b1befaef70ba668cd9d2b9598637b4ab52e34686d05103fde4e2b00326c28fcc

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
Size

168KB
MD5

79c29b9daf0c8b229d5d459f8697abd3
SHA1

1f5b0d87612e12b5ab7aa39b0ca7709479571452
SHA256

b1befaef70ba668cd9d2b9598637b4ab52e34686d05103fde4e2b00326c28fcc
SHA512

c573b3d2c82cc92415f7e32d049c81c2a040a401a0ed1ef81b9bbd8e1322da86aa523bee3c28511d3b04a3fe40f0c7cc0b24863a24420a83b4767d955269a837
SSDEEP

1536:1EGh0o/lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023483-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023549-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002348a-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023549-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002348a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023549-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002348a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023549-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002348a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023549-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002348a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023549-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}\stubpath = "C:\\Windows\\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe"	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{273EE498-53F9-46b4-94D0-DF880651921E}	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A2810F-2D3D-4532-A871-A47A5252C603}\stubpath = "C:\\Windows\\{27A2810F-2D3D-4532-A871-A47A5252C603}.exe"	{273EE498-53F9-46b4-94D0-DF880651921E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}\stubpath = "C:\\Windows\\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe"	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5059B02-E7CC-4984-80A3-87B646E17221}	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}\stubpath = "C:\\Windows\\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe"	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}\stubpath = "C:\\Windows\\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe"	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A2810F-2D3D-4532-A871-A47A5252C603}	{273EE498-53F9-46b4-94D0-DF880651921E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}\stubpath = "C:\\Windows\\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe"	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}\stubpath = "C:\\Windows\\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe"	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E94E76B-4697-4ed5-A632-6BA6E5675667}	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E94E76B-4697-4ed5-A632-6BA6E5675667}\stubpath = "C:\\Windows\\{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe"	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3A6891-868C-4ca8-A8FD-E280B0916886}\stubpath = "C:\\Windows\\{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe"	{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5059B02-E7CC-4984-80A3-87B646E17221}\stubpath = "C:\\Windows\\{C5059B02-E7CC-4984-80A3-87B646E17221}.exe"	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{273EE498-53F9-46b4-94D0-DF880651921E}\stubpath = "C:\\Windows\\{273EE498-53F9-46b4-94D0-DF880651921E}.exe"	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}\stubpath = "C:\\Windows\\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe"	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3A6891-868C-4ca8-A8FD-E280B0916886}	{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe
5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
2516	{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe
2384	{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
File created	C:\Windows\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
File created	C:\Windows\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
File created	C:\Windows\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
File created	C:\Windows\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
File created	C:\Windows\{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe	{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe
File created	C:\Windows\{273EE498-53F9-46b4-94D0-DF880651921E}.exe	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
File created	C:\Windows\{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	{273EE498-53F9-46b4-94D0-DF880651921E}.exe
File created	C:\Windows\{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
File created	C:\Windows\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
File created	C:\Windows\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
File created	C:\Windows\{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe
Token: SeIncBasePriorityPrivilege	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
Token: SeIncBasePriorityPrivilege	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
Token: SeIncBasePriorityPrivilege	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
Token: SeIncBasePriorityPrivilege	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
Token: SeIncBasePriorityPrivilege	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
Token: SeIncBasePriorityPrivilege	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
Token: SeIncBasePriorityPrivilege	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
Token: SeIncBasePriorityPrivilege	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
Token: SeIncBasePriorityPrivilege	1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
Token: SeIncBasePriorityPrivilege	2516	{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4724	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	82
PID 3792 wrote to memory of 4724	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	82
PID 3792 wrote to memory of 4724	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	82
PID 3792 wrote to memory of 572	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	83
PID 3792 wrote to memory of 572	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	83
PID 3792 wrote to memory of 572	3792	2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe	83
PID 4724 wrote to memory of 5616	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	84
PID 4724 wrote to memory of 5616	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	84
PID 4724 wrote to memory of 5616	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	84
PID 4724 wrote to memory of 540	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	85
PID 4724 wrote to memory of 540	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	85
PID 4724 wrote to memory of 540	4724	{273EE498-53F9-46b4-94D0-DF880651921E}.exe	85
PID 5616 wrote to memory of 4340	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	87
PID 5616 wrote to memory of 4340	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	87
PID 5616 wrote to memory of 4340	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	87
PID 5616 wrote to memory of 448	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	88
PID 5616 wrote to memory of 448	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	88
PID 5616 wrote to memory of 448	5616	{27A2810F-2D3D-4532-A871-A47A5252C603}.exe	88
PID 4340 wrote to memory of 1548	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	89
PID 4340 wrote to memory of 1548	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	89
PID 4340 wrote to memory of 1548	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	89
PID 4340 wrote to memory of 552	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	90
PID 4340 wrote to memory of 552	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	90
PID 4340 wrote to memory of 552	4340	{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe	90
PID 1548 wrote to memory of 4748	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	91
PID 1548 wrote to memory of 4748	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	91
PID 1548 wrote to memory of 4748	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	91
PID 1548 wrote to memory of 2984	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	92
PID 1548 wrote to memory of 2984	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	92
PID 1548 wrote to memory of 2984	1548	{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe	92
PID 4748 wrote to memory of 5240	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	93
PID 4748 wrote to memory of 5240	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	93
PID 4748 wrote to memory of 5240	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	93
PID 4748 wrote to memory of 3132	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	94
PID 4748 wrote to memory of 3132	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	94
PID 4748 wrote to memory of 3132	4748	{C5059B02-E7CC-4984-80A3-87B646E17221}.exe	94
PID 5240 wrote to memory of 1172	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	95
PID 5240 wrote to memory of 1172	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	95
PID 5240 wrote to memory of 1172	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	95
PID 5240 wrote to memory of 5724	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	96
PID 5240 wrote to memory of 5724	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	96
PID 5240 wrote to memory of 5724	5240	{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe	96
PID 1172 wrote to memory of 3168	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	97
PID 1172 wrote to memory of 3168	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	97
PID 1172 wrote to memory of 3168	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	97
PID 1172 wrote to memory of 2360	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	98
PID 1172 wrote to memory of 2360	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	98
PID 1172 wrote to memory of 2360	1172	{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe	98
PID 3168 wrote to memory of 5448	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	99
PID 3168 wrote to memory of 5448	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	99
PID 3168 wrote to memory of 5448	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	99
PID 3168 wrote to memory of 5428	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	100
PID 3168 wrote to memory of 5428	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	100
PID 3168 wrote to memory of 5428	3168	{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe	100
PID 5448 wrote to memory of 1728	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	101
PID 5448 wrote to memory of 1728	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	101
PID 5448 wrote to memory of 1728	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	101
PID 5448 wrote to memory of 5072	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	102
PID 5448 wrote to memory of 5072	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	102
PID 5448 wrote to memory of 5072	5448	{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe	102
PID 1728 wrote to memory of 2516	1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe	103
PID 1728 wrote to memory of 2516	1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe	103
PID 1728 wrote to memory of 2516	1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe	103
PID 1728 wrote to memory of 2412	1728	{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_79c29b9daf0c8b229d5d459f8697abd3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\{273EE498-53F9-46b4-94D0-DF880651921E}.exe
  C:\Windows\{273EE498-53F9-46b4-94D0-DF880651921E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
    C:\Windows\{27A2810F-2D3D-4532-A871-A47A5252C603}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5616
  - - C:\Windows\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
      C:\Windows\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
        
        C:\Windows\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
        
        C:\Windows\{C5059B02-E7CC-4984-80A3-87B646E17221}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
        
        C:\Windows\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5240
        
        C:\Windows\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
        
        C:\Windows\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
        
        C:\Windows\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
        
        C:\Windows\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
        
        C:\Windows\{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe
        
        C:\Windows\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe
        
        C:\Windows\{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe
        13⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABB69~1.EXE > nul
        13⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E94E~1.EXE > nul
        12⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1DF6~1.EXE > nul
        11⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74723~1.EXE > nul
        10⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7986~1.EXE > nul
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A49EC~1.EXE > nul
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5059~1.EXE > nul
        7⤵
        
        PID:3132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699A4~1.EXE > nul
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD008~1.EXE > nul
        5⤵
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27A28~1.EXE > nul
      4⤵
      PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{273EE~1.EXE > nul
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B3A6891-868C-4ca8-A8FD-E280B0916886}.exe

Filesize
168KB

MD5
fb3e2a2004af7d4308ddf4fd30584864

SHA1
0c09dfb1caadfd3a5b8875e2a0b43e15cb39804d

SHA256
a7c1e92ef5af6657d9b99ff950a7203c950fd11897b0f8cecab622a7d1fdfd41

SHA512
cc66647b4bebb3f8059df56e2649e85b007b308ee62cf1fa45bf3620d190a41178125aa371fd204bc56acd4c85919db64b948704adc88a8fb15b491481bcaea9

Download Submit
C:\Windows\{273EE498-53F9-46b4-94D0-DF880651921E}.exe

Filesize
168KB

MD5
1bebaa11678153423522214d68abca64

SHA1
9068159f2d5bc4c53839738827f80ddb87cbd8ff

SHA256
a63783eb789bbc3ce1bd840aae212bb611658b3be06f5a39f7e25476a2575540

SHA512
d30c282dbd9c3ed00717d35905f9d31c885df24c979469e8bb26f6a663768a033ceb5cd81c2ef99018775d5fd920095f9983cad389bae5dae79d61b09c44c432

Download Submit
C:\Windows\{27A2810F-2D3D-4532-A871-A47A5252C603}.exe

Filesize
168KB

MD5
521de65a8c49f9347ad004a03d767027

SHA1
9f7e560b50e10c8e9eb46f647a648413aa530152

SHA256
d4aafaf770a2ded87a3db77f2a9bd96b57d3935196321621c1bf4b3ae68bfa0e

SHA512
55a25e58a17b7cd0fdb5280400ff41f65cf59ca359386c64387ef6275f9a17d004c5509232dbb4d4334b2dc968e3afc497ea2fa20fef6728d5a5c103c5c8e810

Download Submit
C:\Windows\{699A4E68-6F08-4e25-A73B-A78BEF8CAE6F}.exe

Filesize
168KB

MD5
1f4a8cdc9d71f7aae9474e07f0d1684e

SHA1
d95c2ada5351a98ca094b0a32b9c79a278c4b298

SHA256
7640b76da536595853d3275849c576acd177dc189be247be38267fbe8da9378f

SHA512
8caf832be84e3d4da0f6aed7d1537d6ae927ca98cbb8662b2f5dbdf7c8bc8ea562decc12d70a2006c92fa5af76eccfac125129f85b917e39a59855cb06f238c7

Download Submit
C:\Windows\{74723D51-8E3B-4a8b-B8BA-02224DE5C934}.exe

Filesize
168KB

MD5
eaedb9da5842224c8c349397bd30663b

SHA1
68231c3ec93f23f850a7234e903a79aa63ba84f5

SHA256
75c523f6385603d03b581f1dd3da0c6bbef20f31c52fdf2dbef7ad6523695649

SHA512
29b56ee1fa374d9a7f5541c169a1df4624f5dab51b79faceaae6df7f2b58ce54b5d44ea4581b109511b4b9e27ffc9cc2389bbafecab297f76b3fa9d85f01cd9e

Download Submit
C:\Windows\{9E94E76B-4697-4ed5-A632-6BA6E5675667}.exe

Filesize
168KB

MD5
c714fde945def2602b7f15087c9538a2

SHA1
61e2df11673525c07d4f70e070cf04598f3d23fc

SHA256
7da6f7889a3d3e66d1d50a630b1fe5ad37f9c8f386b2b78e0801720797ea70a1

SHA512
7d161436ccef933e435dc40472725c0bb66e1ff70b49334235c9739ed1e7cb2514ee39cfe197e29de9b83d9d991134a5988a86c94d6061ca15692c9fed4d43b8

Download Submit
C:\Windows\{A49ECCB0-5618-4fa7-B285-3738F1D139D0}.exe

Filesize
168KB

MD5
04686b275b8bf1cf97b4e3d023f81509

SHA1
c8545adfd2a48f01a00d3f9487543e99496eba98

SHA256
893d0cc182a44eb05c478531180960d73decaa7e3b96c1c9522bf668ab0ead2d

SHA512
5643d9692b2237b7899e4e6b4c7277dcb0c5bebcb6558ca28e4f4d54188d3982d9f2d486f5f8847c5ecd1d25e18558ebe3a43622ecdf4ba8320d2bbdc52da930

Download Submit
C:\Windows\{ABB6969A-3358-4eab-9DAF-CFA41FB37EA5}.exe

Filesize
168KB

MD5
832514488c7fbcd45d9645dbb8d9c556

SHA1
d15997e267c8b1e8e11a1f41c22082b0d775efaa

SHA256
73650e1417d46dc562cfabb66b76b40db5ad9121b5ea9b9d7eef3836ba1856d0

SHA512
56537e12ff0b48b0a3b56ed28edb33c8892d8ec213a6b1a68495bbfb5ff6e4070f27840d60f96747e8d01280c2a172f7555d2fed6aebb900c7711144ebe1c1d8

Download Submit
C:\Windows\{B1DF6849-3EF7-4414-8E7A-0DEBD061940A}.exe

Filesize
168KB

MD5
2d48e6246b64eebe046eb997399eff00

SHA1
c4781778beff9f15d29e5e7b6b14b8a84d4749db

SHA256
be6c9998070e166182f808bb8cf6410946f67a3adb69988c6298761df17384f8

SHA512
a491edb70b26fde2113a0706f2da3935eb4674d4f95594dae2a870bf21a5fb94476aa40bea632fc640ec6e18e3666f0a99707393fb29d7b13191b22371ba440d

Download Submit
C:\Windows\{C5059B02-E7CC-4984-80A3-87B646E17221}.exe

Filesize
168KB

MD5
ba15ef58a55b52e1402b4e00990c4c68

SHA1
d3823ee4ebbb4a06dafcf9777de062b33ca8c3b0

SHA256
a7213d20bec554a24d6eb9617c0c904698cbb331c4a4379857171aaad0e5c241

SHA512
ba6b27986dbcbf4eac16f217b7eed10cf9e72295a1a16d4957f14b5ec7a1c0c731df0bd9873325617a737fa616e11f97ba3c1fa7d935f9a6c09d8af996ac1a2d

Download Submit
C:\Windows\{C79860E3-8BA7-408a-B7CE-280079D6B8C2}.exe

Filesize
168KB

MD5
7fc1be2884f5d4a8820b11f74454a258

SHA1
b149a98fe7f6c8046ebc58eff8a24cc02bff3d6a

SHA256
613a6dc06e4ae242ff2e7c52ab4de049d62f9ead09669b8ca932522ddd6403b0

SHA512
161043b1fd2608887c568e20807e59fbaac31300c7450265bd657af77614a28333d06a179ba6d7b51524a0c6e4285b6a1bd0040c43f6a41233ba1b3b5bdbf939

Download Submit
C:\Windows\{DD008A5A-AA77-44dd-80AF-03FFB42B3892}.exe

Filesize
168KB

MD5
33d563945422554117f8d0464a0381f7

SHA1
37551922553da3e45e3efa58ea23cc2f21049035

SHA256
00a54c9811a0b350055c13a0a7a3bc427cdacd1a236a16969de6d6093c29219b

SHA512
d74ce788859b69b963ae96aa38bd8826a9377dd1b78165d8176969240f58b04a69c326a89347484da5217717976edb00742c5a0d0af67cf4249fde0beaa8270a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads