72dadb9d239891deaa58ebde923eff2919c6ff218fc7ef193c16a83dba4a4abc

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
Size

168KB
MD5

a12cc0dc8dc50f8a5ff3abbd754eef05
SHA1

e2aecaea74fc2ac3250e568df2071c3f2ee2ab50
SHA256

72dadb9d239891deaa58ebde923eff2919c6ff218fc7ef193c16a83dba4a4abc
SHA512

dca115bca57a4cfc51823e6834e41ad410d676a385e88eb5b41d82e23362171703a3ea08e76ebd6b64343e699e77a627102a6e29f0e5da257d2ce86e04d48ffa
SSDEEP

1536:1EGh0oylq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oylqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f5-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002319e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fc-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001700000002319e-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023038-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1050B792-DF09-493b-865B-589E80266954}\stubpath = "C:\\Windows\\{1050B792-DF09-493b-865B-589E80266954}.exe"	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ED3C2B3-A861-4266-9638-73AC58284553}\stubpath = "C:\\Windows\\{5ED3C2B3-A861-4266-9638-73AC58284553}.exe"	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790100C6-DB11-4264-A6E8-FB7923850D2D}	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94588730-FE11-402f-B1DC-347BC4C6EB9C}\stubpath = "C:\\Windows\\{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe"	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{790100C6-DB11-4264-A6E8-FB7923850D2D}\stubpath = "C:\\Windows\\{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe"	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}\stubpath = "C:\\Windows\\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe"	{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ED3C2B3-A861-4266-9638-73AC58284553}	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}\stubpath = "C:\\Windows\\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe"	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34360E0-FF69-4bfa-BB73-DC62430275E2}\stubpath = "C:\\Windows\\{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe"	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}\stubpath = "C:\\Windows\\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe"	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}	{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1050B792-DF09-493b-865B-589E80266954}	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}	{1050B792-DF09-493b-865B-589E80266954}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2005505E-55E5-4b9b-892E-689F0F5D8810}\stubpath = "C:\\Windows\\{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe"	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94588730-FE11-402f-B1DC-347BC4C6EB9C}	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}\stubpath = "C:\\Windows\\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe"	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B34360E0-FF69-4bfa-BB73-DC62430275E2}	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}\stubpath = "C:\\Windows\\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe"	{1050B792-DF09-493b-865B-589E80266954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2005505E-55E5-4b9b-892E-689F0F5D8810}	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}\stubpath = "C:\\Windows\\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe"	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe

Executes dropped EXE 12 IoCs

pid	Process
4968	{1050B792-DF09-493b-865B-589E80266954}.exe
3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
4468	{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
2492	{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
File created	C:\Windows\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
File created	C:\Windows\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe	{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
File created	C:\Windows\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
File created	C:\Windows\{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
File created	C:\Windows\{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
File created	C:\Windows\{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
File created	C:\Windows\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
File created	C:\Windows\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
File created	C:\Windows\{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
File created	C:\Windows\{1050B792-DF09-493b-865B-589E80266954}.exe	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
File created	C:\Windows\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	{1050B792-DF09-493b-865B-589E80266954}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4968	{1050B792-DF09-493b-865B-589E80266954}.exe
Token: SeIncBasePriorityPrivilege	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
Token: SeIncBasePriorityPrivilege	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
Token: SeIncBasePriorityPrivilege	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
Token: SeIncBasePriorityPrivilege	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
Token: SeIncBasePriorityPrivilege	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
Token: SeIncBasePriorityPrivilege	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
Token: SeIncBasePriorityPrivilege	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
Token: SeIncBasePriorityPrivilege	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
Token: SeIncBasePriorityPrivilege	3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
Token: SeIncBasePriorityPrivilege	4468	{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4968	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	97
PID 4988 wrote to memory of 4968	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	97
PID 4988 wrote to memory of 4968	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	97
PID 4988 wrote to memory of 4824	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	98
PID 4988 wrote to memory of 4824	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	98
PID 4988 wrote to memory of 4824	4988	2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe	98
PID 4968 wrote to memory of 3480	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	99
PID 4968 wrote to memory of 3480	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	99
PID 4968 wrote to memory of 3480	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	99
PID 4968 wrote to memory of 1828	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	100
PID 4968 wrote to memory of 1828	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	100
PID 4968 wrote to memory of 1828	4968	{1050B792-DF09-493b-865B-589E80266954}.exe	100
PID 3480 wrote to memory of 2376	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	102
PID 3480 wrote to memory of 2376	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	102
PID 3480 wrote to memory of 2376	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	102
PID 3480 wrote to memory of 3608	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	103
PID 3480 wrote to memory of 3608	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	103
PID 3480 wrote to memory of 3608	3480	{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe	103
PID 2376 wrote to memory of 1696	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	104
PID 2376 wrote to memory of 1696	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	104
PID 2376 wrote to memory of 1696	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	104
PID 2376 wrote to memory of 3364	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	105
PID 2376 wrote to memory of 3364	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	105
PID 2376 wrote to memory of 3364	2376	{5ED3C2B3-A861-4266-9638-73AC58284553}.exe	105
PID 1696 wrote to memory of 3384	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	106
PID 1696 wrote to memory of 3384	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	106
PID 1696 wrote to memory of 3384	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	106
PID 1696 wrote to memory of 3884	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	107
PID 1696 wrote to memory of 3884	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	107
PID 1696 wrote to memory of 3884	1696	{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe	107
PID 3384 wrote to memory of 3156	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	108
PID 3384 wrote to memory of 3156	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	108
PID 3384 wrote to memory of 3156	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	108
PID 3384 wrote to memory of 4872	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	109
PID 3384 wrote to memory of 4872	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	109
PID 3384 wrote to memory of 4872	3384	{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe	109
PID 3156 wrote to memory of 1288	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	110
PID 3156 wrote to memory of 1288	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	110
PID 3156 wrote to memory of 1288	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	110
PID 3156 wrote to memory of 4184	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	111
PID 3156 wrote to memory of 4184	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	111
PID 3156 wrote to memory of 4184	3156	{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe	111
PID 1288 wrote to memory of 4716	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	112
PID 1288 wrote to memory of 4716	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	112
PID 1288 wrote to memory of 4716	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	112
PID 1288 wrote to memory of 2488	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	113
PID 1288 wrote to memory of 2488	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	113
PID 1288 wrote to memory of 2488	1288	{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe	113
PID 4716 wrote to memory of 540	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	114
PID 4716 wrote to memory of 540	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	114
PID 4716 wrote to memory of 540	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	114
PID 4716 wrote to memory of 1244	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	115
PID 4716 wrote to memory of 1244	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	115
PID 4716 wrote to memory of 1244	4716	{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe	115
PID 540 wrote to memory of 3748	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	116
PID 540 wrote to memory of 3748	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	116
PID 540 wrote to memory of 3748	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	116
PID 540 wrote to memory of 2964	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	117
PID 540 wrote to memory of 2964	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	117
PID 540 wrote to memory of 2964	540	{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe	117
PID 3748 wrote to memory of 4468	3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe	118
PID 3748 wrote to memory of 4468	3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe	118
PID 3748 wrote to memory of 4468	3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe	118
PID 3748 wrote to memory of 3716	3748	{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_a12cc0dc8dc50f8a5ff3abbd754eef05_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\{1050B792-DF09-493b-865B-589E80266954}.exe
  C:\Windows\{1050B792-DF09-493b-865B-589E80266954}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
    C:\Windows\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
      C:\Windows\{5ED3C2B3-A861-4266-9638-73AC58284553}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
        
        C:\Windows\{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
        
        C:\Windows\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
        
        C:\Windows\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
        
        C:\Windows\{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
        
        C:\Windows\{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
        
        C:\Windows\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
        
        C:\Windows\{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
        
        C:\Windows\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\Windows\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe
        
        C:\Windows\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7946E~1.EXE > nul
        13⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3436~1.EXE > nul
        12⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB112~1.EXE > nul
        11⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79010~1.EXE > nul
        10⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94588~1.EXE > nul
        9⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67064~1.EXE > nul
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B37F7~1.EXE > nul
        7⤵
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20055~1.EXE > nul
        6⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5ED3C~1.EXE > nul
        5⤵
        
        PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B9D~1.EXE > nul
      4⤵
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1050B~1.EXE > nul
    3⤵
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1050B792-DF09-493b-865B-589E80266954}.exe

Filesize
168KB

MD5
6553d76d8d5b3c36c7b31232353bdeb4

SHA1
19fda9e24b6781bed29a5a3912350253715fcec4

SHA256
8a9787eed56c3ab8388bd0dc87121248f1a19c832b66af852921f852cf001199

SHA512
b910809c074c8a25bfdb26321756ff9e42170338564a907d16fff3520e7cf451263b5ac0fd916bdcbce588073601252e74653e4fb9dfead98c56268c0beb6883

Download Submit
C:\Windows\{2005505E-55E5-4b9b-892E-689F0F5D8810}.exe

Filesize
168KB

MD5
de8fefd79c45f832ad53f6a47ef474cf

SHA1
17e89bcd32888b4332bb07c694b6d30231ed25b8

SHA256
c090d340b83b5c4b7a7481b4613ee39d1fb7d14218edd3090be33eb180dc4feb

SHA512
7ce06a5de965b3907954090adac00d180887b1e5457b08d8eb1b896aedd4b695e4093739a9279e21c98a3b9bc7b5e7073122de91160930f2b9c7cdd25ed0cf46

Download Submit
C:\Windows\{5ED3C2B3-A861-4266-9638-73AC58284553}.exe

Filesize
168KB

MD5
034b3d6417e6a0c232a8413e78af4b55

SHA1
557ef6b3d4de9508b227626a2c5d572797cc943b

SHA256
72cf7d9bfd73ff833cedf46e1e7af400d2271bd6813bf344aa9e47baf53461bc

SHA512
f7f56258bcf0c1b742e471cb7b44193c4e4b8fd046c253c998a80220dee384a4275a897c0aba1abeeb773675735d8863e6f5ae82fa59f38e85f65e9851da7332

Download Submit
C:\Windows\{6706446D-94EF-482b-9C78-A0C2CAA8E5EB}.exe

Filesize
168KB

MD5
38f60d9755aa65ddbe1b88479232a05f

SHA1
5353a0fcc9a6132f339bde0c3ff8e99d3f8f9645

SHA256
fbb4f477ce5e91b9a2d8aece98233016dae87730135b130b98757ebdabd0d894

SHA512
343dfd7c019ec039ae32f5c84f76e0c4cb1943580e68cddce4fc75629b3f43695ae872107719a9e86a22b08510667adcf0e86a946dabc5ed8ef954845c32abdb

Download Submit
C:\Windows\{790100C6-DB11-4264-A6E8-FB7923850D2D}.exe

Filesize
168KB

MD5
6600c361fe17ff77a1c2813219030cf7

SHA1
ee0389e8c3dc9198f732b4b85b97a561b12ae5de

SHA256
5fabc4c829a4d01ef9555ac7189986ea7aa5bbf15dea61d419950117b561b607

SHA512
3af6351bbdb8915766f3053b2b5376242eaea5bbcb70fee00a32a3ea79baca114977e8de882e5077ce84754d3d4904fdc1bb43ca71d1041f6958d1f47193747c

Download Submit
C:\Windows\{7946E6A6-1A79-448c-ADC3-11AE12A2F37C}.exe

Filesize
168KB

MD5
71741c1afb5f67bba55d0e9317d728db

SHA1
14010fd2b1249a1d6f40de75c20775e094730051

SHA256
c7ba03fba35d55e2c7ad98428042171a71e275c4de6d838c890a0716b4d72182

SHA512
16b75f78193b4c50dd208bf395df286d8d22d342ddef466749ef65a8fc630a3c5412751554db0643efeb51e0b9a05f1f5b103e8235c7661c787f5881db9e806b

Download Submit
C:\Windows\{94588730-FE11-402f-B1DC-347BC4C6EB9C}.exe

Filesize
168KB

MD5
b1975b00abd8b547781814ddb00ee72e

SHA1
63ad738afaa8bbb0e478f3131441927d1e3c3299

SHA256
252b34742b7b172c14481e198fd4332d9780ba0ffff9475770ef9645093a8caa

SHA512
38693659c85353ea82e5824aebc155cd175d284a1f97e26c381cc61a7a5de17e9c3e9be5ae6d0d06dac6886a41c8be7e67f58bf851f342d91a4be553ea09667c

Download Submit
C:\Windows\{B34360E0-FF69-4bfa-BB73-DC62430275E2}.exe

Filesize
168KB

MD5
d331ed9ca72eaa3bba0d24d4de842736

SHA1
49838f54793b75865474ff5ea3c1d6048cb20129

SHA256
1d03f3d937b3cef85a6ce933b01a1058cb3c28dab1e75e45020748c0fbc3e2e5

SHA512
2fc4840cc894ab1662b5d29243dc1ee5a7c0434494c7624f92db3642de46874bf4d02bb4581c5dc346a2b8e650a0b4373666609980f911b206c13ddf630b801e

Download Submit
C:\Windows\{B37F709D-9F9F-4ed3-8FC6-158237AC72CD}.exe

Filesize
168KB

MD5
6bd9406740c913820948c3387536e27d

SHA1
a85c5a1452ff20f4c350b8fb5e37bed5a973435d

SHA256
778002e3e0e66ee2c7c9d0dc4ed0ae06d0df44efb20da76bd986a298049b5c6c

SHA512
73d20fde93efe0d6e953b68c8d90d380ddf3b620e8f183968c2c07226d144048a5e347ffd41f6e4535114c1c2dfb40e92f124374c42f404c5f493ede9f4aeaf0

Download Submit
C:\Windows\{C0B9D351-0C60-4983-B27F-3DE502BEEF53}.exe

Filesize
168KB

MD5
99144b2073c978880423ef6491aba7cc

SHA1
df426b5ead43d8bbf0d7c9fee820d3bb82a8e7ee

SHA256
37388d6421f8022eda553b68af55043b4e80cd4ec5615da88f59c12991a1f4d7

SHA512
9f15ee3add9791d9e7a935978897fb107636afb2940c71f6ba6a107e898a0289fe4bb4da0dea778624941802b8a621a0034fd2cf7181f0a8e77444dd3e6d427b

Download Submit
C:\Windows\{DA54ECBD-8728-4192-9571-69A1E4B4A05A}.exe

Filesize
168KB

MD5
ac1d32bfffd3fb623474424c9cc6f716

SHA1
2596d9a792a0ee123c203f60811b024423544ebb

SHA256
c032975f2b7a8e2d0afe64bdad7ff30f0d77fcd96ea51543c2a13b5f6835d8aa

SHA512
d35529e20c8bb6c8f6baff1b221f2b5a8cc16256c101fa374810b8b3434856475549d07e650f726a1d8fd9d3ad1162ed9ed6ab08758cafc877d6b3586a9e2511

Download Submit
C:\Windows\{EB112466-8B19-40d1-8D21-9FD9CD5A114C}.exe

Filesize
168KB

MD5
a7943c07728ac2dc51867dd9333963bf

SHA1
ed387dbc3d44d7642870e176e036ca8cfa9b7b76

SHA256
1424ae7b8e561b4eafb251434cf0c233c01c4b396fd23ba50309166d68f3f35c

SHA512
de1f13140125c70380a7cc3eee887d7cc52b31146ab7f218fa1bb205452cbff077d1cc49cfd1eb4ee6a88de946a3e73e239483d87ede4c641eadf6726f29a298

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads