49fac542510ca9786014f13c0f7a11ca9e295902cdcadeeef4941460b9e81f35

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Size

380KB
MD5

07f5b0e454e04d3818d62a1c20854ebf
SHA1

fbde11c70e7d670e1fecc8eefd1aeae97cdb0fb2
SHA256

49fac542510ca9786014f13c0f7a11ca9e295902cdcadeeef4941460b9e81f35
SHA512

5b01e369f92225dc85b470e28728cc0e152316d1ec61cec3b9da64d42bdc4b307e4bc8b761e01280547ac76ec52d08580a03f4ac23cae17502a5a3f5f491fc20
SSDEEP

3072:mEGh0oRZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGNl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023282-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002327c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023282-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e3d2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006e3-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B7968F-689C-4adc-9F3C-E784E3E34502}\stubpath = "C:\\Windows\\{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe"	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{663503CE-D823-44df-8DFB-1F4F888F2129}	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC225078-5F36-4a70-B0EE-4095718DC1FD}	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1E4715-7037-429b-83E1-24E3F1122901}	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}\stubpath = "C:\\Windows\\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe"	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}\stubpath = "C:\\Windows\\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe"	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}\stubpath = "C:\\Windows\\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe"	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA1E4715-7037-429b-83E1-24E3F1122901}\stubpath = "C:\\Windows\\{CA1E4715-7037-429b-83E1-24E3F1122901}.exe"	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}\stubpath = "C:\\Windows\\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe"	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B564D97D-C145-495b-A8C4-707452D9CF0A}\stubpath = "C:\\Windows\\{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe"	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92B7968F-689C-4adc-9F3C-E784E3E34502}	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{663503CE-D823-44df-8DFB-1F4F888F2129}\stubpath = "C:\\Windows\\{663503CE-D823-44df-8DFB-1F4F888F2129}.exe"	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC225078-5F36-4a70-B0EE-4095718DC1FD}\stubpath = "C:\\Windows\\{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe"	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5712EC2E-372A-4a18-9B6F-7FA560C43300}	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256E30EF-4328-4c95-A3CD-FE4FAC852948}	{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{256E30EF-4328-4c95-A3CD-FE4FAC852948}\stubpath = "C:\\Windows\\{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe"	{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5712EC2E-372A-4a18-9B6F-7FA560C43300}\stubpath = "C:\\Windows\\{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe"	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B564D97D-C145-495b-A8C4-707452D9CF0A}	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}\stubpath = "C:\\Windows\\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe"	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
2120	{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
1520	{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
File created	C:\Windows\{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
File created	C:\Windows\{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe	{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
File created	C:\Windows\{CA1E4715-7037-429b-83E1-24E3F1122901}.exe	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
File created	C:\Windows\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
File created	C:\Windows\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
File created	C:\Windows\{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
File created	C:\Windows\{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
File created	C:\Windows\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
File created	C:\Windows\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
File created	C:\Windows\{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
File created	C:\Windows\{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
Token: SeIncBasePriorityPrivilege	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
Token: SeIncBasePriorityPrivilege	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
Token: SeIncBasePriorityPrivilege	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
Token: SeIncBasePriorityPrivilege	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
Token: SeIncBasePriorityPrivilege	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
Token: SeIncBasePriorityPrivilege	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
Token: SeIncBasePriorityPrivilege	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
Token: SeIncBasePriorityPrivilege	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
Token: SeIncBasePriorityPrivilege	320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
Token: SeIncBasePriorityPrivilege	2120	{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1568	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	91
PID 1496 wrote to memory of 1568	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	91
PID 1496 wrote to memory of 1568	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	91
PID 1496 wrote to memory of 2000	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	92
PID 1496 wrote to memory of 2000	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	92
PID 1496 wrote to memory of 2000	1496	2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe	92
PID 1568 wrote to memory of 1924	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	98
PID 1568 wrote to memory of 1924	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	98
PID 1568 wrote to memory of 1924	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	98
PID 1568 wrote to memory of 4400	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	99
PID 1568 wrote to memory of 4400	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	99
PID 1568 wrote to memory of 4400	1568	{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe	99
PID 1924 wrote to memory of 2268	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	101
PID 1924 wrote to memory of 2268	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	101
PID 1924 wrote to memory of 2268	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	101
PID 1924 wrote to memory of 2456	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	102
PID 1924 wrote to memory of 2456	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	102
PID 1924 wrote to memory of 2456	1924	{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe	102
PID 2268 wrote to memory of 4548	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	104
PID 2268 wrote to memory of 4548	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	104
PID 2268 wrote to memory of 4548	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	104
PID 2268 wrote to memory of 4308	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	105
PID 2268 wrote to memory of 4308	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	105
PID 2268 wrote to memory of 4308	2268	{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe	105
PID 4548 wrote to memory of 3464	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	106
PID 4548 wrote to memory of 3464	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	106
PID 4548 wrote to memory of 3464	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	106
PID 4548 wrote to memory of 912	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	107
PID 4548 wrote to memory of 912	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	107
PID 4548 wrote to memory of 912	4548	{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe	107
PID 3464 wrote to memory of 4392	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	108
PID 3464 wrote to memory of 4392	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	108
PID 3464 wrote to memory of 4392	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	108
PID 3464 wrote to memory of 1832	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	109
PID 3464 wrote to memory of 1832	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	109
PID 3464 wrote to memory of 1832	3464	{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe	109
PID 4392 wrote to memory of 4208	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	110
PID 4392 wrote to memory of 4208	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	110
PID 4392 wrote to memory of 4208	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	110
PID 4392 wrote to memory of 324	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	111
PID 4392 wrote to memory of 324	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	111
PID 4392 wrote to memory of 324	4392	{663503CE-D823-44df-8DFB-1F4F888F2129}.exe	111
PID 4208 wrote to memory of 4964	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	112
PID 4208 wrote to memory of 4964	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	112
PID 4208 wrote to memory of 4964	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	112
PID 4208 wrote to memory of 4348	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	113
PID 4208 wrote to memory of 4348	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	113
PID 4208 wrote to memory of 4348	4208	{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe	113
PID 4964 wrote to memory of 1620	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	114
PID 4964 wrote to memory of 1620	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	114
PID 4964 wrote to memory of 1620	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	114
PID 4964 wrote to memory of 1840	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	115
PID 4964 wrote to memory of 1840	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	115
PID 4964 wrote to memory of 1840	4964	{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe	115
PID 1620 wrote to memory of 320	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	116
PID 1620 wrote to memory of 320	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	116
PID 1620 wrote to memory of 320	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	116
PID 1620 wrote to memory of 720	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	117
PID 1620 wrote to memory of 720	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	117
PID 1620 wrote to memory of 720	1620	{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe	117
PID 320 wrote to memory of 2120	320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe	118
PID 320 wrote to memory of 2120	320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe	118
PID 320 wrote to memory of 2120	320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe	118
PID 320 wrote to memory of 3256	320	{CA1E4715-7037-429b-83E1-24E3F1122901}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_07f5b0e454e04d3818d62a1c20854ebf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
  C:\Windows\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
    C:\Windows\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
      C:\Windows\{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
        
        C:\Windows\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
        
        C:\Windows\{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
        
        C:\Windows\{663503CE-D823-44df-8DFB-1F4F888F2129}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
        
        C:\Windows\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
        
        C:\Windows\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
        
        C:\Windows\{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
        
        C:\Windows\{CA1E4715-7037-429b-83E1-24E3F1122901}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
        
        C:\Windows\{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe
        
        C:\Windows\{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe
        13⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5712E~1.EXE > nul
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA1E4~1.EXE > nul
        12⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC225~1.EXE > nul
        11⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADF99~1.EXE > nul
        10⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D9C~1.EXE > nul
        9⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66350~1.EXE > nul
        8⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B79~1.EXE > nul
        7⤵
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06596~1.EXE > nul
        6⤵
        
        PID:912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B564D~1.EXE > nul
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{091D6~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83E4F~1.EXE > nul
    3⤵
    PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{065960FF-6607-4bb6-B5EB-4A2E99AB918E}.exe

Filesize
380KB

MD5
8fd8bfac18743cc1e5a1a7a2ec0c9031

SHA1
dd526ff9fe282fb71d00f0d364ef4f1c834f1081

SHA256
2e72cb7eb1448cb606496e7000ea525802f2d2a737e01aed0cb4adcda0abc742

SHA512
2455ad3061ed31e5c4a387b6be70c5a5b8b905acbaa7dd9c95155a88125f3fcbd0152c286810fb5bfbb8c614c1fdc06abb1ac44291cc34b363ef2a8f3adb4755

Download Submit
C:\Windows\{091D6FC6-016F-4880-AC13-7FBFE045EDC2}.exe

Filesize
380KB

MD5
bda085d47f4ba4b4291f96669146d95a

SHA1
80e8c1fccba6c5c7cfbbb2554f0a9a712464a4a1

SHA256
84c362ac7e99d03024e2159a6e8c325aa489eb027afb8ad9f53c45957492c0e9

SHA512
eed36b39b09c51d3b48e1a564babed462cb403ed7ef57a1f651cc56a875a1f5fea56224968ae411347ff2c75d4e3815f45037164f35e5be19f1e8618da159b40

Download Submit
C:\Windows\{256E30EF-4328-4c95-A3CD-FE4FAC852948}.exe

Filesize
380KB

MD5
05141c7ed751c1c656d6c83ee46537de

SHA1
0d3b097704adb1123f2b2852ec896e150e0a3c57

SHA256
b6b45c967c396219bceffccc891aa539e4ffdfdaa066ab56110d3c0d0bb1be08

SHA512
2c14f1f6fac8be45f1e492fb67c0b5757469896ae5e0145c45db81a2a309d905797c477ff7b99daddd6348ebf65d8c3ba85ae3742d9d4b4c1cda9f0abbf70015

Download Submit
C:\Windows\{5712EC2E-372A-4a18-9B6F-7FA560C43300}.exe

Filesize
380KB

MD5
036ba5821005ac1fa2040396e3741982

SHA1
88d0f79f812d774385c4e24183c3ed22950af0c5

SHA256
0fb6e5e25de069399f919c1b148150c347c1f8314398d3d43113cfb255afa452

SHA512
97641ec17ad8029c1552e9ee5c2b215ae9a8262b1e8ea51ab96179ee24851aa889d85b5a9de78292f4f35c79714bd979fa814eb24add309434559f07e92990fe

Download Submit
C:\Windows\{663503CE-D823-44df-8DFB-1F4F888F2129}.exe

Filesize
380KB

MD5
0cd66c340ecb615a44144082988de53d

SHA1
3de6c2de482864078a45e8c08427dcb897a1d0a5

SHA256
dfed43176deec65bce731dec61d8f490fe08e30f35fb5e18697422904b28e6a4

SHA512
4f001a8215060b946ef6ce8c081508661e5cb01962d4992aabd540f9b35bc288c682eeec824a1ee36592cb0f4122892ff5a03a528c51008989f695b94c94e268

Download Submit
C:\Windows\{83E4FB88-9DE0-4043-AF2D-8C786D534CDD}.exe

Filesize
380KB

MD5
107e6a89aa92141e1d58cbdc6d18b724

SHA1
798a5c70215fc2781bfbb0fa333047d8a94d20f0

SHA256
d205f1b0f4fa5dbaafde6903c1cfd8bdac6bacd4ae5f6b5cf2624d7d18f7866d

SHA512
34a7794fe389297256a5b85f2e740044e5369199d40dba267bf49af77f00e288849026e12d49811275b0699e543c12a2d68edd72782af93f48d0d3628a7d0f8c

Download Submit
C:\Windows\{87D9C1CD-FC3D-427e-B5E0-1A4C55A2DECB}.exe

Filesize
380KB

MD5
771610dcebae1c64ba6d51b0526d50b5

SHA1
e7f29dbfd0d2d9916062fe44d5a6cc5a9d609f96

SHA256
93a36d3b27ea7beb0d151b1d9927ca474897c9acb963b089ce4a5eb4abeee3ca

SHA512
1f1d0cbe18bb1494f07d3447b54d2ae0d3e74e386e3799b7b30379d66c3e8da64ae99b06ed94f013b331ba71c231e53ec235a1bf65d0453dbc47f461abc720a0

Download Submit
C:\Windows\{92B7968F-689C-4adc-9F3C-E784E3E34502}.exe

Filesize
380KB

MD5
183a4d747c2e06b1ac2cfc22929aab71

SHA1
1bef65b43204ab7aa3e93115fc7f71b213c292df

SHA256
7bd4daac961db86cda80f1aef9e6dfc6beca803f8b68c3334cf57e745b5be994

SHA512
7d82b697419b37aa45d23dfd631f3ea55d93cc3733adb15ca80f1e1074f1706edad482899786db2eec602850973ffe952d24412f8232b4e344f85f464129b219

Download Submit
C:\Windows\{ADF99D7E-72AD-4a0c-81E0-597E38E423FB}.exe

Filesize
380KB

MD5
98f67694d6814762aad3e377e6bfa6db

SHA1
14007ea7425cb32e214b441cac1c80bcf689759f

SHA256
2e8709ced5d2e9b309e6135ccba250e35f37307ccd32d40bc34f8e7c310de03a

SHA512
5101737dce139913379ea3f1bd008f942c3bfa8f54fda0a9bc32bdfc6c7061945c95de700ca1e5c16681842ade43abc737c6c43bd31931e775a42020621f73da

Download Submit
C:\Windows\{B564D97D-C145-495b-A8C4-707452D9CF0A}.exe

Filesize
380KB

MD5
e9bacc73b8df84a321937ea8d388dd1a

SHA1
106174f2b22e3b461e00b69e8188d08bad42520f

SHA256
13c65c7e17360517820aa4095021e376d93e76efdcfed93001487b88032d532b

SHA512
5ef19ad59e8cc8ae550c9508c490f3949df57b84c940811c0254512ffaa06d0f9217d56ced85b882159865cb337f51e2fdbea15b9527cda0bfdee2b772df57ff

Download Submit
C:\Windows\{BC225078-5F36-4a70-B0EE-4095718DC1FD}.exe

Filesize
380KB

MD5
f7589ff6ede8348d92adf86fe00323a4

SHA1
4e64e92651c52b01b1d6dcb459011327d382bba9

SHA256
e35ddeb0cc0f7319f87dce12c145fe4532690e00c4cfec10ef40413099c83b5f

SHA512
77e54db7258074a939565ea86c3e5ccfdf6a44cfa62e94886111dfbc2574d2f2d494a6b5c36a31877d12dc2823f9c9a45e3fe29435b88cfdaa5ddec72ec19e36

Download Submit
C:\Windows\{CA1E4715-7037-429b-83E1-24E3F1122901}.exe

Filesize
380KB

MD5
b907279310b897844680518e01c0dc0f

SHA1
29ccece987a1a7ef721eaa47450436ca33e3ce6a

SHA256
a55779c5c50aabf7c8374493a3c12b0265ee6b1988f0dd7f09160c6eabe4a88c

SHA512
df796de3639a1e9b8388d8b169b60c270bc5ef8106458052e768150fa9edf8277bfd6f249239763076518407fc08c441f546a04fef87ad9b529699b3c68759e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads