7dcaa96b4d283bb031ee606b3c1f820074c3fb774a196550c6c0ec9eb64230fa

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Size

204KB
MD5

eab24f112dab06700cb4b8af986192cd
SHA1

2b93700ccca76082edaddb6f2e6d646bc18b21f5
SHA256

7dcaa96b4d283bb031ee606b3c1f820074c3fb774a196550c6c0ec9eb64230fa
SHA512

a17b84bb5efa5105b9e98e12c3ca61cf1fd74816d99a8f00c7cc0320e604deb790688f2fa4622bb1f85ffea642536e297e11b8663258855ff8b85fcc3b68d2df
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023232-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002323c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002323c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e3d2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e3d2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{400839BB-FB13-4f9f-B853-5DB72D544D66}	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{400839BB-FB13-4f9f-B853-5DB72D544D66}\stubpath = "C:\\Windows\\{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe"	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}\stubpath = "C:\\Windows\\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe"	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}\stubpath = "C:\\Windows\\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe"	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}\stubpath = "C:\\Windows\\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe"	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ED8D56E-F716-411c-9E7F-86E00332417E}	{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}\stubpath = "C:\\Windows\\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe"	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}\stubpath = "C:\\Windows\\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe"	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD45121-0249-46db-B5E6-B54A936AFC3B}\stubpath = "C:\\Windows\\{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe"	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B18F92-8974-408a-843E-EF999A5F4A1D}	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ED8D56E-F716-411c-9E7F-86E00332417E}\stubpath = "C:\\Windows\\{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe"	{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9067B27C-2A29-46e4-9D05-15930361B2AF}\stubpath = "C:\\Windows\\{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe"	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B18F92-8974-408a-843E-EF999A5F4A1D}\stubpath = "C:\\Windows\\{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe"	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9067B27C-2A29-46e4-9D05-15930361B2AF}	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}\stubpath = "C:\\Windows\\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe"	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD45121-0249-46db-B5E6-B54A936AFC3B}	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}\stubpath = "C:\\Windows\\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe"	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe

Executes dropped EXE 12 IoCs

pid	Process
3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
4172	{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
1132	{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
File created	C:\Windows\{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
File created	C:\Windows\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
File created	C:\Windows\{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
File created	C:\Windows\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
File created	C:\Windows\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
File created	C:\Windows\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
File created	C:\Windows\{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
File created	C:\Windows\{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
File created	C:\Windows\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
File created	C:\Windows\{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe	{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
File created	C:\Windows\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
Token: SeIncBasePriorityPrivilege	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
Token: SeIncBasePriorityPrivilege	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
Token: SeIncBasePriorityPrivilege	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
Token: SeIncBasePriorityPrivilege	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
Token: SeIncBasePriorityPrivilege	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
Token: SeIncBasePriorityPrivilege	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
Token: SeIncBasePriorityPrivilege	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
Token: SeIncBasePriorityPrivilege	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
Token: SeIncBasePriorityPrivilege	2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
Token: SeIncBasePriorityPrivilege	4172	{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3456	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	96
PID 3372 wrote to memory of 3456	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	96
PID 3372 wrote to memory of 3456	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	96
PID 3372 wrote to memory of 2572	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	97
PID 3372 wrote to memory of 2572	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	97
PID 3372 wrote to memory of 2572	3372	2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe	97
PID 3456 wrote to memory of 3268	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	101
PID 3456 wrote to memory of 3268	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	101
PID 3456 wrote to memory of 3268	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	101
PID 3456 wrote to memory of 4780	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	102
PID 3456 wrote to memory of 4780	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	102
PID 3456 wrote to memory of 4780	3456	{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe	102
PID 3268 wrote to memory of 3612	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	104
PID 3268 wrote to memory of 3612	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	104
PID 3268 wrote to memory of 3612	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	104
PID 3268 wrote to memory of 212	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	105
PID 3268 wrote to memory of 212	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	105
PID 3268 wrote to memory of 212	3268	{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe	105
PID 3612 wrote to memory of 4956	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	107
PID 3612 wrote to memory of 4956	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	107
PID 3612 wrote to memory of 4956	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	107
PID 3612 wrote to memory of 1860	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	108
PID 3612 wrote to memory of 1860	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	108
PID 3612 wrote to memory of 1860	3612	{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe	108
PID 4956 wrote to memory of 3132	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	109
PID 4956 wrote to memory of 3132	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	109
PID 4956 wrote to memory of 3132	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	109
PID 4956 wrote to memory of 2440	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	110
PID 4956 wrote to memory of 2440	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	110
PID 4956 wrote to memory of 2440	4956	{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe	110
PID 3132 wrote to memory of 4436	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	111
PID 3132 wrote to memory of 4436	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	111
PID 3132 wrote to memory of 4436	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	111
PID 3132 wrote to memory of 4020	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	112
PID 3132 wrote to memory of 4020	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	112
PID 3132 wrote to memory of 4020	3132	{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe	112
PID 4436 wrote to memory of 3264	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	113
PID 4436 wrote to memory of 3264	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	113
PID 4436 wrote to memory of 3264	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	113
PID 4436 wrote to memory of 4924	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	114
PID 4436 wrote to memory of 4924	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	114
PID 4436 wrote to memory of 4924	4436	{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe	114
PID 3264 wrote to memory of 2432	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	115
PID 3264 wrote to memory of 2432	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	115
PID 3264 wrote to memory of 2432	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	115
PID 3264 wrote to memory of 2324	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	116
PID 3264 wrote to memory of 2324	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	116
PID 3264 wrote to memory of 2324	3264	{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe	116
PID 2432 wrote to memory of 3412	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	117
PID 2432 wrote to memory of 3412	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	117
PID 2432 wrote to memory of 3412	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	117
PID 2432 wrote to memory of 4984	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	118
PID 2432 wrote to memory of 4984	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	118
PID 2432 wrote to memory of 4984	2432	{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe	118
PID 3412 wrote to memory of 2796	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	119
PID 3412 wrote to memory of 2796	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	119
PID 3412 wrote to memory of 2796	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	119
PID 3412 wrote to memory of 3652	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	120
PID 3412 wrote to memory of 3652	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	120
PID 3412 wrote to memory of 3652	3412	{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe	120
PID 2796 wrote to memory of 4172	2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe	121
PID 2796 wrote to memory of 4172	2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe	121
PID 2796 wrote to memory of 4172	2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe	121
PID 2796 wrote to memory of 1748	2796	{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_eab24f112dab06700cb4b8af986192cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
  C:\Windows\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
    C:\Windows\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
      C:\Windows\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
        
        C:\Windows\{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
        
        C:\Windows\{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
        
        C:\Windows\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
        
        C:\Windows\{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
        
        C:\Windows\{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
        
        C:\Windows\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
        
        C:\Windows\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
        
        C:\Windows\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe
        
        C:\Windows\{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B72D~1.EXE > nul
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3632~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE4A~1.EXE > nul
        11⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0B18~1.EXE > nul
        10⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9067B~1.EXE > nul
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D397~1.EXE > nul
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40083~1.EXE > nul
        7⤵
        
        PID:4020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD45~1.EXE > nul
        6⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E055D~1.EXE > nul
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B5E3~1.EXE > nul
      4⤵
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA76~1.EXE > nul
    3⤵
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B5E3C47-DFF4-45a9-AA35-F0580BADC3D0}.exe

Filesize
204KB

MD5
4c5174873ca136e10d9359bc971f9210

SHA1
43348013c1a53bf4aeeccf0c4eebbff914ae11b5

SHA256
2b89dd4eec42bd5203af08dcbe4b1c6b4104bf3ed919386591c3039c3b3d4990

SHA512
7afb6db21cc4a9d4364d052fd7ac94e493e6efb5cf3a68d8ea76c05f3c2d56b998cf0791d8fb76d1c821010fa0b9e8d053643d8fa308dbe8fdd1d7a24607f442

Download Submit
C:\Windows\{0B72DCEE-C203-4435-A64F-68F48B7C99C7}.exe

Filesize
204KB

MD5
1e5d08055d57896e52959af766238ced

SHA1
ec3a1db9e052837b39f665a6eb993716244aec6c

SHA256
f5db80c41446972b70f7815467c3cdbe99fb4e30bb5c8b4fee5a732db62e0361

SHA512
1586a0cda77b5d0c601559d2d3a51aca91ec091da50e58627211b502885cf67489f17424e0090d99e496d3ebb97c6afd70e7a7719d5c5a995f530df1d7ae5e99

Download Submit
C:\Windows\{3CD45121-0249-46db-B5E6-B54A936AFC3B}.exe

Filesize
204KB

MD5
2e3726ffdcca74cdf77551afee0c7e50

SHA1
f6b5b401e57faa046c10487ade2002a7d93ed357

SHA256
1b2270a2f83e3d77a19498a2ac940b01c6f90343df82bd7a8b0c55ea4e3ff8cf

SHA512
fc720c89eb42a9c6e1d055282272a5508d0c2b392a6b1dbabf2cecd1be303099f8f447fc4b2b533e568625b8724ff42b2e7d452d77ba4fbdefaa29309b51b354

Download Submit
C:\Windows\{400839BB-FB13-4f9f-B853-5DB72D544D66}.exe

Filesize
204KB

MD5
36d4faaaba4fb5278c5ff4ddacb8b949

SHA1
634ba632b4e771e86f9f09ac37f6ffdace36bc56

SHA256
54c6df3315e66ec5a822ae97fbb01912f29b0aa34eef6f405df340af44b6383a

SHA512
2fa9bdd1cb3afbb05a8e5deebb3140383b19b4eecd6315cba77d71c32646d85ff7d6a0fb898856ad69b232099f84909edd0ec0990f060be4b3d3c0eeddc7c4d2

Download Submit
C:\Windows\{6D397B13-3C96-4bc0-8F5C-3912BD81F218}.exe

Filesize
204KB

MD5
090eb0b55e8a6554fd5f17444470ebbb

SHA1
fe6169c3ff04dce3feaad63fb8ea872828deeebe

SHA256
37016f8439ea452eaeb3d647e53c95d3f864d2c946d9236d4c05b5922ff927b4

SHA512
e4bcde043c84f2fb51bc71659b2ecdbeb4853986d69cc6dd49dc8c5b7ee57a95ee0c7ff6050b0617698642c224018ea14c1283726408e09b9c637f8db6807891

Download Submit
C:\Windows\{6DE4A04C-9E7E-4209-AE4D-1F302AD03989}.exe

Filesize
204KB

MD5
0dc21f7939c78990aabffa9ad2ed8842

SHA1
f515f4ab069e81fcebe3a9dc409f1bbda4254d88

SHA256
30e38100935602d8015e202145e089209b35ff96f58c5e69a36edfb307cd7ddc

SHA512
89a23704932833dccb049daf84b622775051f8fdd23c74c902eb41cca10a79f7944cc03bfa51f4d8e80a93c54a43cee6b11f936ca959116551f5c26c659571b2

Download Submit
C:\Windows\{9067B27C-2A29-46e4-9D05-15930361B2AF}.exe

Filesize
204KB

MD5
9a6f6cd045c03d561f871023badeac87

SHA1
cde05c62c34ee332eb875c40df00b00fcfd3269e

SHA256
5e8785f53c24ccf2ff38cea0c7f29cf9f6e65424fa03a28d65e47ec6e083bfd2

SHA512
50122a564a429b58b157e58f30e947872e23153fb20f8c5c9930be0a81a247da769f4bbb4c7ddaa0d120d724b19c8502c03c94f56f448b061909853a9b09fc81

Download Submit
C:\Windows\{9ED8D56E-F716-411c-9E7F-86E00332417E}.exe

Filesize
204KB

MD5
0792e80340cdf8ee4ab9de2315af416b

SHA1
26a17479b90cb7b4e79bc90bb8d488169c137647

SHA256
e9c0fdca3239c28da3caae51c217f42c8d285d574f7d67a5dc9d42e1c84478b1

SHA512
ef387b1e9a5794789cf6f06b888db411d88a6b2053412a952131215d0712e8789bb2f6999de3a1795c16c4f1802466998a5f623240820d11cb7e641b757a3b44

Download Submit
C:\Windows\{B3632ECA-0696-4195-B6A3-20B36BEC22EB}.exe

Filesize
204KB

MD5
fa398693eda1f0213240475eb7c52ac2

SHA1
7d8ca19eb4710b7658407634b1353a9bd2da7ff2

SHA256
2f35b75db6bcdb9475361ba8100878de85f260aa97b9545ccc6d2f0e5e1b08e7

SHA512
c64db0bc6da81c37ec509a20e7fa9f6816b9ef97601fe8c18aad50c9c14dd573dd9831688fe84e97a1a0e94b757150d8af4b0252ec1b2f12cf2585006b1487b6

Download Submit
C:\Windows\{BBA76BAF-B95D-4ffc-815D-F72C724D8B64}.exe

Filesize
204KB

MD5
aa5fc9f78bee46b1c2a7d9f499e76955

SHA1
1ef89d9472fa5cb942b4f442c52cd8602ff6584e

SHA256
94246a3965068e96b969e1862753ad98b77ccd8f68ae5a18ae946df612f55a40

SHA512
dc433494025c6527b4a0badace4d21b9aa5ff6be5bcd719fdedab0395986a723ff51533f2712bf47139fd17e9e44aff9ecf8cb919749f141032334700544fd1e

Download Submit
C:\Windows\{E055D3AD-4194-41ef-9451-AC5B1C9BB221}.exe

Filesize
204KB

MD5
2bd7fa6e4dbf88883d6704d891f4ac7e

SHA1
8265ace9bf10c8a27e3081510ab880596dffdfb7

SHA256
bf62592c38be960e2948d80ea0da8291b630d0ed6aeb8de0ad11cb423280a203

SHA512
0f30deb9fd7eeb43746fdb5af226a21e703c5ab43cbed61617dc88275daf94b22043fb3a3e58491342b4593668a657065f9949935f273d2b297e83ee5c800bf5

Download Submit
C:\Windows\{E0B18F92-8974-408a-843E-EF999A5F4A1D}.exe

Filesize
204KB

MD5
453a1a45693183bfccb8a03fe541e480

SHA1
df1459fe6a395635ee808b3853d37a370b6f099f

SHA256
1411e4b3cee624482eb03a41fe80f11925c7fd6f8ac232437e65e6dec0e954ad

SHA512
9b2a3d37f91d1c1d513c9afc45d70ca53f070e12127cadd3f61be54f67c274ba569deae9b8517bcb39c6ab48d757cefc76657492c016ede607bf60f47ada4138

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads