fd29f61518d33f730371b1b1a56e2fb0fe931dbe5d3b1f2e7230361618539a33

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Size

204KB
MD5

9106f3fccf758489a1da37662b2cafd9
SHA1

56f5d45802dd4ffa1fbda16989873c0c4315a7aa
SHA256

fd29f61518d33f730371b1b1a56e2fb0fe931dbe5d3b1f2e7230361618539a33
SHA512

4cf61f30705a674ed056beb7493a5d9a636b68756a8d3a478752f3d0d8320cb06826eff26e263b848de979d6e2d811f476a7497c957ab3f0143c284ae5783e2e
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ovl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023251-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023251-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}\stubpath = "C:\\Windows\\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe"	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD92389-7F86-4543-93F6-132ED86B6570}\stubpath = "C:\\Windows\\{4AD92389-7F86-4543-93F6-132ED86B6570}.exe"	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73159C60-1C64-4da0-B043-F3C7B808DE67}	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB39F070-3CCF-4f69-A965-E8181E557B3D}	{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}\stubpath = "C:\\Windows\\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe"	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F2E242-0350-455a-98F9-167CD6A7DBF1}	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95F2E242-0350-455a-98F9-167CD6A7DBF1}\stubpath = "C:\\Windows\\{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe"	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E1F445-580E-49b1-88D0-D938D63CE52E}	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}\stubpath = "C:\\Windows\\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe"	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}\stubpath = "C:\\Windows\\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe"	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}\stubpath = "C:\\Windows\\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe"	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}\stubpath = "C:\\Windows\\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe"	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AD92389-7F86-4543-93F6-132ED86B6570}	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06E1F445-580E-49b1-88D0-D938D63CE52E}\stubpath = "C:\\Windows\\{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe"	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}\stubpath = "C:\\Windows\\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe"	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73159C60-1C64-4da0-B043-F3C7B808DE67}\stubpath = "C:\\Windows\\{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe"	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB39F070-3CCF-4f69-A965-E8181E557B3D}\stubpath = "C:\\Windows\\{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe"	{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe

Executes dropped EXE 12 IoCs

pid	Process
3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
2232	{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe
4916	{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
File created	C:\Windows\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
File created	C:\Windows\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
File created	C:\Windows\{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe	{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe
File created	C:\Windows\{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
File created	C:\Windows\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
File created	C:\Windows\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
File created	C:\Windows\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
File created	C:\Windows\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
File created	C:\Windows\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
File created	C:\Windows\{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
File created	C:\Windows\{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
Token: SeIncBasePriorityPrivilege	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
Token: SeIncBasePriorityPrivilege	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
Token: SeIncBasePriorityPrivilege	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
Token: SeIncBasePriorityPrivilege	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
Token: SeIncBasePriorityPrivilege	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
Token: SeIncBasePriorityPrivilege	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
Token: SeIncBasePriorityPrivilege	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
Token: SeIncBasePriorityPrivilege	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
Token: SeIncBasePriorityPrivilege	4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
Token: SeIncBasePriorityPrivilege	2232	{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3204	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	90
PID 1836 wrote to memory of 3204	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	90
PID 1836 wrote to memory of 3204	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	90
PID 1836 wrote to memory of 868	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	91
PID 1836 wrote to memory of 868	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	91
PID 1836 wrote to memory of 868	1836	2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe	91
PID 3204 wrote to memory of 4484	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	99
PID 3204 wrote to memory of 4484	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	99
PID 3204 wrote to memory of 4484	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	99
PID 3204 wrote to memory of 2152	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	100
PID 3204 wrote to memory of 2152	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	100
PID 3204 wrote to memory of 2152	3204	{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe	100
PID 4484 wrote to memory of 4572	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	102
PID 4484 wrote to memory of 4572	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	102
PID 4484 wrote to memory of 4572	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	102
PID 4484 wrote to memory of 4876	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	103
PID 4484 wrote to memory of 4876	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	103
PID 4484 wrote to memory of 4876	4484	{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe	103
PID 4572 wrote to memory of 4128	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	105
PID 4572 wrote to memory of 4128	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	105
PID 4572 wrote to memory of 4128	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	105
PID 4572 wrote to memory of 1120	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	106
PID 4572 wrote to memory of 1120	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	106
PID 4572 wrote to memory of 1120	4572	{4AD92389-7F86-4543-93F6-132ED86B6570}.exe	106
PID 4128 wrote to memory of 3192	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	107
PID 4128 wrote to memory of 3192	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	107
PID 4128 wrote to memory of 3192	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	107
PID 4128 wrote to memory of 1132	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	108
PID 4128 wrote to memory of 1132	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	108
PID 4128 wrote to memory of 1132	4128	{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe	108
PID 3192 wrote to memory of 4236	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	109
PID 3192 wrote to memory of 4236	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	109
PID 3192 wrote to memory of 4236	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	109
PID 3192 wrote to memory of 2460	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	110
PID 3192 wrote to memory of 2460	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	110
PID 3192 wrote to memory of 2460	3192	{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe	110
PID 4236 wrote to memory of 4316	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	111
PID 4236 wrote to memory of 4316	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	111
PID 4236 wrote to memory of 4316	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	111
PID 4236 wrote to memory of 3948	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	112
PID 4236 wrote to memory of 3948	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	112
PID 4236 wrote to memory of 3948	4236	{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe	112
PID 4316 wrote to memory of 2104	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	113
PID 4316 wrote to memory of 2104	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	113
PID 4316 wrote to memory of 2104	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	113
PID 4316 wrote to memory of 384	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	114
PID 4316 wrote to memory of 384	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	114
PID 4316 wrote to memory of 384	4316	{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe	114
PID 2104 wrote to memory of 3704	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	115
PID 2104 wrote to memory of 3704	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	115
PID 2104 wrote to memory of 3704	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	115
PID 2104 wrote to memory of 1276	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	116
PID 2104 wrote to memory of 1276	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	116
PID 2104 wrote to memory of 1276	2104	{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe	116
PID 3704 wrote to memory of 4876	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	117
PID 3704 wrote to memory of 4876	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	117
PID 3704 wrote to memory of 4876	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	117
PID 3704 wrote to memory of 4736	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	118
PID 3704 wrote to memory of 4736	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	118
PID 3704 wrote to memory of 4736	3704	{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe	118
PID 4876 wrote to memory of 2232	4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe	119
PID 4876 wrote to memory of 2232	4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe	119
PID 4876 wrote to memory of 2232	4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe	119
PID 4876 wrote to memory of 2976	4876	{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_9106f3fccf758489a1da37662b2cafd9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
  C:\Windows\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
    C:\Windows\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
      C:\Windows\{4AD92389-7F86-4543-93F6-132ED86B6570}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
        
        C:\Windows\{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - C:\Windows\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
        
        C:\Windows\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
        
        C:\Windows\{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
        
        C:\Windows\{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
        
        C:\Windows\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
        
        C:\Windows\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
        
        C:\Windows\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe
        
        C:\Windows\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe
        
        C:\Windows\{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0DA4~1.EXE > nul
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D6BA~1.EXE > nul
        12⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD071~1.EXE > nul
        11⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EF3E~1.EXE > nul
        10⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06E1F~1.EXE > nul
        9⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95F2E~1.EXE > nul
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70D01~1.EXE > nul
        7⤵
        
        PID:2460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73159~1.EXE > nul
        6⤵
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD92~1.EXE > nul
        5⤵
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2008B~1.EXE > nul
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C1CC~1.EXE > nul
    3⤵
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06E1F445-580E-49b1-88D0-D938D63CE52E}.exe

Filesize
204KB

MD5
202351c5177827c3d755357ca686cd0b

SHA1
36cffd464db2c522becd0920fba4431dbda84240

SHA256
effe0ef5616624e69e86f6cd2c72b6fcfb765abda0d4ba7dc075b0bfceac2773

SHA512
c5b6d71014ffaafe5525355692051ba9ed06dce20493fe7bf91da9814d662c5247dcbc8a9be1e362e740a7b10341a1af434406afeb902c108dca394dd3834f33

Download Submit
C:\Windows\{2008B0AA-632D-48d7-81F7-D232BAFFAAE6}.exe

Filesize
204KB

MD5
a90799838c3b941d9f07960dacdc89a6

SHA1
8c840d8dfb914078afb888088f438b82a26ab192

SHA256
8dfb9c3f99a2fce3b81b6821ca5dd31562e8e7b3d1bee2864974068f5649fb08

SHA512
6b302c37a5aa88cb6b557fa73ca8e5aeaa3d6d1cf7c8bbebb5fc715ff6ca549f9ad0e6af49a9dc00bfd95015f41ae766459b8a4b15a8a7b4f7cde50a22f7a149

Download Submit
C:\Windows\{2C1CC406-FD72-46bf-835C-6D9E730C8B9A}.exe

Filesize
204KB

MD5
4b1cdc3b7196fc07d772661f32b3c5c1

SHA1
405931a43967df3e73ec2309159d3e29aa4a74b1

SHA256
bcfb03cb852b3e1ebb469964e36bfb2dc51ee7bd8b137056857b948836402a71

SHA512
734d7463607403d488f5760a231de4030b2b78485dae6e2e2990f86d55a666663fe5b94c9eff3f61276b3686ce00928c004715c00d53a3662617df6ec5edbd75

Download Submit
C:\Windows\{4AD92389-7F86-4543-93F6-132ED86B6570}.exe

Filesize
204KB

MD5
23633e461e210ad0e63bc9fa70a26ca3

SHA1
5b373a5ec75982db3a307682ed4727eaa50dc85e

SHA256
1fdab6186dc51cc88771d05f8c1560bc67e371e2f1bff4719cfb1435c4941f90

SHA512
a219e9b7ed44ba10a26de846a172e5de85a2705f2964570e36f8472c8f49ffeff7de29ac6c8750d24eedb3b310980c928920d49240422829375592b96793f421

Download Submit
C:\Windows\{4D6BA80A-7718-49db-86BF-D0DFC35F3C0D}.exe

Filesize
204KB

MD5
03dfd402dca8f7790d6a6361f39e055d

SHA1
0655a089f3e6b1059fa81120668a41d0661123eb

SHA256
f76fcb6c6f1b567cee682131ac230e77fd7ada2c6524f1e2116d078e47117f63

SHA512
19acd5c97b142e24e59ab81cf54fa85aa714bbbab2faf703c9a6c520081b069438539ee0f08f2e8f620dbe31dd0ff93461c55bf9539f078a2b8ba4552bbcdee7

Download Submit
C:\Windows\{4EF3EBBC-4623-462d-88F9-2D691AE4BC31}.exe

Filesize
204KB

MD5
2755a52d4077d2c56f0e1f9c10910c23

SHA1
1d2f57cdfbdea2dd829f8c0cde46792cfdfcb70e

SHA256
badbaa81bb441685d5348e00ffcb23748376efa3d3fec7bdaae6341cdc834cb3

SHA512
4c025405fa38d73901da44ae733c020550a9758d3d1367015dc9dd253711302ca6493e8115afb237ef9bc09ca74ad3b015668fb3773908f7ed2f57604314eac1

Download Submit
C:\Windows\{70D01591-3D0C-427f-BFD9-CB6B9F1640D5}.exe

Filesize
204KB

MD5
42fee232ce64e97251eedd9839e8bd7b

SHA1
db456047b7fd74acc8f97201ec2695c51318769d

SHA256
94b2908168abcaddc0b27ce2da4a241a666b916ef0415a85070e504a03b1e5a0

SHA512
b8930013304710240d12802e324bc30806d038eba6041693ff238851803551cb53e6a9a475a5b9fa5c3729492c9d19881bb7d13aa59bb252680e0eb9ed42689d

Download Submit
C:\Windows\{73159C60-1C64-4da0-B043-F3C7B808DE67}.exe

Filesize
204KB

MD5
86fb3c1b8e70ce6ce726f91c036f6ce9

SHA1
e06fbee936b5dce8e429e3fa7e209b4778f91c93

SHA256
5417359b46379f58aace8ee68749b2ce111c93f875c3613c48771ea7a75132a4

SHA512
967a09b49ca14b9be253c15309308df969e5071573076a95956eda6a5f737f5f77fc204611abeb3f56b63a78519a33e1bfdff274d1e9b9b1af9d8cefb3d8581d

Download Submit
C:\Windows\{95F2E242-0350-455a-98F9-167CD6A7DBF1}.exe

Filesize
204KB

MD5
b927de78ed77df595e2f888e70f31396

SHA1
d3ea0d2656d0e0c1fbb33911af5b1a15f535f9f6

SHA256
e6488840806460aabafe0573dbf8e24408907873f3cbeee54d77f9d6466ad9ef

SHA512
64bca04cd6ae844a81989b4b371c305c8da3915a661f9c437692762ef319d602b963772f052ffd13407cdb43573d22420758cb951879cbe7c3201873dcb938db

Download Submit
C:\Windows\{A0DA4A8C-CD33-4faf-8129-8A0AEB71F372}.exe

Filesize
204KB

MD5
d3654e42419548de7f554a70e18e331b

SHA1
ddf8de0d122485a96c96b4f96d5b38cb540e7fab

SHA256
bf5e3f6779ea34491a00cff21fce8028d7e18c07b31a96f72f4537b917881601

SHA512
ff844846e465c3a1232c17eebaa5f2a869286adda9c8f70e2dbed5b2dd5a4f531e6c936b28318edcd8563420814e9d006d2776bc56f6bce74bc7a38bd91cdb00

Download Submit
C:\Windows\{AB39F070-3CCF-4f69-A965-E8181E557B3D}.exe

Filesize
204KB

MD5
6e0951f3f12405b0554fb157948bd39e

SHA1
ca283a319ab55ab54ea91a8d14a2b7b0af3584b6

SHA256
d9d5e7c5b4c08e14f82edbe5982f11e88681a9fff7a0e82ddc1bd1d0e5188810

SHA512
b27e3b8a30621891d641923a31021194ea63b8bb357850774f690cf119f5f2d4fead2df2865a72cb27816434e1cc745834e8cc25bf53c8b03a4a09e9b06a04f9

Download Submit
C:\Windows\{CD0714E0-E4E7-436c-B17E-E7B3256EB55B}.exe

Filesize
204KB

MD5
7eb4a22a17b6e9a576aa6aa2db1029a7

SHA1
35edf23948c78cc1f3a621157807f48c7791bf48

SHA256
1f50d6ff9ffd31fd8c1c7c2177a28b69c305c922540fdb79fd5241baf341c360

SHA512
2dd4805ad2d313a581cc1470a4ae893f51d4c9e9ed73db5b509080a4611f55d5d8ebadf5245108b649518946e7706fc9220dc1eeb9b41b42feca8831bbf8c46e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads