09f903114dc0bd1ad8ce5c54fbc089e187cb0820a9746b58b2b9a81cfe7b9da0

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
Size

168KB
MD5

997b69bd4741f3499228a182f1c496bc
SHA1

cb00a3caf0d7fdec7ca8324ffa0af43be96898d3
SHA256

09f903114dc0bd1ad8ce5c54fbc089e187cb0820a9746b58b2b9a81cfe7b9da0
SHA512

d1154249f0b13cbba64618ee6fefa7a6cf699f0e417890e0ecf1a7f9f7aee86f6ce03f72fe52ceff350fbceb36f97a53bc9f89c4fc0673beb7c5bb2b43829d99
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023362-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233af-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023362-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233af-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023362-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233af-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023362-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233af-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023362-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233af-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023362-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233af-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B75F4-29F0-4425-A223-E97027DF155A}	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{709F0F57-23A7-4192-8284-A022C96E893E}	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{709F0F57-23A7-4192-8284-A022C96E893E}\stubpath = "C:\\Windows\\{709F0F57-23A7-4192-8284-A022C96E893E}.exe"	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18159541-C062-4623-88C1-C0627AE5DF80}	{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E54B75F4-29F0-4425-A223-E97027DF155A}\stubpath = "C:\\Windows\\{E54B75F4-29F0-4425-A223-E97027DF155A}.exe"	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23C39E12-FB82-4123-88BB-F4F2302FB480}	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE01FF8-0C18-4662-A693-A5969FEEA667}\stubpath = "C:\\Windows\\{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe"	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}\stubpath = "C:\\Windows\\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe"	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23C39E12-FB82-4123-88BB-F4F2302FB480}\stubpath = "C:\\Windows\\{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe"	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{048E0011-285E-4775-B585-8E986C32EED9}\stubpath = "C:\\Windows\\{048E0011-285E-4775-B585-8E986C32EED9}.exe"	{709F0F57-23A7-4192-8284-A022C96E893E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}	{048E0011-285E-4775-B585-8E986C32EED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}\stubpath = "C:\\Windows\\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe"	{048E0011-285E-4775-B585-8E986C32EED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6C550F-4B01-4bca-AB56-B6123D960F47}	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}\stubpath = "C:\\Windows\\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe"	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE01FF8-0C18-4662-A693-A5969FEEA667}	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18159541-C062-4623-88C1-C0627AE5DF80}\stubpath = "C:\\Windows\\{18159541-C062-4623-88C1-C0627AE5DF80}.exe"	{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{048E0011-285E-4775-B585-8E986C32EED9}	{709F0F57-23A7-4192-8284-A022C96E893E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6C550F-4B01-4bca-AB56-B6123D960F47}\stubpath = "C:\\Windows\\{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe"	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}\stubpath = "C:\\Windows\\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe"	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}\stubpath = "C:\\Windows\\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe"	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe

Executes dropped EXE 12 IoCs

pid	Process
4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe
2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe
4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
3520	{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
1832	{18159541-C062-4623-88C1-C0627AE5DF80}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
File created	C:\Windows\{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
File created	C:\Windows\{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
File created	C:\Windows\{048E0011-285E-4775-B585-8E986C32EED9}.exe	{709F0F57-23A7-4192-8284-A022C96E893E}.exe
File created	C:\Windows\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	{048E0011-285E-4775-B585-8E986C32EED9}.exe
File created	C:\Windows\{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
File created	C:\Windows\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
File created	C:\Windows\{18159541-C062-4623-88C1-C0627AE5DF80}.exe	{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
File created	C:\Windows\{709F0F57-23A7-4192-8284-A022C96E893E}.exe	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
File created	C:\Windows\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
File created	C:\Windows\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
File created	C:\Windows\{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
Token: SeIncBasePriorityPrivilege	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
Token: SeIncBasePriorityPrivilege	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
Token: SeIncBasePriorityPrivilege	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe
Token: SeIncBasePriorityPrivilege	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe
Token: SeIncBasePriorityPrivilege	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
Token: SeIncBasePriorityPrivilege	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
Token: SeIncBasePriorityPrivilege	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
Token: SeIncBasePriorityPrivilege	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
Token: SeIncBasePriorityPrivilege	4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
Token: SeIncBasePriorityPrivilege	3520	{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4828	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	84
PID 3908 wrote to memory of 4828	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	84
PID 3908 wrote to memory of 4828	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	84
PID 3908 wrote to memory of 3712	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	85
PID 3908 wrote to memory of 3712	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	85
PID 3908 wrote to memory of 3712	3908	2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe	85
PID 4828 wrote to memory of 2036	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	86
PID 4828 wrote to memory of 2036	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	86
PID 4828 wrote to memory of 2036	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	86
PID 4828 wrote to memory of 4728	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	87
PID 4828 wrote to memory of 4728	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	87
PID 4828 wrote to memory of 4728	4828	{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe	87
PID 2036 wrote to memory of 4124	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	88
PID 2036 wrote to memory of 4124	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	88
PID 2036 wrote to memory of 4124	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	88
PID 2036 wrote to memory of 1476	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	89
PID 2036 wrote to memory of 1476	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	89
PID 2036 wrote to memory of 1476	2036	{E54B75F4-29F0-4425-A223-E97027DF155A}.exe	89
PID 4124 wrote to memory of 1540	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	90
PID 4124 wrote to memory of 1540	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	90
PID 4124 wrote to memory of 1540	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	90
PID 4124 wrote to memory of 4000	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	91
PID 4124 wrote to memory of 4000	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	91
PID 4124 wrote to memory of 4000	4124	{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe	91
PID 1540 wrote to memory of 2424	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	92
PID 1540 wrote to memory of 2424	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	92
PID 1540 wrote to memory of 2424	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	92
PID 1540 wrote to memory of 4604	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	93
PID 1540 wrote to memory of 4604	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	93
PID 1540 wrote to memory of 4604	1540	{709F0F57-23A7-4192-8284-A022C96E893E}.exe	93
PID 2424 wrote to memory of 4048	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	94
PID 2424 wrote to memory of 4048	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	94
PID 2424 wrote to memory of 4048	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	94
PID 2424 wrote to memory of 1144	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	95
PID 2424 wrote to memory of 1144	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	95
PID 2424 wrote to memory of 1144	2424	{048E0011-285E-4775-B585-8E986C32EED9}.exe	95
PID 4048 wrote to memory of 4236	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	96
PID 4048 wrote to memory of 4236	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	96
PID 4048 wrote to memory of 4236	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	96
PID 4048 wrote to memory of 1284	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	97
PID 4048 wrote to memory of 1284	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	97
PID 4048 wrote to memory of 1284	4048	{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe	97
PID 4236 wrote to memory of 3180	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	98
PID 4236 wrote to memory of 3180	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	98
PID 4236 wrote to memory of 3180	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	98
PID 4236 wrote to memory of 4720	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	99
PID 4236 wrote to memory of 4720	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	99
PID 4236 wrote to memory of 4720	4236	{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe	99
PID 3180 wrote to memory of 2076	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	100
PID 3180 wrote to memory of 2076	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	100
PID 3180 wrote to memory of 2076	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	100
PID 3180 wrote to memory of 4400	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	101
PID 3180 wrote to memory of 4400	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	101
PID 3180 wrote to memory of 4400	3180	{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe	101
PID 2076 wrote to memory of 4296	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	102
PID 2076 wrote to memory of 4296	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	102
PID 2076 wrote to memory of 4296	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	102
PID 2076 wrote to memory of 3456	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	103
PID 2076 wrote to memory of 3456	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	103
PID 2076 wrote to memory of 3456	2076	{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe	103
PID 4296 wrote to memory of 3520	4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe	104
PID 4296 wrote to memory of 3520	4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe	104
PID 4296 wrote to memory of 3520	4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe	104
PID 4296 wrote to memory of 4480	4296	{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_997b69bd4741f3499228a182f1c496bc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
  C:\Windows\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
    C:\Windows\{E54B75F4-29F0-4425-A223-E97027DF155A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
      C:\Windows\{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\{709F0F57-23A7-4192-8284-A022C96E893E}.exe
        
        C:\Windows\{709F0F57-23A7-4192-8284-A022C96E893E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{048E0011-285E-4775-B585-8E986C32EED9}.exe
        
        C:\Windows\{048E0011-285E-4775-B585-8E986C32EED9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
        
        C:\Windows\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
        
        C:\Windows\{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
        
        C:\Windows\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
        
        C:\Windows\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
        
        C:\Windows\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
        
        C:\Windows\{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\{18159541-C062-4623-88C1-C0627AE5DF80}.exe
        
        C:\Windows\{18159541-C062-4623-88C1-C0627AE5DF80}.exe
        13⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCE01~1.EXE > nul
        13⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{919AC~1.EXE > nul
        12⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B393~1.EXE > nul
        11⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD13~1.EXE > nul
        10⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE6C5~1.EXE > nul
        9⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BFC7~1.EXE > nul
        8⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{048E0~1.EXE > nul
        7⤵
        
        PID:1144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{709F0~1.EXE > nul
        6⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23C39~1.EXE > nul
        5⤵
        
        PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E54B7~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF8C~1.EXE > nul
    3⤵
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{048E0011-285E-4775-B585-8E986C32EED9}.exe

Filesize
168KB

MD5
089e1d9a16ebaac4d89f7f56fe9adc82

SHA1
4e87221416dfe9791b5549f03fda1228fef22d54

SHA256
a68fbf7ba8b51ffbd813a78f7e980b0682b25279ee1cafa388b995b7bc317f23

SHA512
dd38ee5f18c74b5a583516c6b20645026dacd6b1f59ae58c869ae0a730c11b27953cf67a39318ceffa5c92615bb24a8e7f63a20415da99e3e6407ac74c25cda7

Download Submit
C:\Windows\{18159541-C062-4623-88C1-C0627AE5DF80}.exe

Filesize
168KB

MD5
3bec722980c63636deb760649b6bf04e

SHA1
62dde9ddb83b6ad2d197e6d6aebb8e3640e9d545

SHA256
724b40ca0de4d39c451faf790d415ba133974bce9998e0de97f648324aac424c

SHA512
cae321c6c486250750d857dd377bd42eda57afc1fbec7ba1ad30d7b549333bb8c9589dacbd873905d8fa52ea02d11623c16e7614f28cb8b65acf70355cd3c8d2

Download Submit
C:\Windows\{23C39E12-FB82-4123-88BB-F4F2302FB480}.exe

Filesize
168KB

MD5
9b3e5c13f4008d392dfc3562f0bb1681

SHA1
b72cf79d22c9a4592690f3e3683441593fa7d771

SHA256
2c565abd5341d8cb348e819692683893b5bcff181e8c67e08053069eb331f73c

SHA512
c5a3455bdb97cfb31c3b0ba5d43a08b249ac218401c2c6ce7e6030545341e582323b5f19c8b7e35d9b7089b33bf1a956c31a06433e7c2d7473fead6044c63333

Download Submit
C:\Windows\{2BFC7B5E-38BD-44a8-BD2F-66168F2E8EB2}.exe

Filesize
168KB

MD5
182daa79955ece8fde2af67c8a9e15b6

SHA1
022bc3175ae4651a50df7712a02418eca971894a

SHA256
1b2d4f21e4e4365b1a0912b886fb5f91d4a8a56726e6737568a4b23092f8f5a5

SHA512
c028980eab6b063dcd8191da8853759bf205506a5eeadd7844b917a57c428440cd0dcf91f518a113f252caa569d5218ab40b634fba637a77bcf3662418a0c204

Download Submit
C:\Windows\{2DD13B1D-4068-4d46-A958-26B791DA2F0C}.exe

Filesize
168KB

MD5
4169245b8611e31b407a674065a06be7

SHA1
683993578f13a4f33447c7a577d9defe0a8b7fab

SHA256
1497ddafbcc12bcdbd5435156ef678d5b9bd29b9a0c8d894614473c2bf1bcfc9

SHA512
8c6332312e16df9cd868136931e1f1fe2beca02b0a68e925073e2e6b2471afa31704820abae9d06fb69449592ff22aef56d260b24835fd8d85245b8eb310c6b0

Download Submit
C:\Windows\{5FF8CB0C-77F7-46ba-B400-E3912F57D4DE}.exe

Filesize
168KB

MD5
671d7677b1f31c7d41329e6cf0f83643

SHA1
0662c5cf363a7499514d98ca81146b4fb64941d6

SHA256
1c30b556daf3527cb5153c0956e27dedf3911f91794b69123f93a0ed2527cb1f

SHA512
3f61b3e8f5327a3181787f89ef8deb8cf388ff54dd6e75873e58fefd9d433332ed636d679dde7ac6d3eecd60bd650aed4b2a4267fbd129b157842591b54c3af7

Download Submit
C:\Windows\{709F0F57-23A7-4192-8284-A022C96E893E}.exe

Filesize
168KB

MD5
f8610cd3bfc61c99c9d2a27ca18ba636

SHA1
91d4984e4e9141e7763b6ee3e780c0d064228a50

SHA256
965bf29fbaa91a8f924c6e3f309db2c9e13ed23d4ae0bd1caf7fa196ea74b7f2

SHA512
0ec60cb5dc9edb424c146459d5b0816d9bdcebc3570ef6d692a6cdc46358de502f05c77c3b0bb0fea30be4a157a8867a992dab03ebd742c49e2305349ccc4185

Download Submit
C:\Windows\{8B393E01-6EDB-4d77-87C7-F87120F6E6EB}.exe

Filesize
168KB

MD5
b9b42d53e8541f0a9415294f912d310c

SHA1
361e787c71835a7aeaccdfc24489a1457e677520

SHA256
d1019417c6ffb911eb33abaabd8665bd1a14b440bc0c26439675fce44cf1768c

SHA512
fd2346f654a1a1c57113cd66b696cf8fc353cdaffc90387d6182bf50914aaedb5dca7392a081042f75d86d763ca88ac1bffb688e9c06f5575be86c9edb8a6d59

Download Submit
C:\Windows\{919ACE82-134D-4ef9-831E-EC6B3E6B8758}.exe

Filesize
168KB

MD5
6a6470998b998729c2e7d0fb091c3198

SHA1
f0ed9df980d717dea06a22da71faf724d0b7bf30

SHA256
76a6bb48238bf178fba4fc42fb9d767b90bb5fda331452b5a56001b862719173

SHA512
f575279c1bac7cb1b053ba1231813aa382dc4b24f10367d0a5b13f29fac771cdef0dfa06b4823c86a0cc5a69e8569bda65d49226216d8bf0e4d1a72f03210d53

Download Submit
C:\Windows\{CCE01FF8-0C18-4662-A693-A5969FEEA667}.exe

Filesize
168KB

MD5
e97a6bf0f1cced1232d4f509433d0ff6

SHA1
411c4a843f9bea3d275bc1092bb49a45e70166dd

SHA256
35797d53990704f25027f9a1f7c40cc05a0eaffdd3dcc13e242bc8822f9a26b3

SHA512
9c1e521baed1a0b6e49d5ca3b07c2c9318717f5db2a6f91f0b3ddbe03ddf2b3c486fe0a284038c58a6c7c1216f8d83ff737de93c3b83078b1c8d0ffd9da38a5c

Download Submit
C:\Windows\{E54B75F4-29F0-4425-A223-E97027DF155A}.exe

Filesize
168KB

MD5
b22d816f8c5d1b724cf281ee59fc11cf

SHA1
fbfcf6a5f826b0f21ce0f5422e82eb75493ddca1

SHA256
6c8a722d25c48939c2409bc551aac37e66435d9befedee2a85d9e15d96e9e541

SHA512
313c72e852b966a601f991284dcbfef63a445e218b8d05a43facfbf6001c884e79995825d0bf6d0605d81ec9b9ce7bbdc9169e0fc837f5f9f2750c3c2609fb4c

Download Submit
C:\Windows\{FE6C550F-4B01-4bca-AB56-B6123D960F47}.exe

Filesize
168KB

MD5
f1f262b3e75032dadeec1a9c65e705f0

SHA1
4888e7fc2ab394e2e90479ad1c391cc659607dcd

SHA256
0d1f5627f776b2c4d147b2ecbdc6641a7a90fa6514f46d99e8beef73b032b16f

SHA512
9f604ca5972895c66dbf763d531715605208281cd3444d535ec7a82ee41a091f34cd076d74ec7d502bc2f400400f8d113c1f443841f27f4dac2e3229b225a8ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads