e87c5bac8b6756c54ef6644e27568f8bb3056dfa12d98ac7a75f601cdc7be4e9

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
Size

408KB
MD5

8f0eab85581fde831e750bb2392096ab
SHA1

ffaffba947471066f947c7ea9f1b76ef36d7c121
SHA256

e87c5bac8b6756c54ef6644e27568f8bb3056dfa12d98ac7a75f601cdc7be4e9
SHA512

0df0c219d94c837da5186f59c6e367940bed830dd291a2552b2f6b990f57d4713daa0f95992a5c35a21de41b69fe97db70265be772ae6ee8e9dd24f338a02649
SSDEEP

3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGCldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002324c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002324f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023256-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325a-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023261-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}\stubpath = "C:\\Windows\\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe"	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}\stubpath = "C:\\Windows\\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe"	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64826F20-CC77-4711-A785-D394AE4E4BCC}\stubpath = "C:\\Windows\\{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe"	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}\stubpath = "C:\\Windows\\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe"	{DB619471-B110-4678-B462-D5E972BC8941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D11ACB48-1337-4c01-93F8-B05840CC87F3}\stubpath = "C:\\Windows\\{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe"	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB19D9-420F-48c9-A063-519BE66FE066}	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB619471-B110-4678-B462-D5E972BC8941}	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB619471-B110-4678-B462-D5E972BC8941}\stubpath = "C:\\Windows\\{DB619471-B110-4678-B462-D5E972BC8941}.exe"	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F82074-6EF0-411f-A278-D1D278AA473D}\stubpath = "C:\\Windows\\{10F82074-6EF0-411f-A278-D1D278AA473D}.exe"	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}\stubpath = "C:\\Windows\\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe"	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}\stubpath = "C:\\Windows\\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe"	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64826F20-CC77-4711-A785-D394AE4E4BCC}	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}\stubpath = "C:\\Windows\\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe"	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F82074-6EF0-411f-A278-D1D278AA473D}	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}\stubpath = "C:\\Windows\\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe"	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}	{DB619471-B110-4678-B462-D5E972BC8941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D11ACB48-1337-4c01-93F8-B05840CC87F3}	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFCB19D9-420F-48c9-A063-519BE66FE066}\stubpath = "C:\\Windows\\{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe"	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe

Executes dropped EXE 12 IoCs

pid	Process
5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
1324	{DB619471-B110-4678-B462-D5E972BC8941}.exe
4132	{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe	{DB619471-B110-4678-B462-D5E972BC8941}.exe
File created	C:\Windows\{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
File created	C:\Windows\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
File created	C:\Windows\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
File created	C:\Windows\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
File created	C:\Windows\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
File created	C:\Windows\{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
File created	C:\Windows\{DB619471-B110-4678-B462-D5E972BC8941}.exe	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
File created	C:\Windows\{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
File created	C:\Windows\{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
File created	C:\Windows\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
File created	C:\Windows\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
Token: SeIncBasePriorityPrivilege	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
Token: SeIncBasePriorityPrivilege	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
Token: SeIncBasePriorityPrivilege	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
Token: SeIncBasePriorityPrivilege	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
Token: SeIncBasePriorityPrivilege	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
Token: SeIncBasePriorityPrivilege	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
Token: SeIncBasePriorityPrivilege	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
Token: SeIncBasePriorityPrivilege	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
Token: SeIncBasePriorityPrivilege	1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
Token: SeIncBasePriorityPrivilege	1324	{DB619471-B110-4678-B462-D5E972BC8941}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 5104	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	91
PID 3400 wrote to memory of 5104	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	91
PID 3400 wrote to memory of 5104	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	91
PID 3400 wrote to memory of 1972	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	92
PID 3400 wrote to memory of 1972	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	92
PID 3400 wrote to memory of 1972	3400	2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe	92
PID 5104 wrote to memory of 4392	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	93
PID 5104 wrote to memory of 4392	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	93
PID 5104 wrote to memory of 4392	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	93
PID 5104 wrote to memory of 884	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	94
PID 5104 wrote to memory of 884	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	94
PID 5104 wrote to memory of 884	5104	{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe	94
PID 4392 wrote to memory of 3052	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	97
PID 4392 wrote to memory of 3052	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	97
PID 4392 wrote to memory of 3052	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	97
PID 4392 wrote to memory of 2292	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	98
PID 4392 wrote to memory of 2292	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	98
PID 4392 wrote to memory of 2292	4392	{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe	98
PID 3052 wrote to memory of 1572	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	106
PID 3052 wrote to memory of 1572	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	106
PID 3052 wrote to memory of 1572	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	106
PID 3052 wrote to memory of 3760	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	107
PID 3052 wrote to memory of 3760	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	107
PID 3052 wrote to memory of 3760	3052	{10F82074-6EF0-411f-A278-D1D278AA473D}.exe	107
PID 1572 wrote to memory of 4724	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	108
PID 1572 wrote to memory of 4724	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	108
PID 1572 wrote to memory of 4724	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	108
PID 1572 wrote to memory of 500	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	109
PID 1572 wrote to memory of 500	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	109
PID 1572 wrote to memory of 500	1572	{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe	109
PID 4724 wrote to memory of 2704	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	110
PID 4724 wrote to memory of 2704	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	110
PID 4724 wrote to memory of 2704	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	110
PID 4724 wrote to memory of 3408	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	111
PID 4724 wrote to memory of 3408	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	111
PID 4724 wrote to memory of 3408	4724	{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe	111
PID 2704 wrote to memory of 4496	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	112
PID 2704 wrote to memory of 4496	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	112
PID 2704 wrote to memory of 4496	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	112
PID 2704 wrote to memory of 2240	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	113
PID 2704 wrote to memory of 2240	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	113
PID 2704 wrote to memory of 2240	2704	{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe	113
PID 4496 wrote to memory of 2668	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	114
PID 4496 wrote to memory of 2668	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	114
PID 4496 wrote to memory of 2668	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	114
PID 4496 wrote to memory of 3476	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	115
PID 4496 wrote to memory of 3476	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	115
PID 4496 wrote to memory of 3476	4496	{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe	115
PID 2668 wrote to memory of 2516	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	116
PID 2668 wrote to memory of 2516	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	116
PID 2668 wrote to memory of 2516	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	116
PID 2668 wrote to memory of 2500	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	117
PID 2668 wrote to memory of 2500	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	117
PID 2668 wrote to memory of 2500	2668	{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe	117
PID 2516 wrote to memory of 1468	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	118
PID 2516 wrote to memory of 1468	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	118
PID 2516 wrote to memory of 1468	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	118
PID 2516 wrote to memory of 2456	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	119
PID 2516 wrote to memory of 2456	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	119
PID 2516 wrote to memory of 2456	2516	{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe	119
PID 1468 wrote to memory of 1324	1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe	120
PID 1468 wrote to memory of 1324	1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe	120
PID 1468 wrote to memory of 1324	1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe	120
PID 1468 wrote to memory of 4548	1468	{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_8f0eab85581fde831e750bb2392096ab_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
  C:\Windows\{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
    C:\Windows\{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
      C:\Windows\{10F82074-6EF0-411f-A278-D1D278AA473D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
        
        C:\Windows\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
        
        C:\Windows\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
        
        C:\Windows\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
        
        C:\Windows\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
        
        C:\Windows\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
        
        C:\Windows\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
        
        C:\Windows\{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{DB619471-B110-4678-B462-D5E972BC8941}.exe
        
        C:\Windows\{DB619471-B110-4678-B462-D5E972BC8941}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe
        
        C:\Windows\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe
        13⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB619~1.EXE > nul
        13⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64826~1.EXE > nul
        12⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{017B7~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB5C~1.EXE > nul
        10⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD75E~1.EXE > nul
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25DEA~1.EXE > nul
        8⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF6F0~1.EXE > nul
        7⤵
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{731FA~1.EXE > nul
        6⤵
        
        PID:500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10F82~1.EXE > nul
        5⤵
        
        PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EFCB1~1.EXE > nul
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D11AC~1.EXE > nul
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{017B7AFC-1207-47d3-9974-03CCBCEFE63C}.exe

Filesize
408KB

MD5
c274478840df03616936c2802120f0b5

SHA1
7678f05101c4b0b1acc2e007eb385a0784096878

SHA256
fa460caf640760152308c1a9f68905db6ddd5d76034948b9e5d04ad4c4a7e196

SHA512
e950099abc16a7b8c3d0bf1aa73bb6dea3964f6e41ef3c526c7b3324b2d655aa139ac7bc71ecd4b6effa8b393e95005653a4410f39965eea42f325f6da3e318d

Download Submit
C:\Windows\{10F82074-6EF0-411f-A278-D1D278AA473D}.exe

Filesize
408KB

MD5
51e17fd6543dc3b756421ba64bb6beb2

SHA1
5a6bbc5ba7016e21494ae113226b34a416902355

SHA256
321bbdad05dd300c3525d8a863947888db4a17adbff15b20aca8cc381df0a5d2

SHA512
f7513d85da246b0af05e80c8fad428c1d390eb535e0803ad451a25979561d18a098df8269982d2010df075e064ef1f226bb4a16f5f0fc979e0816feada49c9ac

Download Submit
C:\Windows\{25DEABDA-3301-4ad5-BF3E-7FAFBDAF40EE}.exe

Filesize
408KB

MD5
ad0d7a7ef69ed7ba7a2daf54e013a060

SHA1
2893f65a09d904e44f04ae7596472b540e458f3a

SHA256
06c2b159d508d1e9493708856cda59d72f1ea1f9f303d7e4f30d926a14365955

SHA512
b3b952f0749c81520ed1ad5ee789b63fe021fccbe9670fadfbd128c40ba57eacaac5248267e27c4e2e1086fb5d4aabcc3ac44794767ae9f83c86c53d8f321614

Download Submit
C:\Windows\{4C7B0421-B2AF-4f8c-9F69-BCB79FABD440}.exe

Filesize
408KB

MD5
7b3a64247c8c89ec5a859adb42ceb171

SHA1
f1b29e0c2d0c5d8e4cfa14d5e0f32f9a0fc1282d

SHA256
2c9d84853642e53d02cb2711b69945d0505c57f3c95a2d4258d282bf0eabfe67

SHA512
e9d063425cdbbfaec3c8bbcafe9cd1b562469874f848dbf4dee74f7063d3e6c96d16483878afb90c1ea86ad37a205cd93523df6fbbc181307e553bec656bfe74

Download Submit
C:\Windows\{64826F20-CC77-4711-A785-D394AE4E4BCC}.exe

Filesize
408KB

MD5
9332e43487907eb29f97db417b04291c

SHA1
7d0b4ea381894131d7690ff4205328b61d4b8220

SHA256
e637d94ec7ddd7ad1dc2e0e181bb1a666dc445eec600411ea7ebb2dbc280fcd5

SHA512
23cd5295b66a1656e53946587ece43401109edf450785aabf61327a404f5e1c10648823caae83c0de0777fcf6ceacd71903a9e152468e61216485a9b76e58bd6

Download Submit
C:\Windows\{731FA174-C9D3-4d14-8B33-4507BEC09CF7}.exe

Filesize
408KB

MD5
0dbf6365e20254c8a113b86785dea43c

SHA1
88d869dd7b2192c4ea98581408f54fc7e46b0525

SHA256
75ef19dfe3f64756a3f430edc64ededaa15de9162145deda080b87c19752d2da

SHA512
a0a42f624d131cf52c401b9e19dc0c50c4a3dc6a6861e129adc23e5649da60f846ae9d4d5bae8c6d4e2d4d7c88851dd56a9a19a621887b6c9bee00ae010304a3

Download Submit
C:\Windows\{AD75E3C5-4EE9-4151-AEF6-447D235FC768}.exe

Filesize
408KB

MD5
9ef5c16c81fdb1f4b4489d385754201d

SHA1
23c0dac0b87900ef6964a44c36f5c5fe71b9e9c6

SHA256
361a4bed8fd8b50eaeb415726ea06cab901585bb68e05762a251976b226b4506

SHA512
4fa93e40dc23a2144c41fdb85cd0270e29e7ac17a75778e1e5483c3917f9434937f63174a42cfd265c2c3f548ac594c0a85d7f4445d2db29484d7d06ccc9d7b8

Download Submit
C:\Windows\{D11ACB48-1337-4c01-93F8-B05840CC87F3}.exe

Filesize
408KB

MD5
586e763c69ebef6f960d32c214eb17bd

SHA1
e0e66e208bb097a0cf78cdcc95b0eda9ac95da91

SHA256
5bc00b94c487237d15cd9f1113f8bead4fa329cbc70e85ab8ad486b33ddc34ab

SHA512
227a37627400e07ec555d88963bfb17537a01d98187b8cf1e7d9692c4199a013f3aae4314f8af72be26cbc33c778ecb5e3c2cea2bd9fdaf2833fba463760f730

Download Submit
C:\Windows\{DB619471-B110-4678-B462-D5E972BC8941}.exe

Filesize
408KB

MD5
8c83667e2b0fc9dc57c934ea5438cec1

SHA1
e1ff76ea1de2119241e021f32d90cf7e28b9a734

SHA256
1ca6a9553c8d14a8258572733a7b17e1e002ce4a2d692e05eb0efe300a3afd0c

SHA512
b32ebd4a3367cea594348af0e45a1cf0b5332550aa17033306a7341f1f168ed2535445e3519c1a60a75c89ca8a70f074c3f5d8256e448adca0369be873bfd983

Download Submit
C:\Windows\{DDB5CD62-9C69-4ab6-A90B-0D62C0542B31}.exe

Filesize
408KB

MD5
87832071a94e956c9abd30b9d9c9a9cc

SHA1
49a5e5f2e77f9af72b276df0e5fd93d9fda71bd6

SHA256
a59df2cb0ef8cb78020349cb211c4b7c4552381306b42470fa622979c83a5900

SHA512
6d3fa3b131245896891b08a93370a13b79a10aadc6b210509de3d943dbf88e3ddde46190a9bfc9675266dafba1f0d4b03dbd3506cbd4f77a159540633d32a3b4

Download Submit
C:\Windows\{EFCB19D9-420F-48c9-A063-519BE66FE066}.exe

Filesize
408KB

MD5
cfcd9d37db8812e680697a4f69092282

SHA1
33b367b92e9cf23b9655adebc1c03b8999172efa

SHA256
0b519f330dceb0609c81edde4fc10838d9156f44e85c3085bf85466bfb27a883

SHA512
1921f4f1e1857e4aafd26822adddb8096323863347bce5a187d92eefeefda3cc5b35e6afd68b1d8aa56a74759922c7cc83754a6289f6ca81ffd78192d48a62ae

Download Submit
C:\Windows\{FF6F02DB-6C04-494d-AD35-DAA6C276F8C7}.exe

Filesize
408KB

MD5
aa62a8d3d266603c8414cade0c54c5b3

SHA1
abce5b64582f3cf9187b4383c4eaa55d607e6bd8

SHA256
72433195a8ba90ed13e6edbbad20e142a4f650ddf944b1ac61af54b44eb766ec

SHA512
174cfd2cd9f4aa32a7135eefad5dda3f5e0b9ce50d6a964ff2852c82ef6f7b9a35cb38b169b1d369318ac5f9f5a704221770672934abacd3e72c8e4d80187c72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads