3cc38d338d425649ebe82030f4587a33473938199cebfdb7b7a9856cb01e6a41

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
Size

197KB
MD5

eb713f1aa3be8b1683cee7da058978f9
SHA1

cd44abe8321f884db8482c424e86f3bdca015836
SHA256

3cc38d338d425649ebe82030f4587a33473938199cebfdb7b7a9856cb01e6a41
SHA512

bb79ec2006b5053f797583c36730fbe53cf3d7b454c23c52d3ba259e2e9cfa1dcff120ca7fca5866c3b937349d8f6c6ba12ee4cc1790ab907cec214cb01c19b7
SSDEEP

3072:jEGh0oal+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGwlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000016fa5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023260-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023267-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023260-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023267-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}\stubpath = "C:\\Windows\\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe"	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882DC02E-2D29-4954-9241-8078DF4B0C03}	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193E18C4-06EC-42e8-9A37-6A1EEE868122}	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEC073D-343A-487c-8C0E-802860CF861D}	{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}\stubpath = "C:\\Windows\\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe"	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC30E789-90DE-4762-B8C7-EFA7F675388D}	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}\stubpath = "C:\\Windows\\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe"	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B682E48-A25D-49f7-B5C7-04FA313511C2}	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}\stubpath = "C:\\Windows\\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe"	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AEC073D-343A-487c-8C0E-802860CF861D}\stubpath = "C:\\Windows\\{9AEC073D-343A-487c-8C0E-802860CF861D}.exe"	{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF439574-4919-46d3-A920-FC89AE0D0E3E}\stubpath = "C:\\Windows\\{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe"	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}\stubpath = "C:\\Windows\\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe"	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}\stubpath = "C:\\Windows\\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe"	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC30E789-90DE-4762-B8C7-EFA7F675388D}\stubpath = "C:\\Windows\\{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe"	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B682E48-A25D-49f7-B5C7-04FA313511C2}\stubpath = "C:\\Windows\\{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe"	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF439574-4919-46d3-A920-FC89AE0D0E3E}	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882DC02E-2D29-4954-9241-8078DF4B0C03}\stubpath = "C:\\Windows\\{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe"	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193E18C4-06EC-42e8-9A37-6A1EEE868122}\stubpath = "C:\\Windows\\{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe"	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe

Executes dropped EXE 12 IoCs

pid	Process
1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
4328	{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
4456	{9AEC073D-343A-487c-8C0E-802860CF861D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
File created	C:\Windows\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
File created	C:\Windows\{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
File created	C:\Windows\{9AEC073D-343A-487c-8C0E-802860CF861D}.exe	{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
File created	C:\Windows\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
File created	C:\Windows\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
File created	C:\Windows\{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
File created	C:\Windows\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
File created	C:\Windows\{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
File created	C:\Windows\{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
File created	C:\Windows\{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
File created	C:\Windows\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
Token: SeIncBasePriorityPrivilege	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
Token: SeIncBasePriorityPrivilege	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
Token: SeIncBasePriorityPrivilege	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
Token: SeIncBasePriorityPrivilege	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
Token: SeIncBasePriorityPrivilege	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
Token: SeIncBasePriorityPrivilege	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
Token: SeIncBasePriorityPrivilege	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
Token: SeIncBasePriorityPrivilege	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
Token: SeIncBasePriorityPrivilege	1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
Token: SeIncBasePriorityPrivilege	4328	{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1948	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	96
PID 2384 wrote to memory of 1948	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	96
PID 2384 wrote to memory of 1948	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	96
PID 2384 wrote to memory of 4028	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	97
PID 2384 wrote to memory of 4028	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	97
PID 2384 wrote to memory of 4028	2384	2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe	97
PID 1948 wrote to memory of 3228	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	101
PID 1948 wrote to memory of 3228	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	101
PID 1948 wrote to memory of 3228	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	101
PID 1948 wrote to memory of 2804	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	102
PID 1948 wrote to memory of 2804	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	102
PID 1948 wrote to memory of 2804	1948	{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe	102
PID 3228 wrote to memory of 4712	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	104
PID 3228 wrote to memory of 4712	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	104
PID 3228 wrote to memory of 4712	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	104
PID 3228 wrote to memory of 3708	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	105
PID 3228 wrote to memory of 3708	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	105
PID 3228 wrote to memory of 3708	3228	{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe	105
PID 4712 wrote to memory of 4956	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	107
PID 4712 wrote to memory of 4956	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	107
PID 4712 wrote to memory of 4956	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	107
PID 4712 wrote to memory of 2820	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	108
PID 4712 wrote to memory of 2820	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	108
PID 4712 wrote to memory of 2820	4712	{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe	108
PID 4956 wrote to memory of 4432	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	109
PID 4956 wrote to memory of 4432	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	109
PID 4956 wrote to memory of 4432	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	109
PID 4956 wrote to memory of 4600	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	110
PID 4956 wrote to memory of 4600	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	110
PID 4956 wrote to memory of 4600	4956	{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe	110
PID 4432 wrote to memory of 2484	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	111
PID 4432 wrote to memory of 2484	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	111
PID 4432 wrote to memory of 2484	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	111
PID 4432 wrote to memory of 3048	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	112
PID 4432 wrote to memory of 3048	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	112
PID 4432 wrote to memory of 3048	4432	{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe	112
PID 2484 wrote to memory of 4784	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	113
PID 2484 wrote to memory of 4784	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	113
PID 2484 wrote to memory of 4784	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	113
PID 2484 wrote to memory of 4164	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	114
PID 2484 wrote to memory of 4164	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	114
PID 2484 wrote to memory of 4164	2484	{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe	114
PID 4784 wrote to memory of 2084	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	115
PID 4784 wrote to memory of 2084	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	115
PID 4784 wrote to memory of 2084	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	115
PID 4784 wrote to memory of 1152	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	116
PID 4784 wrote to memory of 1152	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	116
PID 4784 wrote to memory of 1152	4784	{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe	116
PID 2084 wrote to memory of 1688	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	117
PID 2084 wrote to memory of 1688	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	117
PID 2084 wrote to memory of 1688	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	117
PID 2084 wrote to memory of 4212	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	118
PID 2084 wrote to memory of 4212	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	118
PID 2084 wrote to memory of 4212	2084	{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe	118
PID 1688 wrote to memory of 1760	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	119
PID 1688 wrote to memory of 1760	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	119
PID 1688 wrote to memory of 1760	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	119
PID 1688 wrote to memory of 1536	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	120
PID 1688 wrote to memory of 1536	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	120
PID 1688 wrote to memory of 1536	1688	{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe	120
PID 1760 wrote to memory of 4328	1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe	121
PID 1760 wrote to memory of 4328	1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe	121
PID 1760 wrote to memory of 4328	1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe	121
PID 1760 wrote to memory of 2068	1760	{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_eb713f1aa3be8b1683cee7da058978f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
  C:\Windows\{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
    C:\Windows\{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
      C:\Windows\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
        
        C:\Windows\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
        
        C:\Windows\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
        
        C:\Windows\{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
        
        C:\Windows\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
        
        C:\Windows\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
        
        C:\Windows\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
        
        C:\Windows\{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
        
        C:\Windows\{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\{9AEC073D-343A-487c-8C0E-802860CF861D}.exe
        
        C:\Windows\{9AEC073D-343A-487c-8C0E-802860CF861D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{193E1~1.EXE > nul
        13⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{882DC~1.EXE > nul
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25068~1.EXE > nul
        11⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F393~1.EXE > nul
        10⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38237~1.EXE > nul
        9⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC30E~1.EXE > nul
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AD7A~1.EXE > nul
        7⤵
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0AC5~1.EXE > nul
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5904F~1.EXE > nul
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF439~1.EXE > nul
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B682~1.EXE > nul
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{193E18C4-06EC-42e8-9A37-6A1EEE868122}.exe

Filesize
197KB

MD5
a2bc6a82d13997a3c21c54180e9da458

SHA1
6ff40b6c976543dc666d766bfb703781396b8d97

SHA256
37a6ffd381c4cdd902bd7c2ff7f0f27ef7bd38df95e63b0ad66dc568ac958d25

SHA512
1f61823c93b9f258e66866f57b2f78169b08d35ee87bae57d2d84648cfaa8c8ab72d302b84a028859421bef8e4a317bc39f86e6cbddc87bb85d0ac6b296187ad

Download Submit
C:\Windows\{25068D5D-B1EA-4d55-8872-A3E5B26A4715}.exe

Filesize
197KB

MD5
088a2fd5b9d81861f51326b764a61b6f

SHA1
b7895a35a86c4a3572cabd8d4eeee3f225250adf

SHA256
17382d5725087acb5ce085a3fb469a93ea3cea16822be1b28609f8e41423cd6c

SHA512
e248e05fccba244402644e0351c1c1bdb10203979033360799014761648742764104415ee58c1e8c6a75b2cd6c062d8c622deee35e0b4154c80157f826cfba51

Download Submit
C:\Windows\{2F393587-AA1C-4ee2-AB69-A885E3121DE2}.exe

Filesize
197KB

MD5
975f4164f2988b7e1640e8c23b6a0f1e

SHA1
ad09f3449b55e31988668c423ad85ba45162f5e2

SHA256
a9e176e6470be38eaf067b2bac72b8d9f7623759e08ce0e60eee0de08952d4d3

SHA512
bd79473409e368c5c8669335394cb0dc3cf0256df54105e64d200923235dc444d252d45d057236b29b6fdc37bc3edc53f645b26ee471a919d3d2cf98a1f56929

Download Submit
C:\Windows\{38237FE7-679A-43fb-B7EE-6CC6A51F1AD7}.exe

Filesize
197KB

MD5
622470bbd33a984e005b066260fe6fad

SHA1
46dc667aa9363c4270deb3eb474ccd1e0565821a

SHA256
ed1e4a6705e117128520d90ccde96ab7c2389b3ae161c3ccb051fc59601bc1d6

SHA512
2a348466e525921048683bf49f5d99aae57e3fefa4fecfe8b5285dac380db1f4a81b7056a891e0e55638a3d0bcd556657231221d1d5960196d52706eebb1f796

Download Submit
C:\Windows\{3B682E48-A25D-49f7-B5C7-04FA313511C2}.exe

Filesize
197KB

MD5
663e4b979c844a14312f36627b5b71b4

SHA1
0effa97dc9fa68ecad29633a05323dfec360ec9e

SHA256
0691bea86d133090987980c5579cac47bf8277794b62153f228c73bd2ec00266

SHA512
9274237876b10e5a450c81c3cc0b23b32b7efd8263eca1cd35c5c3f92aa55d3fbfb204410f6b116f4bf703d9c6ff43f97c80712b5c03857844e0ad0f0a22cb5c

Download Submit
C:\Windows\{5904F157-7E0E-44b1-9F80-8B04AFD170DA}.exe

Filesize
197KB

MD5
ac25512e742de982296fcaee009ca346

SHA1
a86400217a973a53c9ed21a32a444fa59637ed1a

SHA256
924c99300ed52111c05814bd4e35c1c3b25adc67c33c32352424cadfbb7ba13f

SHA512
5b566f99e1bb1abe1c1ffd35fb9a3a07adaa88cec995d8dcb10a043423dbb08ae3d2017477aa1583bf09628d31c72b335f93a5dace6d58722a03134321e4dc57

Download Submit
C:\Windows\{7AD7AF53-3EF6-45d5-9589-2FBBEF71D230}.exe

Filesize
197KB

MD5
0ffcb2f3f80fff93b440d006c679fb19

SHA1
e63bac1b700221641ff0dfd0f674cce72565ec16

SHA256
e8f3dd707cb42dbd75a128253adb60fab01248dad9ea85c72da0e39eb6504fe0

SHA512
585987be8da9d7b9610303decaee5654ace598f2ec1779e68759f06944c97841f4fe00f4f32368af1ea7c2597cae7d643d582395c10cfab77189e22db9dc5fa8

Download Submit
C:\Windows\{882DC02E-2D29-4954-9241-8078DF4B0C03}.exe

Filesize
197KB

MD5
945da28c233c1fade4c19974f5471589

SHA1
ec72c319c3f7bd56a0e26fa578f9462338873818

SHA256
0f52a7b78e5d7c4be587187c2e78129467bd74d2f236598d14ff9504ade690fb

SHA512
21237697c5a4993f9209f012c95f1003f772195163b3cfb84885f3528769bed226e8716be361abaea8d54eb691c22914a683426b4aba4dbdb4ca1a7dc2a6d077

Download Submit
C:\Windows\{9AEC073D-343A-487c-8C0E-802860CF861D}.exe

Filesize
197KB

MD5
217660d6e509a92980b500936e069099

SHA1
ac5191379194c3e96a7fc21050867d002c652766

SHA256
6a779ba06ecd8bdec13bb4b9f2395b0b2447e6d96a7b5ff020816cc43e759f1f

SHA512
e52ee70440f5ffc719b4c6f62bc7aa92135f7148add6fa6699fba5858f251f3f47e24cc4e0cbf2049e185b9490436b49a6819cc81ff51376dc03ef748b654d35

Download Submit
C:\Windows\{BF439574-4919-46d3-A920-FC89AE0D0E3E}.exe

Filesize
197KB

MD5
6e3be2bdeaa508bfee3cf32be9a4fbe8

SHA1
1d57d570ea6dcc885635d495bce9bfe056aa2fe6

SHA256
407826e8b0dcc340ef961e167d25b32f11ca4d1c326ab903eda2e0cfc79c5173

SHA512
3ad9726e50334603b8b912f710ec5b711a28280e070c50fcfc39f62f2b113e4c5a69c09cae75ae28df4a2c7636d099d52904a383023a09f920c1bc1e3e4a8efa

Download Submit
C:\Windows\{C0AC51F1-C77C-4d38-8711-9B341ABDF51C}.exe

Filesize
197KB

MD5
93abf437617fac5553fb0fa7d4e76657

SHA1
280b3571e3e399296a4625f7d9b3ebbd6e7c63e5

SHA256
988e487892e40df9a351521952ed9267a6933a91e0477f770dacd6b81ac4f55f

SHA512
4326cd2c264b67f7c375673ebcbc66cdd23058e794410e1181a14754a9055724447d87757ba2e013f0807ca6018867da15ee9d7539b93abb8afe2a8ad2faf6dc

Download Submit
C:\Windows\{DC30E789-90DE-4762-B8C7-EFA7F675388D}.exe

Filesize
197KB

MD5
36caeab743af2c03c8d52fd23b283377

SHA1
ead0f26b73b33a47ed54c70bcdff8f5d56566219

SHA256
a18c5dccbcb867055bbd9144f9ecdc8346b6279265109d3dc8d7d3e67fe454b0

SHA512
050620400a814bc8e9f8156a96f92c569fdd2329825870968a6287a5559bb044b4341e5d1760dd0f13421c890f77ba1c86539c7486afa411048846087f352dbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads