8536ee0896650800994d166b6fe4c517c650ee05262fad18e42bbae57d38865e

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Size

372KB
MD5

e130a98aff45ca1d5e5faae0dc6babb7
SHA1

9af2004dba73c082c9907c4e67a6629120a0a5e1
SHA256

8536ee0896650800994d166b6fe4c517c650ee05262fad18e42bbae57d38865e
SHA512

8766c9a0f10a14a1ab3d737bf832db872dc3a032d9ff94a5bfae3c1cee05146a3ed918cf2306c0ce4f8effba8bbf21450692341d9fd104bc6d8172652e95ede7
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGglkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002362f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023624-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000168a4-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023624-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000168a4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023624-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000168a4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023646-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000229d4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002335f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002361e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335f-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F45A1C-5473-4fdf-B132-F5104976FA8A}	{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}\stubpath = "C:\\Windows\\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe"	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}	{EC4E8582-5A54-4320-A601-67E735362F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}\stubpath = "C:\\Windows\\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe"	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC4E8582-5A54-4320-A601-67E735362F31}\stubpath = "C:\\Windows\\{EC4E8582-5A54-4320-A601-67E735362F31}.exe"	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F45A1C-5473-4fdf-B132-F5104976FA8A}\stubpath = "C:\\Windows\\{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe"	{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302E0115-E292-4960-BCB9-1601CBEA95FD}	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302E0115-E292-4960-BCB9-1601CBEA95FD}\stubpath = "C:\\Windows\\{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe"	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}\stubpath = "C:\\Windows\\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe"	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC4E8582-5A54-4320-A601-67E735362F31}	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0775B862-F325-4078-A590-1066495AF001}\stubpath = "C:\\Windows\\{0775B862-F325-4078-A590-1066495AF001}.exe"	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{654B256F-C5DA-42cb-B13F-8FF551551A04}	{0775B862-F325-4078-A590-1066495AF001}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26440308-7894-4fac-9C2D-D0B74548DA55}\stubpath = "C:\\Windows\\{26440308-7894-4fac-9C2D-D0B74548DA55}.exe"	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}\stubpath = "C:\\Windows\\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe"	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0775B862-F325-4078-A590-1066495AF001}	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26440308-7894-4fac-9C2D-D0B74548DA55}	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}\stubpath = "C:\\Windows\\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe"	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{654B256F-C5DA-42cb-B13F-8FF551551A04}\stubpath = "C:\\Windows\\{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe"	{0775B862-F325-4078-A590-1066495AF001}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}\stubpath = "C:\\Windows\\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe"	{EC4E8582-5A54-4320-A601-67E735362F31}.exe

Executes dropped EXE 12 IoCs

pid	Process
4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
3164	{0775B862-F325-4078-A590-1066495AF001}.exe
2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe
512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
1052	{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe
3972	{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26440308-7894-4fac-9C2D-D0B74548DA55}.exe	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
File created	C:\Windows\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
File created	C:\Windows\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
File created	C:\Windows\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
File created	C:\Windows\{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	{0775B862-F325-4078-A590-1066495AF001}.exe
File created	C:\Windows\{EC4E8582-5A54-4320-A601-67E735362F31}.exe	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
File created	C:\Windows\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	{EC4E8582-5A54-4320-A601-67E735362F31}.exe
File created	C:\Windows\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
File created	C:\Windows\{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
File created	C:\Windows\{0775B862-F325-4078-A590-1066495AF001}.exe	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
File created	C:\Windows\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
File created	C:\Windows\{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe	{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
Token: SeIncBasePriorityPrivilege	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
Token: SeIncBasePriorityPrivilege	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
Token: SeIncBasePriorityPrivilege	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
Token: SeIncBasePriorityPrivilege	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
Token: SeIncBasePriorityPrivilege	3164	{0775B862-F325-4078-A590-1066495AF001}.exe
Token: SeIncBasePriorityPrivilege	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
Token: SeIncBasePriorityPrivilege	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe
Token: SeIncBasePriorityPrivilege	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
Token: SeIncBasePriorityPrivilege	1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
Token: SeIncBasePriorityPrivilege	1052	{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4032	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	102
PID 2340 wrote to memory of 4032	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	102
PID 2340 wrote to memory of 4032	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	102
PID 2340 wrote to memory of 4632	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	103
PID 2340 wrote to memory of 4632	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	103
PID 2340 wrote to memory of 4632	2340	2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe	103
PID 4032 wrote to memory of 2624	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	104
PID 4032 wrote to memory of 2624	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	104
PID 4032 wrote to memory of 2624	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	104
PID 4032 wrote to memory of 3652	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	105
PID 4032 wrote to memory of 3652	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	105
PID 4032 wrote to memory of 3652	4032	{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe	105
PID 2624 wrote to memory of 2300	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	109
PID 2624 wrote to memory of 2300	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	109
PID 2624 wrote to memory of 2300	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	109
PID 2624 wrote to memory of 2204	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	110
PID 2624 wrote to memory of 2204	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	110
PID 2624 wrote to memory of 2204	2624	{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe	110
PID 2300 wrote to memory of 4788	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	111
PID 2300 wrote to memory of 4788	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	111
PID 2300 wrote to memory of 4788	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	111
PID 2300 wrote to memory of 2344	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	112
PID 2300 wrote to memory of 2344	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	112
PID 2300 wrote to memory of 2344	2300	{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe	112
PID 4788 wrote to memory of 3684	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	113
PID 4788 wrote to memory of 3684	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	113
PID 4788 wrote to memory of 3684	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	113
PID 4788 wrote to memory of 4900	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	114
PID 4788 wrote to memory of 4900	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	114
PID 4788 wrote to memory of 4900	4788	{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe	114
PID 3684 wrote to memory of 3164	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	116
PID 3684 wrote to memory of 3164	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	116
PID 3684 wrote to memory of 3164	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	116
PID 3684 wrote to memory of 1440	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	117
PID 3684 wrote to memory of 1440	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	117
PID 3684 wrote to memory of 1440	3684	{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe	117
PID 3164 wrote to memory of 2348	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	118
PID 3164 wrote to memory of 2348	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	118
PID 3164 wrote to memory of 2348	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	118
PID 3164 wrote to memory of 4456	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	119
PID 3164 wrote to memory of 4456	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	119
PID 3164 wrote to memory of 4456	3164	{0775B862-F325-4078-A590-1066495AF001}.exe	119
PID 2348 wrote to memory of 4000	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	124
PID 2348 wrote to memory of 4000	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	124
PID 2348 wrote to memory of 4000	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	124
PID 2348 wrote to memory of 4120	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	125
PID 2348 wrote to memory of 4120	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	125
PID 2348 wrote to memory of 4120	2348	{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe	125
PID 4000 wrote to memory of 512	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	129
PID 4000 wrote to memory of 512	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	129
PID 4000 wrote to memory of 512	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	129
PID 4000 wrote to memory of 1472	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	130
PID 4000 wrote to memory of 1472	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	130
PID 4000 wrote to memory of 1472	4000	{EC4E8582-5A54-4320-A601-67E735362F31}.exe	130
PID 512 wrote to memory of 1648	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	131
PID 512 wrote to memory of 1648	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	131
PID 512 wrote to memory of 1648	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	131
PID 512 wrote to memory of 4440	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	132
PID 512 wrote to memory of 4440	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	132
PID 512 wrote to memory of 4440	512	{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe	132
PID 1648 wrote to memory of 1052	1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe	136
PID 1648 wrote to memory of 1052	1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe	136
PID 1648 wrote to memory of 1052	1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe	136
PID 1648 wrote to memory of 532	1648	{26440308-7894-4fac-9C2D-D0B74548DA55}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_e130a98aff45ca1d5e5faae0dc6babb7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
  C:\Windows\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
    C:\Windows\{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
      C:\Windows\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
        
        C:\Windows\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
        
        C:\Windows\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{0775B862-F325-4078-A590-1066495AF001}.exe
        
        C:\Windows\{0775B862-F325-4078-A590-1066495AF001}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
        
        C:\Windows\{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{EC4E8582-5A54-4320-A601-67E735362F31}.exe
        
        C:\Windows\{EC4E8582-5A54-4320-A601-67E735362F31}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
        
        C:\Windows\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
        
        C:\Windows\{26440308-7894-4fac-9C2D-D0B74548DA55}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe
        
        C:\Windows\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe
        
        C:\Windows\{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C53E1~1.EXE > nul
        13⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26440~1.EXE > nul
        12⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7243D~1.EXE > nul
        11⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC4E8~1.EXE > nul
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{654B2~1.EXE > nul
        9⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0775B~1.EXE > nul
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5DAE~1.EXE > nul
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40D1A~1.EXE > nul
        6⤵
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A42E9~1.EXE > nul
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{302E0~1.EXE > nul
      4⤵
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDD2A~1.EXE > nul
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4472,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0775B862-F325-4078-A590-1066495AF001}.exe

Filesize
372KB

MD5
a8cfdf42f254ab095ec70973df1c2f77

SHA1
f1d3d4ee2cc3df057eafc659f38b016167188685

SHA256
6294a4e29f6f4245ab1e024d20e48530dc66fc2ed1ffac21c647baa7b9688359

SHA512
e5867fcd54bbbdae25995227f4190c3034ac134594bfde2490e1ffdb50e90e5267f5f1f9d6c5b7bccc44366117fa227b998dbcf00e894cafbbdaaef5e2703f6c

Download Submit
C:\Windows\{26440308-7894-4fac-9C2D-D0B74548DA55}.exe

Filesize
372KB

MD5
0b909db5382012790318e5484991bf01

SHA1
9e8ec8915f88b3de962b27d119eb817fd7314722

SHA256
77cdfd5137dccef407cfa65e8f29ed37ee8fa7a6b3fa04eac22fc616ccf56458

SHA512
527c3fe401ef28dd8a78f6808d06a00d6bd3c6833f06dd1fcd4d4391d4b5f41e123b12deddc0e0ea06cc9d2d3d6cdc4153460d58cdd93399209b76e666fceac0

Download Submit
C:\Windows\{302E0115-E292-4960-BCB9-1601CBEA95FD}.exe

Filesize
372KB

MD5
d9975813578d99460a8cb6249bb66b41

SHA1
0d8f830a3a6709c61c36a5f7e0b7ca8d58aa9f50

SHA256
1888c76ef7e996b6dc02cc8461f150d2f03c626b5caa55dec917e65f921d4e54

SHA512
d0a585011c0d95e4fc0307d85b260e86dc07795a86dbb0c44cb816c43592b1a794bdd96c9a5733fea2d49714fc7ef1e2f97fb92c82a08847410e19edd5be8b9e

Download Submit
C:\Windows\{40D1AC85-C8A4-43e5-A1CA-CDC7583B0E1A}.exe

Filesize
372KB

MD5
7167d0f6d86ba20b42499eb8a4f9c1f6

SHA1
65b84149ddcca9eba13ee85ef33f115fe15c56a8

SHA256
81d42515c7f1e0d74d55c6f753ef7e72944a72f5f5ec95af7bf90762d814197c

SHA512
84806d012d542b4907b59cc83474d04a4febc3e9345404ffc5c1b7022cc922d7f5b06ba2dc0169f8e2e1307a319b3dd20d4405206a0376e4eb2f5cb10c6a465d

Download Submit
C:\Windows\{654B256F-C5DA-42cb-B13F-8FF551551A04}.exe

Filesize
372KB

MD5
0f07ed323c47dc4eea5963ba263016e5

SHA1
b0a8010cf856d8f6aee2a7786f4891eebf707695

SHA256
82cf37e7ee212808ee8ca8d8377214f6b69baf436d4e600cd4fd2d7c08a543a8

SHA512
8ad380978adcfc1a20465cc0325356ac543febc9ee752bba31f774e7c787c216cfccd37449249130f598add3b1cb69d32a20ba1984c4ac4702f1d6397548c763

Download Submit
C:\Windows\{69F45A1C-5473-4fdf-B132-F5104976FA8A}.exe

Filesize
372KB

MD5
e95f66203e3bb89e5b8484581fba574b

SHA1
765c92db643acc76f251f0588da446c1aefaee6b

SHA256
f13be99eb1dbe43624525834d398dd3991554cfe5a3943370fb9773a855f40d1

SHA512
1df6df650cec3520be5632e64b9274ea707e2a400947650199540a46d80b06af07aded110ac0763a892ff3e878f33983e0677f848346dc72a2d49fb42a1825fb

Download Submit
C:\Windows\{7243D60E-FF2C-4ea0-888C-D2D006E8FC6B}.exe

Filesize
372KB

MD5
7afd2a70c3195703df6af99795670754

SHA1
67d340e8a4a0389c9b9d891d0f36f92149976de3

SHA256
01b2b37442075b62cc87da94844dda75d1c85d94011586daa97d797c4db4f116

SHA512
2f983234f2a025e3475f92cea7d4fe9efebce7d6d452f84f795ea60e874b540778dc71f1278518e0bde5aac97afe724e963dffd8a8016ac4ded9c80c5e079879

Download Submit
C:\Windows\{A42E9E0C-18BF-4200-A7EE-43AE4715B97C}.exe

Filesize
372KB

MD5
d10f10f0922499447ff478b5629f623b

SHA1
f6ca264be7ec63461b601c088ad068d9981a2c07

SHA256
01854b54d4ff04d5fcad76281fe1322b302485bd824e2dfbe739e1a99bd09135

SHA512
b317f7ca65f939f48acc3ea4dcc5376108e474cb32d29473f7c95494fa621806110f018d9f77c37c9dd194a6511786b623f9ce907bf6ed214aeb0cfb662b39c1

Download Submit
C:\Windows\{A5DAE1E4-E351-404e-9744-5367F9D40CAF}.exe

Filesize
372KB

MD5
e6e483b2912d629d15adef2b55eb7e97

SHA1
1e2b24f431bccc1386bc0509f2abaa9a0c81a4f4

SHA256
f323ccd409efe265e261d2c7dca8c961c5db4fd739df02f46e3dd9950ff844cc

SHA512
798f14bb2b48641eb778c5824c226f4837864c5912bafc5fdf6ab4ccd6c8531b81aeafe833575afd4eca1ffb1b4d1454142258129b1a44413fddbcd4c1507f12

Download Submit
C:\Windows\{C53E1A51-E00F-41a1-90BE-0B9915514DFE}.exe

Filesize
372KB

MD5
997a7d1466737fe613da8d17235752bb

SHA1
329551203864de2f2c95146cdf19de0952d67a6d

SHA256
d440274289b961a1d02e5ebbba5e2de7491d9d545292d8c8a43f7a7de8670a25

SHA512
bc1ba3f547dc00ddda1cffbc75c78f3e4d96bf764d305e17f7ebb9071b2abec48cc54a1d9b0cb162fdb6aafadec170f7eb36dc9a5ea11825799d647807326b9f

Download Submit
C:\Windows\{DDD2A08B-94A4-4c55-A3A6-433B0C7057EC}.exe

Filesize
372KB

MD5
3395a20b3e021d7f3952bf08490e32e4

SHA1
710a2063c764bfece84c0f58fc89198578cf912c

SHA256
dddd7af9a5d7a3380e88a43466a8166cb89677eeaa07d0930a7820ba35577a90

SHA512
7f2710dfb86607ac061d1fe4958670c879c9a45d3c52490b6c01fffe63a7ad633614ae2bc2cf9cd2a0af4a6096b0b0a4088600d69c3c9d46d8b8976727f323bb

Download Submit
C:\Windows\{EC4E8582-5A54-4320-A601-67E735362F31}.exe

Filesize
372KB

MD5
0d21e881602c8a656ef25f933996a770

SHA1
168f04a106be0e10f51c49b749e215b60d959818

SHA256
a3b4150d971694091b66939dfe3620e66df377e5365b1aa538f7cbf4fa0b3c3e

SHA512
dc4f148ffd6d3703a4a6347cee2e627f23aaa23550a863abcf4594ec2309204f4cc59fdfc6d94ec85b95d7d50c9e48f1ae505352d458a43a4305af6c3a3c3b89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads