b1c71b72430f5ad9357152ac48e7cfb158dad9365d8e9128a041146e46407373

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
Size

408KB
MD5

e5b335366380489fde3e7c88c66366c0
SHA1

e121b2c4c093d7381b6085a4d6409be8d35f759b
SHA256

b1c71b72430f5ad9357152ac48e7cfb158dad9365d8e9128a041146e46407373
SHA512

e22b0e8616d3f137fdfe06b7f87e0afdc52ee6ba831b0a23530684cba3282ec6e2f9c73969d490ee6d7ece6b77675f0a74ccf2e12aac4c6adc11619da97b209d
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGKldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023242-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023245-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000022fdf-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023245-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000022fdf-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}\stubpath = "C:\\Windows\\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe"	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA52579-0264-4afc-8413-15ADFEA53EA5}	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06EEAA6-971B-450a-B855-C2348CC88665}	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}\stubpath = "C:\\Windows\\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe"	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}\stubpath = "C:\\Windows\\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe"	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A95A5718-B7FE-4659-A7B8-D4F51938D298}	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A95A5718-B7FE-4659-A7B8-D4F51938D298}\stubpath = "C:\\Windows\\{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe"	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD53743-958E-437e-9D85-298856B195D7}	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A18D1CC-606E-4911-A317-C0717C98568C}\stubpath = "C:\\Windows\\{0A18D1CC-606E-4911-A317-C0717C98568C}.exe"	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}\stubpath = "C:\\Windows\\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe"	{2DD53743-958E-437e-9D85-298856B195D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}\stubpath = "C:\\Windows\\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe"	{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}\stubpath = "C:\\Windows\\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe"	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A18D1CC-606E-4911-A317-C0717C98568C}	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}\stubpath = "C:\\Windows\\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe"	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD53743-958E-437e-9D85-298856B195D7}\stubpath = "C:\\Windows\\{2DD53743-958E-437e-9D85-298856B195D7}.exe"	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}	{2DD53743-958E-437e-9D85-298856B195D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}	{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA52579-0264-4afc-8413-15ADFEA53EA5}\stubpath = "C:\\Windows\\{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe"	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06EEAA6-971B-450a-B855-C2348CC88665}\stubpath = "C:\\Windows\\{E06EEAA6-971B-450a-B855-C2348CC88665}.exe"	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe

Executes dropped EXE 12 IoCs

pid	Process
2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe
1948	{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
4660	{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
File created	C:\Windows\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
File created	C:\Windows\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe	{2DD53743-958E-437e-9D85-298856B195D7}.exe
File created	C:\Windows\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
File created	C:\Windows\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
File created	C:\Windows\{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
File created	C:\Windows\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
File created	C:\Windows\{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
File created	C:\Windows\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe	{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
File created	C:\Windows\{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
File created	C:\Windows\{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
File created	C:\Windows\{2DD53743-958E-437e-9D85-298856B195D7}.exe	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
Token: SeIncBasePriorityPrivilege	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
Token: SeIncBasePriorityPrivilege	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
Token: SeIncBasePriorityPrivilege	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
Token: SeIncBasePriorityPrivilege	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
Token: SeIncBasePriorityPrivilege	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
Token: SeIncBasePriorityPrivilege	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
Token: SeIncBasePriorityPrivilege	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
Token: SeIncBasePriorityPrivilege	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
Token: SeIncBasePriorityPrivilege	3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe
Token: SeIncBasePriorityPrivilege	1948	{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 2772	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	90
PID 412 wrote to memory of 2772	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	90
PID 412 wrote to memory of 2772	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	90
PID 412 wrote to memory of 2900	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	91
PID 412 wrote to memory of 2900	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	91
PID 412 wrote to memory of 2900	412	2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe	91
PID 2772 wrote to memory of 1864	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	97
PID 2772 wrote to memory of 1864	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	97
PID 2772 wrote to memory of 1864	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	97
PID 2772 wrote to memory of 2012	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	98
PID 2772 wrote to memory of 2012	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	98
PID 2772 wrote to memory of 2012	2772	{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe	98
PID 1864 wrote to memory of 4840	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	102
PID 1864 wrote to memory of 4840	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	102
PID 1864 wrote to memory of 4840	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	102
PID 1864 wrote to memory of 4040	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	103
PID 1864 wrote to memory of 4040	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	103
PID 1864 wrote to memory of 4040	1864	{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe	103
PID 4840 wrote to memory of 4472	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	105
PID 4840 wrote to memory of 4472	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	105
PID 4840 wrote to memory of 4472	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	105
PID 4840 wrote to memory of 3828	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	106
PID 4840 wrote to memory of 3828	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	106
PID 4840 wrote to memory of 3828	4840	{0A18D1CC-606E-4911-A317-C0717C98568C}.exe	106
PID 4472 wrote to memory of 4456	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	107
PID 4472 wrote to memory of 4456	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	107
PID 4472 wrote to memory of 4456	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	107
PID 4472 wrote to memory of 2728	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	108
PID 4472 wrote to memory of 2728	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	108
PID 4472 wrote to memory of 2728	4472	{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe	108
PID 4456 wrote to memory of 5028	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	109
PID 4456 wrote to memory of 5028	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	109
PID 4456 wrote to memory of 5028	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	109
PID 4456 wrote to memory of 1716	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	110
PID 4456 wrote to memory of 1716	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	110
PID 4456 wrote to memory of 1716	4456	{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe	110
PID 5028 wrote to memory of 1932	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	111
PID 5028 wrote to memory of 1932	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	111
PID 5028 wrote to memory of 1932	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	111
PID 5028 wrote to memory of 2076	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	112
PID 5028 wrote to memory of 2076	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	112
PID 5028 wrote to memory of 2076	5028	{E06EEAA6-971B-450a-B855-C2348CC88665}.exe	112
PID 1932 wrote to memory of 1680	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	113
PID 1932 wrote to memory of 1680	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	113
PID 1932 wrote to memory of 1680	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	113
PID 1932 wrote to memory of 4540	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	114
PID 1932 wrote to memory of 4540	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	114
PID 1932 wrote to memory of 4540	1932	{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe	114
PID 1680 wrote to memory of 2976	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	115
PID 1680 wrote to memory of 2976	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	115
PID 1680 wrote to memory of 2976	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	115
PID 1680 wrote to memory of 1112	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	116
PID 1680 wrote to memory of 1112	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	116
PID 1680 wrote to memory of 1112	1680	{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe	116
PID 2976 wrote to memory of 3564	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	117
PID 2976 wrote to memory of 3564	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	117
PID 2976 wrote to memory of 3564	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	117
PID 2976 wrote to memory of 3476	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	118
PID 2976 wrote to memory of 3476	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	118
PID 2976 wrote to memory of 3476	2976	{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe	118
PID 3564 wrote to memory of 1948	3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe	119
PID 3564 wrote to memory of 1948	3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe	119
PID 3564 wrote to memory of 1948	3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe	119
PID 3564 wrote to memory of 3832	3564	{2DD53743-958E-437e-9D85-298856B195D7}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_e5b335366380489fde3e7c88c66366c0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
  C:\Windows\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
    C:\Windows\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
      C:\Windows\{0A18D1CC-606E-4911-A317-C0717C98568C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
        
        C:\Windows\{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
        
        C:\Windows\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
        
        C:\Windows\{E06EEAA6-971B-450a-B855-C2348CC88665}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
        
        C:\Windows\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
        
        C:\Windows\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
        
        C:\Windows\{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{2DD53743-958E-437e-9D85-298856B195D7}.exe
        
        C:\Windows\{2DD53743-958E-437e-9D85-298856B195D7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
        
        C:\Windows\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe
        
        C:\Windows\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2CE~1.EXE > nul
        13⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD53~1.EXE > nul
        12⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A95A5~1.EXE > nul
        11⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A692E~1.EXE > nul
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8348~1.EXE > nul
        9⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E06EE~1.EXE > nul
        8⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94600~1.EXE > nul
        7⤵
        
        PID:1716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA52~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A18D~1.EXE > nul
        5⤵
        
        PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E13B~1.EXE > nul
      4⤵
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A60AA~1.EXE > nul
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A18D1CC-606E-4911-A317-C0717C98568C}.exe

Filesize
408KB

MD5
4552234e5a07f32903f851b500bfb052

SHA1
bacba847972d7e8311110e66b5113560bc6c8ddc

SHA256
afcc98e3064413d66330b0c0a5c6a3a69eed17416fec78ed81d29db12addfbb9

SHA512
5519b8b7807e26733209555a9df0de915c712c81e8fd25fcf485fe5acbab11dc6611d02287d6482dacee64918076b3c16a26000a12c4b8aa7dd9a8608e015404

Download Submit
C:\Windows\{1FD1EDBE-4721-4655-9EEB-E159D962E71D}.exe

Filesize
408KB

MD5
6c4dc14efed72c80e3ad52d336bd2561

SHA1
ad368c5bd51e6314bc8bdf18cfb984e82df899fe

SHA256
7a1ca5b057591b794199dae149927161716559933c74f7c0d76493270596645c

SHA512
7e8f604c66df6716eb79ce7ef39b2e2ed5a3df1c01cab37624416adddbf28c946c236730838c372dac68bf82ddbc9d7c1ad2aef9551b84d942b37904a44a5b8b

Download Submit
C:\Windows\{2DD53743-958E-437e-9D85-298856B195D7}.exe

Filesize
408KB

MD5
eb86099d8a45b82b6d9a53e974021d29

SHA1
3126b9bea4f86da94fbab314d46a554d93f84ebe

SHA256
1e09ef4a5b962d6d5bac3ed45ab466ee9d4a1e9203c38a759555eacbfbe0acd4

SHA512
6c5e8192cd9e2614b868ae1eba400d39762826245628bf256d5e71cda99b86bf00da2d5815b2204fa92371b630efed044a5117de696410d85f75c9d48cfb627e

Download Submit
C:\Windows\{8E13BA5A-DFAE-45ca-A3EC-1CFE655D7A74}.exe

Filesize
408KB

MD5
7ec53331811d95b82d7c4ad500cd2608

SHA1
adfeae102bdd7054e6da64dfe4af2870dcd21da4

SHA256
660c5dde335f20ee75c955ea38235a3435621a00ef2e9ac737603b033a6aafa7

SHA512
8108b55473dbbabb7637fcaf21c9d8161d784c8309dfd964e878d88c5d7160de52d04d25530d18438eac36348f7b250319c4643e3c525f3159b3b8f2bf37b009

Download Submit
C:\Windows\{8F2CE780-43CF-46ab-A9EF-F9FF6E9FF35D}.exe

Filesize
408KB

MD5
559ccd5fcf5e071b40c785b0153ad999

SHA1
6a1803b522299891a2166a206530df1c7473a4e7

SHA256
89d4ee7a788d48280ea9e052d188a22d47aaf4abaf9ce6aa86067093d10be310

SHA512
b4c6ae7d5a296504bd3c1d50aac452237ec69d2cc25aaf2efd7d8279bf3c77ccbe8b802d0536d489fc85fcbced96b7e38790a25db4c9c957b03979ae07e8b5c1

Download Submit
C:\Windows\{946004A1-142F-43ee-9ED2-BCA4E5F504B5}.exe

Filesize
408KB

MD5
1c63dfde5da41628810f53a32c3829fa

SHA1
3a7044b58e14128976054afdf7ed601c6041b163

SHA256
cf48ac2811d9e8a3d8d65f70e8c8434d6636cac6e703a807d52e3dc32067a0ff

SHA512
906547ba2a4cb11646496ef15ca1f1a14914f35ee2feb37bea361e5906a47ea84eb0ece98c2830856450b62ef289cbc68b86448d6fa46ec0cbe831e891fe801a

Download Submit
C:\Windows\{A60AAE0C-7CB9-47bf-9A1F-734F56757DF2}.exe

Filesize
408KB

MD5
65fc3ec658c9ed574c8318dd4b1a74f8

SHA1
9601aa4783366858da6db483034516a4d8ec276e

SHA256
eac25fefe7c167f6cfafb3640f3dfef5be260af20056d58c26ae890d81f4f70a

SHA512
48795d1e0501ebae0f126f6f9aea8aea99068ec0282b3dd561f35c160a6d8cc0c113bfc3d7a31739abe181ba6f5a6bd0807a5c6a608badc7de759ae2afb5072c

Download Submit
C:\Windows\{A692EB5B-536B-4f8e-93A9-2D23D3551ECB}.exe

Filesize
408KB

MD5
189c83eb33c5445f3b03806b345a02c9

SHA1
4a7203e754a590f839d24ebbcb808165b2e62178

SHA256
9c18f5b3d16c9b68d97c9c2dc2bf3c3ccce782d104a0000b803c5945fef40d67

SHA512
48aa286ee4ffdeadafb5cce047bcbdd78f3cf48dc4453885bf464e193c82f8b645945b3ff2f0d040e79c524f7f3e7ce39d8cb7385808aa638bddd50b4e99c333

Download Submit
C:\Windows\{A8348E15-1265-4c2e-B086-CBE0DF5C608E}.exe

Filesize
408KB

MD5
1b2361cd299cac71c65716431677a787

SHA1
185be8217c15b60f147599a89e50a17bd3f25764

SHA256
307fdb3d78aa8e34d589c22be952d44962421edb4c14bba45b24249fc394abb0

SHA512
1692ba9485dc12f67075a8f3b52ba9a2ac3faf75ef10b1fe31c6d2b1adc6ee9b01bec48de6a9721e44ccf4ef25ba3c3bddaa8fe8c9612463c74f8bc89d872cb9

Download Submit
C:\Windows\{A95A5718-B7FE-4659-A7B8-D4F51938D298}.exe

Filesize
408KB

MD5
2d43a9957cd3f5f3d79c28aaf675df9a

SHA1
e4bc17d85064b968ed163181f3dac836ffb4fa68

SHA256
f0d118e6b3ade51a15d3f0b4bf2748e384948242d5ec57c652492757f292d8f8

SHA512
945dcea51ea67fc9afd4779f64697cb495f54639cfa627abce869b9816630ed93209a38d883778aa03fb8d94349e0a5cdd7161a247a973ffe0044b4181928cfd

Download Submit
C:\Windows\{E06EEAA6-971B-450a-B855-C2348CC88665}.exe

Filesize
408KB

MD5
41fa0def29013978d3832ad10914cb44

SHA1
72a8118dbd45095b8029eeee12b0a49d1f1207b9

SHA256
139d7b81ad573e32460d7c39e79f3ec73d7e176eb8c16a615bbf47f15ec1e00f

SHA512
8e8dca26080dfe85d3ab2ad4b5bad4a96d643a5b3b6b8b7216e1f1f3d4ac21be2f5ef67fcd4540b74cc91ffb9d16dab677698f66304c41aae9f4c43853ce764e

Download Submit
C:\Windows\{EFA52579-0264-4afc-8413-15ADFEA53EA5}.exe

Filesize
408KB

MD5
99e16b68dd2090e93fd06f75fd1311cb

SHA1
9ed8ce016a626a603bbd7cf2b87ffa65e634f295

SHA256
32fa72529899c39e51e58512714c6392ff4176efc178421e75afd8a61901b807

SHA512
a5bb8402535b5355dc1d30adc3a82bfe9ea8b864bec22c3498c771d1c2cd4be21112fea2bf07e9e81ed7fd2ed47a02c5e85f8e1133dc4ae4521dafbc3505570b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads