ab6b310086f1d741532aea2d30a2ee90a71002b2f7ead8e8ae3ff6d81851e4e2

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Size

168KB
MD5

4ecfa6e51a1dab8dbdd70cc429eead73
SHA1

1fd7a2f28be6264bbc271bd4814958ae06a7c2df
SHA256

ab6b310086f1d741532aea2d30a2ee90a71002b2f7ead8e8ae3ff6d81851e4e2
SHA512

36c9d4fbe2a7ac33abf5bd00c9251943173fbc8597c62f60600d1cc1c5beea21fe7c9184e61a67fef4838e187d3335eb9c026923f5199ee47764c6665c283527
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023271-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e32b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023281-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023140-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023281-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}\stubpath = "C:\\Windows\\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe"	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}\stubpath = "C:\\Windows\\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe"	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{030C510C-A4AE-4cab-83E2-8D6825D310BA}	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{030C510C-A4AE-4cab-83E2-8D6825D310BA}\stubpath = "C:\\Windows\\{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe"	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}\stubpath = "C:\\Windows\\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe"	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}\stubpath = "C:\\Windows\\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe"	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB9577B-3468-4d63-B96D-3149C094A298}	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAB9577B-3468-4d63-B96D-3149C094A298}\stubpath = "C:\\Windows\\{FAB9577B-3468-4d63-B96D-3149C094A298}.exe"	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}\stubpath = "C:\\Windows\\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe"	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}\stubpath = "C:\\Windows\\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe"	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}\stubpath = "C:\\Windows\\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe"	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}\stubpath = "C:\\Windows\\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe"	{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}\stubpath = "C:\\Windows\\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe"	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}\stubpath = "C:\\Windows\\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe"	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}	{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe

Executes dropped EXE 12 IoCs

pid	Process
4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
376	{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe
1492	{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
File created	C:\Windows\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe	{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe
File created	C:\Windows\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
File created	C:\Windows\{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
File created	C:\Windows\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
File created	C:\Windows\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
File created	C:\Windows\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
File created	C:\Windows\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
File created	C:\Windows\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
File created	C:\Windows\{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
File created	C:\Windows\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
File created	C:\Windows\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
Token: SeIncBasePriorityPrivilege	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
Token: SeIncBasePriorityPrivilege	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
Token: SeIncBasePriorityPrivilege	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
Token: SeIncBasePriorityPrivilege	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
Token: SeIncBasePriorityPrivilege	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
Token: SeIncBasePriorityPrivilege	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
Token: SeIncBasePriorityPrivilege	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
Token: SeIncBasePriorityPrivilege	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
Token: SeIncBasePriorityPrivilege	208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
Token: SeIncBasePriorityPrivilege	376	{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4512	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	91
PID 4844 wrote to memory of 4512	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	91
PID 4844 wrote to memory of 4512	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	91
PID 4844 wrote to memory of 3812	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	92
PID 4844 wrote to memory of 3812	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	92
PID 4844 wrote to memory of 3812	4844	2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe	92
PID 4512 wrote to memory of 3972	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	93
PID 4512 wrote to memory of 3972	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	93
PID 4512 wrote to memory of 3972	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	93
PID 4512 wrote to memory of 1076	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	94
PID 4512 wrote to memory of 1076	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	94
PID 4512 wrote to memory of 1076	4512	{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe	94
PID 3972 wrote to memory of 4588	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	103
PID 3972 wrote to memory of 4588	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	103
PID 3972 wrote to memory of 4588	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	103
PID 3972 wrote to memory of 3704	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	104
PID 3972 wrote to memory of 3704	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	104
PID 3972 wrote to memory of 3704	3972	{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe	104
PID 4588 wrote to memory of 4456	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	106
PID 4588 wrote to memory of 4456	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	106
PID 4588 wrote to memory of 4456	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	106
PID 4588 wrote to memory of 1068	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	107
PID 4588 wrote to memory of 1068	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	107
PID 4588 wrote to memory of 1068	4588	{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe	107
PID 4456 wrote to memory of 4472	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	108
PID 4456 wrote to memory of 4472	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	108
PID 4456 wrote to memory of 4472	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	108
PID 4456 wrote to memory of 2160	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	109
PID 4456 wrote to memory of 2160	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	109
PID 4456 wrote to memory of 2160	4456	{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe	109
PID 4472 wrote to memory of 4448	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	110
PID 4472 wrote to memory of 4448	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	110
PID 4472 wrote to memory of 4448	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	110
PID 4472 wrote to memory of 2696	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	111
PID 4472 wrote to memory of 2696	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	111
PID 4472 wrote to memory of 2696	4472	{FAB9577B-3468-4d63-B96D-3149C094A298}.exe	111
PID 4448 wrote to memory of 3388	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	112
PID 4448 wrote to memory of 3388	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	112
PID 4448 wrote to memory of 3388	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	112
PID 4448 wrote to memory of 404	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	113
PID 4448 wrote to memory of 404	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	113
PID 4448 wrote to memory of 404	4448	{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe	113
PID 3388 wrote to memory of 2416	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	114
PID 3388 wrote to memory of 2416	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	114
PID 3388 wrote to memory of 2416	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	114
PID 3388 wrote to memory of 1568	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	115
PID 3388 wrote to memory of 1568	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	115
PID 3388 wrote to memory of 1568	3388	{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe	115
PID 2416 wrote to memory of 4912	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	116
PID 2416 wrote to memory of 4912	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	116
PID 2416 wrote to memory of 4912	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	116
PID 2416 wrote to memory of 4188	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	117
PID 2416 wrote to memory of 4188	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	117
PID 2416 wrote to memory of 4188	2416	{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe	117
PID 4912 wrote to memory of 208	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	118
PID 4912 wrote to memory of 208	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	118
PID 4912 wrote to memory of 208	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	118
PID 4912 wrote to memory of 4904	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	119
PID 4912 wrote to memory of 4904	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	119
PID 4912 wrote to memory of 4904	4912	{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe	119
PID 208 wrote to memory of 376	208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe	120
PID 208 wrote to memory of 376	208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe	120
PID 208 wrote to memory of 376	208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe	120
PID 208 wrote to memory of 408	208	{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_4ecfa6e51a1dab8dbdd70cc429eead73_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
  C:\Windows\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
    C:\Windows\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
      C:\Windows\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
        
        C:\Windows\{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
        
        C:\Windows\{FAB9577B-3468-4d63-B96D-3149C094A298}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
        
        C:\Windows\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
        
        C:\Windows\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
        
        C:\Windows\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
        
        C:\Windows\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
        
        C:\Windows\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe
        
        C:\Windows\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe
        
        C:\Windows\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe
        13⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{190A9~1.EXE > nul
        13⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB4B~1.EXE > nul
        12⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74EFE~1.EXE > nul
        11⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C62F~1.EXE > nul
        10⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA45F~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CE81~1.EXE > nul
        8⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB95~1.EXE > nul
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{030C5~1.EXE > nul
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E03~1.EXE > nul
        5⤵
        
        PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8324~1.EXE > nul
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EC8B~1.EXE > nul
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{030C510C-A4AE-4cab-83E2-8D6825D310BA}.exe

Filesize
168KB

MD5
fb24f7f04ac20f407ad44a6a6b4aeafd

SHA1
f61fc136de4afc9611107c063f9cf7f6dc4d7bbf

SHA256
cd52328e21b58659b0bfc8435f2635d5fed6e8ba3ab00007a12a64817f2f785f

SHA512
50d45ca3dcfa6f41fecab5ba117b9e3c97f2c87cc3f818be51de992b297d7aab47fd12dd3142b258d0dbcdb0d706d5cba9e66c9b5e310eeb1cd839b6c165d8c3

Download Submit
C:\Windows\{190A9D66-C85A-4c81-BED9-DE51DE8B2751}.exe

Filesize
168KB

MD5
15ce46ada8ef24e77edf943bfc362ebd

SHA1
468bea656a6a48d8708f12916d09b41fa545e870

SHA256
e16962c272f75d04a0019d4cb83c44db8239b1ed3e0ce0b2859a2c810fecf609

SHA512
960c16878b3ef88ba44597a0b3d9cdb96cc46e616a44b11e48ef48b505841566abba24ec5229c9ed1f3f12b7fd4f3a73b11ef7a1dee4225bed8ad3bcd37788bd

Download Submit
C:\Windows\{1CE8171A-BCD5-4cfc-B870-94EBF2A5F0B2}.exe

Filesize
168KB

MD5
36e4999161b9992848c02c3536e0f655

SHA1
c4a92cb309f34740e8a5d03b4a095a0b629fff5c

SHA256
339b9f040c81d674b34fa549da89ca01d83bf60fcfce67485ed1f9e2bab70183

SHA512
02bb0edb511d44e72e87f0741b9cb4bbc32edaa4008b2bba49a28ff137f9f222e5572c667385a5541c40386bc5e1197e12e95782378711a7dc549b5bd31e5772

Download Submit
C:\Windows\{6EC8BDB6-D83C-48a2-A089-D1E8A21683CC}.exe

Filesize
168KB

MD5
ce20a844668896c5742f6f7cb324b2d1

SHA1
3b26d88157464f185dda2804a5c4feda7a9b75c1

SHA256
b81b106cb566ee4bab1094b650f17fe2d3d951be5e91e285c4241f01875462cb

SHA512
3d02615ee53c618e9fa6be66a11e3644719787ddb216e01ec60bcd35a63ca55374ea84914e5079547ba6f796a8340cb90b27e6ac5e81bf6b894705a41caf612e

Download Submit
C:\Windows\{74EFE5F5-B85D-40d8-A361-89AD3E1A8046}.exe

Filesize
168KB

MD5
6d1b6958e3e08799b4a380cc4f3f2519

SHA1
da0745364af9495af52edd2fddd1dde65ffccf9c

SHA256
68d28abc805feac5125d8638d2f24ddd34136a378b953d1eec2471eac07d33a0

SHA512
b8f535aa40f98ddaada1b61cc258b20f02fc74b927eee28cc30f655249853aa4ee82b97808131dcccf54ae1265deaf7969775e03843bdb6ccda34df032b25021

Download Submit
C:\Windows\{92E034C2-8EAD-4b2f-ABA2-5AFC2BEF9FDC}.exe

Filesize
168KB

MD5
3afa24908037918b3b71d413619c1752

SHA1
fcaf6fd9d2d84a112f61adc59aa52ec18fb2c603

SHA256
8dd4e509574dd58eb59ad884e7cc8cee5f7b88996a0c10c05826f32546b9c92f

SHA512
3da3d615d818ae37bdcb4488b5f5a9ecc1187d047551ef908123af2becfdf83ae51747a9a31c63d55be984b0f33484df5209a28c57f826c11ee30ad14260f270

Download Submit
C:\Windows\{9C62FA2A-DF09-41b2-AFD4-5A652DAEAF23}.exe

Filesize
168KB

MD5
6728a811453ced2d63ae028036864e34

SHA1
e3acdf443c7a9a3e302fa870edd38482da3ee934

SHA256
871fa45418e45e081c00a4aa0ca6ffa7cdef6d7f6c55092d3374ca04355d4e14

SHA512
ccabcbfea9b5aa9a8c77cb7db6b6938d6a69396ef10dea239a2f8eb3e5ddd67d267f133a3e10c574a04976056384b20e3b1e616be1853b938b65f10608c83bf3

Download Submit
C:\Windows\{A83249F3-7118-41d1-ABFE-39B4CB6565BF}.exe

Filesize
168KB

MD5
ffc512b82aea996ca9305d8f780898bd

SHA1
69ebcaa3641487ae12cd0f83bcc02498d0db5c44

SHA256
d0fd5d0f6e3ed7f2c8133ddf3849a6d9092ec0431579bb0eb7e11401c4492705

SHA512
62d63340a4e3b648dfe6270e83ac4ea8fa02bf962b591bd575ffe0f85ecaddfe3034ecf5aecc81a2573b2e941718f20401f97f5427f5cb664a2c4a327709b5dc

Download Submit
C:\Windows\{E0B4CED4-D9B6-4f2c-964B-FD5A02CE16EE}.exe

Filesize
168KB

MD5
05610dd81b5027fa5ba794d32cdb19d3

SHA1
4d091ceefb02365cfaf39c6a1bb0a42185920eeb

SHA256
f26b1e1a9a244a72229d3fb11c4e7600c04f8b2c744374fd9e0a820442d5d559

SHA512
bf1a2a310f7a5be2bd799822c37ec9746d0c56ae77e3c4d73c6627220dd5cd5c7bf691fb9754f6b25910a793150af6625fb0a3109568c2381883fa3a4928df35

Download Submit
C:\Windows\{EBB4B68C-898E-46b5-84A6-064EE6D38E63}.exe

Filesize
168KB

MD5
3aaffcc638b14d918a4c496fb76d8939

SHA1
95c35fc07d6df62be5cb17255ab583b8e6506480

SHA256
46d86c44a7c09d0b674d0bdca6b263417c71d1f78c4f611f2ba975eb03b38728

SHA512
e07c147ab85aafd4dc908e72b428e9cfd541f489098a0bcf2969756310664a970014befa1f9e52373848e170e99cdd6192838dfdd34c745629b490440dafc4a7

Download Submit
C:\Windows\{FA45F573-8977-4d72-A1CA-C0CDF229B6AD}.exe

Filesize
168KB

MD5
959d439770dfc7bf1c39623e3b0d6d52

SHA1
6ead50750330f45e9ba61c3547037e2a78c52a3a

SHA256
6e5346e3155f8b1090687a3a0b1bdf1ce073422f4343b6b67f4f2ef084c00547

SHA512
d69b77a3c87963a8e09d96c8a3fbffce1ee3c8812c6a702f0df97b606af8c964093022e9b618ce550a0efe1304ddeb33ac1c5c485e37fb04b10b673daf5d35c0

Download Submit
C:\Windows\{FAB9577B-3468-4d63-B96D-3149C094A298}.exe

Filesize
168KB

MD5
221bcc2be9c5e8c7bcef23d826b99641

SHA1
7397d53a777332a5c124252aad90b4b118578409

SHA256
136c2c148fe7680c497902e17c000c838fbef0ac2c5a95f6d7e7321fbb9fe864

SHA512
9454dd3529f5e7ee17f7e976ad54dfbe3d543285bd5656a6634c7fac909551434a8f0806a41744b2f282a822988f1afe9b116e028db86bdc896ec7b185ebb0d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads