6bbd3c8b1aa40a8edae2b65e6d12faf9e8223a2abe207999fbfb2229fe06c69b

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
Size

372KB
MD5

3bc0c4b2a430ec96e86091e395db65a7
SHA1

f5481ceee8915a774aaf40282602d9acbbc3bf58
SHA256

6bbd3c8b1aa40a8edae2b65e6d12faf9e8223a2abe207999fbfb2229fe06c69b
SHA512

801d0c3318efbe00983937de5abb27a98f918214a953fa2b112588817b8ade023a684938c91d01d9f28fc309b0c44609bf434841b33975804b77a9bacd8c8523
SSDEEP

3072:CEGh0ojlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGtlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023322-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002332c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023336-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000167e1-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023336-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000167e1-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023336-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000167e1-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000006c1-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000167e1-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000006c1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000230e6-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F35C03-A553-48ae-891D-4B90CFA3017F}\stubpath = "C:\\Windows\\{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe"	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D05F86-FCB6-416e-8204-304E11B311D9}\stubpath = "C:\\Windows\\{76D05F86-FCB6-416e-8204-304E11B311D9}.exe"	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239C1927-847C-4958-AD3E-BE59DBB26AD7}\stubpath = "C:\\Windows\\{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe"	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}	{666AD574-483D-4fb3-882C-C7F8E2131467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}\stubpath = "C:\\Windows\\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe"	{666AD574-483D-4fb3-882C-C7F8E2131467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C40BC068-CD06-4ead-9E07-3E9158BA489D}\stubpath = "C:\\Windows\\{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe"	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F35C03-A553-48ae-891D-4B90CFA3017F}	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D7205-71B3-43d0-98C8-B99280CA5B32}	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}\stubpath = "C:\\Windows\\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe"	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76D05F86-FCB6-416e-8204-304E11B311D9}	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239C1927-847C-4958-AD3E-BE59DBB26AD7}	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{666AD574-483D-4fb3-882C-C7F8E2131467}\stubpath = "C:\\Windows\\{666AD574-483D-4fb3-882C-C7F8E2131467}.exe"	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C40BC068-CD06-4ead-9E07-3E9158BA489D}	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}\stubpath = "C:\\Windows\\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe"	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F87D7205-71B3-43d0-98C8-B99280CA5B32}\stubpath = "C:\\Windows\\{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe"	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}\stubpath = "C:\\Windows\\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe"	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}\stubpath = "C:\\Windows\\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe"	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}\stubpath = "C:\\Windows\\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe"	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{666AD574-483D-4fb3-882C-C7F8E2131467}	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe

Executes dropped EXE 12 IoCs

pid	Process
3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
2232	{666AD574-483D-4fb3-882C-C7F8E2131467}.exe
2620	{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
File created	C:\Windows\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
File created	C:\Windows\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
File created	C:\Windows\{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
File created	C:\Windows\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
File created	C:\Windows\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
File created	C:\Windows\{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
File created	C:\Windows\{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
File created	C:\Windows\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
File created	C:\Windows\{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
File created	C:\Windows\{666AD574-483D-4fb3-882C-C7F8E2131467}.exe	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
File created	C:\Windows\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe	{666AD574-483D-4fb3-882C-C7F8E2131467}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
Token: SeIncBasePriorityPrivilege	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
Token: SeIncBasePriorityPrivilege	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
Token: SeIncBasePriorityPrivilege	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
Token: SeIncBasePriorityPrivilege	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
Token: SeIncBasePriorityPrivilege	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
Token: SeIncBasePriorityPrivilege	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
Token: SeIncBasePriorityPrivilege	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
Token: SeIncBasePriorityPrivilege	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
Token: SeIncBasePriorityPrivilege	4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
Token: SeIncBasePriorityPrivilege	2232	{666AD574-483D-4fb3-882C-C7F8E2131467}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 3444	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	103
PID 1376 wrote to memory of 3444	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	103
PID 1376 wrote to memory of 3444	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	103
PID 1376 wrote to memory of 1492	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	104
PID 1376 wrote to memory of 1492	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	104
PID 1376 wrote to memory of 1492	1376	2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe	104
PID 3444 wrote to memory of 396	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	108
PID 3444 wrote to memory of 396	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	108
PID 3444 wrote to memory of 396	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	108
PID 3444 wrote to memory of 4196	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	109
PID 3444 wrote to memory of 4196	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	109
PID 3444 wrote to memory of 4196	3444	{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe	109
PID 396 wrote to memory of 3552	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	111
PID 396 wrote to memory of 3552	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	111
PID 396 wrote to memory of 3552	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	111
PID 396 wrote to memory of 4640	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	112
PID 396 wrote to memory of 4640	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	112
PID 396 wrote to memory of 4640	396	{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe	112
PID 3552 wrote to memory of 3116	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	114
PID 3552 wrote to memory of 3116	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	114
PID 3552 wrote to memory of 3116	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	114
PID 3552 wrote to memory of 4972	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	115
PID 3552 wrote to memory of 4972	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	115
PID 3552 wrote to memory of 4972	3552	{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe	115
PID 3116 wrote to memory of 4196	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	117
PID 3116 wrote to memory of 4196	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	117
PID 3116 wrote to memory of 4196	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	117
PID 3116 wrote to memory of 2724	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	118
PID 3116 wrote to memory of 2724	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	118
PID 3116 wrote to memory of 2724	3116	{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe	118
PID 4196 wrote to memory of 2624	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	120
PID 4196 wrote to memory of 2624	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	120
PID 4196 wrote to memory of 2624	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	120
PID 4196 wrote to memory of 4504	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	121
PID 4196 wrote to memory of 4504	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	121
PID 4196 wrote to memory of 4504	4196	{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe	121
PID 2624 wrote to memory of 4396	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	122
PID 2624 wrote to memory of 4396	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	122
PID 2624 wrote to memory of 4396	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	122
PID 2624 wrote to memory of 2832	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	123
PID 2624 wrote to memory of 2832	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	123
PID 2624 wrote to memory of 2832	2624	{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe	123
PID 4396 wrote to memory of 3012	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	124
PID 4396 wrote to memory of 3012	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	124
PID 4396 wrote to memory of 3012	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	124
PID 4396 wrote to memory of 1976	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	125
PID 4396 wrote to memory of 1976	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	125
PID 4396 wrote to memory of 1976	4396	{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe	125
PID 3012 wrote to memory of 764	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	133
PID 3012 wrote to memory of 764	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	133
PID 3012 wrote to memory of 764	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	133
PID 3012 wrote to memory of 2184	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	134
PID 3012 wrote to memory of 2184	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	134
PID 3012 wrote to memory of 2184	3012	{76D05F86-FCB6-416e-8204-304E11B311D9}.exe	134
PID 764 wrote to memory of 4384	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	135
PID 764 wrote to memory of 4384	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	135
PID 764 wrote to memory of 4384	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	135
PID 764 wrote to memory of 1004	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	136
PID 764 wrote to memory of 1004	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	136
PID 764 wrote to memory of 1004	764	{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe	136
PID 4384 wrote to memory of 2232	4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe	137
PID 4384 wrote to memory of 2232	4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe	137
PID 4384 wrote to memory of 2232	4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe	137
PID 4384 wrote to memory of 1376	4384	{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe	138

C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_3bc0c4b2a430ec96e86091e395db65a7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
  C:\Windows\{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
    C:\Windows\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
      C:\Windows\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
        
        C:\Windows\{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
      - C:\Windows\{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
        
        C:\Windows\{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
        
        C:\Windows\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
        
        C:\Windows\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
        
        C:\Windows\{76D05F86-FCB6-416e-8204-304E11B311D9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
        
        C:\Windows\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
        
        C:\Windows\{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{666AD574-483D-4fb3-882C-C7F8E2131467}.exe
        
        C:\Windows\{666AD574-483D-4fb3-882C-C7F8E2131467}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe
        
        C:\Windows\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{666AD~1.EXE > nul
        13⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{239C1~1.EXE > nul
        12⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2A02~1.EXE > nul
        11⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D05~1.EXE > nul
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2AB7~1.EXE > nul
        9⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C306E~1.EXE > nul
        8⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F87D7~1.EXE > nul
        7⤵
        
        PID:4504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F35~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE55~1.EXE > nul
        5⤵
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46AC6~1.EXE > nul
      4⤵
      PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C40BC~1.EXE > nul
    3⤵
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{239C1927-847C-4958-AD3E-BE59DBB26AD7}.exe

Filesize
372KB

MD5
0c111232e1aba93da7c9b9c42c182b1d

SHA1
2013d5c03436fc88d0619d963869de69a7f93296

SHA256
865a13122b7c6509070da3eab28df56e80593087a2199d8bc42ee7d301705405

SHA512
f429a0246eed92b52e0bb2a5e39784d3b19386de0f04b1214f32307712d4b39a54616eedf611942a7204a706fed5a5585ee45f7b9f06da8c2cbc5060e3bfca8d

Download Submit
C:\Windows\{29F35C03-A553-48ae-891D-4B90CFA3017F}.exe

Filesize
372KB

MD5
745123bd4e8364ccb58f77678b039a15

SHA1
26843881687f689feac232f3ef8b83ea49e6d1d4

SHA256
2cc8cb3713a537d594cdb1443806ff491cca28c3954df9e034fe023dac57be2c

SHA512
33aa6470789286ecd600c877b9fdb540c766351d292f220068b36df369e09d09e74dd6871a2a806f83f26a023d5d4a1fa8bb7decdfe7be8183d64e9de1a14329

Download Submit
C:\Windows\{46AC6D08-EED6-423a-8DB3-D513F6FFFDAE}.exe

Filesize
372KB

MD5
b4a1417ede7f60549baff39b5891d273

SHA1
354922f6f55f0d37ec3601ac6d810dceeb4182d5

SHA256
4eb45f4bfd7be5e1a3ed5a32d6c8a586ae54cee0cdbbd5b76003911035e85dfb

SHA512
dc3330c62653552c4677fa7d2c70dcf8ae45cd827d37b218d785a3deb21f60db7d72bdc5de968160ebdeb3cb7c97bbb637c44a3e249b02056ac48e1199fff80f

Download Submit
C:\Windows\{666AD574-483D-4fb3-882C-C7F8E2131467}.exe

Filesize
372KB

MD5
c1ec5954b6032b0892810597bbc76cbb

SHA1
263d8480ae274fe9024d5e8ae5fb97d71da8f685

SHA256
f66f1bb5ca476afc9539d51247e3f61bd6aab9f8db15c23254ab1b5a8a7f422b

SHA512
c9f75ec3a49c23b09a2ab6df165601c3e8136cfc5b62fd2047a6d4fb1a604da4169807008c6d5ad6c1fb69019b812a506fb8d022a18f8331ad794679a0ed24f4

Download Submit
C:\Windows\{76D05F86-FCB6-416e-8204-304E11B311D9}.exe

Filesize
372KB

MD5
b831f3bbb57bf41669570b9117a5616f

SHA1
a5447c1d5950d7e9ae5f6ed8544686cc0732eac9

SHA256
889b3b66430e7c8845d26af5c6f44acf4ee0938164a26528c9f983100909aa52

SHA512
4723840ca9d658b5ca292ad4e58c38e4393cf340ab0956ed27c5899787b8206f8ef868420567c6b0f283fdf16d5cce70a314f304069b9f770661a6e9d207d341

Download Submit
C:\Windows\{9DE5539F-C4C1-48e8-A177-29CCE7B8DBB7}.exe

Filesize
372KB

MD5
d4d616a0c85428d98b419b3b94b68deb

SHA1
ce4758193fd3e75a0f9f46bee3dcf01e08658fcb

SHA256
8e1d82267254370b67cf52278b9d55da591b754a78e14ff3604e7974f35535bf

SHA512
ded7415e407641dd54e7b8809a7140d3e832e93945e298d2e2977ae3659519c11ff57f2448a8ee0e7826c83f594a67b73903a26d78bd95ebe4891acf33463247

Download Submit
C:\Windows\{ACE81A8D-153F-4da2-91AE-18EE18C4979F}.exe

Filesize
372KB

MD5
3c8c51c07e3c436c6e9577592b4dcac0

SHA1
3f9e3ed2ba24b9d4bf7cb1b4560fd0b8a8323c22

SHA256
34c3e5573a417b38f9318639e62861c1d0526e3c3b56a3f1fa6a3d41077c9942

SHA512
06ac7a60cbcff7c242a0b1f17b25ee5e0eb155f5cdc06ccfb9c27996fb022dde72659c3f948861fd40111c79e5484463825c4ee242e2592d38287becf004f5ab

Download Submit
C:\Windows\{C2AB717C-D4E8-4252-8D6D-4043C80B18D2}.exe

Filesize
372KB

MD5
4edb43fe74df5989e400a4ac367c963a

SHA1
9100d50417645d7208f68cf2e02fcd07927203d3

SHA256
9285e242113a2b1d3257e0da9b86e9845b44ddef9a41a17b6cfac9e0a16e8556

SHA512
c47d6db92e3e105b781162480d06ba6f515adf0bcb61de044d97cf65a28861194be4206bc7c179f2fe9148756589c9bfb45d2de1a0af3d74ba3cf9f26778bb1b

Download Submit
C:\Windows\{C306E5A2-80CA-4aa6-80FF-5AABD7DE2FD5}.exe

Filesize
372KB

MD5
38ee88c4595d35ee34cf392c7d2b520e

SHA1
050c477ca85d26cf3e321dac4cb24569968ea803

SHA256
748aa28f5f04c5b21ac7b5652e1f94eabd06c1f631c1ac452de0e30544ef6ecd

SHA512
2c11e2d22b2b3302969e0eb934d2254dbdbe43661e066054708565123096fc639a9068dbb770b88f5763fa574559043bdfa0adeb0aa2bad921ae71d5e0c83a03

Download Submit
C:\Windows\{C40BC068-CD06-4ead-9E07-3E9158BA489D}.exe

Filesize
372KB

MD5
c0ef67b25b8b3b82f37da6db2b957bf1

SHA1
dac8f8b418f65a5a4249ea796292a61fd93803b7

SHA256
3b78b9b7960ce64b6f4ee60972f4d1d75ee0e47ab752290813de887042513b4e

SHA512
5e426140467ac0c99623336ade12092a2d48300383f9a03d7aaf37e65b3fd33406a517b2e9a4cf486ce513ae0b834724fa00012c97a08a2e4843a20f7e29c1a5

Download Submit
C:\Windows\{E2A02019-38ED-4e60-98BE-2B2BDB00BBC0}.exe

Filesize
372KB

MD5
7b01235dc8bab4644bb7da056c948673

SHA1
828caadd10d655d0b0935b0369569dbbbcd2972e

SHA256
a17b9439ac844be7b2fdb5b2b9f2426537c6b531812265802b899123e0d29a01

SHA512
a26cd0c458fe3fe8c0faaffc74ca6b636abf316d20cfaf79b5da9509b538f672b292187a1001a41b67a7db21aefc8b59a1d136d8836a3331c01b831894a867cf

Download Submit
C:\Windows\{F87D7205-71B3-43d0-98C8-B99280CA5B32}.exe

Filesize
372KB

MD5
0471f919e14c1f18c924561493a5947b

SHA1
4caf8e76bf20e9ff234e5c68c2d518a4f28455d0

SHA256
4917c41f069f551c1b7ece50e4313ff16cfa3a351ce9575e16e375d4ecb530a6

SHA512
4c9e07c413b913f4d9bb8d3c9d04d3257150f4bff19d47c37360622de8cce17cbbf7a051349ef4830d9e051400c0858e2f0e46dc484467abcb253a4d674ad9a3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads