63f79f5dbb1e9ffa96d0824da6f1d2053f299e341287aabe4290edfad7443b88

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Size

408KB
MD5

adfcd647fdda4ac0dd5ff34eb8fe3505
SHA1

1409694f76fe7f132e7a60721593e1059b949cee
SHA256

63f79f5dbb1e9ffa96d0824da6f1d2053f299e341287aabe4290edfad7443b88
SHA512

5dc6402e0cdc1130e419c1966efce0f39ff66c2e89fe1a74890b743befb9bd99264e3a30210a8482b7a2b1d9ca920181fa28f2d01fd0b37c2c71e2891928121f
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023657-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023656-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023373-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023656-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023373-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023656-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023373-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023656-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023373-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023656-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023650-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023656-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}\stubpath = "C:\\Windows\\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe"	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}\stubpath = "C:\\Windows\\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe"	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C729A304-9240-468f-89A2-ADE3940372A7}	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C729A304-9240-468f-89A2-ADE3940372A7}\stubpath = "C:\\Windows\\{C729A304-9240-468f-89A2-ADE3940372A7}.exe"	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E848F47-22B4-4d24-A38A-5F508878CC90}	{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}\stubpath = "C:\\Windows\\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe"	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}\stubpath = "C:\\Windows\\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe"	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}\stubpath = "C:\\Windows\\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe"	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}\stubpath = "C:\\Windows\\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe"	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF8BF137-5707-4c21-A770-A3D756B3D580}	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}\stubpath = "C:\\Windows\\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe"	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}\stubpath = "C:\\Windows\\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe"	{C729A304-9240-468f-89A2-ADE3940372A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF8BF137-5707-4c21-A770-A3D756B3D580}\stubpath = "C:\\Windows\\{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe"	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E848F47-22B4-4d24-A38A-5F508878CC90}\stubpath = "C:\\Windows\\{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe"	{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}\stubpath = "C:\\Windows\\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe"	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}	{C729A304-9240-468f-89A2-ADE3940372A7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe
3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
1380	{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
4500	{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
File created	C:\Windows\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
File created	C:\Windows\{C729A304-9240-468f-89A2-ADE3940372A7}.exe	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
File created	C:\Windows\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe	{C729A304-9240-468f-89A2-ADE3940372A7}.exe
File created	C:\Windows\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
File created	C:\Windows\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
File created	C:\Windows\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
File created	C:\Windows\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
File created	C:\Windows\{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
File created	C:\Windows\{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe	{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
File created	C:\Windows\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
File created	C:\Windows\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
Token: SeIncBasePriorityPrivilege	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
Token: SeIncBasePriorityPrivilege	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
Token: SeIncBasePriorityPrivilege	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
Token: SeIncBasePriorityPrivilege	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
Token: SeIncBasePriorityPrivilege	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
Token: SeIncBasePriorityPrivilege	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
Token: SeIncBasePriorityPrivilege	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
Token: SeIncBasePriorityPrivilege	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe
Token: SeIncBasePriorityPrivilege	3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
Token: SeIncBasePriorityPrivilege	1380	{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 4276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	93
PID 1016 wrote to memory of 4276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	93
PID 1016 wrote to memory of 4276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	93
PID 1016 wrote to memory of 2276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	94
PID 1016 wrote to memory of 2276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	94
PID 1016 wrote to memory of 2276	1016	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	94
PID 4276 wrote to memory of 4004	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	95
PID 4276 wrote to memory of 4004	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	95
PID 4276 wrote to memory of 4004	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	95
PID 4276 wrote to memory of 620	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	96
PID 4276 wrote to memory of 620	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	96
PID 4276 wrote to memory of 620	4276	{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe	96
PID 4004 wrote to memory of 3640	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	100
PID 4004 wrote to memory of 3640	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	100
PID 4004 wrote to memory of 3640	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	100
PID 4004 wrote to memory of 436	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	101
PID 4004 wrote to memory of 436	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	101
PID 4004 wrote to memory of 436	4004	{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe	101
PID 3640 wrote to memory of 1532	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	102
PID 3640 wrote to memory of 1532	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	102
PID 3640 wrote to memory of 1532	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	102
PID 3640 wrote to memory of 2592	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	103
PID 3640 wrote to memory of 2592	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	103
PID 3640 wrote to memory of 2592	3640	{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe	103
PID 1532 wrote to memory of 3876	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	104
PID 1532 wrote to memory of 3876	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	104
PID 1532 wrote to memory of 3876	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	104
PID 1532 wrote to memory of 4884	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	105
PID 1532 wrote to memory of 4884	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	105
PID 1532 wrote to memory of 4884	1532	{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe	105
PID 3876 wrote to memory of 4304	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	106
PID 3876 wrote to memory of 4304	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	106
PID 3876 wrote to memory of 4304	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	106
PID 3876 wrote to memory of 1168	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	107
PID 3876 wrote to memory of 1168	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	107
PID 3876 wrote to memory of 1168	3876	{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe	107
PID 4304 wrote to memory of 2864	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	108
PID 4304 wrote to memory of 2864	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	108
PID 4304 wrote to memory of 2864	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	108
PID 4304 wrote to memory of 2408	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	109
PID 4304 wrote to memory of 2408	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	109
PID 4304 wrote to memory of 2408	4304	{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe	109
PID 2864 wrote to memory of 1576	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	110
PID 2864 wrote to memory of 1576	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	110
PID 2864 wrote to memory of 1576	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	110
PID 2864 wrote to memory of 4268	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	111
PID 2864 wrote to memory of 4268	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	111
PID 2864 wrote to memory of 4268	2864	{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe	111
PID 1576 wrote to memory of 1800	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	112
PID 1576 wrote to memory of 1800	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	112
PID 1576 wrote to memory of 1800	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	112
PID 1576 wrote to memory of 3480	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	113
PID 1576 wrote to memory of 3480	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	113
PID 1576 wrote to memory of 3480	1576	{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe	113
PID 1800 wrote to memory of 3336	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	114
PID 1800 wrote to memory of 3336	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	114
PID 1800 wrote to memory of 3336	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	114
PID 1800 wrote to memory of 3228	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	115
PID 1800 wrote to memory of 3228	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	115
PID 1800 wrote to memory of 3228	1800	{C729A304-9240-468f-89A2-ADE3940372A7}.exe	115
PID 3336 wrote to memory of 1380	3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe	116
PID 3336 wrote to memory of 1380	3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe	116
PID 3336 wrote to memory of 1380	3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe	116
PID 3336 wrote to memory of 2948	3336	{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
  C:\Windows\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
    C:\Windows\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
      C:\Windows\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Windows\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
        
        C:\Windows\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
        
        C:\Windows\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
        
        C:\Windows\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
        
        C:\Windows\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
        
        C:\Windows\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{C729A304-9240-468f-89A2-ADE3940372A7}.exe
        
        C:\Windows\{C729A304-9240-468f-89A2-ADE3940372A7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
        
        C:\Windows\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
        
        C:\Windows\{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe
        
        C:\Windows\{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe
        13⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF8BF~1.EXE > nul
        13⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFA01~1.EXE > nul
        12⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C729A~1.EXE > nul
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C95B1~1.EXE > nul
        10⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4D68~1.EXE > nul
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB4A1~1.EXE > nul
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E91AA~1.EXE > nul
        7⤵
        
        PID:1168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ED81~1.EXE > nul
        6⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6856~1.EXE > nul
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7AD32~1.EXE > nul
      4⤵
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD9E6~1.EXE > nul
    3⤵
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E848F47-22B4-4d24-A38A-5F508878CC90}.exe

Filesize
408KB

MD5
bcb3c5d1117a22ebe5ecd70beb91e4ed

SHA1
918857a7ddbbf3a787d973bd2b68bcb8f57624c2

SHA256
9384468cb15d2d44db6517d98aab3e92e8a0c1a9f5050ff3c77749f7936e0835

SHA512
e96557ab3d56d84ce11bd0665750a3d6dd43d1bb1f543aba85241b4480694cb1e7175a46774d25e25a36244167068642892bef02566e781843856409b93d1eb4

Download Submit
C:\Windows\{7AD32861-75C0-47b0-966A-D8F1BE7034E7}.exe

Filesize
408KB

MD5
3c1f36c1e0070c6e2971b1f27501e845

SHA1
c4f8f2bd9f220f4c117a2f49c5d96147a19aa751

SHA256
a43025eb57cde41b95e75cb34bdc06b3010a09e20e66dee3a1a46e18ddde2559

SHA512
b04c0810ce22cb395c1b46e0e596489902d9a4cfb4e70bb911038f40bbe81dc122b79668b87208e4e3ccd7c47dc6bb3873939ad505e910c238656ed894de4818

Download Submit
C:\Windows\{8ED814BE-B4E6-4b68-AFEA-2A47D9B79622}.exe

Filesize
408KB

MD5
8f64522de9a8e87114e44aeea6950d86

SHA1
e7ef30bdef5f8ed981b3040d483ab9f5a313964a

SHA256
3697247cad8baae351742d64a11e2cca983b5953efecd1876e5f919a9a6395c6

SHA512
d62dbb4dddad033391c58ffa53b8717c0edc8ce86130b9b3c25b238d469c7b9a14f84d1a2f4341c6988c45e3cf9443cc938cdb46d567d4523b60c988c043085a

Download Submit
C:\Windows\{AFA013EE-8CEA-4f01-8D76-6FE6A69883EB}.exe

Filesize
408KB

MD5
c857e274b96f6265ead301b85f918ad8

SHA1
7688726f9f9491c96fbbf608ab2e2169390573ac

SHA256
895735200ce3cad0cae2acf18326a12d15104e1e871201f3bbe5b7c37c409493

SHA512
7d20a153af210355053228b9ad3fedb5d23befb9edea66761681b69fc66d166ffe1c950760f078a8363088f1d5022c5723acef7df2e9d95631a08f69ecfd56b1

Download Submit
C:\Windows\{B6856D3C-0E7D-434a-A8A9-1223028C7CA1}.exe

Filesize
408KB

MD5
62d3a409fe86f133b5b0ae5fdcb524c9

SHA1
831004e6d0591629aa0048312c586a02a547515b

SHA256
be3ad07aabe5d33f9c0b1830956f4115ee2f643d31ff1d0b69add6cad53bd059

SHA512
b00f0c68da73d11d6f675fdc5891812e017fb92c325ef0d31c1ebaf9ea7f89ac975ce0a6bf6ed95766ff397016fd2c3d37414539c996d9aefec3c2730d78a977

Download Submit
C:\Windows\{BB4A1741-CA9A-4972-8D94-0865D71AD83A}.exe

Filesize
408KB

MD5
0222c990cabf40fad526b9d13445db2e

SHA1
5ae7225bbb2fe8346f86c1d63695537d900294bd

SHA256
f3d4ac2d1ed222a6424e23e3165a1a3d7add6ac28b8fa1c48e77a12c60949ecf

SHA512
daa9dc5b29e3bab67cccd8e4bb712ae8d6558f5d5a5690f1adcfbf113cf1d87ddce7a806b7323a043d5e38bcf73465cb248d118822fd7dba14f97d16758b130f

Download Submit
C:\Windows\{C729A304-9240-468f-89A2-ADE3940372A7}.exe

Filesize
408KB

MD5
c7f64400e65c82faaecbd12ef1bdd974

SHA1
a0453ae88c0e124862022879eb844ea84738c049

SHA256
20e1c6d25525d947179f5763cd37ba5d0378bc041e196b7d5e24b47bcc085600

SHA512
3d89ba9a5fc0f8db9d532266f6fd2e19f74f19c46fd7809880d54759eacc5b79026883f50f02b8aaa661ef8892ccd45c6723c7bd1ed46db5b81631855db5832c

Download Submit
C:\Windows\{C95B116E-A6D5-4215-B3FF-FB61EC18D750}.exe

Filesize
408KB

MD5
ae72d613b01ff5893b79c64a747a22f4

SHA1
6ec087c1c6ed213ccf82bfea330c5c6af415dbbb

SHA256
1a753cd880e1914a6a526e7f2441dc6557f491edbfafda113838fc20e0026bcf

SHA512
37c57133b7491d9f5d70097546ae7c52cbefad8f19b87f289e491861162c51e1fb59da3089155773e0bab4b3a01f253aee60f408de9812126040c5f6b1ecbecd

Download Submit
C:\Windows\{DD9E614D-58EB-4da6-A4A2-29E0A69961D0}.exe

Filesize
408KB

MD5
8df5b4e7bd94a1feca3b4da0832b98f7

SHA1
f5f50d992159aefe2b28f01d1fff0b922a917ea3

SHA256
d846840aad6455becbebfb5d16a0bdef3102777d84b9f971fc4d49407d7533a8

SHA512
ee5aaaa6cc7255b418a75b3af8dd263855fd8b87b5bf7a04b155eed2fa846a6b8b98f5c31ce8f4e8eb77b0486ac75f9de4061b79abf2ff975f6dad70d948ee4a

Download Submit
C:\Windows\{E4D68CDA-42C6-4ca5-BF12-39DF650DC207}.exe

Filesize
408KB

MD5
c0608bbcc763f2eb207dc9f7c81ff640

SHA1
b0093589609fd1fc1d17e309b908d30d9c0dd454

SHA256
84e9c82024fa28b36d692c8c67c1cbf880c56ee485d9483698c610673ab211a5

SHA512
ad76909d3d868e97cda47a6f95af78e44cc205be7017a97bd653eeb39d2c1282046285a260d7fbf251ff98ae8503a50d4aa3a1fb781cf779b92adb908cec989d

Download Submit
C:\Windows\{E91AA165-2423-4673-B1CC-ECCB8F0CE002}.exe

Filesize
408KB

MD5
6956ab61cf02b17ec8eeb8fb645fe092

SHA1
7d0f8c091cec872f180b77c5cf0f1415bc9bb18b

SHA256
839264d9fa294dd8be9a3a5bba86a9d9fbdb7fe1586c5885730d79e84c07749c

SHA512
f5bfead14a2628efff2a895fc49749ee894a013dab991995bc319d48110359812143c247a62ef2846d8a9ba04382617fb1719220ff7992a242410488d2377f97

Download Submit
C:\Windows\{FF8BF137-5707-4c21-A770-A3D756B3D580}.exe

Filesize
408KB

MD5
356c2c4d9084b667f4cb59da02841cfb

SHA1
e2a4772ec3bde1703debb3562166adf56e9fe441

SHA256
3f348d65310451126f7bf80b0930b855c6227ca87c467bb49be75aec823b6536

SHA512
5b38da261e2a889371252a9b0a23042f1bf5b15dffc3180d0ebf8827a2c6b393ac72afa25784515fb7cf5d5cf04db8b51e6ccc9bdecb5a187011e5d0d9155bd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads