0554a16473318b913debfa3dbb22a28de980e0a39d3979b557e53b07c7b7cafc

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
Size

380KB
MD5

2bcf183bf94ce9ef957f534faa09f756
SHA1

3a4c15629fca9462960048ee9ab2e255f0835171
SHA256

0554a16473318b913debfa3dbb22a28de980e0a39d3979b557e53b07c7b7cafc
SHA512

d9cc6d35bfd0bcbf78f6ded091a7da3fc9ed048e5743ccc40a9c8c9bb5b604afcd47cd6ded1daff4bbbe4b51592a7ba2d2ed01d56aa0def8bafe76f86bbdc741
SSDEEP

3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023342-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023349-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023350-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023349-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021166-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021960-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000021166-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000709-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}\stubpath = "C:\\Windows\\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe"	{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}\stubpath = "C:\\Windows\\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe"	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1FC8133-7297-410d-9A23-07077235A97E}	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD853A45-F16A-4286-BF54-514E7B72D3BE}\stubpath = "C:\\Windows\\{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe"	{F1FC8133-7297-410d-9A23-07077235A97E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461E4B29-2B64-49b9-87DA-2D4285652F03}	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1FC8133-7297-410d-9A23-07077235A97E}\stubpath = "C:\\Windows\\{F1FC8133-7297-410d-9A23-07077235A97E}.exe"	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}\stubpath = "C:\\Windows\\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe"	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A2D8AB-0E23-4c3c-A875-770D22126695}\stubpath = "C:\\Windows\\{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe"	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}\stubpath = "C:\\Windows\\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe"	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}\stubpath = "C:\\Windows\\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe"	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00D84B8-7A50-4b42-9116-490928BD8CA3}\stubpath = "C:\\Windows\\{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe"	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}	{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A2D8AB-0E23-4c3c-A875-770D22126695}	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD853A45-F16A-4286-BF54-514E7B72D3BE}	{F1FC8133-7297-410d-9A23-07077235A97E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}\stubpath = "C:\\Windows\\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe"	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}\stubpath = "C:\\Windows\\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe"	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{461E4B29-2B64-49b9-87DA-2D4285652F03}\stubpath = "C:\\Windows\\{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe"	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00D84B8-7A50-4b42-9116-490928BD8CA3}	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe

Executes dropped EXE 12 IoCs

pid	Process
1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe
648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
1872	{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
572	{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
File created	C:\Windows\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
File created	C:\Windows\{F1FC8133-7297-410d-9A23-07077235A97E}.exe	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
File created	C:\Windows\{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
File created	C:\Windows\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
File created	C:\Windows\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe	{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
File created	C:\Windows\{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
File created	C:\Windows\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
File created	C:\Windows\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
File created	C:\Windows\{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	{F1FC8133-7297-410d-9A23-07077235A97E}.exe
File created	C:\Windows\{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
File created	C:\Windows\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
Token: SeIncBasePriorityPrivilege	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
Token: SeIncBasePriorityPrivilege	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
Token: SeIncBasePriorityPrivilege	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
Token: SeIncBasePriorityPrivilege	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
Token: SeIncBasePriorityPrivilege	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe
Token: SeIncBasePriorityPrivilege	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
Token: SeIncBasePriorityPrivilege	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
Token: SeIncBasePriorityPrivilege	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
Token: SeIncBasePriorityPrivilege	3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
Token: SeIncBasePriorityPrivilege	1872	{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1240	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	101
PID 3652 wrote to memory of 1240	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	101
PID 3652 wrote to memory of 1240	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	101
PID 3652 wrote to memory of 1764	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	102
PID 3652 wrote to memory of 1764	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	102
PID 3652 wrote to memory of 1764	3652	2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe	102
PID 1240 wrote to memory of 2032	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	103
PID 1240 wrote to memory of 2032	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	103
PID 1240 wrote to memory of 2032	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	103
PID 1240 wrote to memory of 5056	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	104
PID 1240 wrote to memory of 5056	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	104
PID 1240 wrote to memory of 5056	1240	{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe	104
PID 2032 wrote to memory of 5072	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	106
PID 2032 wrote to memory of 5072	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	106
PID 2032 wrote to memory of 5072	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	106
PID 2032 wrote to memory of 4716	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	107
PID 2032 wrote to memory of 4716	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	107
PID 2032 wrote to memory of 4716	2032	{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe	107
PID 5072 wrote to memory of 4052	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	109
PID 5072 wrote to memory of 4052	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	109
PID 5072 wrote to memory of 4052	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	109
PID 5072 wrote to memory of 1384	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	110
PID 5072 wrote to memory of 1384	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	110
PID 5072 wrote to memory of 1384	5072	{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe	110
PID 4052 wrote to memory of 3796	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	111
PID 4052 wrote to memory of 3796	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	111
PID 4052 wrote to memory of 3796	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	111
PID 4052 wrote to memory of 3384	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	112
PID 4052 wrote to memory of 3384	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	112
PID 4052 wrote to memory of 3384	4052	{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe	112
PID 3796 wrote to memory of 3692	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	113
PID 3796 wrote to memory of 3692	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	113
PID 3796 wrote to memory of 3692	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	113
PID 3796 wrote to memory of 1912	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	114
PID 3796 wrote to memory of 1912	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	114
PID 3796 wrote to memory of 1912	3796	{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe	114
PID 3692 wrote to memory of 648	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	115
PID 3692 wrote to memory of 648	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	115
PID 3692 wrote to memory of 648	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	115
PID 3692 wrote to memory of 4152	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	116
PID 3692 wrote to memory of 4152	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	116
PID 3692 wrote to memory of 4152	3692	{F1FC8133-7297-410d-9A23-07077235A97E}.exe	116
PID 648 wrote to memory of 3408	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	117
PID 648 wrote to memory of 3408	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	117
PID 648 wrote to memory of 3408	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	117
PID 648 wrote to memory of 4244	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	118
PID 648 wrote to memory of 4244	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	118
PID 648 wrote to memory of 4244	648	{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe	118
PID 3408 wrote to memory of 1440	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	119
PID 3408 wrote to memory of 1440	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	119
PID 3408 wrote to memory of 1440	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	119
PID 3408 wrote to memory of 2752	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	120
PID 3408 wrote to memory of 2752	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	120
PID 3408 wrote to memory of 2752	3408	{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe	120
PID 1440 wrote to memory of 3200	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	121
PID 1440 wrote to memory of 3200	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	121
PID 1440 wrote to memory of 3200	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	121
PID 1440 wrote to memory of 4524	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	122
PID 1440 wrote to memory of 4524	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	122
PID 1440 wrote to memory of 4524	1440	{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe	122
PID 3200 wrote to memory of 1872	3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe	123
PID 3200 wrote to memory of 1872	3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe	123
PID 3200 wrote to memory of 1872	3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe	123
PID 3200 wrote to memory of 2876	3200	{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_2bcf183bf94ce9ef957f534faa09f756_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
  C:\Windows\{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
    C:\Windows\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
      C:\Windows\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
        
        C:\Windows\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
        
        C:\Windows\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\{F1FC8133-7297-410d-9A23-07077235A97E}.exe
        
        C:\Windows\{F1FC8133-7297-410d-9A23-07077235A97E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
        
        C:\Windows\{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
        
        C:\Windows\{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
        
        C:\Windows\{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
        
        C:\Windows\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
        
        C:\Windows\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe
        
        C:\Windows\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe
        13⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C353F~1.EXE > nul
        13⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A524~1.EXE > nul
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B00D8~1.EXE > nul
        11⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{461E4~1.EXE > nul
        10⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD853~1.EXE > nul
        9⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1FC8~1.EXE > nul
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E20D6~1.EXE > nul
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD787~1.EXE > nul
        6⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3720~1.EXE > nul
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{97BE0~1.EXE > nul
      4⤵
      PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82A2D~1.EXE > nul
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A524D84-93AA-4ff1-A8DD-356FF06B0171}.exe

Filesize
380KB

MD5
755303dfe19837337ca9a6f33f05d977

SHA1
267625c3f8cd641c65031bd5c5adaa5eb02d1dc6

SHA256
a93cc3fbffdc004757fb386b9d7d3d4650b578332135dfd45d1cb6d57f173ff4

SHA512
ca987f2fd5fdf074443f61774588fbbf6282a1c121aa85c26fe20ee393f2fe2c57dca96860ae9d09724990a5f7210f08f8949e6aeacb72daa473aa56f86dba81

Download Submit
C:\Windows\{461E4B29-2B64-49b9-87DA-2D4285652F03}.exe

Filesize
380KB

MD5
ecaaceb8b1d26df67ea9509f35688e5e

SHA1
a65586d0adbb760da89016285a5b4ac44fe77d45

SHA256
1c355900fddf5291ff4cb4bb6f475f4e5d7098dedabb8488b61547436ffa7ba7

SHA512
2406b01ebbc860ae5f47dbf895f74303cbc8d52b164bdb498603780a36462e94bbb3e085dbf40ee56c39fabe14cbbc898a83b6130e2dd1fbd1ce67fdc8283ea2

Download Submit
C:\Windows\{5CC511F2-B98F-43d5-8A9E-BC27C0B4A5DA}.exe

Filesize
380KB

MD5
2e3f17aa3c647007320581fa33d58de9

SHA1
804fda9057d71fa97796df56783b2c0d6f3d36d3

SHA256
6d0c34d0e11aff06debfc1fdbba305dd8732e7106c61beba58c2aca6f9254905

SHA512
4983461bb2d032ee9599e7511ca4233d90db8c5e8abb38d0a437aab698c7c3d482eeae626bb22e6e2b77908aad12610bc015b0090bd70eed964fe95a32b6ef31

Download Submit
C:\Windows\{82A2D8AB-0E23-4c3c-A875-770D22126695}.exe

Filesize
380KB

MD5
40b8cd7fe0d4ede22880e35b63c7a89b

SHA1
c5f6b3b814ef27b9f80ecac0002ac60f32bd3293

SHA256
b7b612fde560607d6a82aa6a2ed98fe6aa47e707bf77323c31a9fdd24fda87b8

SHA512
8a493047addb9fc52ee2763e33a393c75781f5fd9f78dd894ce3a30808ace2152db7bf029a260c3e2f74e0db532c1191b3ab3be621e25bbb9ec4fe6b5a5910be

Download Submit
C:\Windows\{97BE0FD4-DEE5-480d-8CED-2A30310EFD1D}.exe

Filesize
380KB

MD5
65f11ee15c505572f52ae872c95dd292

SHA1
278dd65fab256ba9d0d1fbbb0f646a782bb6393f

SHA256
4914a084d5290f4f6ad860cd13b9d673044cc254e842eea51442c680e5462505

SHA512
74b41464d02b280e933714fc0814c6f05873d8c62fc588cf73fc3f83d33f4467824359c5927e65b140dafa1131cd0d39eaee79531c81cea19d4959c759faf546

Download Submit
C:\Windows\{AD7872CB-8CA2-4aaf-9146-25F9BCDF657C}.exe

Filesize
380KB

MD5
d61d419eb1c3e10212516b474523a132

SHA1
0b63f069bd03f58fc97b9a1c4a54748993f81769

SHA256
2426b7e0dc867cd08dfaaa52d168728aca9e039c3ccfd53f0cb62ad2d151477d

SHA512
e9be04e6c537892d88b9e90e9f7383017afe53d8131329bba91696181d28de404a10463dd4c4bac7f9955f9299e0f67a1ab3d25bc0e825f09cf7558be9aed91b

Download Submit
C:\Windows\{B00D84B8-7A50-4b42-9116-490928BD8CA3}.exe

Filesize
380KB

MD5
727f7db3c20e18e4191848ab40e03cb6

SHA1
e424090039054fd8e314a97176a7ec19efc5cb11

SHA256
88fe715e221afb1c0f97c544e201971b7eb0004af3c3fb47f4a8e7b218ff48fd

SHA512
00dafe29a61de5ad2549f21a69afe29376a0c3831c08edd9032451ccf238e61b735a9e56e514960f7bcfa770711e24b96b84eab55b19f17e6279dc069a337f52

Download Submit
C:\Windows\{C353FE71-53C1-4516-9C87-51BA7C3C80C2}.exe

Filesize
380KB

MD5
0270d9e823b5578303e8dd18391ba983

SHA1
1a801c503e7d46d77054f8c35133efddf2e76152

SHA256
d3472e7b36d08899eb4882f0d19081033b13f523e3d73e11761ca289185223f8

SHA512
284b5c93df3f46f2dec4fcdbd10bb54c41e96d47d055b79b0917338a743c505bc3e32053c923bfe5dd6b92eb9306b3a65c7d1f14ab44ada56030f5ad38f64def

Download Submit
C:\Windows\{C3720D86-3519-4cb0-9AB1-9316C24F9F19}.exe

Filesize
380KB

MD5
4f79e8539f51d732ce071ebbc3a4b468

SHA1
bbcef22425fb7976f2ce2d037578402ba27880f7

SHA256
1b770555f120dfb5ea472ff88269a97c8c66b6c45bfff3102934233254f5a135

SHA512
c22c81f56c50e00020ee18d845f8541ded6a8e2f89c3dfc7621f227accd619efa3c96dfa9756be243a0b011eac55a742ff3390d57d49fa24568286290584ff18

Download Submit
C:\Windows\{E20D6BFF-2228-4f86-A9DE-B399ACFB5307}.exe

Filesize
380KB

MD5
180b3c8e6415049ffe928e9a2466d42f

SHA1
ec2a9b70bd77a88d4f4c0de79f19c2da65df0877

SHA256
269a754099d7564804e2b109b571cd54364a0ead6137a6e3a1eaad6bf25aa918

SHA512
cec4bb9948d17e0da5fea2961be26004895f29f361826492140d4b6228c996300266e0d9883de37f81c698ea79ed09a8743c5e05acf33db9d0c22afd324f8c71

Download Submit
C:\Windows\{F1FC8133-7297-410d-9A23-07077235A97E}.exe

Filesize
380KB

MD5
7f2ede48a92bf61f06e7e702157d11dc

SHA1
595562ea277d739fc3328876b7b7461da90649f6

SHA256
3d24d86aa110f19b548562a6ff527192368f8ee696b0247b95b1432343409f26

SHA512
44dadb620b9c1562d07d66bfacc3722e2a0f030ed82e5404a2cb375cf825fcff7af526b556ab90f28f6bd1455cddf75844998e09b1f95574de18133c90920ba2

Download Submit
C:\Windows\{FD853A45-F16A-4286-BF54-514E7B72D3BE}.exe

Filesize
380KB

MD5
ff59b35b05df99ee61fd3846f691d7e9

SHA1
b4a104b8c821fca6b13e4c939fa97d3e7d4e2e26

SHA256
ad64d9f19f833ddbf8eb328801374abee3f7cece6868c95e5ecc38f1ec758300

SHA512
d7d48b43392a97e42a70170e91d44659683bfe033c0344424ea56e10930ec63b18f27e8958661b0e80ee9be172e4df3e213bf9c3ac496af2b71b2346a9e243c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads