cec2be1e18e0985e7aeff55b7f893e7ca079bdc65cf6dd2d0a206f2c255ffac0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Size

197KB
MD5

ef4e0a15e9f824ace1e60de38c6d705d
SHA1

61455e4d67b350fe51efda84725b96e7e784b0fc
SHA256

cec2be1e18e0985e7aeff55b7f893e7ca079bdc65cf6dd2d0a206f2c255ffac0
SHA512

cde0b37012dc091829eadd467e2959b8c2d705d1a9c92eeab868450d00eeaf9bb9be771c0cf9a9e82fe79ef1c57e5c7d536db1b63aad1e2d65d63c267c00d488
SSDEEP

3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGjlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023259-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023261-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023269-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023261-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000733-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}\stubpath = "C:\\Windows\\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe"	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183673F6-97D6-4668-B194-CE2C34604F1E}	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C4CE6B-618C-41b2-A545-AC980932D9B8}	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E8267F-314E-40b5-8277-5359B2DF2368}	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}	{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}\stubpath = "C:\\Windows\\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe"	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E8267F-314E-40b5-8277-5359B2DF2368}\stubpath = "C:\\Windows\\{19E8267F-314E-40b5-8277-5359B2DF2368}.exe"	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}\stubpath = "C:\\Windows\\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe"	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}\stubpath = "C:\\Windows\\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe"	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}\stubpath = "C:\\Windows\\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe"	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B22D849-4319-47e3-B259-2C4B4C4386B6}	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B22D849-4319-47e3-B259-2C4B4C4386B6}\stubpath = "C:\\Windows\\{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe"	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}\stubpath = "C:\\Windows\\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe"	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183673F6-97D6-4668-B194-CE2C34604F1E}\stubpath = "C:\\Windows\\{183673F6-97D6-4668-B194-CE2C34604F1E}.exe"	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C4CE6B-618C-41b2-A545-AC980932D9B8}\stubpath = "C:\\Windows\\{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe"	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}\stubpath = "C:\\Windows\\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe"	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}\stubpath = "C:\\Windows\\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe"	{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
1060	{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe
3080	{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
File created	C:\Windows\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
File created	C:\Windows\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
File created	C:\Windows\{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
File created	C:\Windows\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
File created	C:\Windows\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe	{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe
File created	C:\Windows\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
File created	C:\Windows\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
File created	C:\Windows\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
File created	C:\Windows\{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
File created	C:\Windows\{19E8267F-314E-40b5-8277-5359B2DF2368}.exe	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
File created	C:\Windows\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
Token: SeIncBasePriorityPrivilege	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
Token: SeIncBasePriorityPrivilege	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
Token: SeIncBasePriorityPrivilege	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
Token: SeIncBasePriorityPrivilege	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
Token: SeIncBasePriorityPrivilege	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
Token: SeIncBasePriorityPrivilege	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
Token: SeIncBasePriorityPrivilege	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
Token: SeIncBasePriorityPrivilege	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
Token: SeIncBasePriorityPrivilege	464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
Token: SeIncBasePriorityPrivilege	1060	{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 3548	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	91
PID 4580 wrote to memory of 3548	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	91
PID 4580 wrote to memory of 3548	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	91
PID 4580 wrote to memory of 1484	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	92
PID 4580 wrote to memory of 1484	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	92
PID 4580 wrote to memory of 1484	4580	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	92
PID 3548 wrote to memory of 2116	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	93
PID 3548 wrote to memory of 2116	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	93
PID 3548 wrote to memory of 2116	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	93
PID 3548 wrote to memory of 2524	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	94
PID 3548 wrote to memory of 2524	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	94
PID 3548 wrote to memory of 2524	3548	{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe	94
PID 2116 wrote to memory of 4512	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	103
PID 2116 wrote to memory of 4512	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	103
PID 2116 wrote to memory of 4512	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	103
PID 2116 wrote to memory of 4916	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	104
PID 2116 wrote to memory of 4916	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	104
PID 2116 wrote to memory of 4916	2116	{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe	104
PID 4512 wrote to memory of 1212	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	106
PID 4512 wrote to memory of 1212	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	106
PID 4512 wrote to memory of 1212	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	106
PID 4512 wrote to memory of 2404	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	107
PID 4512 wrote to memory of 2404	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	107
PID 4512 wrote to memory of 2404	4512	{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe	107
PID 1212 wrote to memory of 1288	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	108
PID 1212 wrote to memory of 1288	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	108
PID 1212 wrote to memory of 1288	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	108
PID 1212 wrote to memory of 2032	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	109
PID 1212 wrote to memory of 2032	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	109
PID 1212 wrote to memory of 2032	1212	{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe	109
PID 1288 wrote to memory of 1568	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	110
PID 1288 wrote to memory of 1568	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	110
PID 1288 wrote to memory of 1568	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	110
PID 1288 wrote to memory of 4524	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	111
PID 1288 wrote to memory of 4524	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	111
PID 1288 wrote to memory of 4524	1288	{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe	111
PID 1568 wrote to memory of 2120	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	112
PID 1568 wrote to memory of 2120	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	112
PID 1568 wrote to memory of 2120	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	112
PID 1568 wrote to memory of 224	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	113
PID 1568 wrote to memory of 224	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	113
PID 1568 wrote to memory of 224	1568	{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe	113
PID 2120 wrote to memory of 940	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	114
PID 2120 wrote to memory of 940	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	114
PID 2120 wrote to memory of 940	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	114
PID 2120 wrote to memory of 4652	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	115
PID 2120 wrote to memory of 4652	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	115
PID 2120 wrote to memory of 4652	2120	{183673F6-97D6-4668-B194-CE2C34604F1E}.exe	115
PID 940 wrote to memory of 2524	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	116
PID 940 wrote to memory of 2524	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	116
PID 940 wrote to memory of 2524	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	116
PID 940 wrote to memory of 3548	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	117
PID 940 wrote to memory of 3548	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	117
PID 940 wrote to memory of 3548	940	{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe	117
PID 2524 wrote to memory of 464	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	118
PID 2524 wrote to memory of 464	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	118
PID 2524 wrote to memory of 464	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	118
PID 2524 wrote to memory of 2056	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	119
PID 2524 wrote to memory of 2056	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	119
PID 2524 wrote to memory of 2056	2524	{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe	119
PID 464 wrote to memory of 1060	464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe	120
PID 464 wrote to memory of 1060	464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe	120
PID 464 wrote to memory of 1060	464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe	120
PID 464 wrote to memory of 3316	464	{19E8267F-314E-40b5-8277-5359B2DF2368}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
  C:\Windows\{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
    C:\Windows\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
      C:\Windows\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
        
        C:\Windows\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
        
        C:\Windows\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
        
        C:\Windows\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
        
        C:\Windows\{183673F6-97D6-4668-B194-CE2C34604F1E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
        
        C:\Windows\{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
        
        C:\Windows\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
        
        C:\Windows\{19E8267F-314E-40b5-8277-5359B2DF2368}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe
        
        C:\Windows\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe
        
        C:\Windows\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe
        13⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B2BB~1.EXE > nul
        13⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E82~1.EXE > nul
        12⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24B21~1.EXE > nul
        11⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87C4C~1.EXE > nul
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18367~1.EXE > nul
        9⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{315F9~1.EXE > nul
        8⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80268~1.EXE > nul
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34FE~1.EXE > nul
        6⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B54F5~1.EXE > nul
        5⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A617F~1.EXE > nul
      4⤵
      PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B22D~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B22D849-4319-47e3-B259-2C4B4C4386B6}.exe

Filesize
197KB

MD5
6ce1c685508edca3a03c39cf368c144c

SHA1
b9e0d5695041f5b7de60868c81e5afb13a613d29

SHA256
fed6998572f0fcb5faf53318d9d942e79308e7f3b26c4eb1d1de70b8dafb2c1d

SHA512
925880adf8b104a6664a0c78b9b43e99b3751242988c76c3042521843f7e3cbcca267a86abef6307924528078d78cfebd61833e375dcd0e2b9177c7bd751405b

Download Submit
C:\Windows\{0B2BB7E3-4FCF-4b70-A9FB-B2B3128B93F6}.exe

Filesize
197KB

MD5
0ca28ffbd53610593f145b1d8da2bed6

SHA1
4f8742200c8e22f1018160d4ddb2ca6ff60e3fab

SHA256
3c85fd161f8538af5b91497c6e54caa63164aa97e4bfad07ebf1700b9b78ed3f

SHA512
aec443e2d5de6481784f929e144310ad022a1c6b003f123d377216788e0c5d9da82b5f23fed80848621afa907ee60eb0b1a38002d5722d51ceacf4e480489711

Download Submit
C:\Windows\{183673F6-97D6-4668-B194-CE2C34604F1E}.exe

Filesize
197KB

MD5
9b19aab77443ea52a615e405b333d642

SHA1
7c553c16dd5824cec49c0e0648ce4df0b535cb54

SHA256
c0eaa6267db5f8486c8912c71d63030dedfb433b8a083c14dceb187ba6e91ddf

SHA512
6425bef093ac7a7e35a93d6fda8ecfd5bf570ca20ae874605b767a9064eb5e833a0fba336d685ecf69b4a4ebf0d256f8abf0dd4f82268ef515f57e2ea68ff527

Download Submit
C:\Windows\{19E8267F-314E-40b5-8277-5359B2DF2368}.exe

Filesize
197KB

MD5
a042faa0bdb681a6114b29669a66738d

SHA1
93e20adc3d1af23c1f5a969981df7395a398f2d8

SHA256
7a6b16a023b63bdb6b518e20cf3c155b4c3ca48b11b0b6f668c6e76d926c0e55

SHA512
d8bce4782ca6740080bed1473a474f1646ac3da0825127b427ffa615e6816fc56d7660a82fb44539000d90654df28d32a0047249ed57b46c708af29e7ab8d5ce

Download Submit
C:\Windows\{24B21ECF-FB2C-4ac3-94EF-9DEDBDD52600}.exe

Filesize
197KB

MD5
aae8c3f2ec0bada67aacef8c405b055b

SHA1
32eea2c63e37e97c5e7e3f0e6e9d1b0150cb132c

SHA256
81a10a5bcda88f4e7b6c14cb2e98444e0945d3674c1934442511ae0ab3337df0

SHA512
744a233bc314ebd89190c8ab2eba0ec6a180b6c0b019b6b5dfae70214ce76335321256e7edbd7839fae1b2af619d10345448d50df614523f2e965b281766ac38

Download Submit
C:\Windows\{315F92CA-24B0-43ce-B34C-6E4C0A254DED}.exe

Filesize
197KB

MD5
9cddaf14f1d4be40fecfb6c945492244

SHA1
6a5cf8eb50abab2648c129ee06751ac9815e3771

SHA256
ea78b3cca8db2f00a1075da4ed56b5d677e5c2b3ec8394ed28485ce2edbcedc5

SHA512
2ddc7ab0a3a8006334305f1f780b7d53a47f6d5f60144bd048d0485a73a9b1886d889a1ecebfa8bfd13d2e9b4df20b48ac9dabd4c1e682e4e77aad287ed8f947

Download Submit
C:\Windows\{6A4CB260-18AF-476e-8C65-926CBA9F63E4}.exe

Filesize
197KB

MD5
4c8c8d7ca559e6151fbab9f53ac24aa2

SHA1
720752899cf4bc2c6b823ef88b76182aab848fe2

SHA256
78a60dd27b06165d05750d24a86469c093cbddc723c558db89632ccb9e1124b8

SHA512
1278d6695b861746e5fec3580dd6577a74af0abee4ab8a30def9d9e66ab09a9e7a260e563d1513154063560786ad034d912e86df9bde7ab11ed910faade649de

Download Submit
C:\Windows\{80268ABD-076D-43ae-B3B2-86B667E4DBF5}.exe

Filesize
197KB

MD5
402134fe25a2fc08e33d6bb5b8b25abe

SHA1
77db3a3269c70512938b6aa8a69708760c386309

SHA256
b0700b504a7e7c8ade06de14a607eda0f0b08c5aaf372ad5683da0dc2bf4e697

SHA512
8ca3b7143ce31e4c248748adc929947f8bd23ca88ce5fb1f2f820e6108617eeb6f59ca18d39b4a7d4d2f04c218c53e9a7abbb0569031371e1530b31d96d23325

Download Submit
C:\Windows\{87C4CE6B-618C-41b2-A545-AC980932D9B8}.exe

Filesize
197KB

MD5
76a58e6b9163f705302ce42ff8a16a89

SHA1
414560526ebf549b49a2986c3a21c7debb60a4c0

SHA256
7d7238a1049dc688e6ee4e139e3fdb7e214a3ad46e0cde9a7ae0a65beb068dab

SHA512
809855412c01a20f364e31cc227d84657ec2320d9b34ccd5ab9e6efc0dd7faf91c95cdbcf81713ce364bfa3a99c3262bc6e8229f12ecb759d483d06d0b955ebb

Download Submit
C:\Windows\{A617FFDB-AB0E-47f5-ABF8-F7142476399B}.exe

Filesize
197KB

MD5
967444fc0643ec26cba90026fd29be2d

SHA1
b537edf51611a80329050a35d75e6b5fbe12d8a8

SHA256
f16c9384af3cbe62485f538a20cb61348ee2d503015f2963bce01e063b3c84df

SHA512
8f4520c7876f006d23f677a6648a621946811091275a16a7c4359283eb9fa1e963ef071f794b0337fade750aaa16e09fb7b7566727987ad0b5de053845aac637

Download Submit
C:\Windows\{B54F5CDA-A82C-4a5b-95FE-6711C7E89200}.exe

Filesize
197KB

MD5
c4b10119ead8aa1784469daae3378792

SHA1
ceb02c1c766f84f2247caaf6e7d5219e0b7df636

SHA256
3bb2e1e2c51d3e5f57451dce27870309c54e04033ddd814ec61d56b82e299a02

SHA512
025ddf00b17261636e3fce68fd3e68a07b54ecc397e6aa1b2fcef1dcbe679b78d7af3de194361479d1d4b966a1f654d2a0f0cf030a3c56624a07e90fd89bfa15

Download Submit
C:\Windows\{F34FE0EC-4E6A-4ebf-B8BD-2E7017EBFC73}.exe

Filesize
197KB

MD5
83e49784e73f37c9facb9f21081577a0

SHA1
97e4b11b7d5cf398b8477366bf553849dc2f1b17

SHA256
13c5d4e08ebd519ac96278a20cd58ac2aa9f3c55783fb2ec19f00e06f0ad1afe

SHA512
70305dbd633bdd213086d0e441664db95f4bc542b85341ae84cd0681e94cbf27ef7d1e5cd646ba2ffd7d36293b42df56b880320f25daaa8dfd1686b5ea3e351b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads