3866c236fa080df95c96714bed9a5d5a4aaa898450061a1f9986faa8897c8bd7

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe
Size

204KB
MD5

a614f358f8f96d8e0e6332e43a926df4
SHA1

c94244160c86b3c96372bf5581549f20595bb04c
SHA256

3866c236fa080df95c96714bed9a5d5a4aaa898450061a1f9986faa8897c8bd7
SHA512

d1c098f12c429aea56df5f8300ffbe5d495004cce7b32e2c5cb321d857599507e9023a2a3898961cc5a5900df928c3e5bec216e09f3c72472898b1767f03af7c
SSDEEP

1536:1EGh0odl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0odl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023313-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002331a-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230d9-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230e6-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021166-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021960-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000021166-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FD34076-6AB1-4890-879B-1BFAA62C8757}\stubpath = "C:\\Windows\\{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe"	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B5C242-1E5F-4906-8FF6-500568D74BD7}\stubpath = "C:\\Windows\\{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe"	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28AAA98-6EAB-478e-9C00-CAF204A42829}	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}\stubpath = "C:\\Windows\\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe"	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7467C05F-80EF-45f5-8F17-77915C6D707B}	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}\stubpath = "C:\\Windows\\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe"	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63B5C242-1E5F-4906-8FF6-500568D74BD7}	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}\stubpath = "C:\\Windows\\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe"	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A19AF527-A9C1-44e3-A238-76EBB75803E2}	{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FD34076-6AB1-4890-879B-1BFAA62C8757}	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}\stubpath = "C:\\Windows\\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe"	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A19AF527-A9C1-44e3-A238-76EBB75803E2}\stubpath = "C:\\Windows\\{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe"	{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7467C05F-80EF-45f5-8F17-77915C6D707B}\stubpath = "C:\\Windows\\{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe"	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}\stubpath = "C:\\Windows\\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe"	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}\stubpath = "C:\\Windows\\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe"	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28AAA98-6EAB-478e-9C00-CAF204A42829}\stubpath = "C:\\Windows\\{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe"	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}\stubpath = "C:\\Windows\\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe"	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
3580	{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe
2696	{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
File created	C:\Windows\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
File created	C:\Windows\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
File created	C:\Windows\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
File created	C:\Windows\{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
File created	C:\Windows\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
File created	C:\Windows\{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
File created	C:\Windows\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
File created	C:\Windows\{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
File created	C:\Windows\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe
File created	C:\Windows\{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
File created	C:\Windows\{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe	{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
Token: SeIncBasePriorityPrivilege	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
Token: SeIncBasePriorityPrivilege	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
Token: SeIncBasePriorityPrivilege	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
Token: SeIncBasePriorityPrivilege	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
Token: SeIncBasePriorityPrivilege	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
Token: SeIncBasePriorityPrivilege	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
Token: SeIncBasePriorityPrivilege	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
Token: SeIncBasePriorityPrivilege	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
Token: SeIncBasePriorityPrivilege	1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
Token: SeIncBasePriorityPrivilege	3580	{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2672	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	103
PID 1040 wrote to memory of 2672	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	103
PID 1040 wrote to memory of 2672	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	103
PID 1040 wrote to memory of 2824	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	104
PID 1040 wrote to memory of 2824	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	104
PID 1040 wrote to memory of 2824	1040	2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe	104
PID 2672 wrote to memory of 4436	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	105
PID 2672 wrote to memory of 4436	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	105
PID 2672 wrote to memory of 4436	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	105
PID 2672 wrote to memory of 4548	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	106
PID 2672 wrote to memory of 4548	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	106
PID 2672 wrote to memory of 4548	2672	{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe	106
PID 4436 wrote to memory of 2572	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	110
PID 4436 wrote to memory of 2572	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	110
PID 4436 wrote to memory of 2572	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	110
PID 4436 wrote to memory of 4904	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	111
PID 4436 wrote to memory of 4904	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	111
PID 4436 wrote to memory of 4904	4436	{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe	111
PID 2572 wrote to memory of 4396	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	113
PID 2572 wrote to memory of 4396	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	113
PID 2572 wrote to memory of 4396	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	113
PID 2572 wrote to memory of 4640	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	114
PID 2572 wrote to memory of 4640	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	114
PID 2572 wrote to memory of 4640	2572	{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe	114
PID 4396 wrote to memory of 1076	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	116
PID 4396 wrote to memory of 1076	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	116
PID 4396 wrote to memory of 1076	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	116
PID 4396 wrote to memory of 2824	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	117
PID 4396 wrote to memory of 2824	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	117
PID 4396 wrote to memory of 2824	4396	{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe	117
PID 1076 wrote to memory of 1888	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	118
PID 1076 wrote to memory of 1888	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	118
PID 1076 wrote to memory of 1888	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	118
PID 1076 wrote to memory of 2532	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	119
PID 1076 wrote to memory of 2532	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	119
PID 1076 wrote to memory of 2532	1076	{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe	119
PID 1888 wrote to memory of 4548	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	120
PID 1888 wrote to memory of 4548	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	120
PID 1888 wrote to memory of 4548	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	120
PID 1888 wrote to memory of 2672	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	121
PID 1888 wrote to memory of 2672	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	121
PID 1888 wrote to memory of 2672	1888	{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe	121
PID 4548 wrote to memory of 3812	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	122
PID 4548 wrote to memory of 3812	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	122
PID 4548 wrote to memory of 3812	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	122
PID 4548 wrote to memory of 2104	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	123
PID 4548 wrote to memory of 2104	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	123
PID 4548 wrote to memory of 2104	4548	{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe	123
PID 3812 wrote to memory of 3408	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	124
PID 3812 wrote to memory of 3408	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	124
PID 3812 wrote to memory of 3408	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	124
PID 3812 wrote to memory of 4848	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	125
PID 3812 wrote to memory of 4848	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	125
PID 3812 wrote to memory of 4848	3812	{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe	125
PID 3408 wrote to memory of 1980	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	126
PID 3408 wrote to memory of 1980	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	126
PID 3408 wrote to memory of 1980	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	126
PID 3408 wrote to memory of 3132	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	127
PID 3408 wrote to memory of 3132	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	127
PID 3408 wrote to memory of 3132	3408	{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe	127
PID 1980 wrote to memory of 3580	1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe	128
PID 1980 wrote to memory of 3580	1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe	128
PID 1980 wrote to memory of 3580	1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe	128
PID 1980 wrote to memory of 5056	1980	{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_a614f358f8f96d8e0e6332e43a926df4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
  C:\Windows\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
    C:\Windows\{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
      C:\Windows\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
        
        C:\Windows\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Windows\{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
        
        C:\Windows\{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
        
        C:\Windows\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
        
        C:\Windows\{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
        
        C:\Windows\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
        
        C:\Windows\{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
        
        C:\Windows\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe
        
        C:\Windows\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe
        
        C:\Windows\{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe
        13⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0AF6~1.EXE > nul
        13⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36776~1.EXE > nul
        12⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F28AA~1.EXE > nul
        11⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85B7A~1.EXE > nul
        10⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63B5C~1.EXE > nul
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D338~1.EXE > nul
        8⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FD34~1.EXE > nul
        7⤵
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5BFC~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFD2~1.EXE > nul
        5⤵
        
        PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7467C~1.EXE > nul
      4⤵
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F87~1.EXE > nul
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D3387B1-7BFA-43b0-96E6-5CF4AFDC08D0}.exe

Filesize
204KB

MD5
9b7df7235629c483d429e1964a05dada

SHA1
c53cfe1a67f34145f368a29ebb0877b03ba0db73

SHA256
de18132f3541a191496e2668c2bdc031bba946ee7b20dff22270a50d8bd323b2

SHA512
6d3e16351131f5955eca3a055938dd94033581af9759c5bfe2e3432ef335a6ffd191096a735a984df3af7d0208606a4c685fcd6c9e81eca6e8600b92b7b84ae7

Download Submit
C:\Windows\{36776373-5D29-4e61-8F1A-7B5674C4DDC7}.exe

Filesize
204KB

MD5
60878ddc4ae2bf660956521a26538f9c

SHA1
6ef659e0921697054976c4d7f3166c0f34e21fbb

SHA256
c0716ad3dbf553b6559b73c9379a7296b28e8b644688591a169b9b008f7e9013

SHA512
780a1ebdf7017bdeb07fd241a0af3f928d355b29ae936d360333dd4a91ab85ab196ec129e23be60d352789686ae021a0f00e9d46204f4e5be7f25eb3d4df41a2

Download Submit
C:\Windows\{63B5C242-1E5F-4906-8FF6-500568D74BD7}.exe

Filesize
204KB

MD5
bbacbb928cc59d0983e4b4c263a6831a

SHA1
dd2af046366b37ce756d03cc0070a4d779b65e45

SHA256
84b1cfa6d0db2731f64d32ddb02cbc7e344a32e7bf73681f466fa127e90f93f1

SHA512
753f04b09ccb76e9d19d2ec5b31769258377c62c7f79dd0628e9827ccd0b69264761b57946c0f46ccb178101c79eaa94a8b840f041d7af9fc5e7d61c9c51b666

Download Submit
C:\Windows\{7467C05F-80EF-45f5-8F17-77915C6D707B}.exe

Filesize
204KB

MD5
6685a84bce67766f14053a676e833ae5

SHA1
190e76a2a5ced0a1cf230efb18acd8fbb2e551c9

SHA256
3fd19a16a4d8134a607c110ed997d92beb4411171ddef2236fe995f130c3d519

SHA512
79f698710bb70a4abc6b7ecbd6a844e7075d06e2f97b0499903fbc041b631eb01cea1b3e039821c22919982e6e5bded9c1fab73f705424bb9bc508d374adb0a0

Download Submit
C:\Windows\{7FD34076-6AB1-4890-879B-1BFAA62C8757}.exe

Filesize
204KB

MD5
35e6d27252c668ca5b51cc2ca0433e60

SHA1
3a8d7b18d81b0161b3affcdebb61e0cd3b9e8ef6

SHA256
601cd943c1f1a3eeac43ca604c948760bb61e8339e5802db0a5f0ae0af709504

SHA512
6fc9c50019e63b722827e15fb179d4b8b6d992b12ecd72fe0093d371f3dfbf73fd1d5e75d3138ff5f1b1fe984aca2fa6cc6d9f54c3d67ebff157136d19ab4acd

Download Submit
C:\Windows\{85B7A250-5517-4eb3-AB31-5539A12C8ECC}.exe

Filesize
204KB

MD5
e9d2a13d30afc0c92766415d72326f7d

SHA1
202fab33a3e2f38c6f5c48397193f6a8f1a60dd1

SHA256
f706fada47ba5e1bcf9b43f1aae219f1cc269961f173803b61e70b6ae105fae6

SHA512
4893d675cd2cdf7a3a9bcab02aa44f9810400a7da022ecc6937d4a179c799a5b74a16bcab7382e3fbc57195d91a81aa4d2d1434441e1a6115b512caf465754b6

Download Submit
C:\Windows\{8CFD2B86-8622-4f76-83B1-3B157C9C04B0}.exe

Filesize
204KB

MD5
55c9987aee46b76863b022bf397ae406

SHA1
fa6387e8ccbcd01d31456917ad21826e7671ce54

SHA256
c359934ba7aefb97454f2d874e3ac6d3048c753eacc558caf723f8f610243353

SHA512
ada0e0ad80f7aa310cda6cdb50425725b875bdaecb6012e7fc8674aada5a6a05da103e18fdc08a219ed00841033807d119a81ff05318d79a772070e4df8fe9f3

Download Submit
C:\Windows\{A19AF527-A9C1-44e3-A238-76EBB75803E2}.exe

Filesize
204KB

MD5
446b6ca520cc015bf25ebf0f100aea7e

SHA1
cfdc3d1ce3d7ccc8ea42b036c6180caf7350728f

SHA256
fca21c8630cdbc68b98b82ec919fb985560ff33990799f836d93929bf23635a1

SHA512
2c5361e7acfddfee0d0678dc82c831d8926f8643df658402c90bcaf71b54008eb36e8d9370681578235710fc230d4989fe53683ea05b9d9ea6c09311ac1702a1

Download Submit
C:\Windows\{A7F87672-CD8A-422a-B936-B8F5DBECD26C}.exe

Filesize
204KB

MD5
d5aa594a65870a1e6668378120b2d0cf

SHA1
ba12be3e860cd5348d282bce660737f4689eaa79

SHA256
dbf3ef66067e09bdd7bb30aac66a68e78e010218c5d51267dc9b4fe55bee24a7

SHA512
25cf21bebaec25149dbb9e1c13ac5ea960bf539f66f6e2b0e6d9926553de30369feb5e48a73173b5b47fbc68ff9523409041331c5720d15c9e0b12e3c967821d

Download Submit
C:\Windows\{B5BFCD24-DE43-4bd8-B9F2-1EA4DBE5AE50}.exe

Filesize
204KB

MD5
4d6be35ce91ce8aa50eab5c6e55a2f19

SHA1
cdce92dbbf601b15cd6b42afbbd1cafeab481838

SHA256
ce9d05914d98ba9708495a79622158184439e2fbaf797e13488024468d85e9fe

SHA512
ea7c1e892279a99de8f36841f22763640022e13dca35819c24dab32285cec21efda2d5b6baa1cdae2861cdc549ff35a2b2c34e72d198d4f0786925455bed20dc

Download Submit
C:\Windows\{C0AF668A-F7E8-4eaf-87B5-447052C310AD}.exe

Filesize
204KB

MD5
cddf64efa1559d61f13496b23af578e2

SHA1
8037d648eaa2d7be56d938725a2d83c8f5055b2f

SHA256
995ae2d28aa200330d7ff165eba75a4c1b644aedf21b736bddb4f043ec8955c9

SHA512
c580d7ee47c4252014795dc7de12abcc7e74895c93d9bf33c784cbacf5854f2b8362ffe4e1fbe4c31272928f0b2d2bdb530db689ac47c21ab6a6c1dac766dac1

Download Submit
C:\Windows\{F28AAA98-6EAB-478e-9C00-CAF204A42829}.exe

Filesize
204KB

MD5
8b9811d12f6e771221f9a028e4a5cb05

SHA1
7d9ae5694eb66c022c6044f5236843b494fbb661

SHA256
53b8076b66d4ef28d93d95504c5e46a6e63113c0ead76adcd1f6839f0136b4ce

SHA512
d46d6336da1d0988dd6b8626db9cd629ad9e98bf86a9611506dd3d6ca3e886a94f849f8346803e1746301775d7469e8993a75456dfbbf54e2cd07cf96aeeb835

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads