df9e5e7ab8927fbdd960762ced5a4e677cf3e9d5c7c1c792c7942ac0ef2007da

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
Size

380KB
MD5

bcd2bc0ad24491c26c8abf59acf9c9a1
SHA1

894ec5f89a6eb906564e7b301af5c24a8721ac4d
SHA256

df9e5e7ab8927fbdd960762ced5a4e677cf3e9d5c7c1c792c7942ac0ef2007da
SHA512

8c8f4f64997dab114eaa9b19379da4ff0e2e9df05935ea7f6cd096c11cb436d279f3668cd8f5d715d4a46d1f766fdcf64ceadfdf92e3ace8429efc0d801cce78
SSDEEP

3072:mEGh0oAlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGKl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023278-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002327e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023278-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80428095-BB46-4aed-B3BA-3317CA18246C}	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B96B08-2731-4256-A167-6DA0B4200C98}	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}\stubpath = "C:\\Windows\\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe"	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}\stubpath = "C:\\Windows\\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe"	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C45DFA6-68B7-431d-8564-75419626D46F}\stubpath = "C:\\Windows\\{0C45DFA6-68B7-431d-8564-75419626D46F}.exe"	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}\stubpath = "C:\\Windows\\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe"	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9816F043-8442-4bca-A648-DB4404BE06EE}	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26527F4B-F748-4848-84FE-94A180CC52D3}	{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05B96B08-2731-4256-A167-6DA0B4200C98}\stubpath = "C:\\Windows\\{05B96B08-2731-4256-A167-6DA0B4200C98}.exe"	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}\stubpath = "C:\\Windows\\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe"	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80428095-BB46-4aed-B3BA-3317CA18246C}\stubpath = "C:\\Windows\\{80428095-BB46-4aed-B3BA-3317CA18246C}.exe"	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}\stubpath = "C:\\Windows\\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe"	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}\stubpath = "C:\\Windows\\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe"	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}\stubpath = "C:\\Windows\\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe"	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C45DFA6-68B7-431d-8564-75419626D46F}	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9816F043-8442-4bca-A648-DB4404BE06EE}\stubpath = "C:\\Windows\\{9816F043-8442-4bca-A648-DB4404BE06EE}.exe"	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26527F4B-F748-4848-84FE-94A180CC52D3}\stubpath = "C:\\Windows\\{26527F4B-F748-4848-84FE-94A180CC52D3}.exe"	{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe
1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
3744	{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
1304	{26527F4B-F748-4848-84FE-94A180CC52D3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
File created	C:\Windows\{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
File created	C:\Windows\{26527F4B-F748-4848-84FE-94A180CC52D3}.exe	{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
File created	C:\Windows\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
File created	C:\Windows\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
File created	C:\Windows\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
File created	C:\Windows\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
File created	C:\Windows\{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
File created	C:\Windows\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
File created	C:\Windows\{9816F043-8442-4bca-A648-DB4404BE06EE}.exe	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
File created	C:\Windows\{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
File created	C:\Windows\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
Token: SeIncBasePriorityPrivilege	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe
Token: SeIncBasePriorityPrivilege	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
Token: SeIncBasePriorityPrivilege	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
Token: SeIncBasePriorityPrivilege	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
Token: SeIncBasePriorityPrivilege	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
Token: SeIncBasePriorityPrivilege	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
Token: SeIncBasePriorityPrivilege	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
Token: SeIncBasePriorityPrivilege	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
Token: SeIncBasePriorityPrivilege	5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
Token: SeIncBasePriorityPrivilege	3744	{9816F043-8442-4bca-A648-DB4404BE06EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 1308	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	93
PID 3076 wrote to memory of 1308	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	93
PID 3076 wrote to memory of 1308	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	93
PID 3076 wrote to memory of 2972	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	94
PID 3076 wrote to memory of 2972	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	94
PID 3076 wrote to memory of 2972	3076	2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe	94
PID 1308 wrote to memory of 3744	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	100
PID 1308 wrote to memory of 3744	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	100
PID 1308 wrote to memory of 3744	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	100
PID 1308 wrote to memory of 3804	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	101
PID 1308 wrote to memory of 3804	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	101
PID 1308 wrote to memory of 3804	1308	{05B96B08-2731-4256-A167-6DA0B4200C98}.exe	101
PID 3744 wrote to memory of 1060	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	103
PID 3744 wrote to memory of 1060	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	103
PID 3744 wrote to memory of 1060	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	103
PID 3744 wrote to memory of 1560	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	104
PID 3744 wrote to memory of 1560	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	104
PID 3744 wrote to memory of 1560	3744	{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe	104
PID 1060 wrote to memory of 3080	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	106
PID 1060 wrote to memory of 3080	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	106
PID 1060 wrote to memory of 3080	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	106
PID 1060 wrote to memory of 3484	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	107
PID 1060 wrote to memory of 3484	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	107
PID 1060 wrote to memory of 3484	1060	{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe	107
PID 3080 wrote to memory of 2960	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	108
PID 3080 wrote to memory of 2960	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	108
PID 3080 wrote to memory of 2960	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	108
PID 3080 wrote to memory of 4132	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	109
PID 3080 wrote to memory of 4132	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	109
PID 3080 wrote to memory of 4132	3080	{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe	109
PID 2960 wrote to memory of 4416	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	110
PID 2960 wrote to memory of 4416	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	110
PID 2960 wrote to memory of 4416	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	110
PID 2960 wrote to memory of 3192	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	111
PID 2960 wrote to memory of 3192	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	111
PID 2960 wrote to memory of 3192	2960	{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe	111
PID 4416 wrote to memory of 3768	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	112
PID 4416 wrote to memory of 3768	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	112
PID 4416 wrote to memory of 3768	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	112
PID 4416 wrote to memory of 4832	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	113
PID 4416 wrote to memory of 4832	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	113
PID 4416 wrote to memory of 4832	4416	{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe	113
PID 3768 wrote to memory of 1316	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	114
PID 3768 wrote to memory of 1316	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	114
PID 3768 wrote to memory of 1316	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	114
PID 3768 wrote to memory of 4952	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	115
PID 3768 wrote to memory of 4952	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	115
PID 3768 wrote to memory of 4952	3768	{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe	115
PID 1316 wrote to memory of 3540	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	116
PID 1316 wrote to memory of 3540	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	116
PID 1316 wrote to memory of 3540	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	116
PID 1316 wrote to memory of 404	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	117
PID 1316 wrote to memory of 404	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	117
PID 1316 wrote to memory of 404	1316	{80428095-BB46-4aed-B3BA-3317CA18246C}.exe	117
PID 3540 wrote to memory of 5016	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	118
PID 3540 wrote to memory of 5016	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	118
PID 3540 wrote to memory of 5016	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	118
PID 3540 wrote to memory of 2340	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	119
PID 3540 wrote to memory of 2340	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	119
PID 3540 wrote to memory of 2340	3540	{0C45DFA6-68B7-431d-8564-75419626D46F}.exe	119
PID 5016 wrote to memory of 3744	5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe	120
PID 5016 wrote to memory of 3744	5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe	120
PID 5016 wrote to memory of 3744	5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe	120
PID 5016 wrote to memory of 1840	5016	{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_bcd2bc0ad24491c26c8abf59acf9c9a1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
  C:\Windows\{05B96B08-2731-4256-A167-6DA0B4200C98}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe
    C:\Windows\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
      C:\Windows\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
        
        C:\Windows\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
        
        C:\Windows\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
        
        C:\Windows\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
        
        C:\Windows\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
        
        C:\Windows\{80428095-BB46-4aed-B3BA-3317CA18246C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
        
        C:\Windows\{0C45DFA6-68B7-431d-8564-75419626D46F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
        
        C:\Windows\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
        
        C:\Windows\{9816F043-8442-4bca-A648-DB4404BE06EE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\{26527F4B-F748-4848-84FE-94A180CC52D3}.exe
        
        C:\Windows\{26527F4B-F748-4848-84FE-94A180CC52D3}.exe
        13⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9816F~1.EXE > nul
        13⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7121~1.EXE > nul
        12⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C45D~1.EXE > nul
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80428~1.EXE > nul
        10⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB4E3~1.EXE > nul
        9⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8676F~1.EXE > nul
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1A13~1.EXE > nul
        7⤵
        
        PID:3192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1F9~1.EXE > nul
        6⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C66F8~1.EXE > nul
        5⤵
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3ED56~1.EXE > nul
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05B96~1.EXE > nul
    3⤵
    PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B96B08-2731-4256-A167-6DA0B4200C98}.exe

Filesize
380KB

MD5
db80a05cefc95bb5d1e2b9fcb2179f1a

SHA1
8a5c38ea744d384e88a1cf3e846075edd4ca6b85

SHA256
f0f5b4cb4f4758b64d69e0561672d3050b0ad55a386e2e00c181d1780e0e9159

SHA512
2427a61847486bfeb604e87beab17358001ef54529979d6fc287c67e06e7a12755944e213714bdf81203a1847e477f0ad068e73ad781f326decdf93e4e065f20

Download Submit
C:\Windows\{0C45DFA6-68B7-431d-8564-75419626D46F}.exe

Filesize
380KB

MD5
d6cec515201e8add5674899b7a372cf6

SHA1
e33039952c19e1a094a607c606b399d33f7ce98d

SHA256
d1f162e5d3a418ba468e3b805556454f27ec14da486dcbab53600c4b129a250b

SHA512
7a0ff2e9f6b371286f5856c81bfdc2f7dc4c455078c063ae18aa8a1dbb720b7a589000d67abb320168c56b49e7b85aaf14b0de88a5973fca0ec8327758b6cce1

Download Submit
C:\Windows\{26527F4B-F748-4848-84FE-94A180CC52D3}.exe

Filesize
380KB

MD5
364841edb323ac43e86c3cc358c2701e

SHA1
6ceea93e5e3f04111deb40167e8d4a8671e5726b

SHA256
fe5697c7e24e0f71f6a59dcd82be3d459492b619ec6ba94fa721418f61cbbd03

SHA512
8751df507ce238558cca4d7bed965dbbc606133960c164662c844dcd9840aae4f1a4104f9db14f0b671712b200f0414d8364094c9fde6367813ca8383d811ba2

Download Submit
C:\Windows\{3ED56D33-C16C-4b7c-AAB5-61352B07FFD5}.exe

Filesize
380KB

MD5
226d90333b8712c9b382a6a1afc4bc10

SHA1
1bd1576cc3d54f8814897cd0bf43117b9156d0ff

SHA256
c65af42e8b50fc3eff557a4f77bf98db24b3e868dfd529e10cd619adbb4f40d7

SHA512
97dcb085bf181a0ac2b248366a7928db59ec4284e9e5478f0547ff4d968d0bf33d2f374ab40fac6e67e62799875cd2c30a08648d386dc2fb6790145f9b8215f2

Download Submit
C:\Windows\{5A1F97CD-635C-42fe-A807-6D7AA0D12326}.exe

Filesize
380KB

MD5
3ad976fd3b96b3b2adf3ffb84b8d91fb

SHA1
7565cb881e702827018d33a8ad50d79bd2671ec7

SHA256
cb9f567437c81aacced5ec697049e0c66afb13dc32b51960d9e4ee1122821e81

SHA512
6802ed1041bd7229efb55f4d6c41329340ead15ac27f06c94e9f42ed1443359595723cd36d723bfbd5b8e450a3d4b55d5e6dbfb1fda489a1a5f4948353586e63

Download Submit
C:\Windows\{80428095-BB46-4aed-B3BA-3317CA18246C}.exe

Filesize
380KB

MD5
a2780f535cd9a09946064144a574328a

SHA1
ecc383f4230f052e908dea910f9f67cba7ddb1c2

SHA256
d18947f4bfc879afc006a23615398e7ad368600213219e4ad0f8f82def81f3ef

SHA512
a33ba3113ce5912b1591c8d96136d21a83f4df249d5bb4a35d1ac0fd05ce552845dd05a0c007d7f1b1c3dc2b5a3fab1c97f98d1caecb2520b87bf899c2efe417

Download Submit
C:\Windows\{8676F386-FB18-4f86-BE84-1C3C5DC0D413}.exe

Filesize
380KB

MD5
0b9d562dd5dc65a9cd3cc7925624b9d0

SHA1
859f00be953006a9105d8905f1fe96ff20dafe43

SHA256
61ed9f1dcc69783e288a0d8f88c3cd7a648f8b264522c98c50a523a3f47baf4f

SHA512
081bc03e06c2a507edf3973ccb4d9ea25452addf4b6a00cd5cc1369fa18c0e9262348ee675c70d07ac4782ddc496867c47ead6dc71b7c3fc70b38d41b452e59a

Download Submit
C:\Windows\{9816F043-8442-4bca-A648-DB4404BE06EE}.exe

Filesize
380KB

MD5
d0635ecbfe376e1ffbb870038b09ff0f

SHA1
83889b45a47bb372b746ca62fc3496ebc07f893b

SHA256
9ec9d95a4a71b9db6e9b268e853d9d0cef776146fe34f023dc09090eb479c5c1

SHA512
51926a0006f35f08fcd559f91f6f209c2ef7336e4c97f43c2fd339fb98c1599be5d70b1117842eb8690b61eb87f45a26772214b23d5d9c913440a44c506841ed

Download Submit
C:\Windows\{B7121FF5-6A7D-42cf-9D4F-03F597015DEB}.exe

Filesize
380KB

MD5
d16d7597d1fc01ac7e8e0b0263e967f8

SHA1
065bd07881f59f6de3e8fed49bacc984d688e852

SHA256
f268ce868241e714a7d242655f4347378b7395fb34e8c53961c4930073a32457

SHA512
13d55f517a51e16acfbe5fbdab03fb14a45b1004099f864855caab667123d7c41a97db27cb46515a847db216c17c3b12b31f4e382ec82e4f9fd4e90a0f435c02

Download Submit
C:\Windows\{BB4E31DF-5A12-43c4-B882-B1A1F36EE8A6}.exe

Filesize
380KB

MD5
4ba8fa1d7dcd8726e103037ffb747963

SHA1
082c2001268a6416e57089d016f1c428a2efd90f

SHA256
325e5d8b1a621b7eeaea0cc80323bc9b76888ec25b9355195723967a3862bc2d

SHA512
0c1b244afff280ac750ce8a6c1dee900143c1bb1daff66221c225436ca20f9612fb40849085c0bd825d08321c1e7f98e1c8bebaaf896a0fa7af8519abdae8137

Download Submit
C:\Windows\{C66F847B-99D3-43b3-812B-5DB09F9E22C5}.exe

Filesize
380KB

MD5
50b2335a0538d411b62d3c293d3f2013

SHA1
3e218432f7cf4a9dd5f3ae090697a7176b1b240c

SHA256
e6070fa36969d52174125995063df1930d7a8d02b0515ef361fdc0befda68819

SHA512
2200c6c027ed1d2f84350d4039eb00abf817d36287cba73da9decf9a98a339bb5c6d1d6c14f3844c1ce08eee81224e6df6cabbb1631f7a110aa215810a3953a1

Download Submit
C:\Windows\{D1A13727-56A2-432b-BBB4-C1F9FCF91B88}.exe

Filesize
380KB

MD5
4840f85d0fd8a614b78cff2dbd3121bc

SHA1
9b68e6843571e7d186b370e1f98f43f102672eb5

SHA256
d4f1604206bf5aa5febead1053d7905fcc0ef786178a4e3348a478deb29bba82

SHA512
a702d0265104d4e0f21d871ca9d20548247a4936d8954a5300541f5271c7237be13fcb0104a4b4971fd27e962c0df53ff2a29caf557738e5e68f1725258b41fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads