98a61fca7bc1c06e9eb6e3c72997cad860bef7663578bd0cf18feb061b77fd93

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
Size

192KB
MD5

e2bde25590cb0cdf2fbcaf3ac8b9bca9
SHA1

33a89950aa1a7a1ccd67051a503fbf306d24b450
SHA256

98a61fca7bc1c06e9eb6e3c72997cad860bef7663578bd0cf18feb061b77fd93
SHA512

597e7a7009254b7e9c2af38cbbdd965e967316a6331ddc7504c9da30a031d3a4b7e6dffc7bdae08fc24369b488dd267130a3b7afc4995b1b9623385edf6534c9
SSDEEP

1536:1EGh0oKl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oKl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022a48-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000232ea-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002353a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002353e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023544-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002353e-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023544-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002353e-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023544-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000002f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000000074f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}\stubpath = "C:\\Windows\\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe"	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}\stubpath = "C:\\Windows\\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe"	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33644431-1E2A-44ae-80C1-9F603AE73747}\stubpath = "C:\\Windows\\{33644431-1E2A-44ae-80C1-9F603AE73747}.exe"	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}\stubpath = "C:\\Windows\\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe"	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EAD1486-7383-4a38-B747-FB4358AC6293}	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}\stubpath = "C:\\Windows\\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe"	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DE5422-21EB-4487-8265-F413B12B4384}	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}\stubpath = "C:\\Windows\\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe"	{43DE5422-21EB-4487-8265-F413B12B4384}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EAD1486-7383-4a38-B747-FB4358AC6293}\stubpath = "C:\\Windows\\{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe"	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A28322-0414-4e79-B52A-97E459B02018}\stubpath = "C:\\Windows\\{00A28322-0414-4e79-B52A-97E459B02018}.exe"	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}\stubpath = "C:\\Windows\\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe"	{00A28322-0414-4e79-B52A-97E459B02018}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3540644-9AD7-45ea-940D-AFB27CE58F87}	{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3540644-9AD7-45ea-940D-AFB27CE58F87}\stubpath = "C:\\Windows\\{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe"	{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A28322-0414-4e79-B52A-97E459B02018}	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}	{00A28322-0414-4e79-B52A-97E459B02018}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33644431-1E2A-44ae-80C1-9F603AE73747}	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}\stubpath = "C:\\Windows\\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe"	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DE5422-21EB-4487-8265-F413B12B4384}\stubpath = "C:\\Windows\\{43DE5422-21EB-4487-8265-F413B12B4384}.exe"	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}	{43DE5422-21EB-4487-8265-F413B12B4384}.exe

Executes dropped EXE 12 IoCs

pid	Process
732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe
4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe
3984	{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
2028	{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{00A28322-0414-4e79-B52A-97E459B02018}.exe	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
File created	C:\Windows\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe	{00A28322-0414-4e79-B52A-97E459B02018}.exe
File created	C:\Windows\{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe	{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
File created	C:\Windows\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
File created	C:\Windows\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
File created	C:\Windows\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
File created	C:\Windows\{43DE5422-21EB-4487-8265-F413B12B4384}.exe	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
File created	C:\Windows\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	{43DE5422-21EB-4487-8265-F413B12B4384}.exe
File created	C:\Windows\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
File created	C:\Windows\{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
File created	C:\Windows\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
File created	C:\Windows\{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
Token: SeIncBasePriorityPrivilege	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
Token: SeIncBasePriorityPrivilege	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
Token: SeIncBasePriorityPrivilege	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
Token: SeIncBasePriorityPrivilege	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
Token: SeIncBasePriorityPrivilege	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
Token: SeIncBasePriorityPrivilege	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
Token: SeIncBasePriorityPrivilege	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe
Token: SeIncBasePriorityPrivilege	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
Token: SeIncBasePriorityPrivilege	4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe
Token: SeIncBasePriorityPrivilege	3984	{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 732	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	95
PID 4924 wrote to memory of 732	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	95
PID 4924 wrote to memory of 732	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	95
PID 4924 wrote to memory of 2956	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	96
PID 4924 wrote to memory of 2956	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	96
PID 4924 wrote to memory of 2956	4924	2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe	96
PID 732 wrote to memory of 4028	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	97
PID 732 wrote to memory of 4028	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	97
PID 732 wrote to memory of 4028	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	97
PID 732 wrote to memory of 4428	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	98
PID 732 wrote to memory of 4428	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	98
PID 732 wrote to memory of 4428	732	{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe	98
PID 4028 wrote to memory of 1444	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	101
PID 4028 wrote to memory of 1444	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	101
PID 4028 wrote to memory of 1444	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	101
PID 4028 wrote to memory of 3604	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	102
PID 4028 wrote to memory of 3604	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	102
PID 4028 wrote to memory of 3604	4028	{33644431-1E2A-44ae-80C1-9F603AE73747}.exe	102
PID 1444 wrote to memory of 4476	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	107
PID 1444 wrote to memory of 4476	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	107
PID 1444 wrote to memory of 4476	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	107
PID 1444 wrote to memory of 3540	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	108
PID 1444 wrote to memory of 3540	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	108
PID 1444 wrote to memory of 3540	1444	{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe	108
PID 4476 wrote to memory of 4468	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	110
PID 4476 wrote to memory of 4468	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	110
PID 4476 wrote to memory of 4468	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	110
PID 4476 wrote to memory of 1604	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	111
PID 4476 wrote to memory of 1604	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	111
PID 4476 wrote to memory of 1604	4476	{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe	111
PID 4468 wrote to memory of 5008	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	112
PID 4468 wrote to memory of 5008	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	112
PID 4468 wrote to memory of 5008	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	112
PID 4468 wrote to memory of 728	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	113
PID 4468 wrote to memory of 728	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	113
PID 4468 wrote to memory of 728	4468	{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe	113
PID 5008 wrote to memory of 3912	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	114
PID 5008 wrote to memory of 3912	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	114
PID 5008 wrote to memory of 3912	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	114
PID 5008 wrote to memory of 3536	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	115
PID 5008 wrote to memory of 3536	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	115
PID 5008 wrote to memory of 3536	5008	{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe	115
PID 3912 wrote to memory of 3128	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	116
PID 3912 wrote to memory of 3128	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	116
PID 3912 wrote to memory of 3128	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	116
PID 3912 wrote to memory of 1776	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	117
PID 3912 wrote to memory of 1776	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	117
PID 3912 wrote to memory of 1776	3912	{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe	117
PID 3128 wrote to memory of 4244	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	118
PID 3128 wrote to memory of 4244	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	118
PID 3128 wrote to memory of 4244	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	118
PID 3128 wrote to memory of 4088	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	119
PID 3128 wrote to memory of 4088	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	119
PID 3128 wrote to memory of 4088	3128	{43DE5422-21EB-4487-8265-F413B12B4384}.exe	119
PID 4244 wrote to memory of 4340	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	120
PID 4244 wrote to memory of 4340	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	120
PID 4244 wrote to memory of 4340	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	120
PID 4244 wrote to memory of 4656	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	121
PID 4244 wrote to memory of 4656	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	121
PID 4244 wrote to memory of 4656	4244	{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe	121
PID 4340 wrote to memory of 3984	4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe	122
PID 4340 wrote to memory of 3984	4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe	122
PID 4340 wrote to memory of 3984	4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe	122
PID 4340 wrote to memory of 2372	4340	{00A28322-0414-4e79-B52A-97E459B02018}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_e2bde25590cb0cdf2fbcaf3ac8b9bca9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
  C:\Windows\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
    C:\Windows\{33644431-1E2A-44ae-80C1-9F603AE73747}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
      C:\Windows\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
        
        C:\Windows\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
        
        C:\Windows\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
        
        C:\Windows\{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
        
        C:\Windows\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\{43DE5422-21EB-4487-8265-F413B12B4384}.exe
        
        C:\Windows\{43DE5422-21EB-4487-8265-F413B12B4384}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
        
        C:\Windows\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\{00A28322-0414-4e79-B52A-97E459B02018}.exe
        
        C:\Windows\{00A28322-0414-4e79-B52A-97E459B02018}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
        
        C:\Windows\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe
        
        C:\Windows\{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe
        13⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF74~1.EXE > nul
        13⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00A28~1.EXE > nul
        12⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F905~1.EXE > nul
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43DE5~1.EXE > nul
        10⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C67~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EAD1~1.EXE > nul
        8⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B69F~1.EXE > nul
        7⤵
        
        PID:728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C56A~1.EXE > nul
        6⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69172~1.EXE > nul
        5⤵
        
        PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33644~1.EXE > nul
      4⤵
      PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{010AD~1.EXE > nul
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A28322-0414-4e79-B52A-97E459B02018}.exe

Filesize
192KB

MD5
ab85fa4bbb6cd3517d282a0ad811599a

SHA1
aa60942ea6942e1372dc5944900a5bcb47579d98

SHA256
6827d3bcfe1f766e19b0719eaa2ba6400c5889b47ec9f812cda8121e1436b2e8

SHA512
0deb897f27511c3346e306af7f9c2f8fe5d4ee0e8deb0a0638fa6db4d6e40c8e2fb90042b1eff91b8796b5246deba62d1f17c9c0128234d2a3b010f6e9c9ad93

Download Submit
C:\Windows\{010AD8C6-4E01-4114-BFCD-3A0B12E1B6C4}.exe

Filesize
192KB

MD5
b0d70ead85b96a9371f26cf4131ba2a1

SHA1
2e31efd87c118f77a324a625fe8ca0a105841072

SHA256
df9f8c54d29145b24926d372e9842a14b5b96bf14138e0c9296e735a1f09815a

SHA512
50ed7a9a09aedea7ef86f3d6c20602c1923723a3f3eff3080b4d6c6f3cb874f7e43a18049d9ccf04ced0638b42456000b41693ce62803abb64e6d35e083a385b

Download Submit
C:\Windows\{0EAD1486-7383-4a38-B747-FB4358AC6293}.exe

Filesize
192KB

MD5
6c708e6445d669e7797eb648485a2d39

SHA1
e1f1875c6909e24077c6e935931b1b2768cd2fe9

SHA256
68342aaf47a5762383b38c44eed177e0656fe08a8c51a05c82a619c6771c4fd5

SHA512
c2588bad74f12b2379daae29afba2f4d4b2b3798a7d316f12c6f7ad98de647eb2b51e59772b3da04579eb9eca3db3504fe168d9c812b828c70e69664ce088fce

Download Submit
C:\Windows\{33644431-1E2A-44ae-80C1-9F603AE73747}.exe

Filesize
192KB

MD5
542c058e6fdecd9582903ea988fc77fc

SHA1
188e6fefe1e0a6741babb438c118bcae53c6500a

SHA256
9cd8acb1295c87e10fcbb4708d41a44697e85c62b0cbeffc8494100d4e5b3c2a

SHA512
22577dd64e77902e210b9be64162225e018d836dc79aa17a5a2d819a210736c587723cb6b9001691dd823fe10a56f12e06824acc69c84a4191a26581509193e2

Download Submit
C:\Windows\{43DE5422-21EB-4487-8265-F413B12B4384}.exe

Filesize
192KB

MD5
1f76484fda3c9e02e20f97e18e9a380e

SHA1
c8c5d96ccb598ddaaddb914a9a9493368e21ec6f

SHA256
33963d13ad4302f1ebe6bad230460adb5457dc8612891f90c30cfcecdc7b35e7

SHA512
216e0fcf85b1963bbac9463989313b97738b26baefd57b7b3bd33ea4a0b9fc8d7a815ce5246eed442c11482c9eed01e5e8f110c838fb7940c15602a8176f41b2

Download Submit
C:\Windows\{4C56A6AA-FB85-4fa9-A683-F4B908E2E00A}.exe

Filesize
192KB

MD5
042ff108d93c690c909e34cd8b0597b3

SHA1
b17cbdb486ec5af270e93e0db6bd23d535595788

SHA256
8f0810349e30a6e5e8e9807ee202b59f938b2a39f8c632ed0f092d50c56f041a

SHA512
36ca2e3426bdccf6f1044fef83b6c761641a3fb5ad0e30f9f4609a9e09d76ddb79058fe70320d1386928dcc30a0c0828c1d7add4b80237e2ea9d5a35e1d6c705

Download Submit
C:\Windows\{69172E9E-D3FF-4ee2-AF2C-6A51E28ADE59}.exe

Filesize
192KB

MD5
5a6b9604fd773ff15e873019702f9a2e

SHA1
b6216d3bf969a582fe4ced8b3a2003083c18fe41

SHA256
6f3f548e1f337419fb05eb884d217c2ec37c6003ab355fb9e33e1c32c445d42f

SHA512
14d4d3e3c8254d3e84b4432a9dc1e990999f3bfca5588499f117583b781f1a5980ba57f292ecd4c7eaef1dc1d902184a5c8aeb33c63cfcc2bb34a3ba67c80aac

Download Submit
C:\Windows\{6B69F0F1-C08F-4189-9A7B-3963A256AA8E}.exe

Filesize
192KB

MD5
411824e59389e8281fd2fd1a44f62479

SHA1
e1b164a39ecb1864870b781988ea2995a1558de2

SHA256
1dfa564e1aa88ba365c70b3e37168cb208a19f466d689603b2cef11e2ecd1010

SHA512
3e2911f56a4cc22368a13c6ccdf1b4cb42f6eedbf4ed6f7b348e43aacf3af49448c094855346858ed4a72aaf8ff2b6d3a13a649f082c596dd14f1761a3a77760

Download Submit
C:\Windows\{8F9059E1-6C16-45b6-9312-1877DC7E94B6}.exe

Filesize
192KB

MD5
855fa1436b0b5a31634e6a111c24a3f5

SHA1
76f1cee5af59c0e1fef99d778382c4fbe8e84f74

SHA256
e129601ec2c3113c8c275c723387eea36ff65dcb695a3aa5380deb43609ef0d7

SHA512
2ce2634c9e572ac408819b1981d0829cc1f7fc54e393ba2b55b13432a42fb3d332fb4b02e51fbe31d80bb8195c99cb02f44bfde1991ee7ff2713d7e57c692f0a

Download Submit
C:\Windows\{ACF74978-EC72-4b85-A945-0AAFD71AD9DB}.exe

Filesize
192KB

MD5
cabf0da2e759b62f63f62dc8330d9eca

SHA1
68b1d68e18e3f24aa8470a34b1bb001e8a93a450

SHA256
9648d77e1b9fe1c141a4dce1dfa9cb5dee6d0486a826f616c2fbd4bce20fae30

SHA512
d5ff88a0688f20cf8c467b3ebdb9529305525b0804df8aab35381a5286fa458b90ac74c315b43ad5ed620f46c87872e593cee6149ecbd50ecd8e4f1d19e0d6f1

Download Submit
C:\Windows\{D3540644-9AD7-45ea-940D-AFB27CE58F87}.exe

Filesize
192KB

MD5
42dde166faf6eba8137872eb18f2e8a4

SHA1
0c17c1b948f0661bdfa8a70ffa1e604a521acfd9

SHA256
70dabfa2490392939feee9e1a29bc1441ffb57b0e49bb1f42932c169f9506e0f

SHA512
fae9b0e52ca1adeb165b14fd26448ebfc7e455440c36ab8d18bffcbfd305f3ea7fe1d25205bfe7874ad05963d9103eaa4d75c58e4739aa1955a48a82b9675870

Download Submit
C:\Windows\{E2C6756E-632A-425c-A8F0-9C41CF8AAF18}.exe

Filesize
192KB

MD5
95df58963d6d1df6922a23a6b17a9e6c

SHA1
546e43ce0fc2eb5de764188e0c309c86555c29b3

SHA256
2d697bad8ff888ae8e6c8c0910bbc0f6fc2b0ddb413ccc17cfbfcf1a007b886c

SHA512
16249b75d427142b590158d79509b48c6dd5d84d4b67e500e599accefec675227ced0602bcc39e18d0f70541eecc25e2dffd6067e88d1d807de51055faaef9d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads