d722a81e97ce8ca07de0d84f224aaa71f5881c0dba80bbc1e3c0af39426a5784

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
Size

408KB
MD5

ff470f997a9ea0fecd18bf69a8052569
SHA1

bb053be692d42c1ff1932a3dc1e6c7476fda668a
SHA256

d722a81e97ce8ca07de0d84f224aaa71f5881c0dba80bbc1e3c0af39426a5784
SHA512

d46949302e580d44aa2b77afcaf3cb43c4079b14c18cce2a018f610eb9eef4335351fb4df8b340307e9b4f731c06894256c69360a7ccc11d23d3be917d5bdf28
SSDEEP

3072:CEGh0opl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023261-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023275-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002326e-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023275-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}\stubpath = "C:\\Windows\\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe"	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8F6B651-0D27-47af-85D8-1380D2824CD2}\stubpath = "C:\\Windows\\{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe"	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}	{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E86B2F8-3855-486c-A279-35629DD1954F}\stubpath = "C:\\Windows\\{9E86B2F8-3855-486c-A279-35629DD1954F}.exe"	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}\stubpath = "C:\\Windows\\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe"	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331295E7-0B27-438d-92E7-057ABAD1667E}\stubpath = "C:\\Windows\\{331295E7-0B27-438d-92E7-057ABAD1667E}.exe"	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8F6B651-0D27-47af-85D8-1380D2824CD2}	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}\stubpath = "C:\\Windows\\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe"	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}\stubpath = "C:\\Windows\\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe"	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70801288-A0D5-4ffe-B44C-171117D3689E}	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331295E7-0B27-438d-92E7-057ABAD1667E}	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{992505CA-8D5D-467d-B55B-3413E9741B40}\stubpath = "C:\\Windows\\{992505CA-8D5D-467d-B55B-3413E9741B40}.exe"	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}\stubpath = "C:\\Windows\\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe"	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70801288-A0D5-4ffe-B44C-171117D3689E}\stubpath = "C:\\Windows\\{70801288-A0D5-4ffe-B44C-171117D3689E}.exe"	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{992505CA-8D5D-467d-B55B-3413E9741B40}	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}\stubpath = "C:\\Windows\\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe"	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}\stubpath = "C:\\Windows\\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe"	{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E86B2F8-3855-486c-A279-35629DD1954F}	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe

Executes dropped EXE 12 IoCs

pid	Process
2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
1636	{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe
5024	{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
File created	C:\Windows\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
File created	C:\Windows\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
File created	C:\Windows\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
File created	C:\Windows\{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
File created	C:\Windows\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
File created	C:\Windows\{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
File created	C:\Windows\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
File created	C:\Windows\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
File created	C:\Windows\{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
File created	C:\Windows\{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
File created	C:\Windows\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe	{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
Token: SeIncBasePriorityPrivilege	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
Token: SeIncBasePriorityPrivilege	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
Token: SeIncBasePriorityPrivilege	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
Token: SeIncBasePriorityPrivilege	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
Token: SeIncBasePriorityPrivilege	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
Token: SeIncBasePriorityPrivilege	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
Token: SeIncBasePriorityPrivilege	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
Token: SeIncBasePriorityPrivilege	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
Token: SeIncBasePriorityPrivilege	4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
Token: SeIncBasePriorityPrivilege	1636	{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2220	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	93
PID 4284 wrote to memory of 2220	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	93
PID 4284 wrote to memory of 2220	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	93
PID 4284 wrote to memory of 4944	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	94
PID 4284 wrote to memory of 4944	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	94
PID 4284 wrote to memory of 4944	4284	2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe	94
PID 2220 wrote to memory of 2572	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	99
PID 2220 wrote to memory of 2572	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	99
PID 2220 wrote to memory of 2572	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	99
PID 2220 wrote to memory of 2420	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	100
PID 2220 wrote to memory of 2420	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	100
PID 2220 wrote to memory of 2420	2220	{9E86B2F8-3855-486c-A279-35629DD1954F}.exe	100
PID 2572 wrote to memory of 4812	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	102
PID 2572 wrote to memory of 4812	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	102
PID 2572 wrote to memory of 4812	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	102
PID 2572 wrote to memory of 4856	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	103
PID 2572 wrote to memory of 4856	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	103
PID 2572 wrote to memory of 4856	2572	{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe	103
PID 4812 wrote to memory of 1104	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	105
PID 4812 wrote to memory of 1104	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	105
PID 4812 wrote to memory of 1104	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	105
PID 4812 wrote to memory of 1036	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	106
PID 4812 wrote to memory of 1036	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	106
PID 4812 wrote to memory of 1036	4812	{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe	106
PID 1104 wrote to memory of 3360	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	107
PID 1104 wrote to memory of 3360	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	107
PID 1104 wrote to memory of 3360	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	107
PID 1104 wrote to memory of 2044	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	108
PID 1104 wrote to memory of 2044	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	108
PID 1104 wrote to memory of 2044	1104	{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe	108
PID 3360 wrote to memory of 4524	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	109
PID 3360 wrote to memory of 4524	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	109
PID 3360 wrote to memory of 4524	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	109
PID 3360 wrote to memory of 2432	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	110
PID 3360 wrote to memory of 2432	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	110
PID 3360 wrote to memory of 2432	3360	{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe	110
PID 4524 wrote to memory of 1736	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	111
PID 4524 wrote to memory of 1736	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	111
PID 4524 wrote to memory of 1736	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	111
PID 4524 wrote to memory of 3104	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	112
PID 4524 wrote to memory of 3104	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	112
PID 4524 wrote to memory of 3104	4524	{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe	112
PID 1736 wrote to memory of 1364	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	113
PID 1736 wrote to memory of 1364	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	113
PID 1736 wrote to memory of 1364	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	113
PID 1736 wrote to memory of 4464	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	114
PID 1736 wrote to memory of 4464	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	114
PID 1736 wrote to memory of 4464	1736	{70801288-A0D5-4ffe-B44C-171117D3689E}.exe	114
PID 1364 wrote to memory of 1808	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	115
PID 1364 wrote to memory of 1808	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	115
PID 1364 wrote to memory of 1808	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	115
PID 1364 wrote to memory of 1484	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	116
PID 1364 wrote to memory of 1484	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	116
PID 1364 wrote to memory of 1484	1364	{331295E7-0B27-438d-92E7-057ABAD1667E}.exe	116
PID 1808 wrote to memory of 4148	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	117
PID 1808 wrote to memory of 4148	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	117
PID 1808 wrote to memory of 4148	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	117
PID 1808 wrote to memory of 2176	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	118
PID 1808 wrote to memory of 2176	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	118
PID 1808 wrote to memory of 2176	1808	{992505CA-8D5D-467d-B55B-3413E9741B40}.exe	118
PID 4148 wrote to memory of 1636	4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe	119
PID 4148 wrote to memory of 1636	4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe	119
PID 4148 wrote to memory of 1636	4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe	119
PID 4148 wrote to memory of 928	4148	{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_ff470f997a9ea0fecd18bf69a8052569_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
  C:\Windows\{9E86B2F8-3855-486c-A279-35629DD1954F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
    C:\Windows\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
      C:\Windows\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
        
        C:\Windows\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
        
        C:\Windows\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
        
        C:\Windows\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
        
        C:\Windows\{70801288-A0D5-4ffe-B44C-171117D3689E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
        
        C:\Windows\{331295E7-0B27-438d-92E7-057ABAD1667E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
        
        C:\Windows\{992505CA-8D5D-467d-B55B-3413E9741B40}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
        
        C:\Windows\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe
        
        C:\Windows\{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe
        
        C:\Windows\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe
        13⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F6B~1.EXE > nul
        13⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DB15~1.EXE > nul
        12⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99250~1.EXE > nul
        11⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33129~1.EXE > nul
        10⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70801~1.EXE > nul
        9⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5E10~1.EXE > nul
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F259~1.EXE > nul
        7⤵
        
        PID:2432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2920~1.EXE > nul
        6⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{840CA~1.EXE > nul
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{239AC~1.EXE > nul
      4⤵
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9E86B~1.EXE > nul
    3⤵
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{239AC444-7ACF-4cf8-A725-8584D3A3AFF4}.exe

Filesize
408KB

MD5
4e7f69e3647b83e415ce36083bd09e18

SHA1
22da01b78d7bb2cdaa3c3d726ea74a294fb3442f

SHA256
6ef0658107c302b505753830d3dffd3e3e0e3d73447e87512c68508949e3692b

SHA512
d93a8db799eefa4fbf8b8844d4ffac1cc710b833c36ba6943ffaeb07a1284436727d4275516a470202efdf9d7d20ee0b0fa1bb262de854bc93ebf5dad06d45d9

Download Submit
C:\Windows\{2DB1580A-6D4C-4b19-B92A-90BC0F147E13}.exe

Filesize
408KB

MD5
2b12c65b399dae74e2b61a08b0b00ad8

SHA1
1e5fbf8956cbeb82c90b4608f9d17422c8b63560

SHA256
7cfebe5f3e8649802bd0c8cc3a51561671a97f27ae7778c390bd2d168a8b4be7

SHA512
c1925d6fa4a24ef82c7d5c961afe20792afdf7b7b12782ffc1b589c5236765b2dd9f5ccf4473590e9f04e7db680b5624e338ab894ff1c6e2fe7748526c4d812c

Download Submit
C:\Windows\{331295E7-0B27-438d-92E7-057ABAD1667E}.exe

Filesize
408KB

MD5
19d1804223f2c3aa8c9e128ab26af8fa

SHA1
caff271291ace84819b1bad53f3016af8f6a64d7

SHA256
53d19e726787ba072181cba46427d8195d7c8c98dd253852842ffc22ede553ad

SHA512
bee96330e3ed49485765ec782021691ae63de566a8c88a7771b3f3e19456cac621251882d7ef4400be14cd60bce298ef004c18eb52ee7b973f8de0e465f6f4ed

Download Submit
C:\Windows\{4F259A73-F1F5-49b2-AF62-63BD3E36DE1D}.exe

Filesize
408KB

MD5
39284fbba0bd313363f0dbe68fc97dcc

SHA1
0e316ea71d50056df55e0c2782e9096c7766d3fd

SHA256
482c073a6eabc80d05956f4990a8b8ca9a4ed4fe094174c0cd8fdf3fd85ed098

SHA512
fe492b6cc06a4b388ce2c12312b252edc8052e51ac00d7021dee9196c990c93c1942fff7406422cdbea6c6c617e50636efaa34432b3c541558cb08b1892ecdc2

Download Submit
C:\Windows\{70801288-A0D5-4ffe-B44C-171117D3689E}.exe

Filesize
408KB

MD5
43ac4e46f5d63568ac1486a8592e3ad9

SHA1
01cf4ee149c683b84286ec4c5ece6f3940d7c841

SHA256
df60ad2642d359a3a37a9c3f4253082c7dd4f9d5b5f541b1cd5c40e8601fe726

SHA512
15fce74fec84eb44e7295d3a7e3630ce9e30d2b5b743f89de297ab949d728e68ae0b25752748c892d194c8e07e254598e22d9948366ee2dc5a9ac85a362a5b1b

Download Submit
C:\Windows\{840CAF41-9BB8-4dfd-83CF-FD388F012B7B}.exe

Filesize
408KB

MD5
3dadafd8f8f14ae838b188fc3620ca88

SHA1
0ab6862c4445749e4bf34d5017d407941ff6d694

SHA256
987fc54d93e950b04e83bbc45bf8358811680586dc268d9f7fb7194872ec95f1

SHA512
65ebea4034cfe52d1966bbeeeb2fb43101277637cfd0946bfea5f9545b33f9bf1c12dddbcb6e475a75410e70642c37c31a03de2668cd5cbc08029d18f9f7b05e

Download Submit
C:\Windows\{992505CA-8D5D-467d-B55B-3413E9741B40}.exe

Filesize
408KB

MD5
0877a70446d31e4dd0ea1dd1a3971a21

SHA1
d04a3c7b034750671caed0f99c9ad68624e2bafe

SHA256
9e3fdf8c821843dd878c1e08d8bc58ea41e18b48fb3d890f02298532558bb4d3

SHA512
5d13b89d58ea5f3a03222aab1e8c10f0871e45c4696c312b218760e86829d41ac06a8e086922b1491e6509da87eefad91462bb553a4a3d77a298b5e13eb72bd7

Download Submit
C:\Windows\{9BE837CD-7972-49fd-BF91-A41AC2EE1203}.exe

Filesize
408KB

MD5
a98b64434cbbcd59cf8ee08a81d8dc8a

SHA1
95bb6fdbfbc95b1aa49b5737dd8ecc0795fdca59

SHA256
59c394f9d1ce8fa7f22963e31a09fc1bed9e6c3f92b88d3c7c9ee5c187aa4bf1

SHA512
b47bb0abb87a08526844a5c8cc3aeaa77d887b4af08c621c32cd9fe98af9dcddf625c9dcfdf13f006272f8ae0595e887aac5e479fa6f161e36dd7d6a110aa6d9

Download Submit
C:\Windows\{9E86B2F8-3855-486c-A279-35629DD1954F}.exe

Filesize
408KB

MD5
0907525a0cbb4879b4df76d4ffaa1599

SHA1
30a0fb1519d7cbde68b4d1bd378882ca15ff47b4

SHA256
68c9ee06bde68f8bf9d7081734569dfc39863b89156082916dfe11cce22d7a17

SHA512
67f84b0838d8096278103986508a38782da6e2d1eccf4ba0d047ffc11b5f106c5b1c3f7fee5eb1372346234cce24fadbf40e94d88d6c2e3269e4ceedf3df707a

Download Submit
C:\Windows\{B29209B9-F734-4f59-AB22-2AD9B6EACDA7}.exe

Filesize
408KB

MD5
52ef73d4a75190645639c00d06d94349

SHA1
e861b088bd640e03f9c2b8e655cc141c62a27519

SHA256
6a3f11eee8fe2d0381c278eec2ef3da25bbf5e6f809b80b6a489271932ecd9f1

SHA512
2dcb85efba0f3c1f8e522e7d56f906926cef11ed4415ca5bf203ed39c86973f79745a9dd2b42933b7fe1c719fe61ecdc25b27362c824b4920e65698b099db23d

Download Submit
C:\Windows\{B8F6B651-0D27-47af-85D8-1380D2824CD2}.exe

Filesize
408KB

MD5
05b53df51fc5e1fffe9d23cedbeb69d8

SHA1
b10fd571bdd6908d792632b261f24f62e394c332

SHA256
16d6272034706fae47f0fcdc9e055b007825f491538c1236885895da6108f1c0

SHA512
8466bde6f2d583fcfddaf9522bcefce411e230e26e12ada9f70c58f486045cbbc74313438177128aa35b1bd806272fbb7f58c9ea61822c5a89daace9974054d2

Download Submit
C:\Windows\{D5E10F0F-9E02-40c3-A5A7-0A8D7BAC097E}.exe

Filesize
408KB

MD5
ded1bd9517260d12b4784b8ace1467a0

SHA1
a8c94375e5dd5bd360ba4dba5eaccd57b662954c

SHA256
687ddf180b4abc16ba776aa1854deb81c17645f6cb250f734ff194b3c5654292

SHA512
229b9ceb08ba2944549a97ab334dc22ba1f780dbbad56a16db03727ecd18768935eb56ddfce34ad10c30d60c7a4aafe76fb3ee1d32383757ec42a4ad3ceff3d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads