3e87290a8d66a8be344bb90c0c392dbbec2b280046ee18e87396b1e9b7a7f1e1

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Size

372KB
MD5

26c7ed80110b0851401af812a404aded
SHA1

f02978ab210e8d6d799bcbbd1af7f716cb0de2ec
SHA256

3e87290a8d66a8be344bb90c0c392dbbec2b280046ee18e87396b1e9b7a7f1e1
SHA512

810e6768b9476e13e368667ace7a324f358b91af7dc72c96bae35bc0cbf356607077f2e06835189271191cb47aa87f748bc2055ba7a7a50ec2f5fffd9d9eb471
SSDEEP

3072:CEGh0oZlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGHlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022975-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000232fa-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232f7-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000232fa-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000232f7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000232fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000232f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000232fa-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000232f7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000232fa-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023324-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000232fa-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}\stubpath = "C:\\Windows\\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe"	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}\stubpath = "C:\\Windows\\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe"	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{588513B0-4034-4ab0-8B49-E1669E42BAC4}	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}\stubpath = "C:\\Windows\\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe"	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}\stubpath = "C:\\Windows\\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe"	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{334B9614-7D74-411a-95BD-AE403B43E6D9}	{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{334B9614-7D74-411a-95BD-AE403B43E6D9}\stubpath = "C:\\Windows\\{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe"	{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{588513B0-4034-4ab0-8B49-E1669E42BAC4}\stubpath = "C:\\Windows\\{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe"	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}\stubpath = "C:\\Windows\\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe"	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}\stubpath = "C:\\Windows\\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe"	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}\stubpath = "C:\\Windows\\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe"	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}\stubpath = "C:\\Windows\\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe"	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}\stubpath = "C:\\Windows\\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe"	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}\stubpath = "C:\\Windows\\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe"	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
1032	{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
2804	{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
File created	C:\Windows\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
File created	C:\Windows\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
File created	C:\Windows\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
File created	C:\Windows\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
File created	C:\Windows\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
File created	C:\Windows\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
File created	C:\Windows\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
File created	C:\Windows\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
File created	C:\Windows\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
File created	C:\Windows\{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe	{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
File created	C:\Windows\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
Token: SeIncBasePriorityPrivilege	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
Token: SeIncBasePriorityPrivilege	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
Token: SeIncBasePriorityPrivilege	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
Token: SeIncBasePriorityPrivilege	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
Token: SeIncBasePriorityPrivilege	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
Token: SeIncBasePriorityPrivilege	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
Token: SeIncBasePriorityPrivilege	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
Token: SeIncBasePriorityPrivilege	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
Token: SeIncBasePriorityPrivilege	652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
Token: SeIncBasePriorityPrivilege	1032	{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2560	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	96
PID 3052 wrote to memory of 2560	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	96
PID 3052 wrote to memory of 2560	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	96
PID 3052 wrote to memory of 4588	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	97
PID 3052 wrote to memory of 4588	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	97
PID 3052 wrote to memory of 4588	3052	2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe	97
PID 2560 wrote to memory of 4964	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	98
PID 2560 wrote to memory of 4964	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	98
PID 2560 wrote to memory of 4964	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	98
PID 2560 wrote to memory of 4152	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	99
PID 2560 wrote to memory of 4152	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	99
PID 2560 wrote to memory of 4152	2560	{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe	99
PID 4964 wrote to memory of 4332	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	103
PID 4964 wrote to memory of 4332	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	103
PID 4964 wrote to memory of 4332	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	103
PID 4964 wrote to memory of 2504	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	104
PID 4964 wrote to memory of 2504	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	104
PID 4964 wrote to memory of 2504	4964	{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe	104
PID 4332 wrote to memory of 3284	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	105
PID 4332 wrote to memory of 3284	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	105
PID 4332 wrote to memory of 3284	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	105
PID 4332 wrote to memory of 1028	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	106
PID 4332 wrote to memory of 1028	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	106
PID 4332 wrote to memory of 1028	4332	{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe	106
PID 3284 wrote to memory of 4024	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	107
PID 3284 wrote to memory of 4024	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	107
PID 3284 wrote to memory of 4024	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	107
PID 3284 wrote to memory of 2908	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	108
PID 3284 wrote to memory of 2908	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	108
PID 3284 wrote to memory of 2908	3284	{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe	108
PID 4024 wrote to memory of 2052	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	109
PID 4024 wrote to memory of 2052	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	109
PID 4024 wrote to memory of 2052	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	109
PID 4024 wrote to memory of 2236	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	110
PID 4024 wrote to memory of 2236	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	110
PID 4024 wrote to memory of 2236	4024	{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe	110
PID 2052 wrote to memory of 884	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	111
PID 2052 wrote to memory of 884	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	111
PID 2052 wrote to memory of 884	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	111
PID 2052 wrote to memory of 4452	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	112
PID 2052 wrote to memory of 4452	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	112
PID 2052 wrote to memory of 4452	2052	{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe	112
PID 884 wrote to memory of 1888	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	113
PID 884 wrote to memory of 1888	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	113
PID 884 wrote to memory of 1888	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	113
PID 884 wrote to memory of 1792	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	114
PID 884 wrote to memory of 1792	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	114
PID 884 wrote to memory of 1792	884	{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe	114
PID 1888 wrote to memory of 2852	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	115
PID 1888 wrote to memory of 2852	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	115
PID 1888 wrote to memory of 2852	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	115
PID 1888 wrote to memory of 2560	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	116
PID 1888 wrote to memory of 2560	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	116
PID 1888 wrote to memory of 2560	1888	{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe	116
PID 2852 wrote to memory of 652	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	117
PID 2852 wrote to memory of 652	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	117
PID 2852 wrote to memory of 652	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	117
PID 2852 wrote to memory of 2436	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	118
PID 2852 wrote to memory of 2436	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	118
PID 2852 wrote to memory of 2436	2852	{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe	118
PID 652 wrote to memory of 1032	652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe	119
PID 652 wrote to memory of 1032	652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe	119
PID 652 wrote to memory of 1032	652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe	119
PID 652 wrote to memory of 1764	652	{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_26c7ed80110b0851401af812a404aded_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
  C:\Windows\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
    C:\Windows\{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
      C:\Windows\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
        
        C:\Windows\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
        
        C:\Windows\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
        
        C:\Windows\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
        
        C:\Windows\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
        
        C:\Windows\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
        
        C:\Windows\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
        
        C:\Windows\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
        
        C:\Windows\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe
        
        C:\Windows\{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6388~1.EXE > nul
        13⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A875E~1.EXE > nul
        12⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC3A~1.EXE > nul
        11⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699CE~1.EXE > nul
        10⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C78~1.EXE > nul
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB0AA~1.EXE > nul
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85DF8~1.EXE > nul
        7⤵
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89B7C~1.EXE > nul
        6⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82713~1.EXE > nul
        5⤵
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58851~1.EXE > nul
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53CB5~1.EXE > nul
    3⤵
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1FC3A731-C212-4f92-B7B3-8F9026802BEB}.exe

Filesize
372KB

MD5
5677fcf1826f0c3b970a55e219060230

SHA1
6f9bb0144baed009fd715d3a719a2f3a4412d831

SHA256
228899137578efabb21c7cb02fdaa53c52f5e810ce4f18ca84e9f8a7eed70fa9

SHA512
91a27fde9d89ee243486b5b8fc1c1dce38027d5453c04dbc157e8dae12644b045ae5729365570a90c222cf49e144c9c1f25072eec42f39b485ef0dfbb08e4595

Download Submit
C:\Windows\{334B9614-7D74-411a-95BD-AE403B43E6D9}.exe

Filesize
372KB

MD5
6112c53b6d71b73383c35f5d4f995d23

SHA1
0dd85237b04125939f51b83f0a9d2c96f519d581

SHA256
2ab49d72f377deed666029e3ad4e7d15122d6e98e458a99994fe131e7fe6960e

SHA512
56b4f90479b6b17115797fc4b2e7be3f3975e7b3c1ff97c41d9ba06862c06a8539c5c3f9034a5676e0c5045453e53ec0f3e640ef338412c64ec73b0faed13743

Download Submit
C:\Windows\{53CB5A8A-6BFA-4154-B8A0-DAD2A4EF9B53}.exe

Filesize
372KB

MD5
5bf1a1544f182a1caf4a7d4eb95d0785

SHA1
d82811cb01d69b28294147b8c0c2982635a5a5c8

SHA256
c7b8c6cd35cb1c437545757de0517609d1f3d5b40e3ab6f1ab2349a4f8235adb

SHA512
b2c122cb5bea2738eb3e7e5eeabbf6fc303b18ecd05b13698a0aa15cc2b13b952337ba8601883302786a09419798da5e5a2147d696d51979c90807b374600882

Download Submit
C:\Windows\{588513B0-4034-4ab0-8B49-E1669E42BAC4}.exe

Filesize
372KB

MD5
273695a227f1f586b1e6cc7b12bcc329

SHA1
eee427c3524ab8edfce3b271428f9edd876de21f

SHA256
91f5aef7baac2fa6810b9b50c6dbd75c430dc531d8397eb486a50b0661867b96

SHA512
0c8b92498c6babe5ed89e9cee9458b4ad73b0c7f2ac05832ce5976bf3f3eeba2882b51260c6ea4aa6292e20117bee216b163d2376b9d2869f06632dcf6af242b

Download Submit
C:\Windows\{699CE00A-40CE-435e-A1A5-B9E4EEAD1013}.exe

Filesize
372KB

MD5
0a265885d4f083fd2341172bffbab120

SHA1
c4a2df895a3bc603694c999940b6da8cba941e54

SHA256
51b86f67274225976baeae5c0ae1759a0585ce256ae3dd7b2aa0f283b7a1c9a8

SHA512
b261f021e6c97af29a08bb88098c12068473844f4e78fd64ed7b5db46025d09f34539156290a6a53fd269e712679c9ba716fc531ecf26801a84c10de36a168d2

Download Submit
C:\Windows\{82713C0B-537D-4d78-ACB1-3DF86589F7C5}.exe

Filesize
372KB

MD5
8f57892bab747edf23c6bc1223f406a2

SHA1
2c60319bf706bdc710cb9ce807b4ade5708b996a

SHA256
6e6caee6e0cf8a56db1009f2c5f4a3ac47d9690e48291aaf5d866cd0e917260b

SHA512
1581db2d5c3dcaa26256ab80b9362c192bc2693e1e095862a7485a82cdb49e8471e3b317747fcd258f7721b3c4197c4373850782ea107cbdf032a5049bbc1068

Download Submit
C:\Windows\{85DF8E4A-E27F-4aa9-A2CF-EB51068F52B7}.exe

Filesize
372KB

MD5
2cd0c7c58d2c91a97fb3856f09615f91

SHA1
bee96f7348291866f480e02e56e8dfca41aa40f6

SHA256
9b40d70111604859f85eb30558eb82be5dbc01bef02f4b554ed0691b2b34ce05

SHA512
1efb1f8db83ce175e62193ba047ba939cd94727289506b2c0728c172ff945c389a5b5ea336122894a7556b944956660f971a36cb86bf008c43c4a39d89622af7

Download Submit
C:\Windows\{89B7C9F8-1443-4e04-838B-4C9E60F86C39}.exe

Filesize
372KB

MD5
bcc3dbbba7bbda45a4e81c1f17cd54da

SHA1
3c17a683c7ba50d8d81d08a55987005fbf4427e8

SHA256
c69c50bada42a0a43ee43ceab00081c94d44022bb42fbf43e24846c8fa23efbd

SHA512
b2c65ccd90704dc90af4f52f573eace60f8d41264e0e0ba96933cec0654fbe7fc2a6f0d515fd5ada635cd555afe9ca164ead3c64db83e06bc19fb9ba4a8c7fba

Download Submit
C:\Windows\{A4C78A4E-EA55-49df-9DA6-4A5446CDC9DD}.exe

Filesize
372KB

MD5
01ff74d10d1b6c29b6046cb031ca115b

SHA1
b208613ebe58a368ac369533bfb450ed9eb1fca3

SHA256
e15a26f077888ac8d4b9e860fdafef6e6a006bc2037cd7fe7b8a307537b23550

SHA512
4fb46b438bddb364556bd3709174b850901284d5de140d1e3fdab98a72092ac0b5a173d4128ed6d925e1ca411421672531bce75348fb24f7d3f4d94a246bd3bc

Download Submit
C:\Windows\{A875EC03-2C8E-4471-A9AD-269695C7DDE7}.exe

Filesize
372KB

MD5
be1d2ea764f3cb9f4a7700b35bd5a905

SHA1
c91c2827523a9389b9f79e7c7d609cdefbb44eae

SHA256
5319a2870cc82f198cbaf79d0a6cef93a4faae1eab2b9218e62b3fc2f36e780a

SHA512
26019cef34b168a72ba2c3b63ccf3aac256712b1f4e0be0cc61a78d2411607186bc7ff7fb1439cfa65650c126fd8a913e04a156fef689a52ee998efbc9627955

Download Submit
C:\Windows\{B63885D5-30DF-498b-9EFA-82EA6F9CF380}.exe

Filesize
372KB

MD5
f9e30818f79196f5be758b7d435d7ea0

SHA1
1f7af042e2a6a0ef33a8fa066acdb256701bebd4

SHA256
8b2e53b8bc7a673eb3dee2111aa133b76f9f3617656b73c4c7604fb7802c9508

SHA512
4397985f779b4a84f0fda524bd491aadedc5505ab21b73155391e4fee4168e646fc892c1fb2706373a54fb1f77ba30f2cc63c1bf83d4ca29323e024942456b02

Download Submit
C:\Windows\{CB0AAC78-AC44-47c2-8218-8F81B6ADD9EE}.exe

Filesize
372KB

MD5
e0f1e198eca006a65db9027f03bb1fe8

SHA1
78c7b0ee38fe0bc7cb5fc60d3885756c20ab3e20

SHA256
01491a4f65a8602f571b444887945e82ebfac3f2cb6dc6afe3279d24cd10334f

SHA512
65ae20aa3b90afda92ebb91de30117e2a996e8f59de98e9f57cb9781d3e98ff3b622ef1e3b0436d9101d6de4e4e70325dc090ca57fef9c10dff21db4ece38e72

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads