dca84e34f3f7796e36861270114255240e91a42b84e0e3807905ec3328eb5a60

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Size

408KB
MD5

12971782a980f5bde4c924dd747f40d6
SHA1

5e7dfd28987dc41b18a5e145e03c808e69214789
SHA256

dca84e34f3f7796e36861270114255240e91a42b84e0e3807905ec3328eb5a60
SHA512

c127e5ff00e1163197aabd0149b04d4ff03a28025795ff50761f4e243fa822027600fe555129ba6b8d9ceef9c183e0c874f1a7a5e41111e3c4801ef805eccb2e
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022d25-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023253-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023253-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002325e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13438CAE-E34D-4a57-97D0-2A8E27879611}\stubpath = "C:\\Windows\\{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe"	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}\stubpath = "C:\\Windows\\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe"	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}\stubpath = "C:\\Windows\\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe"	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240AB759-1A5D-45a1-81B9-E16682397D23}\stubpath = "C:\\Windows\\{240AB759-1A5D-45a1-81B9-E16682397D23}.exe"	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063FDD89-0461-4a3d-A345-A1441C99063F}\stubpath = "C:\\Windows\\{063FDD89-0461-4a3d-A345-A1441C99063F}.exe"	{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063FDD89-0461-4a3d-A345-A1441C99063F}	{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}\stubpath = "C:\\Windows\\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe"	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}\stubpath = "C:\\Windows\\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe"	{90C44873-5292-4715-B627-1AA04F471C8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}\stubpath = "C:\\Windows\\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe"	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240AB759-1A5D-45a1-81B9-E16682397D23}	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDA1F8BA-B538-4a93-B302-61154E6268E4}	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDA1F8BA-B538-4a93-B302-61154E6268E4}\stubpath = "C:\\Windows\\{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe"	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13438CAE-E34D-4a57-97D0-2A8E27879611}	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90C44873-5292-4715-B627-1AA04F471C8E}	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}\stubpath = "C:\\Windows\\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe"	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90C44873-5292-4715-B627-1AA04F471C8E}\stubpath = "C:\\Windows\\{90C44873-5292-4715-B627-1AA04F471C8E}.exe"	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}	{90C44873-5292-4715-B627-1AA04F471C8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}\stubpath = "C:\\Windows\\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe"	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe

Executes dropped EXE 12 IoCs

pid	Process
232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe
488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
548	{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe
3700	{063FDD89-0461-4a3d-A345-A1441C99063F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
File created	C:\Windows\{90C44873-5292-4715-B627-1AA04F471C8E}.exe	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
File created	C:\Windows\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
File created	C:\Windows\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
File created	C:\Windows\{240AB759-1A5D-45a1-81B9-E16682397D23}.exe	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
File created	C:\Windows\{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
File created	C:\Windows\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
File created	C:\Windows\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	{90C44873-5292-4715-B627-1AA04F471C8E}.exe
File created	C:\Windows\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
File created	C:\Windows\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
File created	C:\Windows\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
File created	C:\Windows\{063FDD89-0461-4a3d-A345-A1441C99063F}.exe	{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
Token: SeIncBasePriorityPrivilege	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
Token: SeIncBasePriorityPrivilege	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe
Token: SeIncBasePriorityPrivilege	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
Token: SeIncBasePriorityPrivilege	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
Token: SeIncBasePriorityPrivilege	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
Token: SeIncBasePriorityPrivilege	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
Token: SeIncBasePriorityPrivilege	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
Token: SeIncBasePriorityPrivilege	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
Token: SeIncBasePriorityPrivilege	3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
Token: SeIncBasePriorityPrivilege	548	{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 232	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	100
PID 4504 wrote to memory of 232	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	100
PID 4504 wrote to memory of 232	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	100
PID 4504 wrote to memory of 1824	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	101
PID 4504 wrote to memory of 1824	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	101
PID 4504 wrote to memory of 1824	4504	2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe	101
PID 232 wrote to memory of 3252	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	105
PID 232 wrote to memory of 3252	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	105
PID 232 wrote to memory of 3252	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	105
PID 232 wrote to memory of 3312	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	106
PID 232 wrote to memory of 3312	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	106
PID 232 wrote to memory of 3312	232	{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe	106
PID 3252 wrote to memory of 2860	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	108
PID 3252 wrote to memory of 2860	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	108
PID 3252 wrote to memory of 2860	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	108
PID 3252 wrote to memory of 744	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	109
PID 3252 wrote to memory of 744	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	109
PID 3252 wrote to memory of 744	3252	{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe	109
PID 2860 wrote to memory of 488	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	111
PID 2860 wrote to memory of 488	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	111
PID 2860 wrote to memory of 488	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	111
PID 2860 wrote to memory of 3132	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	112
PID 2860 wrote to memory of 3132	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	112
PID 2860 wrote to memory of 3132	2860	{90C44873-5292-4715-B627-1AA04F471C8E}.exe	112
PID 488 wrote to memory of 4104	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	113
PID 488 wrote to memory of 4104	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	113
PID 488 wrote to memory of 4104	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	113
PID 488 wrote to memory of 4576	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	114
PID 488 wrote to memory of 4576	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	114
PID 488 wrote to memory of 4576	488	{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe	114
PID 4104 wrote to memory of 2100	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	115
PID 4104 wrote to memory of 2100	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	115
PID 4104 wrote to memory of 2100	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	115
PID 4104 wrote to memory of 1848	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	116
PID 4104 wrote to memory of 1848	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	116
PID 4104 wrote to memory of 1848	4104	{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe	116
PID 2100 wrote to memory of 1400	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	117
PID 2100 wrote to memory of 1400	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	117
PID 2100 wrote to memory of 1400	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	117
PID 2100 wrote to memory of 4080	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	118
PID 2100 wrote to memory of 4080	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	118
PID 2100 wrote to memory of 4080	2100	{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe	118
PID 1400 wrote to memory of 3168	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	119
PID 1400 wrote to memory of 3168	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	119
PID 1400 wrote to memory of 3168	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	119
PID 1400 wrote to memory of 1764	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	120
PID 1400 wrote to memory of 1764	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	120
PID 1400 wrote to memory of 1764	1400	{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe	120
PID 3168 wrote to memory of 1804	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	121
PID 3168 wrote to memory of 1804	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	121
PID 3168 wrote to memory of 1804	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	121
PID 3168 wrote to memory of 4136	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	122
PID 3168 wrote to memory of 4136	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	122
PID 3168 wrote to memory of 4136	3168	{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe	122
PID 1804 wrote to memory of 3252	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	123
PID 1804 wrote to memory of 3252	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	123
PID 1804 wrote to memory of 3252	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	123
PID 1804 wrote to memory of 4564	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	124
PID 1804 wrote to memory of 4564	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	124
PID 1804 wrote to memory of 4564	1804	{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe	124
PID 3252 wrote to memory of 548	3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe	125
PID 3252 wrote to memory of 548	3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe	125
PID 3252 wrote to memory of 548	3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe	125
PID 3252 wrote to memory of 3800	3252	{240AB759-1A5D-45a1-81B9-E16682397D23}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_12971782a980f5bde4c924dd747f40d6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
  C:\Windows\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
    C:\Windows\{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\{90C44873-5292-4715-B627-1AA04F471C8E}.exe
      C:\Windows\{90C44873-5292-4715-B627-1AA04F471C8E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
        
        C:\Windows\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:488
      - C:\Windows\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
        
        C:\Windows\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
        
        C:\Windows\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
        
        C:\Windows\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
        
        C:\Windows\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
        
        C:\Windows\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
        
        C:\Windows\{240AB759-1A5D-45a1-81B9-E16682397D23}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe
        
        C:\Windows\{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{063FDD89-0461-4a3d-A345-A1441C99063F}.exe
        
        C:\Windows\{063FDD89-0461-4a3d-A345-A1441C99063F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDA1F~1.EXE > nul
        13⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240AB~1.EXE > nul
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1DE~1.EXE > nul
        11⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B28CA~1.EXE > nul
        10⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70EFD~1.EXE > nul
        9⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0FF~1.EXE > nul
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{484B9~1.EXE > nul
        7⤵
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF599~1.EXE > nul
        6⤵
        
        PID:4576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90C44~1.EXE > nul
        5⤵
        
        PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{13438~1.EXE > nul
      4⤵
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E4690~1.EXE > nul
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{063FDD89-0461-4a3d-A345-A1441C99063F}.exe

Filesize
408KB

MD5
beb1101e590df3724b981ddefaa2d523

SHA1
31a94f3baa793a66c142abc7ad1bc220c1115943

SHA256
5fded1df76c516bd09893111dcd7620090d886d602a98e740e0db7c0002664f4

SHA512
955d359029a3a1009584453836b88f0252454988018d3e2ab0cf6b0ff043f966e7057302566b79a31ad3204ae28d46cf652ed86e1458ee516d5467fdfcb59086

Download Submit
C:\Windows\{13438CAE-E34D-4a57-97D0-2A8E27879611}.exe

Filesize
408KB

MD5
a604fa5444d4e7c7df82e55e0c417e54

SHA1
8d59488983d05db2c4a3036b7553dedee72229fc

SHA256
a0a5c6f1e6bdbb9cd6a51fd618c56052a55bfcb083765b34eaf69cb23fd39adf

SHA512
a134484589f3889e76f57830ee9718044c05394868aaf1adff9023a6a05575bbf1488f2eda60359fc97ab4ca3226799ac8e87959b39a3954353d59d8fab00715

Download Submit
C:\Windows\{1A0FFE76-7345-4d7a-9D53-382E8CDEA4A2}.exe

Filesize
408KB

MD5
38858099f4a595b209274330e716e73d

SHA1
016eeeb5280a2df6ba6d191898b422afacab2893

SHA256
322cb8c4fdf2479c6c5782d6d8ef9ea078b7be1a25aa072c9d364a38e8d778a3

SHA512
d18f9d9d41ecddb22e17de7507a1269b544bb5cf8ffb7c96ea6cc931836918feee3c30c1b30b5d176fa588613147c6cd6b698027928468a342b40d69c5c738bb

Download Submit
C:\Windows\{240AB759-1A5D-45a1-81B9-E16682397D23}.exe

Filesize
408KB

MD5
ecf4a002124aa6f9a5b48a50f40ba005

SHA1
c5b682e2ca500b46eaeb5a17581c646a184a3b70

SHA256
2a129b4676e403ac842e69ead09a3e4465216b91bf1a0c3721d7668e4edefe25

SHA512
89a48b8f3bad396061f33b8fc0ee4fcbeee9551ed6bd181eacc807bac08ed94a8b6f826a53fc671bf29fd2afc7ec4c8bdf6825142a5b99437bfe53778145da6b

Download Submit
C:\Windows\{484B9C4B-5AE0-45e2-829D-0C4974889F9C}.exe

Filesize
408KB

MD5
e7751a9f51981b3ef8a128220db21639

SHA1
affcab0328e96b45e8a8b1030363f0ece70a33d8

SHA256
948de7ad047590e06f91fa51d1bd0b03c6077a5360d42a3694dbc1ead5bab4f9

SHA512
af59f53c198ca3a61f410730734e07c20b7df68942e9e2e65070a58f3728bc5e5cd1bb347ce7578eaaee36fed2bef1cff36a5d6e1178b72ca0d1bd2bf22050ef

Download Submit
C:\Windows\{4A1DEA1D-FD0F-4fb1-A95F-D2AAC49D903E}.exe

Filesize
408KB

MD5
fecaff0fb8ea260cd5733c7ddb088e90

SHA1
6cf986f6d37dc206aa8fdea64580a44fe97d9f41

SHA256
2fed40e86f554f2e04c1911fd0169f3e72c370bf312fc4d47457d15d88f5ca61

SHA512
a175ae9e8a4bdd0d44de728aaffb6aa8529d220486c68dc61b0a699a4bef37545e9a45be53fbf620dc68c81013ae676ecf06137dae762ac4bc99d1b90317bf13

Download Submit
C:\Windows\{70EFD6D1-DC55-4cb8-9060-04A951AC028C}.exe

Filesize
408KB

MD5
50732960bffc9f321ff053b3a098ba6f

SHA1
7201aab5b4a644e49b22384a9b96e6263914a880

SHA256
2dab8ce319640acfbda43d829a0b2121b16bb37ff41d65fbe4c3e3dc93139fc4

SHA512
438235fd2c72b3c1da9e06eae6c518ffeee0a99bbd331ce707245a2f4c34a92fbb5ab873703839e31db05afc3cfcdc0e1c5666496249ac7dfa5a52ba1709f85b

Download Submit
C:\Windows\{90C44873-5292-4715-B627-1AA04F471C8E}.exe

Filesize
408KB

MD5
ad9b1494c6027ecc7f384e06d4d6a8d3

SHA1
34895ed75f32e4847c0e1e9e8d4678d1ef536d43

SHA256
0371777b90544e6ef98d175676040078a9580d15ba9bb82e36d6c4c8ac9309a6

SHA512
cd905fa10fad55d5e848a21dbb6adda52148a510e089f39bb9665fa3959efdf88a8aa1373a5a551a1ce5907390100a99a87816c1e94cec18d7411707a0c697a1

Download Submit
C:\Windows\{B28CA5EF-609A-4a49-BBC1-05030FA249D1}.exe

Filesize
408KB

MD5
cf9c01d356429f868ab044fa0220c6ee

SHA1
31ba419c29bf7b6de0514c0be577f0937e2204c4

SHA256
6465aefef74a8361c6832e400e5833615df54ea76933d3fdf1c54c0d43972275

SHA512
a7a6be379f592c8fa5333c22429719382c424a4f30eb3f5b25156fd97d98d7ff0b1672aca778cd1920508d08bcd857b054f23f3eebcf47ff0a80551ed02c565d

Download Submit
C:\Windows\{CDA1F8BA-B538-4a93-B302-61154E6268E4}.exe

Filesize
408KB

MD5
1f09b38bea5178c43f0f92bfdb925968

SHA1
a6505a08148206da904c8c0bf4774d29f554409d

SHA256
161948580d44c458f8f81eb085701e18f3c1aa23607b77a6bf383349074b7a0b

SHA512
71ed7b44a9dbdd34bcb9070798fe94491b212684f6b6c11d322d4f7a787b4c5f01f3341224caf5992b6ae3d5be89bbe7e0eaf7127344e2632f8f6a4217f5452e

Download Submit
C:\Windows\{E469095E-C8A6-452f-8048-05FBDBFDB8A5}.exe

Filesize
408KB

MD5
4303442584f9cbdcdb3a4e632369316e

SHA1
bf3550ea2b1bc4689bd20cdb57c43a276e00d9e0

SHA256
5f1db9921be79390e150b5bf3a8ba4dae64d991deee8bf265bc48bbe05857621

SHA512
7ae5524a387d74bf85b402c2449af849f58225f89b2ae0e5e5fb6e57e53cb0f73d1385446ebb51095a6cbb3548501d646332e1acaff71bdc3957aaf76c508825

Download Submit
C:\Windows\{FF599CE2-558C-4a27-9521-12EA9A6CE9DE}.exe

Filesize
408KB

MD5
ec82df1b48dbb70ffff48f16feec51c9

SHA1
8d8bcaafd94270a9fa9a94b619106c7c018f4f95

SHA256
33fab0aa0aafb58bee2c5b84b80e24ba6d77634ccde8797fcab45e0d93930c89

SHA512
e124bdedfa64c87104171c6f7977263ebe5f0748dd8e5303033357e9362f476b4822252a796ffe187496c1ff468940ae4d6112350b9f1869db8ff1fcde05e604

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads