59db01a86ac8e6ea57c2f2da54c8b3b5030fa34088e9b11f453aaa61170ad8b7

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
Size

204KB
MD5

19b1503eec824f210597d56b6e429d74
SHA1

f659f7083707dfdc91cf26e374c309b835ff2de0
SHA256

59db01a86ac8e6ea57c2f2da54c8b3b5030fa34088e9b11f453aaa61170ad8b7
SHA512

6f3c06cbf4cdf1bb976e52c30dcf8f9eddfb15fa15edbfd631fd4d8ccaad404ca37d4dc442cb260d2b7a21e2729e846e78d8e218b5ff9274b034dc77acf61ee4
SSDEEP

1536:1EGh0oAkl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAkl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e32b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023257-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002325d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023257-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002325d-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219e9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000219ea-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000026-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000507-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3100D672-C207-48d8-B875-6F99282E67DC}	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094C48B5-2106-4d4b-B286-6B1574A2D975}\stubpath = "C:\\Windows\\{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe"	{3100D672-C207-48d8-B875-6F99282E67DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}\stubpath = "C:\\Windows\\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe"	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B665C793-A8DF-47df-BEE6-399499FC10F8}	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}\stubpath = "C:\\Windows\\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe"	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}\stubpath = "C:\\Windows\\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe"	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E74C409A-112F-47ff-9F63-AD3DB30DB956}	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}\stubpath = "C:\\Windows\\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe"	{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3100D672-C207-48d8-B875-6F99282E67DC}\stubpath = "C:\\Windows\\{3100D672-C207-48d8-B875-6F99282E67DC}.exe"	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}\stubpath = "C:\\Windows\\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe"	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5485D23-2156-45d1-90FC-AE58644E43BD}\stubpath = "C:\\Windows\\{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe"	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E74C409A-112F-47ff-9F63-AD3DB30DB956}\stubpath = "C:\\Windows\\{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe"	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{094C48B5-2106-4d4b-B286-6B1574A2D975}	{3100D672-C207-48d8-B875-6F99282E67DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5485D23-2156-45d1-90FC-AE58644E43BD}	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}\stubpath = "C:\\Windows\\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe"	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}\stubpath = "C:\\Windows\\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe"	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B665C793-A8DF-47df-BEE6-399499FC10F8}\stubpath = "C:\\Windows\\{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe"	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}	{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe

Executes dropped EXE 12 IoCs

pid	Process
3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe
2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
3996	{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe
5044	{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3100D672-C207-48d8-B875-6F99282E67DC}.exe	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
File created	C:\Windows\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
File created	C:\Windows\{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
File created	C:\Windows\{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
File created	C:\Windows\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
File created	C:\Windows\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
File created	C:\Windows\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
File created	C:\Windows\{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	{3100D672-C207-48d8-B875-6F99282E67DC}.exe
File created	C:\Windows\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
File created	C:\Windows\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
File created	C:\Windows\{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
File created	C:\Windows\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe	{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe
Token: SeIncBasePriorityPrivilege	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
Token: SeIncBasePriorityPrivilege	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
Token: SeIncBasePriorityPrivilege	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
Token: SeIncBasePriorityPrivilege	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
Token: SeIncBasePriorityPrivilege	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
Token: SeIncBasePriorityPrivilege	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
Token: SeIncBasePriorityPrivilege	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
Token: SeIncBasePriorityPrivilege	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
Token: SeIncBasePriorityPrivilege	3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
Token: SeIncBasePriorityPrivilege	3996	{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 3532	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	94
PID 1420 wrote to memory of 3532	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	94
PID 1420 wrote to memory of 3532	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	94
PID 1420 wrote to memory of 3512	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	95
PID 1420 wrote to memory of 3512	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	95
PID 1420 wrote to memory of 3512	1420	2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe	95
PID 3532 wrote to memory of 2936	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	100
PID 3532 wrote to memory of 2936	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	100
PID 3532 wrote to memory of 2936	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	100
PID 3532 wrote to memory of 5012	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	101
PID 3532 wrote to memory of 5012	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	101
PID 3532 wrote to memory of 5012	3532	{3100D672-C207-48d8-B875-6F99282E67DC}.exe	101
PID 2936 wrote to memory of 3104	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	104
PID 2936 wrote to memory of 3104	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	104
PID 2936 wrote to memory of 3104	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	104
PID 2936 wrote to memory of 2224	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	105
PID 2936 wrote to memory of 2224	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	105
PID 2936 wrote to memory of 2224	2936	{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe	105
PID 3104 wrote to memory of 4820	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	107
PID 3104 wrote to memory of 4820	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	107
PID 3104 wrote to memory of 4820	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	107
PID 3104 wrote to memory of 2828	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	108
PID 3104 wrote to memory of 2828	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	108
PID 3104 wrote to memory of 2828	3104	{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe	108
PID 4820 wrote to memory of 4340	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	109
PID 4820 wrote to memory of 4340	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	109
PID 4820 wrote to memory of 4340	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	109
PID 4820 wrote to memory of 4988	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	110
PID 4820 wrote to memory of 4988	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	110
PID 4820 wrote to memory of 4988	4820	{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe	110
PID 4340 wrote to memory of 2256	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	111
PID 4340 wrote to memory of 2256	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	111
PID 4340 wrote to memory of 2256	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	111
PID 4340 wrote to memory of 2320	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	112
PID 4340 wrote to memory of 2320	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	112
PID 4340 wrote to memory of 2320	4340	{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe	112
PID 2256 wrote to memory of 3900	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	113
PID 2256 wrote to memory of 3900	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	113
PID 2256 wrote to memory of 3900	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	113
PID 2256 wrote to memory of 3540	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	114
PID 2256 wrote to memory of 3540	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	114
PID 2256 wrote to memory of 3540	2256	{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe	114
PID 3900 wrote to memory of 4156	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	115
PID 3900 wrote to memory of 4156	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	115
PID 3900 wrote to memory of 4156	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	115
PID 3900 wrote to memory of 1416	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	116
PID 3900 wrote to memory of 1416	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	116
PID 3900 wrote to memory of 1416	3900	{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe	116
PID 4156 wrote to memory of 1572	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	117
PID 4156 wrote to memory of 1572	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	117
PID 4156 wrote to memory of 1572	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	117
PID 4156 wrote to memory of 776	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	118
PID 4156 wrote to memory of 776	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	118
PID 4156 wrote to memory of 776	4156	{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe	118
PID 1572 wrote to memory of 3992	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	119
PID 1572 wrote to memory of 3992	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	119
PID 1572 wrote to memory of 3992	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	119
PID 1572 wrote to memory of 3416	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	120
PID 1572 wrote to memory of 3416	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	120
PID 1572 wrote to memory of 3416	1572	{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe	120
PID 3992 wrote to memory of 3996	3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe	121
PID 3992 wrote to memory of 3996	3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe	121
PID 3992 wrote to memory of 3996	3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe	121
PID 3992 wrote to memory of 3464	3992	{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_19b1503eec824f210597d56b6e429d74_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\{3100D672-C207-48d8-B875-6F99282E67DC}.exe
  C:\Windows\{3100D672-C207-48d8-B875-6F99282E67DC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
    C:\Windows\{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
      C:\Windows\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
        
        C:\Windows\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
        
        C:\Windows\{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
        
        C:\Windows\{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
        
        C:\Windows\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
        
        C:\Windows\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
        
        C:\Windows\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
        
        C:\Windows\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe
        
        C:\Windows\{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe
        
        C:\Windows\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe
        13⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E74C4~1.EXE > nul
        13⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE86C~1.EXE > nul
        12⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCE0E~1.EXE > nul
        11⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F38DB~1.EXE > nul
        10⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1CC3~1.EXE > nul
        9⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B665C~1.EXE > nul
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5485~1.EXE > nul
        7⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0D88~1.EXE > nul
        6⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3E53~1.EXE > nul
        5⤵
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{094C4~1.EXE > nul
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3100D~1.EXE > nul
    3⤵
    PID:5012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{094C48B5-2106-4d4b-B286-6B1574A2D975}.exe

Filesize
204KB

MD5
b98ebf306b2b6213f67bca80b1feb6c9

SHA1
c6f3d679a05a738968c0a6b62cde62a36c4b9364

SHA256
be3183b28b85e2e995035e605216d5aaef4ec084632d25d860e2626caeba071c

SHA512
3a5d6125891b5c39d6b2eb1555dae4c9314cf3a29e5500f87b0bc5c14c244e638716cef5308c75263ddd3e5ac9b5831b78d3a08817720e73430c71029b8f45af

Download Submit
C:\Windows\{3100D672-C207-48d8-B875-6F99282E67DC}.exe

Filesize
204KB

MD5
c28d8c106a70ee9e339bc27f1fba8350

SHA1
ad627e81533733b78e20a19eb80f7af411c3f262

SHA256
04879daa52e642b3414e7e65051f5d2045770cbab88fe41b3958a53d12fec23e

SHA512
a4e23970a74b5c47dc073cd6d1fc17432771c8e8692f59a8aa94768691cd67b802a33a77a2c8b02055098255d9fb4b5a8e3b75bbe04c2336935f3326cd9f556d

Download Submit
C:\Windows\{AF0E5CDC-F074-42e9-8EB2-A7993B95519B}.exe

Filesize
204KB

MD5
f9c646313a8b7a1271cd57bf7ff12eb6

SHA1
f07ba4d7d45c986efb2c8368dede4ed453a4859f

SHA256
2a5a0ed810bfc5a6e1fd8002d02eaa28edeb3184e6207a426416a3f5bc02f760

SHA512
ca9f708b7ce2349bdbaa0cb0451146ed0f9282fd73e1aa15019f00d679771d9f3b951fe8c52fc8b79e6e737f9e7b88edc3260e78d14bcefc827b3636071f7029

Download Submit
C:\Windows\{B1CC3450-2017-4c03-96DE-5E35EBB3D0D8}.exe

Filesize
204KB

MD5
660c154423bbfd8b92daf78a9e58899d

SHA1
c681542c927b00eb8fedd70b7bc21136712c5e21

SHA256
f381ac860d6286580f3cfa73304230e2a9a1e2f3b9d96c1a9f099b8cdd2d30bf

SHA512
6748f31b4ef6634b34200b5ec743d7603c6c7329ce7d18e16de5b67d79c2131e3c9f86a9ee36aeaab7c375ac95a734e8d24e9663ea62cf5adb71ba4c53d45674

Download Submit
C:\Windows\{B665C793-A8DF-47df-BEE6-399499FC10F8}.exe

Filesize
204KB

MD5
2283ebcc9e20d7c015056da6abd22c93

SHA1
32aa36ea522beaab1fda650e35604bb383ade7d2

SHA256
f761f9135d43bdad0824030d17798556bc3af352513445c4d2db8b9a6711d390

SHA512
cdf9de6cfacd411de15040ac6e4bac87ab94b01bcad5910506c6df6d39c6d5798007f2fdc2006fae62c18c0c969848e33325d4fb263985bd52d748c9e7ef7720

Download Submit
C:\Windows\{BE86CE97-E788-4b5a-8AF4-C64CF5D526C2}.exe

Filesize
204KB

MD5
cd66958978af313d6c9827d123d8eab6

SHA1
370dba836c3373137e343eac94a961df276e73b1

SHA256
08558b8009f41abf240be2d7d9cfe2f4f95676466e3c32da0ff89ef5f83a531e

SHA512
70e5d8654000444af177d5a07ae8ea9231932b8cb1a1a53b7b13f2ea028fd211c50404910abbc773e232daa0d86a0cce2729ef70a4dec721d3656cecea56e124

Download Submit
C:\Windows\{C3E53331-4F4A-4606-B2BE-4188BAA3AA41}.exe

Filesize
204KB

MD5
0c75a36f0a07c1e8a6180703d6affc55

SHA1
e88173e1248408536a840418fbb4856e423c7453

SHA256
67b665b1ea912c73b41c3edc441a42909bf7ce72980315bf0bfeee2305b950ff

SHA512
06ada626b4965d8546143be31ae489382f913392aee1f647e6446c3f57b295598f42de713661a49bf6cf07763fc5b114e899d227002026c27b047387fe303a83

Download Submit
C:\Windows\{D0D885AB-47EC-4f0c-9E70-4C7A8BA520C0}.exe

Filesize
204KB

MD5
7f5adf6192a7c8deda6f8baf0173f46f

SHA1
689f1bf122023b6179cf8aed14819fa0c25e053a

SHA256
172cd21ef7dfe8b455ee88c6189ee24d90aaffb2a22db57ea6a998db28aa4078

SHA512
7ab06ce0682ad80e263623e400b72707061a640082f42e5077e264c54e910244e00926533700810f14b9925f3e561854d0b5585d0848573fafafd32c3e95b5c2

Download Submit
C:\Windows\{E5485D23-2156-45d1-90FC-AE58644E43BD}.exe

Filesize
204KB

MD5
18c46baf3f57735c0e5ee4445a26047d

SHA1
04ce4f58d5f5f76a777b206a90edf82852dad1e4

SHA256
f477920b4c6c721a21d56bb625cdf7448e9104cdd1e3b4e4c6fbb8a64f57b023

SHA512
920f6fc960ba7a806b06bec0ff3d42863d8c984b903ad7bfe8ae0aee2f831c830d4b43ccaa1d28e2fea5930375a75ca01e657634bf6c2d5e336e6a56ceee8e1c

Download Submit
C:\Windows\{E74C409A-112F-47ff-9F63-AD3DB30DB956}.exe

Filesize
204KB

MD5
284d59bd32e05a5abe4e553a4b30300f

SHA1
77e4b22bdc5c44ad1b671d34fe1dd786b9344c1d

SHA256
91ded424f4700ca940d546a491329efc67c88d6fa641ec4f0c43dacfa2b0977b

SHA512
be8b7bcff06aa41a182937a9360cc085ac556bdf0ed8997460aee6a0246fd81531d7a4ba296d23ed74d42d1c936ee97b80f9a83c4308a30e6463f45ac3567374

Download Submit
C:\Windows\{F38DB532-27BB-4f07-B5E6-EEE0AC87AF85}.exe

Filesize
204KB

MD5
11d14f277176a29e6c8870df9050b0ba

SHA1
e90ca90269e4943b6126ea77983b43c07fca535f

SHA256
f558dae98571e5c2ab02eafa82d36932546b2573e920dc45d2fcad18d0dd5055

SHA512
8061862664f104ebded4ae6452af65e773d7d8a79a1dd479f2ff8e4620c0e6bb859df387be71dc4e46b1ab2913827ee29be580e8c873ad2ec436705ba48a3829

Download Submit
C:\Windows\{FCE0E6F5-964C-4d3d-92EE-C140ABADC968}.exe

Filesize
204KB

MD5
edccc75996f0a30c708e85e5758cbd2d

SHA1
68cfb54453cfe30b7cf13f1d9c09dc74b4d1cc71

SHA256
dc94e186ac79991003b26bff3b165893eb3f2bac18cd54774a15a82adfaaea0c

SHA512
fda22fda6f93be932afa7e671232bd8bdd23a7757bffc40afa763fbeded6b241584305b84ec3e08dcfb351da80411d0dbb57c43bca91c096f797c30c604961c2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads