1c7b87ef90c55ec01ea251d1cc24f01b438d1ff94e3f48f1934a2d8418954293

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Size

408KB
MD5

331b16c89cf7370e3416ad0841a779d1
SHA1

c0fedffda6481ae75b1182013d2ff99af820be41
SHA256

1c7b87ef90c55ec01ea251d1cc24f01b438d1ff94e3f48f1934a2d8418954293
SHA512

a7b33e9b7249ff54d9498dcfd95b55af8cef4570b7d26c85b2ba387775ec1d6439e3e657ac6b192be53d2721468432bd4667f47f864a0070bb9b3a4f89110b5e
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGnldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023260-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002326c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023272-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023272-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA52038-FFEF-450f-A52A-B71EF501107A}\stubpath = "C:\\Windows\\{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe"	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}\stubpath = "C:\\Windows\\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe"	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F44C60-F195-496f-80E9-EB2AA4328394}	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9085D8-690E-400d-AE1A-4AC3461C765A}	{B375686E-F6F6-46f7-8981-383F744B742A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EA10B6-77F1-46a7-A482-289C0889AD84}	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EA10B6-77F1-46a7-A482-289C0889AD84}\stubpath = "C:\\Windows\\{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe"	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}\stubpath = "C:\\Windows\\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe"	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA52038-FFEF-450f-A52A-B71EF501107A}	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}\stubpath = "C:\\Windows\\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe"	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD49832-8A1F-482e-82B5-3822976171C1}\stubpath = "C:\\Windows\\{DFD49832-8A1F-482e-82B5-3822976171C1}.exe"	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B9085D8-690E-400d-AE1A-4AC3461C765A}\stubpath = "C:\\Windows\\{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe"	{B375686E-F6F6-46f7-8981-383F744B742A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}\stubpath = "C:\\Windows\\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe"	{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}	{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA10ED9-08D8-4410-80FD-AADC0620463A}\stubpath = "C:\\Windows\\{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe"	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD49832-8A1F-482e-82B5-3822976171C1}	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F44C60-F195-496f-80E9-EB2AA4328394}\stubpath = "C:\\Windows\\{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe"	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA10ED9-08D8-4410-80FD-AADC0620463A}	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B375686E-F6F6-46f7-8981-383F744B742A}\stubpath = "C:\\Windows\\{B375686E-F6F6-46f7-8981-383F744B742A}.exe"	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F62077-8F8D-45ce-8118-5B54C0EB8073}	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87F62077-8F8D-45ce-8118-5B54C0EB8073}\stubpath = "C:\\Windows\\{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe"	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B375686E-F6F6-46f7-8981-383F744B742A}	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe
3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
2948	{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
1504	{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	{B375686E-F6F6-46f7-8981-383F744B742A}.exe
File created	C:\Windows\{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
File created	C:\Windows\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
File created	C:\Windows\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
File created	C:\Windows\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
File created	C:\Windows\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe	{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
File created	C:\Windows\{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
File created	C:\Windows\{B375686E-F6F6-46f7-8981-383F744B742A}.exe	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
File created	C:\Windows\{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
File created	C:\Windows\{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
File created	C:\Windows\{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
File created	C:\Windows\{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
Token: SeIncBasePriorityPrivilege	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe
Token: SeIncBasePriorityPrivilege	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
Token: SeIncBasePriorityPrivilege	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
Token: SeIncBasePriorityPrivilege	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
Token: SeIncBasePriorityPrivilege	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
Token: SeIncBasePriorityPrivilege	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
Token: SeIncBasePriorityPrivilege	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
Token: SeIncBasePriorityPrivilege	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
Token: SeIncBasePriorityPrivilege	5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
Token: SeIncBasePriorityPrivilege	2948	{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1020	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	94
PID 2456 wrote to memory of 1020	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	94
PID 2456 wrote to memory of 1020	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	94
PID 2456 wrote to memory of 2128	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	95
PID 2456 wrote to memory of 2128	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	95
PID 2456 wrote to memory of 2128	2456	2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe	95
PID 1020 wrote to memory of 2564	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	99
PID 1020 wrote to memory of 2564	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	99
PID 1020 wrote to memory of 2564	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	99
PID 1020 wrote to memory of 2988	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	100
PID 1020 wrote to memory of 2988	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	100
PID 1020 wrote to memory of 2988	1020	{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe	100
PID 2564 wrote to memory of 3972	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	102
PID 2564 wrote to memory of 3972	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	102
PID 2564 wrote to memory of 3972	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	102
PID 2564 wrote to memory of 2264	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	103
PID 2564 wrote to memory of 2264	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	103
PID 2564 wrote to memory of 2264	2564	{B375686E-F6F6-46f7-8981-383F744B742A}.exe	103
PID 3972 wrote to memory of 1320	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	105
PID 3972 wrote to memory of 1320	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	105
PID 3972 wrote to memory of 1320	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	105
PID 3972 wrote to memory of 3248	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	106
PID 3972 wrote to memory of 3248	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	106
PID 3972 wrote to memory of 3248	3972	{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe	106
PID 1320 wrote to memory of 2780	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	107
PID 1320 wrote to memory of 2780	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	107
PID 1320 wrote to memory of 2780	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	107
PID 1320 wrote to memory of 3076	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	108
PID 1320 wrote to memory of 3076	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	108
PID 1320 wrote to memory of 3076	1320	{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe	108
PID 2780 wrote to memory of 3268	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	109
PID 2780 wrote to memory of 3268	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	109
PID 2780 wrote to memory of 3268	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	109
PID 2780 wrote to memory of 3464	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	110
PID 2780 wrote to memory of 3464	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	110
PID 2780 wrote to memory of 3464	2780	{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe	110
PID 3268 wrote to memory of 548	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	111
PID 3268 wrote to memory of 548	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	111
PID 3268 wrote to memory of 548	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	111
PID 3268 wrote to memory of 2784	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	112
PID 3268 wrote to memory of 2784	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	112
PID 3268 wrote to memory of 2784	3268	{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe	112
PID 548 wrote to memory of 2456	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	113
PID 548 wrote to memory of 2456	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	113
PID 548 wrote to memory of 2456	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	113
PID 548 wrote to memory of 3480	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	114
PID 548 wrote to memory of 3480	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	114
PID 548 wrote to memory of 3480	548	{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe	114
PID 2456 wrote to memory of 3532	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	115
PID 2456 wrote to memory of 3532	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	115
PID 2456 wrote to memory of 3532	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	115
PID 2456 wrote to memory of 3308	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	116
PID 2456 wrote to memory of 3308	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	116
PID 2456 wrote to memory of 3308	2456	{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe	116
PID 3532 wrote to memory of 5060	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	117
PID 3532 wrote to memory of 5060	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	117
PID 3532 wrote to memory of 5060	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	117
PID 3532 wrote to memory of 2972	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	118
PID 3532 wrote to memory of 2972	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	118
PID 3532 wrote to memory of 2972	3532	{DFD49832-8A1F-482e-82B5-3822976171C1}.exe	118
PID 5060 wrote to memory of 2948	5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe	119
PID 5060 wrote to memory of 2948	5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe	119
PID 5060 wrote to memory of 2948	5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe	119
PID 5060 wrote to memory of 2564	5060	{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_331b16c89cf7370e3416ad0841a779d1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
  C:\Windows\{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\{B375686E-F6F6-46f7-8981-383F744B742A}.exe
    C:\Windows\{B375686E-F6F6-46f7-8981-383F744B742A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
      C:\Windows\{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
        
        C:\Windows\{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
        
        C:\Windows\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
        
        C:\Windows\{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
        
        C:\Windows\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
        
        C:\Windows\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
        
        C:\Windows\{DFD49832-8A1F-482e-82B5-3822976171C1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
        
        C:\Windows\{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
        
        C:\Windows\{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe
        
        C:\Windows\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe
        13⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2F44~1.EXE > nul
        13⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87F62~1.EXE > nul
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD49~1.EXE > nul
        11⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D91~1.EXE > nul
        10⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD3B~1.EXE > nul
        9⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA52~1.EXE > nul
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60B19~1.EXE > nul
        7⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7EA1~1.EXE > nul
        6⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B908~1.EXE > nul
        5⤵
        
        PID:3248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3756~1.EXE > nul
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA10~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3AD3BAEB-5BC1-44a5-AF79-97F2AB47952A}.exe

Filesize
408KB

MD5
279a6a3745b1294b277301a476952052

SHA1
a52624e818990cae16d9fc88d0996dac6dfdcba8

SHA256
6e3b5186400f2799d1db3f1c8775cd993194b3d3c3495a4b7cb6834290ee6482

SHA512
3637bdca8ca9c26de697bf1dae77b66cb5aa558305d809e210320ab19b2657686d2b582dbb63b98cd77559a972343acced3b5381cefa9eaa7bc6b74bf8881df9

Download Submit
C:\Windows\{4B9085D8-690E-400d-AE1A-4AC3461C765A}.exe

Filesize
408KB

MD5
8e850c437d67d08daf0d7a95c7d46d11

SHA1
14e3bd4c2d5a0fec0349078789ebe6d722895fec

SHA256
3b4135dbe9bf3040138bb575ff49043098793986ce0f1aa09ce28dd13e0b5bc4

SHA512
9ebc58ba773ab88e3ffe46ee18432161e836783e2fce8bbdd228fbe9100945f7a2fca8e7611260aaa758548bdf7d79f997a44cbcd0335daecadfda840766b039

Download Submit
C:\Windows\{60B198B7-08AB-4e30-9160-BBBBCAB00F87}.exe

Filesize
408KB

MD5
7d540a28b7560605963cc0fde33c31d7

SHA1
abb6ff7039caa82240d228d4d0b01e6901c66e8a

SHA256
e4a0f10d88c5cb5ad6538ec924eb0ba9ed8d8f6b1ff8ddf177ce61ad9ccf56e2

SHA512
d7aeaa450945545669058f8b3775a38ef53b8f0bbe50df813c48cd18b4b4590b4f0082f69a628099d05242222b637d7792b3d03168b9494fab9e1ce680a44df7

Download Submit
C:\Windows\{87F62077-8F8D-45ce-8118-5B54C0EB8073}.exe

Filesize
408KB

MD5
eae83e210a9d1c8071af507d5212b0d1

SHA1
9702c38658c3fb720d794050d94034f003b749bf

SHA256
d3b8ffaa88e30c588e1fb8a2d0b3b498c7af4ff5241532c39e694ac5c18fbdf4

SHA512
2ea7302fed91bd6e7f56b7b2cdd3b5e46bff967e2aa0beeaf6468e25c6de6458537ad9d589f9e2ec8c5a1b894dd157e9097a474437717831a8de1df10111b6de

Download Submit
C:\Windows\{B375686E-F6F6-46f7-8981-383F744B742A}.exe

Filesize
408KB

MD5
fd95d122245c65c4618a36f19081725d

SHA1
4ed15e299e007e0bd164941fb8b0bebbc1e9eb10

SHA256
9a24636d3023da619427457a5d077012ff9fde2543bc88b76a7569df8c29a43c

SHA512
054b2d9e4dd064677cac8097f531203d421371ba512c16a208b2ae989c3f3c1485a2d76999c6f5cfea53c62e5e6fec5aff6dd18d559642468664ab54fd41a066

Download Submit
C:\Windows\{B9D9141D-4999-477e-B8BF-2F22A4BA8B1B}.exe

Filesize
408KB

MD5
67b7be628c11373be34db8a98b3ee79f

SHA1
c255da0e4380f09e48f1ebf5b1b0bf1a4fe9273c

SHA256
a044ac1a329ead25d8629b3e7d33b911b2443707a2ee4d67cf8c1b1adc502b2e

SHA512
3205b3f7014d1545af87826eb777fd7a7f17a431bf78e2f131d83942b8d745704631c9e0ce4ca9cab0ba5a9d49055a9808d85ed368c35d663a8294deb6e3b91d

Download Submit
C:\Windows\{CBA52038-FFEF-450f-A52A-B71EF501107A}.exe

Filesize
408KB

MD5
913f5bec23598f8c04979de08f3efb63

SHA1
8a055bd24e1e2945a365b4a82a83c7a85b7f9eac

SHA256
8e3acce8122af594200d065212ca25637d64e3abfdce85e9c958cc09a4bc68f2

SHA512
fa406a24d2ec752ffabfa942f0a059dd4c06ae115b779e21fbdecf4bfbaba466abd88dae8b9170ce5be67863242c980b8928133541a8fb271542627ec54aed97

Download Submit
C:\Windows\{D7EA10B6-77F1-46a7-A482-289C0889AD84}.exe

Filesize
408KB

MD5
120db602bc4bb1c91ccac99da0e72eba

SHA1
75ee10600b234762be5766938b82c90275d9fe32

SHA256
c9c0bb8d5b6ecb3b733bed34b42eb316435ce89f487ba21d336395562de93fd3

SHA512
5255798e7cb84cddcd3170aa8abdbe3701afa991339760ddffbf72e0f2ad56e0c53bd415300cd5f0e223a5999e82abb08d21ed14e182485c608f38957820761b

Download Submit
C:\Windows\{DB1D1A20-BA45-4cb2-8F2B-94303F719EBC}.exe

Filesize
408KB

MD5
61569b5afb293fff252f41a5adc6f949

SHA1
6dc3f679da1aa13bf2d8c8f08402cd210e246c42

SHA256
579a48f98a641d99ce61c7385d3b84d1cc8b33aef138efa68852ecb87b7e8d42

SHA512
e912ff8f4db2e24dee9b781ac91e69423be7396f148b165df5e4e683a36eb5588aba95dec00208ebb77cae5198190aa7ab7b7b044ed91d6441acebe86cc1610e

Download Submit
C:\Windows\{DFD49832-8A1F-482e-82B5-3822976171C1}.exe

Filesize
408KB

MD5
fd917061f01251b6b2a6a8f0fefbed68

SHA1
611328556d2b0cb3343ed2a9f85b5a5b995c6782

SHA256
5b8208a9e9215ae8900640c59090a5a65d72634af199ef91bef4a646bb465c7d

SHA512
9ceed5b6e767278d26ba2c0b745740b71b4cf546f3a841a29c998a72857479b587c19b184de46ebc795fceb602cac4538594c84e44c85c666f31a3a4b2ce7be2

Download Submit
C:\Windows\{EFA10ED9-08D8-4410-80FD-AADC0620463A}.exe

Filesize
408KB

MD5
38d3aa957694b6fde96fc3571af3b9fd

SHA1
bdc1dd84f928b2612bee98acea2c9fd38bc3d77b

SHA256
9c56ea5fde3c119337d67669a57caea7840511982e8ff329b1d7aeee01ae88dd

SHA512
85e6fb395beaaa0c002a6f19a3b7b3bbd768dc6dcf9d1dd3bf3c676a4a74e5a19b27ba07092fe11034342cc0e7883729fc389a8e5fe2673a3d468f93e5ac0c8d

Download Submit
C:\Windows\{F2F44C60-F195-496f-80E9-EB2AA4328394}.exe

Filesize
408KB

MD5
7ff1e8ab8a24c840095f3cef65fc3d6c

SHA1
f3a9cac22ba3386d145296d1b9651a5fd2025ff2

SHA256
55ceaf9e30f9d5282e926d0cff6675e8d4726403bf1f1470b7d3df6bbd04f5f3

SHA512
392ef28948fb2c15bba8cdf3ff41b21c29002cdac7e1c7cdb7a493018faeaaf7f8efb92ad470d33c6f48a13df88eac721181b85ffde7e30269081514efcb9eb2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads