13b6dfe89177ed6631fdb5529854367728c35f6238e581e7e15a7f4ddd2f4c48

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
Size

180KB
MD5

3ecb98997e6967564b1d7f73cedb06c6
SHA1

bcc490265cfae2b57320288ec667f5e430d23a9a
SHA256

13b6dfe89177ed6631fdb5529854367728c35f6238e581e7e15a7f4ddd2f4c48
SHA512

e73271831df16e26a52ce4f260581feec5c162b8dc98dcd43de9ccf7982b538273f21ab4d6fb5aa7e35e783d87331f49b5fa137041f7a67b97344c2746c82fc5
SSDEEP

3072:jEGh0o5lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGHl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023607-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000235fb-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002360e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000235fb-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d02-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d03-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d02-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000002f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000002f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8126673C-0430-4df8-ADB3-87E98196416A}	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8126673C-0430-4df8-ADB3-87E98196416A}\stubpath = "C:\\Windows\\{8126673C-0430-4df8-ADB3-87E98196416A}.exe"	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}\stubpath = "C:\\Windows\\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe"	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}\stubpath = "C:\\Windows\\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe"	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6107CD-D512-498b-8D87-82706A3C62A3}\stubpath = "C:\\Windows\\{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe"	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}\stubpath = "C:\\Windows\\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe"	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}\stubpath = "C:\\Windows\\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe"	{12549073-49F0-432e-9246-0581971AD43D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F752C755-9565-473b-9D17-C387747F1454}	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12549073-49F0-432e-9246-0581971AD43D}	{F752C755-9565-473b-9D17-C387747F1454}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12549073-49F0-432e-9246-0581971AD43D}\stubpath = "C:\\Windows\\{12549073-49F0-432e-9246-0581971AD43D}.exe"	{F752C755-9565-473b-9D17-C387747F1454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E318938-43F6-4d72-A95E-E6E2247217FD}	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}\stubpath = "C:\\Windows\\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe"	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F752C755-9565-473b-9D17-C387747F1454}\stubpath = "C:\\Windows\\{F752C755-9565-473b-9D17-C387747F1454}.exe"	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}\stubpath = "C:\\Windows\\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe"	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6692C7-5E19-42f0-A339-C8980F777396}	{8126673C-0430-4df8-ADB3-87E98196416A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D6692C7-5E19-42f0-A339-C8980F777396}\stubpath = "C:\\Windows\\{3D6692C7-5E19-42f0-A339-C8980F777396}.exe"	{8126673C-0430-4df8-ADB3-87E98196416A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6107CD-D512-498b-8D87-82706A3C62A3}	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E318938-43F6-4d72-A95E-E6E2247217FD}\stubpath = "C:\\Windows\\{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe"	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}	{12549073-49F0-432e-9246-0581971AD43D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe
4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
3988	{F752C755-9565-473b-9D17-C387747F1454}.exe
412	{12549073-49F0-432e-9246-0581971AD43D}.exe
912	{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
File created	C:\Windows\{8126673C-0430-4df8-ADB3-87E98196416A}.exe	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
File created	C:\Windows\{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	{8126673C-0430-4df8-ADB3-87E98196416A}.exe
File created	C:\Windows\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
File created	C:\Windows\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
File created	C:\Windows\{12549073-49F0-432e-9246-0581971AD43D}.exe	{F752C755-9565-473b-9D17-C387747F1454}.exe
File created	C:\Windows\{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
File created	C:\Windows\{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
File created	C:\Windows\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
File created	C:\Windows\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
File created	C:\Windows\{F752C755-9565-473b-9D17-C387747F1454}.exe	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
File created	C:\Windows\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe	{12549073-49F0-432e-9246-0581971AD43D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
Token: SeIncBasePriorityPrivilege	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
Token: SeIncBasePriorityPrivilege	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
Token: SeIncBasePriorityPrivilege	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
Token: SeIncBasePriorityPrivilege	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
Token: SeIncBasePriorityPrivilege	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe
Token: SeIncBasePriorityPrivilege	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
Token: SeIncBasePriorityPrivilege	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
Token: SeIncBasePriorityPrivilege	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
Token: SeIncBasePriorityPrivilege	3988	{F752C755-9565-473b-9D17-C387747F1454}.exe
Token: SeIncBasePriorityPrivilege	412	{12549073-49F0-432e-9246-0581971AD43D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3688	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	96
PID 2164 wrote to memory of 3688	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	96
PID 2164 wrote to memory of 3688	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	96
PID 2164 wrote to memory of 3200	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	97
PID 2164 wrote to memory of 3200	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	97
PID 2164 wrote to memory of 3200	2164	2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe	97
PID 3688 wrote to memory of 720	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	98
PID 3688 wrote to memory of 720	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	98
PID 3688 wrote to memory of 720	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	98
PID 3688 wrote to memory of 4284	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	99
PID 3688 wrote to memory of 4284	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	99
PID 3688 wrote to memory of 4284	3688	{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe	99
PID 720 wrote to memory of 1064	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	102
PID 720 wrote to memory of 1064	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	102
PID 720 wrote to memory of 1064	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	102
PID 720 wrote to memory of 2012	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	103
PID 720 wrote to memory of 2012	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	103
PID 720 wrote to memory of 2012	720	{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe	103
PID 1064 wrote to memory of 3172	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	104
PID 1064 wrote to memory of 3172	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	104
PID 1064 wrote to memory of 3172	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	104
PID 1064 wrote to memory of 2712	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	105
PID 1064 wrote to memory of 2712	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	105
PID 1064 wrote to memory of 2712	1064	{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe	105
PID 3172 wrote to memory of 2892	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	106
PID 3172 wrote to memory of 2892	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	106
PID 3172 wrote to memory of 2892	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	106
PID 3172 wrote to memory of 1468	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	107
PID 3172 wrote to memory of 1468	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	107
PID 3172 wrote to memory of 1468	3172	{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe	107
PID 2892 wrote to memory of 1596	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	108
PID 2892 wrote to memory of 1596	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	108
PID 2892 wrote to memory of 1596	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	108
PID 2892 wrote to memory of 1088	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	109
PID 2892 wrote to memory of 1088	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	109
PID 2892 wrote to memory of 1088	2892	{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe	109
PID 1596 wrote to memory of 4396	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	110
PID 1596 wrote to memory of 4396	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	110
PID 1596 wrote to memory of 4396	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	110
PID 1596 wrote to memory of 4560	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	111
PID 1596 wrote to memory of 4560	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	111
PID 1596 wrote to memory of 4560	1596	{8126673C-0430-4df8-ADB3-87E98196416A}.exe	111
PID 4396 wrote to memory of 5008	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	112
PID 4396 wrote to memory of 5008	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	112
PID 4396 wrote to memory of 5008	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	112
PID 4396 wrote to memory of 3816	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	113
PID 4396 wrote to memory of 3816	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	113
PID 4396 wrote to memory of 3816	4396	{3D6692C7-5E19-42f0-A339-C8980F777396}.exe	113
PID 5008 wrote to memory of 1648	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	114
PID 5008 wrote to memory of 1648	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	114
PID 5008 wrote to memory of 1648	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	114
PID 5008 wrote to memory of 2268	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	115
PID 5008 wrote to memory of 2268	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	115
PID 5008 wrote to memory of 2268	5008	{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe	115
PID 1648 wrote to memory of 3988	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	116
PID 1648 wrote to memory of 3988	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	116
PID 1648 wrote to memory of 3988	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	116
PID 1648 wrote to memory of 2792	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	117
PID 1648 wrote to memory of 2792	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	117
PID 1648 wrote to memory of 2792	1648	{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe	117
PID 3988 wrote to memory of 412	3988	{F752C755-9565-473b-9D17-C387747F1454}.exe	118
PID 3988 wrote to memory of 412	3988	{F752C755-9565-473b-9D17-C387747F1454}.exe	118
PID 3988 wrote to memory of 412	3988	{F752C755-9565-473b-9D17-C387747F1454}.exe	118
PID 3988 wrote to memory of 4684	3988	{F752C755-9565-473b-9D17-C387747F1454}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_3ecb98997e6967564b1d7f73cedb06c6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
  C:\Windows\{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
    C:\Windows\{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
      C:\Windows\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
        
        C:\Windows\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
        
        C:\Windows\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\{8126673C-0430-4df8-ADB3-87E98196416A}.exe
        
        C:\Windows\{8126673C-0430-4df8-ADB3-87E98196416A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
        
        C:\Windows\{3D6692C7-5E19-42f0-A339-C8980F777396}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
        
        C:\Windows\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
        
        C:\Windows\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{F752C755-9565-473b-9D17-C387747F1454}.exe
        
        C:\Windows\{F752C755-9565-473b-9D17-C387747F1454}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{12549073-49F0-432e-9246-0581971AD43D}.exe
        
        C:\Windows\{12549073-49F0-432e-9246-0581971AD43D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe
        
        C:\Windows\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe
        13⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12549~1.EXE > nul
        13⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F752C~1.EXE > nul
        12⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4D7~1.EXE > nul
        11⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4964C~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D669~1.EXE > nul
        9⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81266~1.EXE > nul
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB4F~1.EXE > nul
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8244~1.EXE > nul
        6⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3598~1.EXE > nul
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3E318~1.EXE > nul
      4⤵
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FE610~1.EXE > nul
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12549073-49F0-432e-9246-0581971AD43D}.exe

Filesize
180KB

MD5
85a64ee514d3ce069e7517e93d315634

SHA1
94a96ed1a324a51eece4260b7b88e2e336d4848c

SHA256
b65da6aacae9ec2952b95bfd65d8df2765f43cf1784bc1f0d5221994e89e0084

SHA512
a4b582e891abcd404b31b820944c867b5e88cb42ef37272de9a20764adf6d8b7ef8b2f9846b82adf4161fd0457d0d24499d0a4a8217ba3d409623e73234bb87e

Download Submit
C:\Windows\{3D6692C7-5E19-42f0-A339-C8980F777396}.exe

Filesize
180KB

MD5
cee92682c08be66123e29caefa1cee71

SHA1
45d7e30017f86385dc5f8e18f6b025f9d4bf0aa5

SHA256
2c4db1aeadf7600f35c45a8e05d4076d9f18cbe3b98fcac293f3f744f069524a

SHA512
eaf4a6637d5d3bdbfe6af5d43c1a3ea493efdd3d717cd6261ef9dff176ebc05230861efa69f38256b885b54d5878619de738f56c42ce00b9be6eff6c664a8988

Download Submit
C:\Windows\{3E318938-43F6-4d72-A95E-E6E2247217FD}.exe

Filesize
180KB

MD5
75c1f0936067d73496b80c5162712c02

SHA1
18576309f9b3f7a081ba624a744f5c4a906b90e1

SHA256
8c0f4538f044a44a2a6e03dc7b6e3a8557db3bf9c15ab45e90a007d58af473c8

SHA512
94bb0ec49cb5d4eb9a66153a3359423a3064bf854c53770e532d26090790ccec6931a78c8a73fb2ef53c8c9bc177aea25450218a184a5f00e13a55f8a0d404c7

Download Submit
C:\Windows\{4964CE4F-B396-4b83-89F3-A7DF4BDF150E}.exe

Filesize
180KB

MD5
449b779b428ddd5e35f95bbb06cc6119

SHA1
5f919cbbfaa46adb95428acad0b5111d47eba38e

SHA256
370ade28e8fd474156049394901ebce51f7bc3c871e88c760e1554ecf5e66efe

SHA512
9cec9951a0650a40106a98ec2eb7f30f7a0c87a26462f7d7c8e37a2804167e641f9c92c8da1b10579f504f738e0be9986f107934b88babe65a5cf9c19f9861a7

Download Submit
C:\Windows\{6B4D7FA5-8981-4fb3-8B7B-DFCE8FFE79A6}.exe

Filesize
180KB

MD5
86b5320ff16c3b7a3527f8c401e83ff5

SHA1
760e8698a1c98bb26b011271be2b91e308714dd4

SHA256
7473d28a52376eb40701c3e2c56b81d628ff6fc211190a8a974d7eebd29720f5

SHA512
699105214b56f94688b5888caee828eb14d868c8576196b4d2cc33f0d3b63b46babf5064b3036fb1408ed3e388b01f97aff2a8d3a3dbd17e4cfbf4ecde0f9e05

Download Submit
C:\Windows\{8126673C-0430-4df8-ADB3-87E98196416A}.exe

Filesize
180KB

MD5
e7b45e8cc1fd474ee72f5dbc3be4d7b6

SHA1
edca31a50805346dc33732b9bf9da1e8d8bcc74b

SHA256
18f57fc955a03eedb343bae5be3e4d8bc216c9faae08a9e0bcf3444ccc4f4b6d

SHA512
ce2cf08e8e4cbf4d243c25457b3d3d718a71c3636d1433e1a2ee7f2cd5f2ebfd659d78153c21cb3347ad3e03f76db8d73f3499f9c1406aab64c9915ebe996e85

Download Submit
C:\Windows\{B563C2C2-F5CA-4bcb-80B8-F2F43C4520C1}.exe

Filesize
180KB

MD5
feb247a8635cda888f7d47ef79e27a78

SHA1
fcca30c4177e46ac7604157ed70c9f04d37aa403

SHA256
7e4c257384096bc8566e1b46a5416fce7ffef2ef874aea325ffc29a1de8cdbbf

SHA512
5b8d7154c7dcaaa63f6f519b45d1bcd8e694319dd0a6961be04003d4f6e11c12be7090af44b58f5e5591c59547a464aa0c2654f8a2a0a90ab092838efc6e8ef6

Download Submit
C:\Windows\{BDB4F0ED-7035-42fe-BBD0-5BB16F54D39A}.exe

Filesize
180KB

MD5
a23c67b8c04a6ad44f528968cc12dde1

SHA1
926fb550aa30fabf1a4f46ecc8d408364c3e8b06

SHA256
6b7cf02bcb20f5add1ebc57547a06ce773ecea826a5073a640f3cdd48be45e7e

SHA512
887220d444af114c7a3362d2e14e63f33d63fe89cb66043fe7ff3f3520997ff82bae118c225be8b1cb286821fa8d45d48de245945cd543a16aa9ece2bb67acef

Download Submit
C:\Windows\{D8244B08-FC06-4d43-AEB0-FD2070765DB5}.exe

Filesize
180KB

MD5
1fad15913d6a9773effbc906e33072ec

SHA1
b358010c27ed7d07b7880c1fc0293914136bf74f

SHA256
d29c8011394792885950379d30ec0dfb4c1e9f9080050b24d4576742f740f55c

SHA512
88732d0f8ca2311bd85cfb812bd2b558241c06dd5a408f01adce3a13446f5c96ef43654979436a16ca60752c451e4a1d3543590bc7dcbd947f443c3d4c7cafef

Download Submit
C:\Windows\{E35980E3-43B6-4e5e-8BF3-6C510E22BF05}.exe

Filesize
180KB

MD5
78b8097ef8e01728cbc41bd448685f12

SHA1
c48f36955c83d9a2cf9600ca7e4d64f86abd6f65

SHA256
09c94b984d5f1f3ea874611550433497a303fccc730aaf504c8c5582be3f0f49

SHA512
c13285bcf4920e4457ed412cb18ec3d8ff22649f726d04fa5106a3c1fb275b38b8b84dac838d2d3db60d2714227b92ec2c2a3ce61832c1801533ff9fd69c3696

Download Submit
C:\Windows\{F752C755-9565-473b-9D17-C387747F1454}.exe

Filesize
180KB

MD5
cd026219c4af47a640754c5c9fd2112a

SHA1
1d1549b37e5d62110c48532d685519aff3ffc20f

SHA256
926ad1dd2f86da188b44467d52b976e614129b12825095609f298950a55a3a6c

SHA512
36e70f2ddfa9f16c076ff4b9513c7f42ae3e860cc5e541ffc05288c18b93e22f03cb7cd60fc8a6224a6ed7fe0a3fb85efcd5eac96cf76a5c1f674ab41ded228a

Download Submit
C:\Windows\{FE6107CD-D512-498b-8D87-82706A3C62A3}.exe

Filesize
180KB

MD5
9474efdff97b2fc6a9b9940c51a5e834

SHA1
c83d940794a782fbf0ff9c2ca7f7a8863c52686c

SHA256
45a7410b8fc1e5768a0894cf27aa46c4f1f0690542907920fa9dc1199405cc7c

SHA512
0ae9271c91fa4ed543778e86d7cb6b5cd503d5a0dca81c79ce1bbe2dfdc9312b0d6d3f6f4e7bbef2dc0b66c34f7ed3fb37a970c63fc94c303041bbc8bf09572e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads