9aac134dd9dd5d970b7918e780af7c021244224e9bdada17015443e899e9c71b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Size

372KB
MD5

b0006072baa8c8c4fe691641a9a86307
SHA1

23b80079b12a57b323945ccf912f294765bc31b3
SHA256

9aac134dd9dd5d970b7918e780af7c021244224e9bdada17015443e899e9c71b
SHA512

c06be15224fb413c0b969c60bb8829a128472b187df0f82c36f422b9a7e3ff599c711f1e6f9abf376943dea8bf4a34f5c2f60df298324dbba1511a6f038de738
SSDEEP

3072:CEGh0oolMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGqlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002328b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023295-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002329b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002329b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000733-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3884178-C3FD-420b-9374-719269AA04D9}	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}\stubpath = "C:\\Windows\\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe"	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}\stubpath = "C:\\Windows\\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe"	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{971D988C-2783-439d-B32E-1CC9666C531B}	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2771D77F-657A-471a-8E0F-32D3115A3B63}	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}\stubpath = "C:\\Windows\\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe"	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}\stubpath = "C:\\Windows\\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe"	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}\stubpath = "C:\\Windows\\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe"	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD79C934-7A67-4441-814A-3757027D2A3D}\stubpath = "C:\\Windows\\{DD79C934-7A67-4441-814A-3757027D2A3D}.exe"	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}	{C3884178-C3FD-420b-9374-719269AA04D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}\stubpath = "C:\\Windows\\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe"	{C3884178-C3FD-420b-9374-719269AA04D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD79C934-7A67-4441-814A-3757027D2A3D}	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}\stubpath = "C:\\Windows\\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe"	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{971D988C-2783-439d-B32E-1CC9666C531B}\stubpath = "C:\\Windows\\{971D988C-2783-439d-B32E-1CC9666C531B}.exe"	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6447A966-A20F-44c4-ACF3-9E54093CFE80}	{971D988C-2783-439d-B32E-1CC9666C531B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6447A966-A20F-44c4-ACF3-9E54093CFE80}\stubpath = "C:\\Windows\\{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe"	{971D988C-2783-439d-B32E-1CC9666C531B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2771D77F-657A-471a-8E0F-32D3115A3B63}\stubpath = "C:\\Windows\\{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe"	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3884178-C3FD-420b-9374-719269AA04D9}\stubpath = "C:\\Windows\\{C3884178-C3FD-420b-9374-719269AA04D9}.exe"	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe
3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
64	{C3884178-C3FD-420b-9374-719269AA04D9}.exe
3744	{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
File created	C:\Windows\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
File created	C:\Windows\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
File created	C:\Windows\{DD79C934-7A67-4441-814A-3757027D2A3D}.exe	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
File created	C:\Windows\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
File created	C:\Windows\{971D988C-2783-439d-B32E-1CC9666C531B}.exe	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
File created	C:\Windows\{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	{971D988C-2783-439d-B32E-1CC9666C531B}.exe
File created	C:\Windows\{C3884178-C3FD-420b-9374-719269AA04D9}.exe	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
File created	C:\Windows\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe	{C3884178-C3FD-420b-9374-719269AA04D9}.exe
File created	C:\Windows\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
File created	C:\Windows\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
File created	C:\Windows\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
Token: SeIncBasePriorityPrivilege	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
Token: SeIncBasePriorityPrivilege	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
Token: SeIncBasePriorityPrivilege	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
Token: SeIncBasePriorityPrivilege	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe
Token: SeIncBasePriorityPrivilege	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
Token: SeIncBasePriorityPrivilege	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
Token: SeIncBasePriorityPrivilege	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
Token: SeIncBasePriorityPrivilege	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
Token: SeIncBasePriorityPrivilege	908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
Token: SeIncBasePriorityPrivilege	64	{C3884178-C3FD-420b-9374-719269AA04D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4276	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	95
PID 4888 wrote to memory of 4276	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	95
PID 4888 wrote to memory of 4276	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	95
PID 4888 wrote to memory of 4992	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	96
PID 4888 wrote to memory of 4992	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	96
PID 4888 wrote to memory of 4992	4888	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	96
PID 4276 wrote to memory of 3972	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	100
PID 4276 wrote to memory of 3972	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	100
PID 4276 wrote to memory of 3972	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	100
PID 4276 wrote to memory of 3872	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	101
PID 4276 wrote to memory of 3872	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	101
PID 4276 wrote to memory of 3872	4276	{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe	101
PID 3972 wrote to memory of 3320	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	103
PID 3972 wrote to memory of 3320	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	103
PID 3972 wrote to memory of 3320	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	103
PID 3972 wrote to memory of 2412	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	104
PID 3972 wrote to memory of 2412	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	104
PID 3972 wrote to memory of 2412	3972	{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe	104
PID 3320 wrote to memory of 4420	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	106
PID 3320 wrote to memory of 4420	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	106
PID 3320 wrote to memory of 4420	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	106
PID 3320 wrote to memory of 1160	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	107
PID 3320 wrote to memory of 1160	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	107
PID 3320 wrote to memory of 1160	3320	{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe	107
PID 4420 wrote to memory of 4836	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	108
PID 4420 wrote to memory of 4836	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	108
PID 4420 wrote to memory of 4836	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	108
PID 4420 wrote to memory of 4336	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	109
PID 4420 wrote to memory of 4336	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	109
PID 4420 wrote to memory of 4336	4420	{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe	109
PID 4836 wrote to memory of 3956	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	110
PID 4836 wrote to memory of 3956	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	110
PID 4836 wrote to memory of 3956	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	110
PID 4836 wrote to memory of 536	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	111
PID 4836 wrote to memory of 536	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	111
PID 4836 wrote to memory of 536	4836	{971D988C-2783-439d-B32E-1CC9666C531B}.exe	111
PID 3956 wrote to memory of 4436	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	112
PID 3956 wrote to memory of 4436	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	112
PID 3956 wrote to memory of 4436	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	112
PID 3956 wrote to memory of 4652	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	113
PID 3956 wrote to memory of 4652	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	113
PID 3956 wrote to memory of 4652	3956	{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe	113
PID 4436 wrote to memory of 4908	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	114
PID 4436 wrote to memory of 4908	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	114
PID 4436 wrote to memory of 4908	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	114
PID 4436 wrote to memory of 3840	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	115
PID 4436 wrote to memory of 3840	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	115
PID 4436 wrote to memory of 3840	4436	{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe	115
PID 4908 wrote to memory of 4216	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	116
PID 4908 wrote to memory of 4216	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	116
PID 4908 wrote to memory of 4216	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	116
PID 4908 wrote to memory of 2836	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	117
PID 4908 wrote to memory of 2836	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	117
PID 4908 wrote to memory of 2836	4908	{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe	117
PID 4216 wrote to memory of 908	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	118
PID 4216 wrote to memory of 908	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	118
PID 4216 wrote to memory of 908	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	118
PID 4216 wrote to memory of 1000	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	119
PID 4216 wrote to memory of 1000	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	119
PID 4216 wrote to memory of 1000	4216	{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe	119
PID 908 wrote to memory of 64	908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe	120
PID 908 wrote to memory of 64	908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe	120
PID 908 wrote to memory of 64	908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe	120
PID 908 wrote to memory of 3656	908	{DD79C934-7A67-4441-814A-3757027D2A3D}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
  C:\Windows\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
    C:\Windows\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
      C:\Windows\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
        
        C:\Windows\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\{971D988C-2783-439d-B32E-1CC9666C531B}.exe
        
        C:\Windows\{971D988C-2783-439d-B32E-1CC9666C531B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
        
        C:\Windows\{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
        
        C:\Windows\{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
        
        C:\Windows\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
        
        C:\Windows\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
        
        C:\Windows\{DD79C934-7A67-4441-814A-3757027D2A3D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{C3884178-C3FD-420b-9374-719269AA04D9}.exe
        
        C:\Windows\{C3884178-C3FD-420b-9374-719269AA04D9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe
        
        C:\Windows\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe
        13⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3884~1.EXE > nul
        13⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD79C~1.EXE > nul
        12⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D6B3~1.EXE > nul
        11⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C535A~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2771D~1.EXE > nul
        9⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6447A~1.EXE > nul
        8⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{971D9~1.EXE > nul
        7⤵
        
        PID:536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3469~1.EXE > nul
        6⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE9B~1.EXE > nul
        5⤵
        
        PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CAFD~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84ED0~1.EXE > nul
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CAFDB3B-3BEE-49ee-85E4-F7CCEA249D59}.exe

Filesize
372KB

MD5
fc6b8bac495d86fa2e32e105feb4481f

SHA1
70e0044428644a93cc9b8e86d7c553aca69606bc

SHA256
cb1613ce2fbc5a7e296c30838db28f98ec6f53bb623d92ae675ee2755eaac1c4

SHA512
2cc16d26df961ba7463fa9ebb8c9b44145ad4c3c38c2d009cf5d12ced35a6458e730b21f4e1179a991f28757d4a84780eb6ccdfb341f3c0088717ae51e1b4f23

Download Submit
C:\Windows\{2771D77F-657A-471a-8E0F-32D3115A3B63}.exe

Filesize
372KB

MD5
efdffbf8f3678b909f9d088072369a62

SHA1
32e4d6010145666af3c9a83dff3b34a21b0684a8

SHA256
4ece3debe16d9c2b9f3a6216ff2b894c42ceb53304b2ce4d17186aa5f87e24de

SHA512
cc68ec97a7afc86484692db0d0365560cb112bb57e94f7016c5ea4c16c27ebf4a42b052abd7be7fcaa3a515581b48d72caaea81cfeec4e9c2516b2c4fac0e61f

Download Submit
C:\Windows\{3D6B329A-7AB8-4480-803B-4EB8894E97A9}.exe

Filesize
372KB

MD5
241b3b38b3389fd288281091b7ccf9de

SHA1
9d86bde863e807279a1e4ee645a8b9ee32c7c84d

SHA256
fc1a499bd81e24d7c5289ad8ac37066f21b6fcf411c9c43ee0aefa5a44cde413

SHA512
3a7d569c48568ed0a58883cfde72b681975e91e7362d90f35d655b78b467a1c1f92d83d86099b8857129ceaab523599dde079db4610c2ec6dfc2916e54276a41

Download Submit
C:\Windows\{6447A966-A20F-44c4-ACF3-9E54093CFE80}.exe

Filesize
372KB

MD5
d4ead6e6bfa3a80d1c2a0c725f5c3b87

SHA1
da259e48d6dc0fe7603b4ac1582f5d0aad59562d

SHA256
3feb43ece92b1f11b144c9778af6c7787be5cdb43ccf1535b319ef5a2707227c

SHA512
f0f56a609c44a7cb65c578cc62bb37c8a46c71f1780869d5106ff9604146436a607ff97cc867c68af6c9ac77cf35b8a3d5abe5b88b62e25775deb7d199c7e01f

Download Submit
C:\Windows\{6CE9B043-F826-4e17-BF2D-635C776F0FDC}.exe

Filesize
372KB

MD5
653cc4bab7a77ec8129dfd88bf0eaf56

SHA1
72416ac124b128d9eaba53d73341fc26f374b26a

SHA256
68487af8548cec8002cee3ac49f3e2adf5e9d955c856bae29106e6e59d37a3de

SHA512
d827a5fa9877232ef374582848c5bf72f1bac15e9dee51ebf86d724b8cafc84c9c703e4eb61389c280e399f7a1b7c8c1abe55550feae45f457fe27ec3ab6e592

Download Submit
C:\Windows\{84ED062E-ACDF-4dd6-84D2-F251E8A0FB71}.exe

Filesize
372KB

MD5
9bf2c3f30345b84162e89ca8e8cb14c4

SHA1
92683e9fb4b0ef2910cfa2d9e1f9759d48769cf8

SHA256
8a7c0fca50589b8b55b9c1dfedcffd88a7bc2c288dabcd524e3d4e66ae0bdeb7

SHA512
18bd3b6febaf0054f0c97413d7edeed7898ffc4e0f85fb54f0a048b92eafb86bc45be5aaf8907a59f7887f98f513e0ec9949dabe45779b5520b12a2ea525a846

Download Submit
C:\Windows\{971D988C-2783-439d-B32E-1CC9666C531B}.exe

Filesize
372KB

MD5
6af9c5d90b375cfa58678e4a4f2948e2

SHA1
887da005940fa3387ffe72bb272e342d2a137dce

SHA256
b1964960b855076807402e13ac269dc82ad0b606a9c7041394bd83af51846af2

SHA512
6ed84996050a56dd0b24c15bc0d57fc59f062e6f7393adae55d7984b6fe7ed78b2cef2b9455d686f559bc7196ef8fc4dbc96f3302b7b81695b43036dabc6ba9c

Download Submit
C:\Windows\{C3884178-C3FD-420b-9374-719269AA04D9}.exe

Filesize
372KB

MD5
a3b2edce78233d124b367b253b802509

SHA1
da0d7825808ce5e0a50fbec4c61e88d1bfa6e029

SHA256
8a625588c0b0b062d3faf3f546b988844daae4e63ea4328cd31b402b7dff6ac3

SHA512
5150d36ba8862bfd8864746377f5bc06d3e6eaf5bb46aafe585b4f7d61067adff2a303024f21e698e3047055b606accfb4954c3d249c9590b1eed0fe70fb8909

Download Submit
C:\Windows\{C535A0FC-EB28-41de-8938-E9CC0CC230FA}.exe

Filesize
372KB

MD5
03552c50459f077fc043f8af4f382169

SHA1
48d039c808253ae83d07171e3caefeb6add9f976

SHA256
7ddc2beacaedf9883f39c1d940a6a0d37fa4d83106cd721ebaaee4dc26b83254

SHA512
dd53ea6edd8835f5adfda999befed85ff1115007b492ba5eb7070196e88eb3c936633371c1372c45f928bc3bcd7e78d8a860454d9bdd6cd3518d76ad88789f3c

Download Submit
C:\Windows\{DD79C934-7A67-4441-814A-3757027D2A3D}.exe

Filesize
372KB

MD5
b13dbf00f466a4165b3bfe987caf3ca2

SHA1
2ca792c4de5ddfd89cf4dc0e65f760642fb9bee2

SHA256
7550bdcf3bc764ae2fe79e32ec20f5695b33e841c022c60245380ad41c51392a

SHA512
727b64fd167aea59667135b0d0136dd476d446445de01c03fface3379f17f6e32e25d98a016820ce886de410dd5d43e328f4ece2f35375ea66797b5e344e5299

Download Submit
C:\Windows\{E3469CFE-FFDA-4482-B4EC-FE0FBCD7E41F}.exe

Filesize
372KB

MD5
62910a5d7a8ccfad98aa84035db0730d

SHA1
1bf9edf391183287570367119ddbdb0761b93722

SHA256
ff10c79e102659f25e23f75aa353e36bc1e6cbcd4606d48853c3e2640d54a607

SHA512
ca658655f8bf0c4e4b342ce3368cbf5353db660f4b7fc40cdd9b04ba145fee96aa7e5b0402e2bfa8654a1c9d5f28be96c8ccd9e93d8d47708e1f5fe78c942b83

Download Submit
C:\Windows\{EF3842F2-D4D5-47bd-89D4-26AADC601DC6}.exe

Filesize
372KB

MD5
719b73fb56117cc2d84f57e8d6209166

SHA1
5b9fb414644141cb412ac1324741afa0ce2123af

SHA256
5be8ecc30b1579ad62909174d2c504c08fef93d0e1bae0340de3652f5111916b

SHA512
330a8520bc2f2f35e87e1f098f279b67fe50a1fcad056b057f9939775a7788c9243b39e1e52c7c7800eb9ecf543ba52ac537710ae35f20f599b70a8b46e3216d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads