964349fda40fa6ab312a9e1b07f2190e2f3fd4f6e2108a191a86f6ee48ea334d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
Size

380KB
MD5

8d8e5fbb390ed26cc694d682c7a09d50
SHA1

313d09cabfafc69a678f34d1eef3ea373e110f5f
SHA256

964349fda40fa6ab312a9e1b07f2190e2f3fd4f6e2108a191a86f6ee48ea334d
SHA512

0443759bcbce03e420a37a4a5f80dc733ea708157b469242020518b8cb0a36247d4eabd1b045ae6a4dc3d5539682c72cdc0b23a548df00bcb836f845b42d5c04
SSDEEP

3072:mEGh0oWlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002326f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ed-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233f4-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ed-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233f4-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233ed-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f4-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233ed-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f4-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233ed-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233f4-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233ed-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE9CCE-E6E4-410a-AD47-992377C9F961}	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BC7047E-0924-4bdc-87B9-0D572C016A87}\stubpath = "C:\\Windows\\{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe"	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C25CA9A-296C-4d16-99E7-380B72B76751}	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C25CA9A-296C-4d16-99E7-380B72B76751}\stubpath = "C:\\Windows\\{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe"	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}	{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}\stubpath = "C:\\Windows\\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe"	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4411AF-8846-48c1-B865-706D517F303B}	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4411AF-8846-48c1-B865-706D517F303B}\stubpath = "C:\\Windows\\{BC4411AF-8846-48c1-B865-706D517F303B}.exe"	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}\stubpath = "C:\\Windows\\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe"	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}\stubpath = "C:\\Windows\\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe"	{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B44A7CF-5C86-4c76-9926-31BAB1081577}\stubpath = "C:\\Windows\\{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe"	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B44A7CF-5C86-4c76-9926-31BAB1081577}	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0081747-2E7B-41c5-847F-8F8C104CA305}\stubpath = "C:\\Windows\\{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe"	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}	{BC4411AF-8846-48c1-B865-706D517F303B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E436C9-2D7A-4d6e-897B-3F2C93019833}	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BC7047E-0924-4bdc-87B9-0D572C016A87}	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}\stubpath = "C:\\Windows\\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe"	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0081747-2E7B-41c5-847F-8F8C104CA305}	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}\stubpath = "C:\\Windows\\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe"	{BC4411AF-8846-48c1-B865-706D517F303B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E436C9-2D7A-4d6e-897B-3F2C93019833}\stubpath = "C:\\Windows\\{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe"	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE9CCE-E6E4-410a-AD47-992377C9F961}\stubpath = "C:\\Windows\\{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe"	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe

Executes dropped EXE 12 IoCs

pid	Process
3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe
4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
4600	{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
3232	{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
File created	C:\Windows\{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
File created	C:\Windows\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	{BC4411AF-8846-48c1-B865-706D517F303B}.exe
File created	C:\Windows\{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
File created	C:\Windows\{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
File created	C:\Windows\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
File created	C:\Windows\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe	{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
File created	C:\Windows\{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
File created	C:\Windows\{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
File created	C:\Windows\{BC4411AF-8846-48c1-B865-706D517F303B}.exe	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
File created	C:\Windows\{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
File created	C:\Windows\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
Token: SeIncBasePriorityPrivilege	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
Token: SeIncBasePriorityPrivilege	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
Token: SeIncBasePriorityPrivilege	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
Token: SeIncBasePriorityPrivilege	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe
Token: SeIncBasePriorityPrivilege	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
Token: SeIncBasePriorityPrivilege	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
Token: SeIncBasePriorityPrivilege	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
Token: SeIncBasePriorityPrivilege	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
Token: SeIncBasePriorityPrivilege	3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
Token: SeIncBasePriorityPrivilege	4600	{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3248	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	81
PID 4792 wrote to memory of 3248	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	81
PID 4792 wrote to memory of 3248	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	81
PID 4792 wrote to memory of 1692	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	82
PID 4792 wrote to memory of 1692	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	82
PID 4792 wrote to memory of 1692	4792	2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe	82
PID 3248 wrote to memory of 4428	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	83
PID 3248 wrote to memory of 4428	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	83
PID 3248 wrote to memory of 4428	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	83
PID 3248 wrote to memory of 4156	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	84
PID 3248 wrote to memory of 4156	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	84
PID 3248 wrote to memory of 4156	3248	{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe	84
PID 4428 wrote to memory of 4084	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	87
PID 4428 wrote to memory of 4084	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	87
PID 4428 wrote to memory of 4084	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	87
PID 4428 wrote to memory of 1460	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	88
PID 4428 wrote to memory of 1460	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	88
PID 4428 wrote to memory of 1460	4428	{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe	88
PID 4084 wrote to memory of 100	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	89
PID 4084 wrote to memory of 100	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	89
PID 4084 wrote to memory of 100	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	89
PID 4084 wrote to memory of 1704	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	90
PID 4084 wrote to memory of 1704	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	90
PID 4084 wrote to memory of 1704	4084	{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe	90
PID 100 wrote to memory of 3544	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	91
PID 100 wrote to memory of 3544	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	91
PID 100 wrote to memory of 3544	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	91
PID 100 wrote to memory of 4216	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	92
PID 100 wrote to memory of 4216	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	92
PID 100 wrote to memory of 4216	100	{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe	92
PID 3544 wrote to memory of 4668	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	93
PID 3544 wrote to memory of 4668	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	93
PID 3544 wrote to memory of 4668	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	93
PID 3544 wrote to memory of 4252	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	94
PID 3544 wrote to memory of 4252	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	94
PID 3544 wrote to memory of 4252	3544	{BC4411AF-8846-48c1-B865-706D517F303B}.exe	94
PID 4668 wrote to memory of 4596	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	95
PID 4668 wrote to memory of 4596	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	95
PID 4668 wrote to memory of 4596	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	95
PID 4668 wrote to memory of 4344	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	96
PID 4668 wrote to memory of 4344	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	96
PID 4668 wrote to memory of 4344	4668	{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe	96
PID 4596 wrote to memory of 4800	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	97
PID 4596 wrote to memory of 4800	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	97
PID 4596 wrote to memory of 4800	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	97
PID 4596 wrote to memory of 400	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	98
PID 4596 wrote to memory of 400	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	98
PID 4596 wrote to memory of 400	4596	{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe	98
PID 4800 wrote to memory of 368	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	99
PID 4800 wrote to memory of 368	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	99
PID 4800 wrote to memory of 368	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	99
PID 4800 wrote to memory of 4536	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	100
PID 4800 wrote to memory of 4536	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	100
PID 4800 wrote to memory of 4536	4800	{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe	100
PID 368 wrote to memory of 3328	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	101
PID 368 wrote to memory of 3328	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	101
PID 368 wrote to memory of 3328	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	101
PID 368 wrote to memory of 1228	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	102
PID 368 wrote to memory of 1228	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	102
PID 368 wrote to memory of 1228	368	{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe	102
PID 3328 wrote to memory of 4600	3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe	103
PID 3328 wrote to memory of 4600	3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe	103
PID 3328 wrote to memory of 4600	3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe	103
PID 3328 wrote to memory of 1376	3328	{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_8d8e5fbb390ed26cc694d682c7a09d50_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
  C:\Windows\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
    C:\Windows\{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
      C:\Windows\{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
        
        C:\Windows\{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Windows\{BC4411AF-8846-48c1-B865-706D517F303B}.exe
        
        C:\Windows\{BC4411AF-8846-48c1-B865-706D517F303B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
        
        C:\Windows\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
        
        C:\Windows\{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
        
        C:\Windows\{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
        
        C:\Windows\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
        
        C:\Windows\{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
        
        C:\Windows\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe
        
        C:\Windows\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe
        13⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BB83~1.EXE > nul
        13⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C25C~1.EXE > nul
        12⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6DE0~1.EXE > nul
        11⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BC70~1.EXE > nul
        10⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E43~1.EXE > nul
        9⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C341~1.EXE > nul
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC441~1.EXE > nul
        7⤵
        
        PID:4252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0081~1.EXE > nul
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44FE9~1.EXE > nul
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B44A~1.EXE > nul
      4⤵
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BF0B3~1.EXE > nul
    3⤵
    PID:4156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09E436C9-2D7A-4d6e-897B-3F2C93019833}.exe

Filesize
380KB

MD5
bc96853acda0fa2e5a3b94cd61491e5c

SHA1
5f5b4639bd03621b48baab33551668bcd6920f90

SHA256
9fdc42247e9047b9f8a3341fcb449bde0ebfd812f87e1bdc8b306bcf400caa4b

SHA512
4a46066e7719f17672eed35d0946170480cef6ef49b83ca44e0b82319dc68b0ac8bef9aab2e87fbdd4699bc1794f526421b879ac1148daaf1548dd6b63669f61

Download Submit
C:\Windows\{3BB83CC7-A6B6-4b50-BFD3-01A6958F5C41}.exe

Filesize
380KB

MD5
fa37e2ec8ef0b4fac7af43d65ceb6908

SHA1
48aee29c1814cbdb65b5ed32c00d633a8234aaec

SHA256
a2058caea43cde417bfb0b7030780175c15b8f26726d721873e82beac58f6264

SHA512
64605e2b941c0c62926c0bad7dc3879dd5fde1acce70f19ad38cfafccc5617d4abeeffacbcb36668cd0c2ce39f80adc94a66d1edd1f651acdd2bf46d45d2219c

Download Submit
C:\Windows\{3C341200-70C0-46a9-91D3-B9B55A7C70D8}.exe

Filesize
380KB

MD5
b8ef3ead796cccb8db12969284c089d7

SHA1
a16872da87d7c98aed44763a10c9397ba43fe931

SHA256
d22595807ba992906cccb88f4dd845cddac3b0eea37c31510fff4b71e74f82dd

SHA512
383122cfcd9621b8a3852eca797ca7f7c315ca7beb3b7fd15d3e84350c0d3e353bde8f2945e9dc48e2490238245d5e14127f05255a481eaa861a4af9d382843e

Download Submit
C:\Windows\{44FE9CCE-E6E4-410a-AD47-992377C9F961}.exe

Filesize
380KB

MD5
457b6753f200fb7a82ad92e63a6423a4

SHA1
84eff3485eb832f5b4910311f6d10f268705bd3d

SHA256
275c02d6ec3f1af7bd1e74566126af5d9b118390aca2aa0984a94cab8216f654

SHA512
c69a93afd438dd63739726da4a093392f5746676161fd5c64f7ee1508dee13317d6200512205502cdb454d09883696093477facf0e9c86fefcecff28740719be

Download Submit
C:\Windows\{4BC7047E-0924-4bdc-87B9-0D572C016A87}.exe

Filesize
380KB

MD5
e77dbe66d43493ffff6240ecc8ba82ce

SHA1
3510e338a1b6ae2961e889fccab533a610278892

SHA256
e20659685ffa00e0459ccd6e2ee56ed9a93e57320df9b9cd256e8b3e24524dc8

SHA512
a056e0faea09becaf456e6188086283c6f85524e85a51a353261e860405fa73f85249c9172974e0386d3f612f3aced3c460e9b5ce89dac2a2375b7f9995369d4

Download Submit
C:\Windows\{5B44A7CF-5C86-4c76-9926-31BAB1081577}.exe

Filesize
380KB

MD5
ca1df3835258ba4a6bfd1b32df08c8dd

SHA1
f8ec428922da7433fde5fdcda7e2c13393bee13c

SHA256
7c8b71c9f9a8b39210f0ed9e8c008448dae2f5aac9d8e41e6216755cf3d9c52a

SHA512
bb6871238872ad9f0996ed12af7b0ddc2a3a82fcd9372846e40263cb0b0ae40ef8497964da0bad395fec5d4947df1b07cb866f1f9616f2533e039ea27c9b8058

Download Submit
C:\Windows\{8C25CA9A-296C-4d16-99E7-380B72B76751}.exe

Filesize
380KB

MD5
3dbb2fccbc0982e57e59f2a879aee93e

SHA1
1203446fb74a42d02b17555231c53a74a45e4a94

SHA256
8fba617b47ef3be0a805c52b9b84a9545438042eee7932c02c9b14409737b06f

SHA512
992cd8ffc124dab8adf6bb8b6c6946c6486b072c764785c1d0bb266dbb32a117f9a3f7deeeb2efd459b5987e50f1d9acef4f100907463072430e23dc6de308d4

Download Submit
C:\Windows\{98F52986-9AC0-43b5-B07D-DA09BE8DB410}.exe

Filesize
380KB

MD5
0dbd593b4f3bdfa8adbd5553acb5b638

SHA1
c61060de1f9533518ba614cb313375e4e10d1787

SHA256
6b46054b37be24f37dff066d7c668636606591dc8c59a6d864395e0b43421033

SHA512
c7c317e6e3fcdae5a33d5d6ee253e7f2109f597ae4575773d2b1cd030d27dd679fd4b873b4156d2f4efb715692b62b925a176fd6753aa6cc5d42b94ecc5ce0e4

Download Submit
C:\Windows\{B0081747-2E7B-41c5-847F-8F8C104CA305}.exe

Filesize
380KB

MD5
815fc588c742e1e4a4f1db919631a763

SHA1
7eba141a5492845c5b9e88f7dc31f5368daacf3b

SHA256
613ce1755e1433523bdd2268c13a0548c6dc7960a2b897fd60cd1eefed95004e

SHA512
c6493deb5c8674256d162d0628dc28362f44cfe075fb13de7a6fd643982b980e48ffabeff53867233a1864699ef19982adb5654333d55466961335b1e23e8767

Download Submit
C:\Windows\{B6DE0636-C4FA-46e7-BE32-818A2E866CDB}.exe

Filesize
380KB

MD5
0fe8640a14e397bf0d3aa99a99f8814a

SHA1
4f8cac74ec348d54572b436af6347ad8375756cf

SHA256
cdadac629306b77d0e999965ef6d283b36b6cbb824c3f2c6d2ef8eb0aecb7b9d

SHA512
26c844c0d4ff87aab65c54ecf039a08ccf81a76e739376cbf6365e305052ab428b427f26c8fe46c48a41d71fff6c11755031e18048a1f5183d3482030d0dd6c2

Download Submit
C:\Windows\{BC4411AF-8846-48c1-B865-706D517F303B}.exe

Filesize
380KB

MD5
354d693dd8d0682cba576fa21c4ed55f

SHA1
0169335559dd5a4db8e4023593e2f4f012ba850e

SHA256
47ab4bf9e5335ce9496a52d5579b9739bb3b4b7cd45fb37c69b82671c1d8204b

SHA512
378e8c042cb4023d56a8b03d81161077e0cf9b1babbe1d4b8cc3200633e43d2fc0e10dead2798b2a3ccedda53177fe121201095b427809f33cfa3c91be15c95c

Download Submit
C:\Windows\{BF0B3096-2ACC-4675-95C5-DF9F061E391D}.exe

Filesize
380KB

MD5
38f67f103520f9c33a70e3ce6f30b87d

SHA1
f0dbee87d61aabe5215553b2a611ff4d25ca0ec4

SHA256
3843da3bfaf750cfc8b0cd4ac4b9cafd020892bfb386ff19d860162c1ec7c2ab

SHA512
2f70d18ba412f7332e700eae99dde57e7476387e2cb4b2c30fb654895f80452c7b1dd4032bb09a0b6fa48a900d41f0659d0839535bc8ba1532ee82cc87903f7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads