35c1b5c61834cc7643eab716bba0bd624b88db114309bc6f1ebba84b4e389119

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
Size

204KB
MD5

9bae1aa5e8e5bc1e88cad11342f4d200
SHA1

257d3cedee19d7eb1e79308d61111d90ca5c9156
SHA256

35c1b5c61834cc7643eab716bba0bd624b88db114309bc6f1ebba84b4e389119
SHA512

6df5ea320c5039c88f60abfe30dd3da3c3c0641eb602f62301c9eadbe28cb72387a1a55ec858bb2ee45404ffb85307a252e0b35c8f7f3f192c8fc9c90224b9a3
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oXl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023253-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002325d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023263-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002325d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023263-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000026-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69176807-25DA-49b0-A711-CAA9CDBF911A}\stubpath = "C:\\Windows\\{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe"	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20299FD8-4A25-481d-9297-DCE72D1EB700}	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBE8B0A0-1615-4a38-9290-A351D372577F}	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}\stubpath = "C:\\Windows\\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe"	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}\stubpath = "C:\\Windows\\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe"	{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900253DD-AABA-4ca6-84FF-562CEA569A5F}\stubpath = "C:\\Windows\\{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe"	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}\stubpath = "C:\\Windows\\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe"	{1AF00860-2262-4375-8713-67E18473060B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}\stubpath = "C:\\Windows\\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe"	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}\stubpath = "C:\\Windows\\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe"	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}	{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69176807-25DA-49b0-A711-CAA9CDBF911A}	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}\stubpath = "C:\\Windows\\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe"	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{900253DD-AABA-4ca6-84FF-562CEA569A5F}	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}\stubpath = "C:\\Windows\\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe"	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBE8B0A0-1615-4a38-9290-A351D372577F}\stubpath = "C:\\Windows\\{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe"	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF00860-2262-4375-8713-67E18473060B}	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF00860-2262-4375-8713-67E18473060B}\stubpath = "C:\\Windows\\{1AF00860-2262-4375-8713-67E18473060B}.exe"	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}	{1AF00860-2262-4375-8713-67E18473060B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20299FD8-4A25-481d-9297-DCE72D1EB700}\stubpath = "C:\\Windows\\{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe"	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe

Executes dropped EXE 12 IoCs

pid	Process
620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
4804	{1AF00860-2262-4375-8713-67E18473060B}.exe
4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
3520	{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe
2132	{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
File created	C:\Windows\{1AF00860-2262-4375-8713-67E18473060B}.exe	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
File created	C:\Windows\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	{1AF00860-2262-4375-8713-67E18473060B}.exe
File created	C:\Windows\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
File created	C:\Windows\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
File created	C:\Windows\{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
File created	C:\Windows\{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
File created	C:\Windows\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
File created	C:\Windows\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
File created	C:\Windows\{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
File created	C:\Windows\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
File created	C:\Windows\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe	{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
Token: SeIncBasePriorityPrivilege	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
Token: SeIncBasePriorityPrivilege	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
Token: SeIncBasePriorityPrivilege	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
Token: SeIncBasePriorityPrivilege	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
Token: SeIncBasePriorityPrivilege	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
Token: SeIncBasePriorityPrivilege	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
Token: SeIncBasePriorityPrivilege	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe
Token: SeIncBasePriorityPrivilege	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
Token: SeIncBasePriorityPrivilege	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
Token: SeIncBasePriorityPrivilege	4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
Token: SeIncBasePriorityPrivilege	3520	{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 620	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	96
PID 332 wrote to memory of 620	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	96
PID 332 wrote to memory of 620	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	96
PID 332 wrote to memory of 4780	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	97
PID 332 wrote to memory of 4780	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	97
PID 332 wrote to memory of 4780	332	2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe	97
PID 620 wrote to memory of 4592	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	101
PID 620 wrote to memory of 4592	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	101
PID 620 wrote to memory of 4592	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	101
PID 620 wrote to memory of 1408	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	102
PID 620 wrote to memory of 1408	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	102
PID 620 wrote to memory of 1408	620	{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe	102
PID 4592 wrote to memory of 2484	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	104
PID 4592 wrote to memory of 2484	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	104
PID 4592 wrote to memory of 2484	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	104
PID 4592 wrote to memory of 4404	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	105
PID 4592 wrote to memory of 4404	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	105
PID 4592 wrote to memory of 4404	4592	{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe	105
PID 2484 wrote to memory of 1100	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	107
PID 2484 wrote to memory of 1100	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	107
PID 2484 wrote to memory of 1100	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	107
PID 2484 wrote to memory of 4196	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	108
PID 2484 wrote to memory of 4196	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	108
PID 2484 wrote to memory of 4196	2484	{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe	108
PID 1100 wrote to memory of 2784	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	109
PID 1100 wrote to memory of 2784	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	109
PID 1100 wrote to memory of 2784	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	109
PID 1100 wrote to memory of 4852	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	110
PID 1100 wrote to memory of 4852	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	110
PID 1100 wrote to memory of 4852	1100	{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe	110
PID 2784 wrote to memory of 3544	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	111
PID 2784 wrote to memory of 3544	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	111
PID 2784 wrote to memory of 3544	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	111
PID 2784 wrote to memory of 3808	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	112
PID 2784 wrote to memory of 3808	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	112
PID 2784 wrote to memory of 3808	2784	{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe	112
PID 3544 wrote to memory of 4804	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	113
PID 3544 wrote to memory of 4804	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	113
PID 3544 wrote to memory of 4804	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	113
PID 3544 wrote to memory of 4528	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	114
PID 3544 wrote to memory of 4528	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	114
PID 3544 wrote to memory of 4528	3544	{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe	114
PID 4804 wrote to memory of 4956	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	115
PID 4804 wrote to memory of 4956	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	115
PID 4804 wrote to memory of 4956	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	115
PID 4804 wrote to memory of 4248	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	116
PID 4804 wrote to memory of 4248	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	116
PID 4804 wrote to memory of 4248	4804	{1AF00860-2262-4375-8713-67E18473060B}.exe	116
PID 4956 wrote to memory of 3508	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	117
PID 4956 wrote to memory of 3508	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	117
PID 4956 wrote to memory of 3508	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	117
PID 4956 wrote to memory of 4892	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	118
PID 4956 wrote to memory of 4892	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	118
PID 4956 wrote to memory of 4892	4956	{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe	118
PID 3508 wrote to memory of 4612	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	119
PID 3508 wrote to memory of 4612	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	119
PID 3508 wrote to memory of 4612	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	119
PID 3508 wrote to memory of 3656	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	120
PID 3508 wrote to memory of 3656	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	120
PID 3508 wrote to memory of 3656	3508	{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe	120
PID 4612 wrote to memory of 3520	4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe	121
PID 4612 wrote to memory of 3520	4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe	121
PID 4612 wrote to memory of 3520	4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe	121
PID 4612 wrote to memory of 3792	4612	{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_9bae1aa5e8e5bc1e88cad11342f4d200_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
  C:\Windows\{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
    C:\Windows\{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
      C:\Windows\{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
        
        C:\Windows\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
        
        C:\Windows\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
        
        C:\Windows\{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{1AF00860-2262-4375-8713-67E18473060B}.exe
        
        C:\Windows\{1AF00860-2262-4375-8713-67E18473060B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
        
        C:\Windows\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
        
        C:\Windows\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
        
        C:\Windows\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe
        
        C:\Windows\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe
        
        C:\Windows\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FC2~1.EXE > nul
        13⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39870~1.EXE > nul
        12⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FF14~1.EXE > nul
        11⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{257EC~1.EXE > nul
        10⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AF00~1.EXE > nul
        9⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBE8B~1.EXE > nul
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A9B~1.EXE > nul
        7⤵
        
        PID:3808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4FB2~1.EXE > nul
        6⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20299~1.EXE > nul
        5⤵
        
        PID:4196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{69176~1.EXE > nul
      4⤵
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90025~1.EXE > nul
    3⤵
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AF00860-2262-4375-8713-67E18473060B}.exe

Filesize
204KB

MD5
4129ed463318808bed2e8062c622179d

SHA1
de6ae2f8bcd58c0ec3e715a67f1369363386c39e

SHA256
b9aff4cf05dd7eea75a45e27edfde8029dcd1a47849579f413f2a0f558eb32c6

SHA512
9582488f5aafc8b51b74ee00a18cf3dc51454e29633fd30773e4cfc353e95b78d59705aebc2cfba6fca96ef2c82773638eacebf12241a8cf4fad1eb134a93fad

Download Submit
C:\Windows\{20299FD8-4A25-481d-9297-DCE72D1EB700}.exe

Filesize
204KB

MD5
db51b03c22f8a0a882de31e86f44c01b

SHA1
9deb336e24f55c4a7d7eacfc8bae4113f6255181

SHA256
c1aa87072bd8ef1ed81f0379041eca98169f70f562e42d19079fab0715f29bf9

SHA512
c5493447c3167ba9652011c3c55819275c41cabacc5ac0acdb562b9bb7db5c24e3519fcb35dc0b1888eabdf9c43a2faf64d3a18ffc706d73162cdabb41652118

Download Submit
C:\Windows\{257EC3AC-3F24-4d89-9CF3-074A99A0F772}.exe

Filesize
204KB

MD5
5f9bb4b65b075fe6f2afbda179ed9c27

SHA1
8eb01bb86eaa5c5eaf13653fed0de7e77ddd0d3c

SHA256
9e48d59d82ed9434b1d35c0ed2474a3d84d1252640efe4b80de84d47f169ca5c

SHA512
b854adcc54cd62c0f10672d40887df172a716579daab2bd06d1258d08433115aaaa5a1bc58e678e2d43449f64e412b1f41abc696ff1d9f49ed74b6c98f05ffe5

Download Submit
C:\Windows\{2FF148AD-8677-48fe-8B8A-EEBED0C38ECB}.exe

Filesize
204KB

MD5
27da36e7c09cc9e7484e8c3873cc3dcc

SHA1
38b079dc04c0220b2cd7821b3d3858527bef5390

SHA256
a7bee2b7500e6656f5b5eda6c4ebf1d05a46435627298e7e446b3f8f9aff4b21

SHA512
970d45be23367862612aa93653fb26e63f203c1b3923316368552a2abfa19766c992b8fbdea73f3befafc4c374d4922c7cea16650448e4429438b7130f4e06ac

Download Submit
C:\Windows\{39870E94-9C1E-4408-AE2A-0869C11D5BA3}.exe

Filesize
204KB

MD5
6bea174a02cd3a9f23209beea702de05

SHA1
d2d2f12f6a7b7e53877d2fa93d1160c1e42a86dc

SHA256
098a0174089739cdb50279ed9d20cc94327a3c276559453d994eda919231bd22

SHA512
852dae0a6ea740e6e82f5b4bb29f868abb8fdc4d7ad0965b463522d5b00cac3e70e7bd0a1ff22266f9a1c3b7866c47fe9b878aa898930484d7d829f0d59bb82f

Download Submit
C:\Windows\{69176807-25DA-49b0-A711-CAA9CDBF911A}.exe

Filesize
204KB

MD5
d08aabca509e2c7eae1bd1a43d83e451

SHA1
e0468a11b5dbbf44efe10dee1e899775d3855ac3

SHA256
6c76c7bb478e9947e1d3317614b7d99b34b7652f8666fe44eb16134d6e2e5e26

SHA512
908470c890836426906065df1332dc65f4392b18cec08007d06f00442e4205e22f4a043539a42cc9666e1cccfc3f9b9eef42c1668c82588547cabdbb4c4c898b

Download Submit
C:\Windows\{72A9B82B-EA8B-44ef-8F15-D867D2A52F3F}.exe

Filesize
204KB

MD5
65cac21633c5d58594e668f590f8be92

SHA1
079c0db07e7513dad9a0387fcf5b756ffaabe0bd

SHA256
7010e11860d5fc9b4d5111f18febd765a43485923ee0c99cde00be19a42c29ef

SHA512
6882d991ee923a7e7a5663edb588ea646f0023696fc8a79badc7832f578c8b9b7d25a76c0752ecf3026569771cca0f759c1909bb629b414e98d93280b9b8c20d

Download Submit
C:\Windows\{900253DD-AABA-4ca6-84FF-562CEA569A5F}.exe

Filesize
204KB

MD5
adc152f5be97b4279aa2ea38b60695e9

SHA1
1ebcde8c72a43cbb25a5f415d87ecbf207e660fb

SHA256
f95e25cfd67064089d29cacf2c6b8456c971f03a1eb7a5ac57e81125bd3f1975

SHA512
06bccdaed67576c2ae41b66fb6c07a8ac2933b0647ddb44fc6bffbda1f3500bbbc72ead4f99c8d03afe977fd720ac166c5e115858935e2ca14f8d71fecb220a7

Download Submit
C:\Windows\{A4FB20F4-AEE7-451d-B28A-DCB2C145BB9E}.exe

Filesize
204KB

MD5
04619dd20801175b196f101ffe7826b4

SHA1
86aa1c282a7d1ee942336ae5c2a9f687b7e0b604

SHA256
d415fb86a225d55d9e8c16a243e666ac9263f36891cdefb0f22c990658e91da1

SHA512
4701dc2189e78ef6fbb343747a7ff9f36834074c5f0745a1967e8ba7247e10b88b7411693657395a1b2968e5b4cbde309a2b73cc5783b0263d0231d43519e113

Download Submit
C:\Windows\{AED9FB35-F3F8-4245-9D65-112CCF1DF31B}.exe

Filesize
204KB

MD5
f2edfd0c3fe7a22a35786eb602c9896c

SHA1
f48e7015e431889dd5e721e3411d6e03793fc904

SHA256
3961a37665730d12f7388dbdcebc0929eca669deb2c3449f6cd1ead5c4086f65

SHA512
d9618f55e71075320d8e88f8de7ea7325a55af07f14e53b21e221b5c1b9501dac75ab908a790458786f0b30aa6253dc64b23387a83140c843e7586123c70a837

Download Submit
C:\Windows\{BBE8B0A0-1615-4a38-9290-A351D372577F}.exe

Filesize
204KB

MD5
4e2f9ed9c65be280bd6b720ce16d4964

SHA1
68e2d6b893097db4971dee6b2488a94791ca1ea5

SHA256
c79a304cb4164b2f20b201ad9c53d148b853e1b0f4d408468dc896242e88a1e5

SHA512
8cb967392dcc7ae95b2bc927d4b5bf9978b288f43591fb214765db281e6523908d1c8865a38fd5ed6bd549d069b4a99d9c7acbc84e3278f7e4cf3c0eb8cf6774

Download Submit
C:\Windows\{C1FC2B05-CD74-4c90-8157-BD1925F32F28}.exe

Filesize
204KB

MD5
80536f96e523bbab5e58deebe4c6a031

SHA1
fb68a46873f7c2b81fbec94c4bbf0fdc888eba15

SHA256
612684cf608287474eb7c320cea96f6d4434a1c0cfe7ba6314307636e89a0997

SHA512
5169a362223f106871e4203686a426beee17585c47d9a7cb65c491c938c37b1e7d4bd8b5c7d308722e08e2db79d747062d3369269ed9926373702eefc325f14b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads