1a22b80a2ec066eb464788b8840adc31569dbf1c4cd600dcc40128e840298b0e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Size

168KB
MD5

7a2f22b707a0ad0080e3bad72b251743
SHA1

b585b7803dc4fb2efb5455c1c5fc2ef6bde676a3
SHA256

1a22b80a2ec066eb464788b8840adc31569dbf1c4cd600dcc40128e840298b0e
SHA512

af9934b0b78e3c0e4f733e6eed624409ae4802f5e6c6d76cef7a8ed19f6640c0215d3a20eb44505cdf325a34425acf3a21d5f0c6c22cd19eab268d6ac0cbdeda
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002326d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023279-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002326d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023279-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E42AB136-A067-40e9-82E5-8F915E38A41F}	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}\stubpath = "C:\\Windows\\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe"	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272433CB-8F2B-4688-9463-0699A9562BD8}\stubpath = "C:\\Windows\\{272433CB-8F2B-4688-9463-0699A9562BD8}.exe"	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E42AB136-A067-40e9-82E5-8F915E38A41F}\stubpath = "C:\\Windows\\{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe"	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B667803A-C47C-4daa-AE97-F7E3E9559785}	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B667803A-C47C-4daa-AE97-F7E3E9559785}\stubpath = "C:\\Windows\\{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe"	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FD4324-C8E2-4982-AF61-D610781C22FE}	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}\stubpath = "C:\\Windows\\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe"	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}\stubpath = "C:\\Windows\\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe"	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}\stubpath = "C:\\Windows\\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe"	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}	{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}\stubpath = "C:\\Windows\\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe"	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}\stubpath = "C:\\Windows\\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe"	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272433CB-8F2B-4688-9463-0699A9562BD8}	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FD4324-C8E2-4982-AF61-D610781C22FE}\stubpath = "C:\\Windows\\{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe"	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}\stubpath = "C:\\Windows\\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe"	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}\stubpath = "C:\\Windows\\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe"	{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
1436	{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe
332	{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
File created	C:\Windows\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
File created	C:\Windows\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
File created	C:\Windows\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe	{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe
File created	C:\Windows\{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
File created	C:\Windows\{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
File created	C:\Windows\{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
File created	C:\Windows\{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
File created	C:\Windows\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
File created	C:\Windows\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
File created	C:\Windows\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
File created	C:\Windows\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
Token: SeIncBasePriorityPrivilege	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
Token: SeIncBasePriorityPrivilege	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
Token: SeIncBasePriorityPrivilege	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
Token: SeIncBasePriorityPrivilege	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
Token: SeIncBasePriorityPrivilege	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
Token: SeIncBasePriorityPrivilege	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
Token: SeIncBasePriorityPrivilege	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
Token: SeIncBasePriorityPrivilege	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
Token: SeIncBasePriorityPrivilege	3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
Token: SeIncBasePriorityPrivilege	1436	{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1952	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	91
PID 4620 wrote to memory of 1952	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	91
PID 4620 wrote to memory of 1952	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	91
PID 4620 wrote to memory of 4040	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	92
PID 4620 wrote to memory of 4040	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	92
PID 4620 wrote to memory of 4040	4620	2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe	92
PID 1952 wrote to memory of 464	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	100
PID 1952 wrote to memory of 464	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	100
PID 1952 wrote to memory of 464	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	100
PID 1952 wrote to memory of 1484	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	101
PID 1952 wrote to memory of 1484	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	101
PID 1952 wrote to memory of 1484	1952	{272433CB-8F2B-4688-9463-0699A9562BD8}.exe	101
PID 464 wrote to memory of 4600	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	103
PID 464 wrote to memory of 4600	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	103
PID 464 wrote to memory of 4600	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	103
PID 464 wrote to memory of 2180	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	104
PID 464 wrote to memory of 2180	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	104
PID 464 wrote to memory of 2180	464	{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe	104
PID 4600 wrote to memory of 1380	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	106
PID 4600 wrote to memory of 1380	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	106
PID 4600 wrote to memory of 1380	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	106
PID 4600 wrote to memory of 4256	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	107
PID 4600 wrote to memory of 4256	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	107
PID 4600 wrote to memory of 4256	4600	{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe	107
PID 1380 wrote to memory of 5808	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	108
PID 1380 wrote to memory of 5808	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	108
PID 1380 wrote to memory of 5808	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	108
PID 1380 wrote to memory of 5816	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	109
PID 1380 wrote to memory of 5816	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	109
PID 1380 wrote to memory of 5816	1380	{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe	109
PID 5808 wrote to memory of 6068	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	110
PID 5808 wrote to memory of 6068	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	110
PID 5808 wrote to memory of 6068	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	110
PID 5808 wrote to memory of 1580	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	111
PID 5808 wrote to memory of 1580	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	111
PID 5808 wrote to memory of 1580	5808	{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe	111
PID 6068 wrote to memory of 6024	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	112
PID 6068 wrote to memory of 6024	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	112
PID 6068 wrote to memory of 6024	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	112
PID 6068 wrote to memory of 3924	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	113
PID 6068 wrote to memory of 3924	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	113
PID 6068 wrote to memory of 3924	6068	{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe	113
PID 6024 wrote to memory of 4768	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	114
PID 6024 wrote to memory of 4768	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	114
PID 6024 wrote to memory of 4768	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	114
PID 6024 wrote to memory of 3332	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	115
PID 6024 wrote to memory of 3332	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	115
PID 6024 wrote to memory of 3332	6024	{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe	115
PID 4768 wrote to memory of 496	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	116
PID 4768 wrote to memory of 496	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	116
PID 4768 wrote to memory of 496	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	116
PID 4768 wrote to memory of 1480	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	117
PID 4768 wrote to memory of 1480	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	117
PID 4768 wrote to memory of 1480	4768	{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe	117
PID 496 wrote to memory of 3088	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	118
PID 496 wrote to memory of 3088	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	118
PID 496 wrote to memory of 3088	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	118
PID 496 wrote to memory of 820	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	119
PID 496 wrote to memory of 820	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	119
PID 496 wrote to memory of 820	496	{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe	119
PID 3088 wrote to memory of 1436	3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe	120
PID 3088 wrote to memory of 1436	3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe	120
PID 3088 wrote to memory of 1436	3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe	120
PID 3088 wrote to memory of 5144	3088	{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_7a2f22b707a0ad0080e3bad72b251743_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
  C:\Windows\{272433CB-8F2B-4688-9463-0699A9562BD8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
    C:\Windows\{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
      C:\Windows\{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
        
        C:\Windows\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
        
        C:\Windows\{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5808
        
        C:\Windows\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
        
        C:\Windows\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6068
        
        C:\Windows\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
        
        C:\Windows\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6024
        
        C:\Windows\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
        
        C:\Windows\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
        
        C:\Windows\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
        
        C:\Windows\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe
        
        C:\Windows\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe
        
        C:\Windows\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe
        13⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFEF0~1.EXE > nul
        13⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63CFD~1.EXE > nul
        12⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EDA0~1.EXE > nul
        11⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FCBC~1.EXE > nul
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B590F~1.EXE > nul
        9⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE328~1.EXE > nul
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6FD4~1.EXE > nul
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2293F~1.EXE > nul
        6⤵
        
        PID:5816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6678~1.EXE > nul
        5⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E42AB~1.EXE > nul
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27243~1.EXE > nul
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EDA0D16-6599-47f6-AFCF-41FA878D7A05}.exe

Filesize
168KB

MD5
814d996781d3d5a18aa0b210108e32b1

SHA1
9f84d02a2c900b0837b9765b26668913124f09ed

SHA256
97530d3c366af878183039e6761e00b62b08dfa36c0efb1a60b6f5105e869da1

SHA512
a087e9d92f27f79a0a122493053f5ee61700a6067943a3dd048f50eec251391828a0cd2807a01a054610c41ea2c7e5234fe18383146701c3010b7f61f820f80d

Download Submit
C:\Windows\{2293FBC7-DDE6-4897-AB2D-A4BE8BA9EFB5}.exe

Filesize
168KB

MD5
9f6e49aa067e7aa8b0f674e90090c6b6

SHA1
ecef87937a6aded98a17a2d36ae2c99647fbb78b

SHA256
4b6c2d69e70343b936f119479158d9bb62a951faf072653b06db2146c6a2f282

SHA512
5dbfdd01de75f15ba3852e32821b31201a493530c411391fbff9b3e147f4eccbe7276c32a5035d6fa2f27d7a2abcccecb0cbb4fdeb66ad413e53cd53067e8e31

Download Submit
C:\Windows\{272433CB-8F2B-4688-9463-0699A9562BD8}.exe

Filesize
168KB

MD5
8e8315727cf6197cdb88c2efda35011c

SHA1
e736e5ff5f9f443cdfc95f32041b98df6d2dcbbe

SHA256
f4deee4128ef1a52928e3fed09bf6dd8248189335961099ba0214eea9c2a1453

SHA512
aca86c9ebb895a0c6d1b696e09912c91fce1cb799dc63170a9aabbf182761403808a184f779a5121f9db3638f91d385012c80fb331e0d4b81e657aa79e044efe

Download Submit
C:\Windows\{2FCBC9E7-5BD5-4b8a-A350-3A1986B8D783}.exe

Filesize
168KB

MD5
a5ab25732b5526fbe85d2145a8f1f27d

SHA1
abac45c86cdeffcf805d51172cb890b81792c288

SHA256
1ef55c7b1224f1496a45f7f396d9c4a5515534426323f90d28b437e6a85fb57d

SHA512
f3b7246310d7175e71e5d226b65238c48948ec519659e83e02cc9abf9a9585bb688e9a27d0d331870ae4ffc68dd2ebce17c350e812bd65b1494cb4336a8ed36f

Download Submit
C:\Windows\{63CFDBC9-B081-4250-979A-BD3673A8A6E3}.exe

Filesize
168KB

MD5
9849532db64ddbbc99301daded51e4ff

SHA1
9dc4d98b05aca3b2650d1f20afdc3ef21891287f

SHA256
8f5eb774336e3a1cd267e84a0cb911994461b8928297efdc35499237a4e89774

SHA512
e7558259e1c41cfcae434f1ddd67b17e98da83a3a06738c088392413d0d09d3e450ab2631ec52d3cce6233a17bb87584d009f5ba6c6a6c0ebcd030b36ce38e6b

Download Submit
C:\Windows\{B590FD75-15E2-4d16-8E4E-9A002DF09AA3}.exe

Filesize
168KB

MD5
3ac4455c623c5ec9606068070c9fd915

SHA1
fb766e3f1127e5d511df36541b1389b67807a211

SHA256
333c3171fe7c5dba4b80b32d9bb00398748bcc4ac345f24078dd1822335435f7

SHA512
3e6c5584a19942a2cfdde1378766cdbbd2b8cf06820dbe9f3c551ba6c64d172629448f2c8d2b722d43da04c8aeb8dffe372eeeba38af44b66800ca9e9b0b73a2

Download Submit
C:\Windows\{B667803A-C47C-4daa-AE97-F7E3E9559785}.exe

Filesize
168KB

MD5
06f6c7c8bcb2cd08da8b17b2d6ca862a

SHA1
abe82f117ecc4c26da3d4ed42be53f1eb129a5ed

SHA256
54f48f497af59f0e0b29d0e5b79495020d52067302773a148d6cf5ab3e4e2f56

SHA512
d8888e23e77f31b47ffc0eab033a8e7d61558dbcbfe2f1db24f4bbceac1d6f3d5d4c9db96706506b3f0defb712d6b8cfcb25279ca4093d8f382acae905696868

Download Submit
C:\Windows\{BCAF9816-3579-4d64-AC53-D71B94F85BD5}.exe

Filesize
168KB

MD5
38357502d02a27067042ab339d02241e

SHA1
37ff2ff8a28b2a765248e6bfc33acb1b755f6140

SHA256
9222d6eaac78db011d1f6216c66bb1984b58608c1b183e2d3d702cf0382c0ff7

SHA512
af6cd22f4480ba45475a9923736760fa126dd6077ac2017ea19de50c3f3c4ae8a537820daf12a73cff0d5e940d621fbf79bdd0bdb6225b2b7e02b3e76c4d608c

Download Submit
C:\Windows\{E42AB136-A067-40e9-82E5-8F915E38A41F}.exe

Filesize
168KB

MD5
b60a2b27a860b1c3aa26bb7403283421

SHA1
9083c6223823e86a8ad4c49e83d47b6f03b5148f

SHA256
1bcde6bf09bf282a42e7b8474158f82f619c051f296b4ef34490969cfd66a9c9

SHA512
57ecde91a3373a94f6bcb433d33ecdf3355190552fddc22b8b4e4c7b21472adccb7c9af0d4641f0a69d51c6d5838e0f8ce7ae10cd15a2b7d3318be048745fdcc

Download Submit
C:\Windows\{EE32860C-ED10-48ae-8241-14FEB66FCEA1}.exe

Filesize
168KB

MD5
a16f837dbfb0270208065077eedc93c5

SHA1
878c1e8709bd47917683ca7bcb586b53256f587a

SHA256
32e30e3d32a93d5ee541991c0f12aaf3b393c0f3ef2be20925d26bcae0826f8b

SHA512
923393ccd2f386288d930a6dfb6ef0a9e9324a4de8f96393cac656b93ea42aff42b1e938d4087eb5ff64154c690b478731ff34965e26c03bef5a84b12a010fc4

Download Submit
C:\Windows\{EFEF00AD-49F3-4236-A11D-58A87A0D7A8C}.exe

Filesize
168KB

MD5
2836c22e1b2958586b84be63f3f1a3e0

SHA1
9340587b9e9ccb7733efd21a5828156aff5be156

SHA256
4c622b5c30fde43f1ad6e8cd399555210be6bcf3833ef42debbe8fae965fc7a2

SHA512
d3d184235d705589677b0bd8f40296d785374075a8ea30c932e17d9bbbe66e30d8b13211157b7a756a654eb3b2512b1b46f416609ab3f147949a5bbddd10b269

Download Submit
C:\Windows\{F6FD4324-C8E2-4982-AF61-D610781C22FE}.exe

Filesize
168KB

MD5
4ddab71e34ff35b7df9cd42ca2ed8de5

SHA1
e66153b18388a4043dddf7b04c068d7fbd911d2a

SHA256
c8d2dc44523839994334fb0644e9c443761dced2359ceae5cda12dae8c8dfe54

SHA512
7d5b27d651ca854dd6c2f010e4c630ba5ac3c28fabec79b5b2d8766a907c3a93caf48b7077b7e9a739953add33be8deb60ea41a80ea08036ce8b71de84e65b7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads