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	120
PID 4392 wrote to memory of 1052	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	120
PID 4392 wrote to memory of 1052	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	120
PID 4392 wrote to memory of 4340	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	121
PID 4392 wrote to memory of 4340	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	121
PID 4392 wrote to memory of 4340	4392	{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe	121
PID 1052 wrote to memory of 3388	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	122
PID 1052 wrote to memory of 3388	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	122
PID 1052 wrote to memory of 3388	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	122
PID 1052 wrote to memory of 1368	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	123
PID 1052 wrote to memory of 1368	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	123
PID 1052 wrote to memory of 1368	1052	{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe	123
PID 3388 wrote to memory of 444	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	124
PID 3388 wrote to memory of 444	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	124
PID 3388 wrote to memory of 444	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	124
PID 3388 wrote to memory of 1964	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	125
PID 3388 wrote to memory of 1964	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	125
PID 3388 wrote to memory of 1964	3388	{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe	125
PID 444 wrote to memory of 3984	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	133
PID 444 wrote to memory of 3984	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	133
PID 444 wrote to memory of 3984	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	133
PID 444 wrote to memory of 2320	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	134
PID 444 wrote to memory of 2320	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	134
PID 444 wrote to memory of 2320	444	{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe	134
PID 3984 wrote to memory of 1228	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	135
PID 3984 wrote to memory of 1228	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	135
PID 3984 wrote to memory of 1228	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	135
PID 3984 wrote to memory of 556	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	136
PID 3984 wrote to memory of 556	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	136
PID 3984 wrote to memory of 556	3984	{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe	136
PID 1228 wrote to memory of 2016	1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe	137
PID 1228 wrote to memory of 2016	1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe	137
PID 1228 wrote to memory of 2016	1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe	137
PID 1228 wrote to memory of 3596	1228	{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_dce680bbb0d5cf36eb941e5d03cc6580_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
  C:\Windows\{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
    C:\Windows\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
      C:\Windows\{11CC323B-CEC5-4c23-9358-0155757717FD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
        
        C:\Windows\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
        
        C:\Windows\{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
        
        C:\Windows\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
        
        C:\Windows\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
        
        C:\Windows\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
        
        C:\Windows\{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
        
        C:\Windows\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
        
        C:\Windows\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{D93C076E-EEDF-445b-BB37-F5023F518018}.exe
        
        C:\Windows\{D93C076E-EEDF-445b-BB37-F5023F518018}.exe
        13⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF796~1.EXE > nul
        13⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17AEC~1.EXE > nul
        12⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA529~1.EXE > nul
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36AAA~1.EXE > nul
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48F5F~1.EXE > nul
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B53DD~1.EXE > nul
        8⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A048~1.EXE > nul
        7⤵
        
        PID:4340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8ED~1.EXE > nul
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11CC3~1.EXE > nul
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DEDA~1.EXE > nul
      4⤵
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C04D5~1.EXE > nul
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11CC323B-CEC5-4c23-9358-0155757717FD}.exe

Filesize
180KB

MD5
225c5e0815a6669ec090b32f1ba4184a

SHA1
e8f83bda8f15e82d31b4f69b983d989e9832d832

SHA256
e3f2ac8383afc9cc9785833121b25f555f8df671e24551cfc76053e609c64f1c

SHA512
fc34582ece117ff94f11d16f3ad21bf8b9c9a1cc057691c8e73a9d538831e7b62dba71d17eafe11247401e84982ac848d69440c0a46f6acd53bb5f47425ddd9c

Download Submit
C:\Windows\{17AEC740-E8AF-450e-BD09-FB8C95B1CA25}.exe

Filesize
180KB

MD5
e975c56b4d6a0bb85112f015746842b8

SHA1
63dfe96ec7b0ee3dbc9c71d9fdf942549bc20ac2

SHA256
9dd3c33f889d14e8aef528efc1c46638449fb9fd0bccd23632532d0f0abaf16a

SHA512
9433ca839bee4529e66695cb3ddff56c260e17772d99fc2d9c9456002021de93fc3a7f1964ed0e9aa7ffd91ec810ab20b7185da08cfba046afa7f159291249aa

Download Submit
C:\Windows\{1DEDACDE-35FE-4564-B6F0-FD06DC8B8E2C}.exe

Filesize
180KB

MD5
059652ffb65def7c31dbb41f54dd48f4

SHA1
c089e416078d881a9bd78cc1aa94370a874d51a8

SHA256
e3801524ce6d0affdc8f84721aa5ef9ed7dd5f8f3bb4e89def3954e879e8d55a

SHA512
5526b569ceebbe89ceca1449f1ef0b388aa65e226cd66b304a98b439a2efce570828d3e0bddfe1703a5408a5c2366fcaff28d9cc428899b059c4fe42cca6bb03

Download Submit
C:\Windows\{36AAA86D-1BAA-4f09-8D7D-7F6CBB734D96}.exe

Filesize
180KB

MD5
159feccdba428045c8f08f27daafc081

SHA1
37feb48ed8c2f0648f7ea410fbed135615c17b61

SHA256
c2c7cbbae938bcb0880d775d62c06f5af23d6b783f88c390387487df2bd822cd

SHA512
f530d714067714084011c6dcf02290cdc3fb866dd6938d573a7803ce82cfe6396ce792653f3db1c6f94277633902b3671480fd79f101ae867a5ed352e2355462

Download Submit
C:\Windows\{48F5F0CF-9D15-4cfd-BCBA-B715129711B4}.exe

Filesize
180KB

MD5
6540ed7a34b76b4bdd340486f215182e

SHA1
1d8ff63b5dd992c3deb757c9c243e8540eaa4af3

SHA256
6117d148eab3ac0050bae00b3d221501ea3fee78b9aaaa67bcc7a668353c3955

SHA512
679699315e9f26e290a0a55ff251ffe8a2a171f0bfb1fd3b637e1c2019d9f0125ea37859d7a991233f6001b9b3a8ebb70d83aab8246f8a121af3ca3bbab3de54

Download Submit
C:\Windows\{8B8ED1DB-2E1F-4fd5-AAD9-961551B69462}.exe

Filesize
180KB

MD5
4dfb324a65c312a8dc3ca3ba6e58fb54

SHA1
8b7bfb2c35913a3685bd5c85f97475e138f4bd6d

SHA256
2113e8e41492c4eb0cb0df3237b92b33e2e18e1a095d5fd2d9579e2f464af4da

SHA512
fd87f964abe44b3cdbbbad05970de364488551e60f2cb3a9fd8b2476343a6fa45d0d8870202557786770a9ef082ab92405ac7aa9b45b3c75b70640f30dab33cf

Download Submit
C:\Windows\{9A04838D-A97D-49d5-9FC5-386506D6B288}.exe

Filesize
180KB

MD5
9154b85b71de55d223de068e043904ee

SHA1
9914d2c37dbfbfd429dbeddac903a9276f2628e6

SHA256
7e7f3a8c29b192d2cfdf896ee86fc9649e986346c2c922aff548e6ee37e8ba94

SHA512
09139d1b25cfed4bc6938da9cc8310032f7d5d4b8d97a7f38f7562e81a07121ed5bc9529b9eb84a837dbce65b4253fff3656269b7076283f1473b042f1e8262b

Download Submit
C:\Windows\{B53DDB81-E1EA-45f6-B4F2-75B7253776E0}.exe

Filesize
180KB

MD5
2daf9003c879f7128443b8e9188a0f09

SHA1
4feee716331ea6ebe77e25560197bdcfe1cdd6f0

SHA256
719c066d8dd9aabda44de3c481c357158cf63e0dee8774c8afd80d43c6dccdc9

SHA512
de90788c0ade77d6c0f7ee538ad2363c08555ff0d7e47e5791f37aa650f9905b764253be8b284538f0ec521b1899d29b9e9edfe417decd123bf9372f0220ee56

Download Submit
C:\Windows\{C04D581F-31CB-4008-8D91-AD0E43E22E57}.exe

Filesize
180KB

MD5
278967a137427a6acb7e367a59387e12

SHA1
a555a5570726c525d2fb49957d2c514b3c7fe9f0

SHA256
9185c3455ff458844a1d12eb10f01bba0d4af7bf86ed84659f0fdedc08d31aba

SHA512
c2895c5dd6c59750adcbe6bed79908eaad0f5a6efbb3d3aa5654a359dd58f0d7ffa20c4c04bbb320563734b900bdf515fcc8e44470dc6294e12812a2f09bf3c7

Download Submit
C:\Windows\{CA529AC5-8409-432d-8CEF-7C39E39CE837}.exe

Filesize
180KB

MD5
9a6ce0f539d215ed4b754ba17f523469

SHA1
f92e078d9de4e47c9f0d4513ca1e3b9ec730ba96

SHA256
863154abe6165ec749c5a1d313fdcb4ae1654d14464a514edac58f956914e8cf

SHA512
b07396f15e388ed7a364ec7d34f15ab3d6450d81488e6699908b8def3463069bfc7007ad17b7b8d13ca69c62f5cbd1fee0a46066757762f8a2ffc261cb79307f

Download Submit
C:\Windows\{D93C076E-EEDF-445b-BB37-F5023F518018}.exe

Filesize
180KB

MD5
13277a69621efcc65d3c8521ee73af25

SHA1
87c8f36adf30be5d693f691b5261cd6d52ca7cb5

SHA256
fc8516197cf1a138d0947162cf4952538ea3ccdce0097880449edd7db79befd1

SHA512
f8b55b025620e31b9fc0cb7847028a9d8626e2e261ee85769983b53dd448c91e7361e3cf06b35b5bad07340d90f1e311cbdf50410c04d856c3ecb9d6fa3fc714

Download Submit
C:\Windows\{EF796BA6-B3CD-48c1-9EB2-DD250780992A}.exe

Filesize
180KB

MD5
995e815c96ace0b49f92d01db01a2d83

SHA1
a041d497532eee0c9f73da84e7b3b9503090aa67

SHA256
aeb661ce6d6252299eb765b0a2e8bf5907da10822ed23aca3ee0dc89a6c6cf35

SHA512
279c213810f01093006024cf3e586eee01efe7d44962bd88308fd6edb4c3dee327c85db48a728aa7fe0a19cef16e68a3e9e9c4a790240ab54bafa6f3a4daa7ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads