b9125ce6a26cf789339e26872ff6d63ff2108d81dd3172d81190070afe1a53bc

Analysis

max time kernel
149s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
Size

344KB
MD5

692eb2216fae43dcd755d3a5be625e7a
SHA1

bd26f7ef9ba93fda37eb7cf2c9c9aa96d62af055
SHA256

b9125ce6a26cf789339e26872ff6d63ff2108d81dd3172d81190070afe1a53bc
SHA512

0b853e9447398fe0bb355cba9d1916d6f5703eb8316b7524a6f8a12ac4dcf0ecba3311d170e2ddad8c66a0baff420d40984684a47c58af8ffce8d37865aaa48e
SSDEEP

3072:mEGh0oBlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG3lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6806353-427A-4bc9-AF6C-FE7347B84E93}	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6806353-427A-4bc9-AF6C-FE7347B84E93}\stubpath = "C:\\Windows\\{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe"	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}\stubpath = "C:\\Windows\\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe"	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA08805F-4375-4436-8EA5-0571F7FF8737}	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}\stubpath = "C:\\Windows\\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe"	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA56547-EC77-496d-8C28-9DF202DD7162}\stubpath = "C:\\Windows\\{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe"	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F92077-2C84-4fca-95FA-B4EF12733C62}	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}\stubpath = "C:\\Windows\\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe"	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}\stubpath = "C:\\Windows\\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe"	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}\stubpath = "C:\\Windows\\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe"	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA56547-EC77-496d-8C28-9DF202DD7162}	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28F92077-2C84-4fca-95FA-B4EF12733C62}\stubpath = "C:\\Windows\\{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe"	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}\stubpath = "C:\\Windows\\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe"	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}\stubpath = "C:\\Windows\\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe"	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA08805F-4375-4436-8EA5-0571F7FF8737}\stubpath = "C:\\Windows\\{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe"	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}\stubpath = "C:\\Windows\\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe"	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe

Executes dropped EXE 12 IoCs

pid	Process
1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
3156	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
1384	{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
File created	C:\Windows\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
File created	C:\Windows\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
File created	C:\Windows\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
File created	C:\Windows\{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
File created	C:\Windows\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
File created	C:\Windows\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
File created	C:\Windows\{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
File created	C:\Windows\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
File created	C:\Windows\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
File created	C:\Windows\{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
File created	C:\Windows\{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
Token: SeIncBasePriorityPrivilege	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
Token: SeIncBasePriorityPrivilege	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
Token: SeIncBasePriorityPrivilege	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
Token: SeIncBasePriorityPrivilege	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
Token: SeIncBasePriorityPrivilege	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
Token: SeIncBasePriorityPrivilege	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
Token: SeIncBasePriorityPrivilege	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
Token: SeIncBasePriorityPrivilege	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
Token: SeIncBasePriorityPrivilege	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
Token: SeIncBasePriorityPrivilege	2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
Token: SeIncBasePriorityPrivilege	3156	{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1912	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	94
PID 2356 wrote to memory of 1912	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	94
PID 2356 wrote to memory of 1912	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	94
PID 2356 wrote to memory of 2156	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	95
PID 2356 wrote to memory of 2156	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	95
PID 2356 wrote to memory of 2156	2356	20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe	95
PID 1912 wrote to memory of 3252	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	96
PID 1912 wrote to memory of 3252	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	96
PID 1912 wrote to memory of 3252	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	96
PID 1912 wrote to memory of 3696	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	97
PID 1912 wrote to memory of 3696	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	97
PID 1912 wrote to memory of 3696	1912	{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe	97
PID 3252 wrote to memory of 4504	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	100
PID 3252 wrote to memory of 4504	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	100
PID 3252 wrote to memory of 4504	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	100
PID 3252 wrote to memory of 2532	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	101
PID 3252 wrote to memory of 2532	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	101
PID 3252 wrote to memory of 2532	3252	{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe	101
PID 4504 wrote to memory of 2968	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	102
PID 4504 wrote to memory of 2968	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	102
PID 4504 wrote to memory of 2968	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	102
PID 4504 wrote to memory of 1116	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	103
PID 4504 wrote to memory of 1116	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	103
PID 4504 wrote to memory of 1116	4504	{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe	103
PID 2968 wrote to memory of 4868	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	104
PID 2968 wrote to memory of 4868	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	104
PID 2968 wrote to memory of 4868	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	104
PID 2968 wrote to memory of 1308	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	105
PID 2968 wrote to memory of 1308	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	105
PID 2968 wrote to memory of 1308	2968	{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe	105
PID 4868 wrote to memory of 4388	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	106
PID 4868 wrote to memory of 4388	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	106
PID 4868 wrote to memory of 4388	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	106
PID 4868 wrote to memory of 2340	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	107
PID 4868 wrote to memory of 2340	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	107
PID 4868 wrote to memory of 2340	4868	{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe	107
PID 4388 wrote to memory of 2068	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	108
PID 4388 wrote to memory of 2068	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	108
PID 4388 wrote to memory of 2068	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	108
PID 4388 wrote to memory of 4800	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	109
PID 4388 wrote to memory of 4800	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	109
PID 4388 wrote to memory of 4800	4388	{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe	109
PID 2068 wrote to memory of 1472	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	110
PID 2068 wrote to memory of 1472	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	110
PID 2068 wrote to memory of 1472	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	110
PID 2068 wrote to memory of 1792	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	111
PID 2068 wrote to memory of 1792	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	111
PID 2068 wrote to memory of 1792	2068	{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe	111
PID 1472 wrote to memory of 4268	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	112
PID 1472 wrote to memory of 4268	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	112
PID 1472 wrote to memory of 4268	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	112
PID 1472 wrote to memory of 2816	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	113
PID 1472 wrote to memory of 2816	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	113
PID 1472 wrote to memory of 2816	1472	{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe	113
PID 4268 wrote to memory of 2160	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	114
PID 4268 wrote to memory of 2160	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	114
PID 4268 wrote to memory of 2160	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	114
PID 4268 wrote to memory of 2940	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	115
PID 4268 wrote to memory of 2940	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	115
PID 4268 wrote to memory of 2940	4268	{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe	115
PID 2160 wrote to memory of 3156	2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe	116
PID 2160 wrote to memory of 3156	2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe	116
PID 2160 wrote to memory of 3156	2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe	116
PID 2160 wrote to memory of 700	2160	{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe	117

C:\Users\Admin\AppData\Local\Temp\20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240905692eb2216fae43dcd755d3a5be625e7agoldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
  C:\Windows\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
    C:\Windows\{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
      C:\Windows\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
        
        C:\Windows\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
        
        C:\Windows\{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
        
        C:\Windows\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
        
        C:\Windows\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
        
        C:\Windows\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
        
        C:\Windows\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
        
        C:\Windows\{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
        
        C:\Windows\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe
        
        C:\Windows\{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D75B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA56~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6166~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FEBC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D762D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA4F7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA088~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B1A9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC4E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6806~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{89BFE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28F92077-2C84-4fca-95FA-B4EF12733C62}.exe

Filesize
344KB

MD5
918c6d447897ba4d4abbdc9b0a6eb41a

SHA1
023a65849c417af202b5d6eea95bc86431f55efd

SHA256
e7087c2ed7577464e7d7dbaf6e654810d1af37708d95db73346f75a45a972df1

SHA512
613e94bc27c7ccf06d2976503897886d61d3cd4fb031b4fe80496a223c426b88b40cef8bb11dac0d2514fb5d6a8ac1dcda2ed33d0ac12f1c829b6abea10e7cd8

Download Submit
C:\Windows\{2FC4E564-0F9C-481e-BA95-3F10C911DE9A}.exe

Filesize
344KB

MD5
f7429c9f0536c29c47984101ba09bfcb

SHA1
155d800d9a78f85e1e7158059176e49d772c6a36

SHA256
3884dd264adfbef3ec3e1f8d63cc1276aef3834628f9b1d08b54a435b7f1d431

SHA512
9d26c1c33aa675f5db0981a20743ed019548eb7c845022c72ceb3869af8ac8b2b7878171277058311aae4695b73e77de11482f989c9796a38d409de1b93087dd

Download Submit
C:\Windows\{5D75B5B8-963E-433f-BAA4-9BDCB602E7DA}.exe

Filesize
344KB

MD5
1d12c085a5a14efcf04bd9bd483ae329

SHA1
d85281fabee52cdb1fc3b62ba2d19918c03aa173

SHA256
48a12cdc243570d0ad0ce6b3d6941fb87f38898e201f8b187a19b4713be75012

SHA512
12113a469837fc0e3c9273e49bee4a217722551a4a9b0d47f889fb1c945299fd4c61dae66c329cf807d21df41fbbe8a742cacb1d6091c54985ff6b0f54d1f3b3

Download Submit
C:\Windows\{6FEBC103-8AEA-4ae6-861A-69D38C17704F}.exe

Filesize
344KB

MD5
83886a7ad093cbd13995287355794f29

SHA1
3f53b1c18f66a87d023714ae931c7c643f6e9dab

SHA256
ba7adf8758c463cecc880d0d2997c60ad890db50e13cdb6f4db059d18a91be62

SHA512
b596f76f9451e05c7f99792f5464573c16687bf203f18767f295d1b2f57f40989e7f0e01d08489694dbf238fa739100a6fd099557e88bb5a267b872fab39ed32

Download Submit
C:\Windows\{7DA56547-EC77-496d-8C28-9DF202DD7162}.exe

Filesize
344KB

MD5
3c5fd44df9597d3f2dc8d723c3faf153

SHA1
06895535a814c67d91158d8fae23c2413d4bf515

SHA256
880605cc76540e78909dd41dc024f6a9fad7123735b8546c86f68bc4e8c85661

SHA512
cd7786c84151ae93e177f47912d8784df8b6df6f9b60112c2ca41f414cfe300681822f8273c56385800563e47dde6aed69190c8e0365eed1f3ab5cd7c90b87dd

Download Submit
C:\Windows\{89BFE785-D1AC-4f10-B9F4-3F238EDC5ACE}.exe

Filesize
344KB

MD5
6f5aab455b797084a7b12555ed834aac

SHA1
4c629e7857b2d77b7fbbed57bd8e60e9ed72b5bd

SHA256
c056bc20373a695ac4f2b300040dedba98e5be6617deae5c9ac79c34fddf7737

SHA512
4cf1c0c631a7d49354064c2550b5c0aadcc49ee8c65fb0708cdbef39f61551412e9839c70952eb29f6ecc277782af8f1b053167c05709cfd81227031159b2a0c

Download Submit
C:\Windows\{9B1A9AD5-CBFB-4d6a-9AEC-2FF3471CF066}.exe

Filesize
344KB

MD5
594360ec07a3cf783aaa1214dc8f75c5

SHA1
52f9ee5399ada2479444cb055e2d2806beb8a4b0

SHA256
2ac6da4110074f24c50771e71870d112b9ec54bb17bf410b484b80ee790ebfb6

SHA512
0918992e3a65ced890a6e54f696ec4af2c8ba6d8e6f9cfa8082dc32070ad4531cbc7e39acd78d8ef0a9664dfe56258bfc59026feb3927043f4efa669ad59e3ee

Download Submit
C:\Windows\{A6806353-427A-4bc9-AF6C-FE7347B84E93}.exe

Filesize
344KB

MD5
aa8e146fe40f451c3b67b4678bf08076

SHA1
12c93ac6b3d32d562cbcd426b02e7581cacbed92

SHA256
ad3450e5457b11b2e2347a1b61de21c5623868b05648afe45611766dd48e8c9c

SHA512
442d0262563fcda4a935408579865d46a36b485dad8fac6f6cde396deb84af8fbafbe1d3682b379f9f3b1f27f1b94aed2927ab78d7eabe0837668cd1d34e2e3b

Download Submit
C:\Windows\{CA08805F-4375-4436-8EA5-0571F7FF8737}.exe

Filesize
344KB

MD5
49f895d0249e80e6b388da5209b34bf3

SHA1
820804908fc8cc4eba8a851e74a12127167ab7b9

SHA256
2f92591e90e56ab250cd3c9f6e253fd58e1c8c5a2158703b8fcc415706ccd769

SHA512
76b29690332d31c4d06ce5f4be25fdb2a5faa6a2e259de447603aa10eeca6276222ae43209ac9da0534d77e4186d18c701afd567d538019f0a3d4dc65dcdcd5c

Download Submit
C:\Windows\{D61661F8-631C-4e87-91CF-3A1FB82C15B4}.exe

Filesize
344KB

MD5
d0d29e4f2890c2091ed0170819568162

SHA1
889611b8e7fae7a929633e480dd44246bd1afaa7

SHA256
9501ff30038f86b65deceab129e5f0b236238b92f2fb3271bc80bd0010cc0169

SHA512
d2b5181797929298ce0297fd99b3433f7e5773dd35b2d98c1d9d976c10c20b150b2fc00ccffd80e98264fa08adbd82c0365760d65010cdea2dc8a1b113757dff

Download Submit
C:\Windows\{D762DCC3-9BD9-40eb-BD4F-D5EDCAA39B8F}.exe

Filesize
344KB

MD5
a78777b2753c244462fb87b336c24d59

SHA1
a6977affbc2124355f4ee98906cdbb2f2a882f97

SHA256
537e41991d607932761555eaba036155d739ad78e726dfa714209585092d61d4

SHA512
244ac67c9ced0912aa453da75960b9a4d7d27dac75280776323398b2e2e221a319a4f09ac35261d5cfcb03cae5a00f504b30e8a2f5a493597c897498b3736e17

Download Submit
C:\Windows\{DA4F7523-84BA-46e9-91C7-6AFA2C22B0D5}.exe

Filesize
344KB

MD5
24bf9b17772f4a600c7bc0a7bd4b57f6

SHA1
f57ee1801ebff1f94231fc1e98423e212f566840

SHA256
e74412cba01983f9aa82bb65b0e15d1c8c44121d982b4ba4078fe98649c1ac94

SHA512
1cf750abba2702e6a2d0bbc4a25682ff36957ae1e2e52d12306c78bb472f1d45146d93b49d742e11f660cd3df34caf311f24dee0c61699158481161375c8accb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads