ee5219178226dd1c21654374a5ac7b5ff17bb217f1770c33b79341870bbed897

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe
Size

380KB
MD5

5245f1929d0dd081a4186160b9482bdc
SHA1

8b8d4b1b6530533aa984612fcb6b650e5ec092ee
SHA256

ee5219178226dd1c21654374a5ac7b5ff17bb217f1770c33b79341870bbed897
SHA512

05208bfe150b198ac7d36766106f23a7c32ca5b2c2bdb1bb03a6e79f27f4bd8484dd8483ce6580e416322a7a07c3367cc5368c9e0dcbf84684d078ccca142486
SSDEEP

3072:mEGh0o+lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGQl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023252-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002325c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023263-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002325c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023263-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990C730F-ADB0-42c6-923B-AD13C32A443E}	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C94E209-7496-469f-9151-0AFDA56A9B3B}	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}\stubpath = "C:\\Windows\\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe"	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}\stubpath = "C:\\Windows\\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe"	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A55A445-885E-454f-94FA-09E70DF3FF59}\stubpath = "C:\\Windows\\{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe"	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}\stubpath = "C:\\Windows\\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe"	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A55A445-885E-454f-94FA-09E70DF3FF59}	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}\stubpath = "C:\\Windows\\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe"	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C94E209-7496-469f-9151-0AFDA56A9B3B}\stubpath = "C:\\Windows\\{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe"	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2381C99-A743-4072-B2A8-BF8355C13992}	{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE491542-05BA-42bd-B0F7-2A65926B621D}	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE491542-05BA-42bd-B0F7-2A65926B621D}\stubpath = "C:\\Windows\\{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe"	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BFFEDF-682F-4118-85BD-8BF0561D1128}	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88BFFEDF-682F-4118-85BD-8BF0561D1128}\stubpath = "C:\\Windows\\{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe"	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990C730F-ADB0-42c6-923B-AD13C32A443E}\stubpath = "C:\\Windows\\{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe"	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}\stubpath = "C:\\Windows\\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe"	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}\stubpath = "C:\\Windows\\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe"	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2381C99-A743-4072-B2A8-BF8355C13992}\stubpath = "C:\\Windows\\{C2381C99-A743-4072-B2A8-BF8355C13992}.exe"	{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
4704	{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
3876	{C2381C99-A743-4072-B2A8-BF8355C13992}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
File created	C:\Windows\{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
File created	C:\Windows\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
File created	C:\Windows\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
File created	C:\Windows\{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
File created	C:\Windows\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
File created	C:\Windows\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
File created	C:\Windows\{C2381C99-A743-4072-B2A8-BF8355C13992}.exe	{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
File created	C:\Windows\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe
File created	C:\Windows\{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
File created	C:\Windows\{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
File created	C:\Windows\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
Token: SeIncBasePriorityPrivilege	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
Token: SeIncBasePriorityPrivilege	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
Token: SeIncBasePriorityPrivilege	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
Token: SeIncBasePriorityPrivilege	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
Token: SeIncBasePriorityPrivilege	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
Token: SeIncBasePriorityPrivilege	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
Token: SeIncBasePriorityPrivilege	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
Token: SeIncBasePriorityPrivilege	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
Token: SeIncBasePriorityPrivilege	4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
Token: SeIncBasePriorityPrivilege	4704	{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3888	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	96
PID 4768 wrote to memory of 3888	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	96
PID 4768 wrote to memory of 3888	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	96
PID 4768 wrote to memory of 2096	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	97
PID 4768 wrote to memory of 2096	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	97
PID 4768 wrote to memory of 2096	4768	2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe	97
PID 3888 wrote to memory of 2608	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	101
PID 3888 wrote to memory of 2608	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	101
PID 3888 wrote to memory of 2608	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	101
PID 3888 wrote to memory of 4020	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	102
PID 3888 wrote to memory of 4020	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	102
PID 3888 wrote to memory of 4020	3888	{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe	102
PID 2608 wrote to memory of 4900	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	104
PID 2608 wrote to memory of 4900	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	104
PID 2608 wrote to memory of 4900	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	104
PID 2608 wrote to memory of 4800	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	105
PID 2608 wrote to memory of 4800	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	105
PID 2608 wrote to memory of 4800	2608	{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe	105
PID 4900 wrote to memory of 2232	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	107
PID 4900 wrote to memory of 2232	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	107
PID 4900 wrote to memory of 2232	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	107
PID 4900 wrote to memory of 3164	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	108
PID 4900 wrote to memory of 3164	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	108
PID 4900 wrote to memory of 3164	4900	{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe	108
PID 2232 wrote to memory of 1480	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	109
PID 2232 wrote to memory of 1480	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	109
PID 2232 wrote to memory of 1480	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	109
PID 2232 wrote to memory of 3356	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	110
PID 2232 wrote to memory of 3356	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	110
PID 2232 wrote to memory of 3356	2232	{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe	110
PID 1480 wrote to memory of 3308	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	111
PID 1480 wrote to memory of 3308	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	111
PID 1480 wrote to memory of 3308	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	111
PID 1480 wrote to memory of 1572	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	112
PID 1480 wrote to memory of 1572	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	112
PID 1480 wrote to memory of 1572	1480	{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe	112
PID 3308 wrote to memory of 1504	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	113
PID 3308 wrote to memory of 1504	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	113
PID 3308 wrote to memory of 1504	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	113
PID 3308 wrote to memory of 3152	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	114
PID 3308 wrote to memory of 3152	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	114
PID 3308 wrote to memory of 3152	3308	{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe	114
PID 1504 wrote to memory of 3488	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	115
PID 1504 wrote to memory of 3488	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	115
PID 1504 wrote to memory of 3488	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	115
PID 1504 wrote to memory of 2600	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	116
PID 1504 wrote to memory of 2600	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	116
PID 1504 wrote to memory of 2600	1504	{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe	116
PID 3488 wrote to memory of 3692	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	117
PID 3488 wrote to memory of 3692	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	117
PID 3488 wrote to memory of 3692	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	117
PID 3488 wrote to memory of 4448	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	118
PID 3488 wrote to memory of 4448	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	118
PID 3488 wrote to memory of 4448	3488	{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe	118
PID 3692 wrote to memory of 4764	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	119
PID 3692 wrote to memory of 4764	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	119
PID 3692 wrote to memory of 4764	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	119
PID 3692 wrote to memory of 1268	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	120
PID 3692 wrote to memory of 1268	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	120
PID 3692 wrote to memory of 1268	3692	{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe	120
PID 4764 wrote to memory of 4704	4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe	121
PID 4764 wrote to memory of 4704	4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe	121
PID 4764 wrote to memory of 4704	4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe	121
PID 4764 wrote to memory of 1088	4764	{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_5245f1929d0dd081a4186160b9482bdc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
  C:\Windows\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
    C:\Windows\{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
      C:\Windows\{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
        
        C:\Windows\{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
        
        C:\Windows\{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
        
        C:\Windows\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
        
        C:\Windows\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
        
        C:\Windows\{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
        
        C:\Windows\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
        
        C:\Windows\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
        
        C:\Windows\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\{C2381C99-A743-4072-B2A8-BF8355C13992}.exe
        
        C:\Windows\{C2381C99-A743-4072-B2A8-BF8355C13992}.exe
        13⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A5F8~1.EXE > nul
        13⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD52~1.EXE > nul
        12⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{035FD~1.EXE > nul
        11⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C94E~1.EXE > nul
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E91D~1.EXE > nul
        9⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C707~1.EXE > nul
        8⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{990C7~1.EXE > nul
        7⤵
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A55A~1.EXE > nul
        6⤵
        
        PID:3356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88BFF~1.EXE > nul
        5⤵
        
        PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BE491~1.EXE > nul
      4⤵
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2A9E8~1.EXE > nul
    3⤵
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035FDBA1-F77A-4f98-A268-3E4DE2907EBD}.exe

Filesize
380KB

MD5
cd229d8d9ae8737a65251df13cca81a9

SHA1
9810f3f50d16cd053c5238c8baa28981fbcdf455

SHA256
c231f7efd8ba00c14ad134e164023aa83c03d4202c14cecc71445ec37754715c

SHA512
1be54f00c8c97761857a1c0e7aa4c8a6950e59336cb15eded5a44c64255a486d9418f70f8a96be9a5aee3047d4060cddb2699abbad1be9c16a85d8d546e5aab7

Download Submit
C:\Windows\{2A9E8FFD-B6F8-435c-9369-0E489874BDE8}.exe

Filesize
380KB

MD5
aed9db784212732914e3d8212e9db162

SHA1
9739ea8463e73139adec41440c0bda31a0506ac1

SHA256
c8b91a5f8b3edd5e503fe8f4d38e772a06b9e469a6bd8db4a3ae5c7bc685a297

SHA512
f3d94c0a8385fe09770dbf348f4f0501ab48780f79f248f7a139d99dd0c4107c978b0e30bf850186deb81d8b82125f1eb7b4a5a7d83728626efd2e8db24afac7

Download Submit
C:\Windows\{3E91DFFF-4AB3-4fb0-AF4E-052E285AA923}.exe

Filesize
380KB

MD5
52168987d20f1b58ecea1823fbc64a93

SHA1
5154c3ee4b82c40775569ab1b975a260a6db8f27

SHA256
c1bb310af7b466b24b5a8f86d415ef33ad90f364227d818d84aa37ae1171739c

SHA512
08a077bd9348faedc3beb6ff8297f58ec84821c3e30902213540bede9df55b9bfdef06ffb90acbd4a25d064b98395c9abff6e7a7db716f37a523349b62d986e9

Download Submit
C:\Windows\{4A5F8AEF-0694-4237-8152-1D16742B8F4D}.exe

Filesize
380KB

MD5
a2ada33711c247a237c0de212ba8667d

SHA1
8ade972244072838c58488d0dba816f7ccdf7086

SHA256
8ae7b535a5a7b01f02723b80934a43f67ba46acad2d3b2a8fce689118017a470

SHA512
2c7728908f1efd0bfd03f6ddb2e55c4b39b9f72c9221a4aab25a2f309fcadaa08f35a3e31682eeadfadb58e59650037c1048693c05841cfdde22bb556cdd394f

Download Submit
C:\Windows\{4C94E209-7496-469f-9151-0AFDA56A9B3B}.exe

Filesize
380KB

MD5
a4ee4ca20b7f7b4e33534aedabbcbaf6

SHA1
d7123aa1f4e2f356853c9990d88824c156ba47f3

SHA256
9404d3e7431fac728c96aa144e2a364ba4cd0a952e7796a4ada3ceff7953af3c

SHA512
4c98c4d8e57e993d56a3c434da54d0d4b83b23a13b4dcc70d394fd24c912ce0c11090f5feae4891a18c5919b6357a5b4a45c6ed1f0050ab1dc19c51a0620e9a3

Download Submit
C:\Windows\{88BFFEDF-682F-4118-85BD-8BF0561D1128}.exe

Filesize
380KB

MD5
fcc38bbe5f08ce543e086ba931bf4c16

SHA1
e3835e4275b2846ae86d72de8025026a01942062

SHA256
91d8c020fa066be472da29d7093c429dea6f0fe71f37e4dc13f900dde924b4f1

SHA512
789e8864aa334c6ed390031183432eaf97d425129751ba5b3f622d60e8a6b8d2ee2bb3671fa2441cffddd3bb4412f056d02d36e441220667b659e9cc979351ed

Download Submit
C:\Windows\{990C730F-ADB0-42c6-923B-AD13C32A443E}.exe

Filesize
380KB

MD5
30933cff558342e1006d11d8a6d64fcb

SHA1
d3cd6a8029ba05dabd6881a0040abaaf9b3282ce

SHA256
2d05e9565426d6719c2a810e4ade4bb2cc8ba1de198aab8c06be210f85b1b46a

SHA512
5a2150d620b9332d678828e3e04ba083980e61a3d3b8b2a2a0cc01c23c9bce96295baa0bb0ebdf692a80f9d34417ad44b623201a2f724fdd96604679bdf85f36

Download Submit
C:\Windows\{9A55A445-885E-454f-94FA-09E70DF3FF59}.exe

Filesize
380KB

MD5
8947fd2348b32c8b78c74b7ea8635c36

SHA1
9b2e58022ecb87120dc6261f1599ff89d7b0ef15

SHA256
f895a8b895e500c12cd7b33d003ffa5cd3493f2a321e21091cd112799dd15282

SHA512
02288fb38f22b03ccd09ad74c100c3e39b81871575ffc4529ae95e34b83fa97d4825512849ccf7e82db88b5dafba9df369ff0b82df2bf07c4b10a90804a5588a

Download Submit
C:\Windows\{9AD52A90-38B1-4a40-80B3-80D3AA9C6F47}.exe

Filesize
380KB

MD5
ce650984d73d2160aa8f1dea33acb98e

SHA1
f28fc8182f2d8bc81b67443513949d92dd99b156

SHA256
d6a4c6c46113e710ee5ef97541d505348922565712763a7cfcb7e3c09d0ce152

SHA512
fa1893715dd9bd6ea59034af2a21b449685f53fbd500661b9c445bc7e184d1eb2bf2ee68c345e01c29694158cb8088d22e206db0eafadb61f5dbdd37d60e7f44

Download Submit
C:\Windows\{9C707E72-A484-4f9a-B1E3-E8EE2A580587}.exe

Filesize
380KB

MD5
67d2162ae4aa63719144c2106c6717bb

SHA1
c10adf220b5adb0845d8c0688e41b9958d67dc4b

SHA256
02c8223bb42819bb79da99239c5840ea67aff8b6614b190e8926677714cf64ac

SHA512
ec04439a5c2bec1994926b828e9e7e78a184b198246700d26d5c8b98026878bce2a66eb883273c6c9f50a8ac4f6bb48a36bb681274e0eab7b1f7cbdfcdbdb448

Download Submit
C:\Windows\{BE491542-05BA-42bd-B0F7-2A65926B621D}.exe

Filesize
380KB

MD5
9e2c5cba0d6566b6f62ed73047249cc7

SHA1
b55e390cd0dd18f0dbb9cf8ee7400bbc4aed7611

SHA256
cfd50a206d326d56a6db0675bab362d30696a130b99c36b3c503cc382b605a86

SHA512
da01fa8e7a094012af519225685c2fa9a643848b9b04db256d32a9eeda22ba2db03c557a90a6aabf58126805a01b9ed73c8dcb412c838a12f3d8e7055520aeac

Download Submit
C:\Windows\{C2381C99-A743-4072-B2A8-BF8355C13992}.exe

Filesize
380KB

MD5
4e1e03057795ff1a3f0b808cf6115283

SHA1
a8ce0a04cc6ff6717ebfcd03604360a0c791a88b

SHA256
c72c489cc24a7e0a210d152e001242f4a4d9d50f2288a7d0f617c96300d37cbb

SHA512
f062e252b8a9caa16ee416a7306f55c856cf8bd7995473a024e6cee7eea16e15d444284eea82172d8b6d5af2ef33f68777e9826b1421c4786969dfd3ec21f377

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads