e84b04c013bf0e2b75cd1c0474a7605c5d16e706dff11a4d4b7bb5b478fb09ac

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
Size

197KB
MD5

3b40c3c465d01f8ff5d2c11cece73a24
SHA1

64453721d4908ba7b89fa83a43c19fdc33a464d9
SHA256

e84b04c013bf0e2b75cd1c0474a7605c5d16e706dff11a4d4b7bb5b478fb09ac
SHA512

a63164b28094daa2778a27b9193cd34e2fcac58646b3cda1a053537c9a6bc2df0a504b7ffb7f41e7410f462172a8b89bd888b28377c911b9a54fb266162d185a
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGnlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4D04D6-01D4-4b22-862D-DD133621848B}	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4D04D6-01D4-4b22-862D-DD133621848B}\stubpath = "C:\\Windows\\{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe"	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB76B793-E250-42b1-884B-E2B9BE4321EF}	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4319ED-D826-4937-A0E0-4F3867A14796}	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A4319ED-D826-4937-A0E0-4F3867A14796}\stubpath = "C:\\Windows\\{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe"	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}\stubpath = "C:\\Windows\\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe"	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B03DB0-1D18-4edd-B853-A71CE86832C7}	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B03DB0-1D18-4edd-B853-A71CE86832C7}\stubpath = "C:\\Windows\\{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe"	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}\stubpath = "C:\\Windows\\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe"	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838E1156-9240-4425-BA47-5E24A812DFEF}\stubpath = "C:\\Windows\\{838E1156-9240-4425-BA47-5E24A812DFEF}.exe"	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D77C31B-4416-4197-8863-197114E665A4}\stubpath = "C:\\Windows\\{1D77C31B-4416-4197-8863-197114E665A4}.exe"	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}\stubpath = "C:\\Windows\\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe"	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}\stubpath = "C:\\Windows\\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe"	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB76B793-E250-42b1-884B-E2B9BE4321EF}\stubpath = "C:\\Windows\\{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe"	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}\stubpath = "C:\\Windows\\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe"	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}\stubpath = "C:\\Windows\\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe"	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838E1156-9240-4425-BA47-5E24A812DFEF}	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D77C31B-4416-4197-8863-197114E665A4}	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
1176	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
3220	{1D77C31B-4416-4197-8863-197114E665A4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
File created	C:\Windows\{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
File created	C:\Windows\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
File created	C:\Windows\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
File created	C:\Windows\{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
File created	C:\Windows\{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
File created	C:\Windows\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
File created	C:\Windows\{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
File created	C:\Windows\{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
File created	C:\Windows\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
File created	C:\Windows\{1D77C31B-4416-4197-8863-197114E665A4}.exe	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
File created	C:\Windows\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D77C31B-4416-4197-8863-197114E665A4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
Token: SeIncBasePriorityPrivilege	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
Token: SeIncBasePriorityPrivilege	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
Token: SeIncBasePriorityPrivilege	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
Token: SeIncBasePriorityPrivilege	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
Token: SeIncBasePriorityPrivilege	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
Token: SeIncBasePriorityPrivilege	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
Token: SeIncBasePriorityPrivilege	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
Token: SeIncBasePriorityPrivilege	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
Token: SeIncBasePriorityPrivilege	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
Token: SeIncBasePriorityPrivilege	1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
Token: SeIncBasePriorityPrivilege	1176	{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 2724	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	93
PID 4920 wrote to memory of 2724	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	93
PID 4920 wrote to memory of 2724	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	93
PID 4920 wrote to memory of 2696	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	94
PID 4920 wrote to memory of 2696	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	94
PID 4920 wrote to memory of 2696	4920	202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe	94
PID 2724 wrote to memory of 4404	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	95
PID 2724 wrote to memory of 4404	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	95
PID 2724 wrote to memory of 4404	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	95
PID 2724 wrote to memory of 1396	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	96
PID 2724 wrote to memory of 1396	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	96
PID 2724 wrote to memory of 1396	2724	{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe	96
PID 4404 wrote to memory of 4320	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	99
PID 4404 wrote to memory of 4320	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	99
PID 4404 wrote to memory of 4320	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	99
PID 4404 wrote to memory of 2492	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	100
PID 4404 wrote to memory of 2492	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	100
PID 4404 wrote to memory of 2492	4404	{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe	100
PID 4320 wrote to memory of 632	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	101
PID 4320 wrote to memory of 632	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	101
PID 4320 wrote to memory of 632	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	101
PID 4320 wrote to memory of 2268	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	102
PID 4320 wrote to memory of 2268	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	102
PID 4320 wrote to memory of 2268	4320	{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe	102
PID 632 wrote to memory of 1928	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	103
PID 632 wrote to memory of 1928	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	103
PID 632 wrote to memory of 1928	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	103
PID 632 wrote to memory of 2608	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	104
PID 632 wrote to memory of 2608	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	104
PID 632 wrote to memory of 2608	632	{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe	104
PID 1928 wrote to memory of 2264	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	105
PID 1928 wrote to memory of 2264	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	105
PID 1928 wrote to memory of 2264	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	105
PID 1928 wrote to memory of 1300	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	106
PID 1928 wrote to memory of 1300	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	106
PID 1928 wrote to memory of 1300	1928	{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe	106
PID 2264 wrote to memory of 1544	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	107
PID 2264 wrote to memory of 1544	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	107
PID 2264 wrote to memory of 1544	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	107
PID 2264 wrote to memory of 4308	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	108
PID 2264 wrote to memory of 4308	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	108
PID 2264 wrote to memory of 4308	2264	{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe	108
PID 1544 wrote to memory of 4984	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	109
PID 1544 wrote to memory of 4984	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	109
PID 1544 wrote to memory of 4984	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	109
PID 1544 wrote to memory of 3088	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	110
PID 1544 wrote to memory of 3088	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	110
PID 1544 wrote to memory of 3088	1544	{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe	110
PID 4984 wrote to memory of 4844	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	111
PID 4984 wrote to memory of 4844	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	111
PID 4984 wrote to memory of 4844	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	111
PID 4984 wrote to memory of 2528	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	112
PID 4984 wrote to memory of 2528	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	112
PID 4984 wrote to memory of 2528	4984	{838E1156-9240-4425-BA47-5E24A812DFEF}.exe	112
PID 4844 wrote to memory of 1256	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	113
PID 4844 wrote to memory of 1256	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	113
PID 4844 wrote to memory of 1256	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	113
PID 4844 wrote to memory of 1668	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	114
PID 4844 wrote to memory of 1668	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	114
PID 4844 wrote to memory of 1668	4844	{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe	114
PID 1256 wrote to memory of 1176	1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe	115
PID 1256 wrote to memory of 1176	1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe	115
PID 1256 wrote to memory of 1176	1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe	115
PID 1256 wrote to memory of 4936	1256	{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe	116

C:\Users\Admin\AppData\Local\Temp\202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202409063b40c3c465d01f8ff5d2c11cece73a24goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
  C:\Windows\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
    C:\Windows\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
      C:\Windows\{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
        
        C:\Windows\{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
        
        C:\Windows\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
        
        C:\Windows\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
        
        C:\Windows\{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
        
        C:\Windows\{838E1156-9240-4425-BA47-5E24A812DFEF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
        
        C:\Windows\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
        
        C:\Windows\{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
        
        C:\Windows\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\{1D77C31B-4416-4197-8863-197114E665A4}.exe
        
        C:\Windows\{1D77C31B-4416-4197-8863-197114E665A4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAEFD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35B03~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6707D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{838E1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A431~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F1A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C5F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB76B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A4D0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF56~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A94CF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D77C31B-4416-4197-8863-197114E665A4}.exe

Filesize
197KB

MD5
afe9038ce5bd3b2646a32c94fa1a94cc

SHA1
4645dbd5f0214a366bf4fb1a79c3413ebf361717

SHA256
ac0d8e0fe72ffb99a50bac99018797d7cc5656a15b7737aeae9c96d9c91d8dd6

SHA512
cfd78c6860bc35945c61c79ebb2277291b8b247e76939985c3a455798d75d884c834cd42551e9f536a18479f30021bd41692ed78db635dba82edd1e3dc3c10cd

Download Submit
C:\Windows\{35B03DB0-1D18-4edd-B853-A71CE86832C7}.exe

Filesize
197KB

MD5
6ea005b116b0562ebf71d8925d7413ac

SHA1
01cf06a99f554cd80b9baa0f943f4c00d83e7831

SHA256
73fce884d373fee8aef734db72e7cb6be90554ff002034d274ffbae9105ab473

SHA512
0b0735067653bc0332af9bf98723e5077a61d5a41d271860dfd6c830df86632d81f0857c88779d2f69b1d62414a624d394b65a0ab2482cb9e9896fe74c1f5b0c

Download Submit
C:\Windows\{3AF566D5-C5A2-470d-ACEB-78A9BF199784}.exe

Filesize
197KB

MD5
2a26300474d2653270636f2830877ccb

SHA1
86d31b2132138074204fa10271223157fdae46d0

SHA256
ed6a235c9320d3a0b48db18caadec7d88b66c57571b6648e2f557597bc0d96e5

SHA512
01f090fed89e0e0356800f6cce89d4ba36b4a1c4885944b18d5e14dedb6b6c23e76e68425a36070b4570a531ea09d7c2e86bf78259e9c198e9e56cfa9dc9fd23

Download Submit
C:\Windows\{4A4D04D6-01D4-4b22-862D-DD133621848B}.exe

Filesize
197KB

MD5
f83a3329fe3ae1bae0c5dd5a6795ed9e

SHA1
e5095ec593e1330c77087fe0160a85d885773a09

SHA256
bff1f5918c46aa4c07890a3a64f6dcf5a686be4f259fe57d9d41fa4be3c63926

SHA512
4f1dd603a2983174062fe8835360a51ddc72b0fee20ae2395a631f7a66422ac4410bff2493ccd2261ad62755b37222f94174522862d9a85954f4259929356a5c

Download Submit
C:\Windows\{6707D65B-D6ED-44af-ABCF-4222A4AE2482}.exe

Filesize
197KB

MD5
b71d82b259f338d383a404a904525049

SHA1
ad3847ac277ffaf87964e445ced8ead1a7b55d31

SHA256
5382254ec0d34b5218386bc1e863c2eaa71ac7568875f6d4e582629e92c6836e

SHA512
07c393995cee6bab5417d6435d2897060638b9d211f1e84e78fb4e0aadb39890045933124c91960fdaa301c89274b813e49793b5956aa47c11474c4d783e7ceb

Download Submit
C:\Windows\{6A4319ED-D826-4937-A0E0-4F3867A14796}.exe

Filesize
197KB

MD5
2eddaee77fe53016a9e4a9d7b5c05727

SHA1
eec0bc7a7527a405f989a2994d0990eb05be011b

SHA256
77a24aadcde36cc1efe157b9b8541af47fa2857f99651f18c3450194a0717a75

SHA512
2f9d36fb9849e5082eb44ee0b414fac52c929c9aef9193a42e3b59cb26a07b1d3a5fc41ecd41d08c8f847cfbbfb7c150bdc7917da85163f50df62085ef9fc3be

Download Submit
C:\Windows\{838E1156-9240-4425-BA47-5E24A812DFEF}.exe

Filesize
197KB

MD5
5830112fa5288d3af853a6e86b33d788

SHA1
b0ea1ce03e228e74298e7cc5261bfa5457eb626c

SHA256
49c580f40a87ac0a07a426da9d009b2045d033b3a7321df432815f20d0980dd6

SHA512
f73b303ccd6f6efffbc0c992ae3c501220c10c81ac852d5f2db76e50484bdef56e9b203ac8871e126d4f8c56c6f39b572572a2c91522f4263c7f03455a7edbc6

Download Submit
C:\Windows\{A0F1A3CD-C789-4767-A410-D15EBEFA9E7B}.exe

Filesize
197KB

MD5
4fc1844f08728710d661db12f44c5967

SHA1
1b5f925d212f7978762451db907943957c0184b9

SHA256
bf2938fe810d8ee90c747a35da06304e494f8ff6951f33d323217b5bc45a65a6

SHA512
030f7eacfd2a8952c021bbba8b9c99aef1eba730e39e908464f8a12b230ae28c94a18cf2e1c05f56d9a1fba97f0ae7cac584615c23295a520b61fc9c5d7aa1a7

Download Submit
C:\Windows\{A94CFA0D-08E2-4a5c-B9D4-4AAA2E9A0048}.exe

Filesize
197KB

MD5
b2ff4ea130d464dc742374a626145d7a

SHA1
4d02d72fadc9953c94913c890aef484c53f97a27

SHA256
b5ddb70049b69e4e94a8295395981fbce91bec24f320d61f17e3769f831dbfb6

SHA512
f2265dddf8740505b7ae10b3b990b58c06f41d6db5b84a0d8bd73dd376bfb421b7e9e09d4090f3f98ed7b2cf348f5edcf6a5af73034221dd032f15fe7140f858

Download Submit
C:\Windows\{DAEFDB7B-E80C-4529-AA57-F958A76FA337}.exe

Filesize
197KB

MD5
22f61a4dda0a30bce6c43d2da1bdd7fd

SHA1
9d34603306930eafcf38cdd3a4138088838e91be

SHA256
2dadc0d2f3d90fc5404b13afefdd1321e5ff048d0a0fdca58f9dc57d5eced060

SHA512
5fe34e0b5b1a05cfeff01b9a9cdaddb2c6bd33437ea217da1d4b5553a57181f909b7e26088617168324ce5cb7a695ce121712501322c49cac9fe1ef370bb7543

Download Submit
C:\Windows\{E9C5F1B0-5C59-4a00-9112-F9C6F05D593B}.exe

Filesize
197KB

MD5
8d526cc75ed0f5200eaa98e501380820

SHA1
7161c89e2520e062c072cd8a1830718d71bc133a

SHA256
c8936e8690f4f4f9ef306223f97e60bfd59f7475020f3f3585a54d15d21f7b02

SHA512
3da20418bc24b529862085487ef73bbdfd1103b652b753e152a5e94d0458b16727c36f914121e3ab619dd29ce8fdba3ae2160b52d4a6daf701415b8810f8a8c2

Download Submit
C:\Windows\{FB76B793-E250-42b1-884B-E2B9BE4321EF}.exe

Filesize
197KB

MD5
1c84ac27a94e21d555ec7e9040a0edf8

SHA1
e4c11d4fb588cbf856fb6147dee477c399fdfa16

SHA256
eb35e941738eed018a6039868bf1b140c24b9be7112ea9def0c82ae9d0caea61

SHA512
792505b592fc28480c6619a693032f63e0c5b9ba26f52a1e45a4eb5822b309809b8b6d81ace4ba7a82a77125d47800686b2bfe6ccd4e128411e848c126be343f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads