8d69fb79034160c01a50298501500f3381b36bd9beb8cf8a8e1800982fb59deb

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Size

380KB
MD5

69be8f47bf80443a81922501b0a4cdb1
SHA1

cd252c6339a35520013e4db65bb4ebbba398ff29
SHA256

8d69fb79034160c01a50298501500f3381b36bd9beb8cf8a8e1800982fb59deb
SHA512

1dc269602fad287df97486ef55755050c7199274f07c0468ac8c05c9a2bc4fdd1a0490c26d37b2b9eea394c725b028e9c65b80c4fd03a4d28d5a1559a0510ccb
SSDEEP

3072:mEGh0o8lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022d25-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023279-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023280-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023279-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023280-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C090074D-83D5-452a-AC2A-16367C6F11FF}	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90519C8F-FA29-4c43-A812-3E773328BB16}\stubpath = "C:\\Windows\\{90519C8F-FA29-4c43-A812-3E773328BB16}.exe"	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A87A0C-93B7-4e96-B808-32C3359601D8}	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}\stubpath = "C:\\Windows\\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe"	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}\stubpath = "C:\\Windows\\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe"	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B72E6A-1AAF-4987-8C03-985173042ABA}	{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B72E6A-1AAF-4987-8C03-985173042ABA}\stubpath = "C:\\Windows\\{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe"	{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}\stubpath = "C:\\Windows\\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe"	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707B7840-7F64-4a84-849C-28D63EA0E7BD}	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90519C8F-FA29-4c43-A812-3E773328BB16}	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A87A0C-93B7-4e96-B808-32C3359601D8}\stubpath = "C:\\Windows\\{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe"	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7373AD07-5ECD-4449-AB9F-500499BFD862}	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{620D973F-7AA6-45fd-8228-477A445ED5B0}	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}\stubpath = "C:\\Windows\\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe"	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C090074D-83D5-452a-AC2A-16367C6F11FF}\stubpath = "C:\\Windows\\{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe"	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7373AD07-5ECD-4449-AB9F-500499BFD862}\stubpath = "C:\\Windows\\{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe"	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}\stubpath = "C:\\Windows\\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe"	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{707B7840-7F64-4a84-849C-28D63EA0E7BD}\stubpath = "C:\\Windows\\{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe"	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{620D973F-7AA6-45fd-8228-477A445ED5B0}\stubpath = "C:\\Windows\\{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe"	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe

Executes dropped EXE 12 IoCs

pid	Process
2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
1984	{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
908	{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
File created	C:\Windows\{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
File created	C:\Windows\{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
File created	C:\Windows\{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
File created	C:\Windows\{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
File created	C:\Windows\{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
File created	C:\Windows\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
File created	C:\Windows\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
File created	C:\Windows\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
File created	C:\Windows\{90519C8F-FA29-4c43-A812-3E773328BB16}.exe	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
File created	C:\Windows\{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe	{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
File created	C:\Windows\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
Token: SeIncBasePriorityPrivilege	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
Token: SeIncBasePriorityPrivilege	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
Token: SeIncBasePriorityPrivilege	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
Token: SeIncBasePriorityPrivilege	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
Token: SeIncBasePriorityPrivilege	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
Token: SeIncBasePriorityPrivilege	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
Token: SeIncBasePriorityPrivilege	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
Token: SeIncBasePriorityPrivilege	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
Token: SeIncBasePriorityPrivilege	2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
Token: SeIncBasePriorityPrivilege	1984	{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2232	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	100
PID 464 wrote to memory of 2232	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	100
PID 464 wrote to memory of 2232	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	100
PID 464 wrote to memory of 2132	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	101
PID 464 wrote to memory of 2132	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	101
PID 464 wrote to memory of 2132	464	2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe	101
PID 2232 wrote to memory of 4924	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	105
PID 2232 wrote to memory of 4924	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	105
PID 2232 wrote to memory of 4924	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	105
PID 2232 wrote to memory of 2548	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	106
PID 2232 wrote to memory of 2548	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	106
PID 2232 wrote to memory of 2548	2232	{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe	106
PID 4924 wrote to memory of 384	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	108
PID 4924 wrote to memory of 384	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	108
PID 4924 wrote to memory of 384	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	108
PID 4924 wrote to memory of 3488	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	109
PID 4924 wrote to memory of 3488	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	109
PID 4924 wrote to memory of 3488	4924	{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe	109
PID 384 wrote to memory of 4496	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	111
PID 384 wrote to memory of 4496	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	111
PID 384 wrote to memory of 4496	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	111
PID 384 wrote to memory of 4168	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	112
PID 384 wrote to memory of 4168	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	112
PID 384 wrote to memory of 4168	384	{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe	112
PID 4496 wrote to memory of 212	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	113
PID 4496 wrote to memory of 212	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	113
PID 4496 wrote to memory of 212	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	113
PID 4496 wrote to memory of 4112	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	114
PID 4496 wrote to memory of 4112	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	114
PID 4496 wrote to memory of 4112	4496	{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe	114
PID 212 wrote to memory of 4888	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	115
PID 212 wrote to memory of 4888	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	115
PID 212 wrote to memory of 4888	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	115
PID 212 wrote to memory of 4692	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	116
PID 212 wrote to memory of 4692	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	116
PID 212 wrote to memory of 4692	212	{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe	116
PID 4888 wrote to memory of 1876	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	117
PID 4888 wrote to memory of 1876	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	117
PID 4888 wrote to memory of 1876	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	117
PID 4888 wrote to memory of 508	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	118
PID 4888 wrote to memory of 508	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	118
PID 4888 wrote to memory of 508	4888	{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe	118
PID 1876 wrote to memory of 2080	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	119
PID 1876 wrote to memory of 2080	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	119
PID 1876 wrote to memory of 2080	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	119
PID 1876 wrote to memory of 1796	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	120
PID 1876 wrote to memory of 1796	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	120
PID 1876 wrote to memory of 1796	1876	{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe	120
PID 2080 wrote to memory of 2872	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	121
PID 2080 wrote to memory of 2872	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	121
PID 2080 wrote to memory of 2872	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	121
PID 2080 wrote to memory of 4108	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	122
PID 2080 wrote to memory of 4108	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	122
PID 2080 wrote to memory of 4108	2080	{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe	122
PID 2872 wrote to memory of 2568	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	123
PID 2872 wrote to memory of 2568	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	123
PID 2872 wrote to memory of 2568	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	123
PID 2872 wrote to memory of 1936	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	124
PID 2872 wrote to memory of 1936	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	124
PID 2872 wrote to memory of 1936	2872	{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe	124
PID 2568 wrote to memory of 1984	2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe	125
PID 2568 wrote to memory of 1984	2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe	125
PID 2568 wrote to memory of 1984	2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe	125
PID 2568 wrote to memory of 1820	2568	{90519C8F-FA29-4c43-A812-3E773328BB16}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_69be8f47bf80443a81922501b0a4cdb1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
  C:\Windows\{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
    C:\Windows\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
      C:\Windows\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
        
        C:\Windows\{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
        
        C:\Windows\{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
        
        C:\Windows\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
        
        C:\Windows\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
        
        C:\Windows\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
        
        C:\Windows\{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
        
        C:\Windows\{90519C8F-FA29-4c43-A812-3E773328BB16}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
        
        C:\Windows\{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe
        
        C:\Windows\{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe
        13⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87A87~1.EXE > nul
        13⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90519~1.EXE > nul
        12⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0900~1.EXE > nul
        11⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC6D0~1.EXE > nul
        10⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F452~1.EXE > nul
        9⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6B56~1.EXE > nul
        8⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{620D9~1.EXE > nul
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{707B7~1.EXE > nul
        6⤵
        
        PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B72~1.EXE > nul
        5⤵
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{359FB~1.EXE > nul
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7373A~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B726C1-A6B3-470c-9D0A-0F5A0254A74A}.exe

Filesize
380KB

MD5
2b51e4413889e6e6a71f17e350f166f2

SHA1
15e5b15d37a480ed9323ba182c960de7ba93c3c0

SHA256
9f4f10ac2dca997eff295c3f620d542942d5bb691e4ff7b03e16a98a54181c72

SHA512
87bf82eab0569f04f92c5bc9c231d5c0f28c29f31b06f63ebbda85c5800e264cbc650772e25007d9b7bf796b43472a3681ecc192e10e3f2283a8d5f753295cc6

Download Submit
C:\Windows\{359FB9D0-A184-4ff6-9F16-4F2273D9B1F4}.exe

Filesize
380KB

MD5
e74f5a11481c00c2774b57a826864053

SHA1
23d6accb270225d30ff09d6ff2bb271414ed83d2

SHA256
8415ff02197b447525c233475c2530b5efb3685ed9a93bd99bbad51afbd391df

SHA512
0735ede987bdb326cb205849e4c6e2d6d469cf0da55246ace87ec19271b60c0b296afdd6a28c241cf1cc31384638e75fab799d880e5699715b89a7ea185f8e01

Download Submit
C:\Windows\{5F452015-31B5-4783-9A7D-F279DFDFD4C9}.exe

Filesize
380KB

MD5
556ab725c17a5209205fdae018edd58e

SHA1
c6697cf34fee17a65026949184ac1509806176c0

SHA256
c5693280ac41712a38087af7bff6d6f3cc6ebee8731e9cca72309fd0c3a11bca

SHA512
2af3ff8dc5d1486de342e88dc6e4f8dad42ebd51a23868956a7d5140635cec8589f1401460c0b81938a9b3ce9f301452e51e09b0b57f21d21656da431e83a9f0

Download Submit
C:\Windows\{620D973F-7AA6-45fd-8228-477A445ED5B0}.exe

Filesize
380KB

MD5
00fa1b2998f61ef67152515a85921eff

SHA1
db819e896c65cd8dcb2190f1a83b3332d67e02ca

SHA256
1a701900308b9cfceaa31ee8f36a0609a0ad6635df928d3e97d79ffa12935992

SHA512
680c1d3fa92c6402ab299d91a711f6fbcb5bf01fbf05541059fc47be6a32e315d401723bde0e6ce69cb2c90baf413eaac20a050301fa9148196fe2b54302d3e6

Download Submit
C:\Windows\{707B7840-7F64-4a84-849C-28D63EA0E7BD}.exe

Filesize
380KB

MD5
fd187cb16e0b3dcf8f528986085c00ff

SHA1
19b02d149699ee45e020afe8ea2834a5747a5fb1

SHA256
e6a31ffa218124cb6363fb5277e1bdbb0b89c3d85e81ddf8eb6c075fb49b161f

SHA512
69af50362d4d4800fed90b9da790b7fe9c56f2c83ec05265d6172dfef7751aeb431f3d2456dcfce24f0d7fdb49ef35ee8db13f719eae03664712e4ac32e1f1e8

Download Submit
C:\Windows\{7373AD07-5ECD-4449-AB9F-500499BFD862}.exe

Filesize
380KB

MD5
69181cb71ae25fd6412a035456011cb2

SHA1
059d5facdf4fba3180a1b26f8dbfeded22728131

SHA256
77383adb8003e8e9381811d0f03682583ee162caa162cf17a43052a4f38a60e9

SHA512
a66493ee86ce92fe7340e43a5913e35cac5e75be92a026c8961022187aba05743cb666399a29d93fb40227dfb6108fec75e3da80276440958dc4350d1bb65f31

Download Submit
C:\Windows\{87A87A0C-93B7-4e96-B808-32C3359601D8}.exe

Filesize
380KB

MD5
009363debe7ffac595dbded0e4ce2a8c

SHA1
87041b051f369669dc44a2bb10bc55264eab9fd4

SHA256
47660e180c835e79ae2b89c2b3a037eee0352e97b678c711689845256a71d181

SHA512
4378f26f85833d03cf11d5ae2aff374a41d01496f5d41b0df35384d998eccaec752d12d2fd7903137d060d3df3976e9875eb9f1211479ebc02e5c63e3fbc69d0

Download Submit
C:\Windows\{90519C8F-FA29-4c43-A812-3E773328BB16}.exe

Filesize
380KB

MD5
996550fcdb80231474880e044a362da9

SHA1
7a1dcf08395e07f17dc4d9f8642482e888c9b3ea

SHA256
52b9e70851b4547e0eee0000d99df6940cbb6da223e89a6de8484e695275b3de

SHA512
d3871ccfffd8f617c7ca7dffb397f1863c43e8dfd40c4c6886d0cf6a911e51abc64019943e47b96f702c78c64591d7ff0687404938fb5cca4844bc5bd6b58314

Download Submit
C:\Windows\{A6B5622C-84FE-477e-A833-E3ACE74C5D54}.exe

Filesize
380KB

MD5
39d6a5ea5f1da0a828c869d10982a1cd

SHA1
539c3936e8092db9bc2c1fa50f8eda6db125ff44

SHA256
0e78475deb36d697724509cbcf7639fae3a6e32fefc5b86278670c4f8c954ba9

SHA512
9262ac11b80eb4cd389836de68d96372c56664c32fc6c1980b86af30b7aed08aa9fa72c24dbd584290dc21d80ef03ff13fd52c5d1d558cc90ee33965900af66c

Download Submit
C:\Windows\{C090074D-83D5-452a-AC2A-16367C6F11FF}.exe

Filesize
380KB

MD5
51e5e8112b106d08e197b6eb208e4a10

SHA1
f7ec53ada0b5e574fa576cb99f137bf3f900b090

SHA256
c3d15a077dab1f77345c5c0742a648aa3aee42c1ea392caae175abe959bcceda

SHA512
b702a58cde29ec4f4d21c9c2ef0b3815501b70636b80318e6ff0e28943ac0006f35c1556517d17292da2e6472d8a8a96b5e3e1365aa6f5686b2523eacafa1759

Download Submit
C:\Windows\{E2B72E6A-1AAF-4987-8C03-985173042ABA}.exe

Filesize
380KB

MD5
77622ec0595efa143ec8588bbe957c5e

SHA1
06e2b1e46f43b5dce0a894ab4c3346909c14fd67

SHA256
bd11be17d0a8e15bf95c96b0badf62189666e100f013564ced56684bd6593914

SHA512
8a3ce11cff7847c071bcd80b182408a19a4055de7ca75ee09463bfa331b07fb4d5b3bc814a1b45849791f5b1e8c04691b419960348a26b964587786847f2f9c0

Download Submit
C:\Windows\{EC6D071D-E425-4ea5-AC66-8D7D36219B0D}.exe

Filesize
380KB

MD5
81d6165f1a36035af031734ebe7b17c1

SHA1
3740455be6d3801dc264329f6376fe3f1b5a622f

SHA256
13ce63656a132ec7249855603430baa3ef41628ad06495efeff34e3fa6a06a7d

SHA512
e17d9b42483b6c72df1ee5bff62a59dffcfc183c5c27d9453f4135f910d7a0cb75aa95d8b190e749e86758117043c80d87a6ac8c2567038e012df6b7ba5f8191

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads