0ee81c93a89ca0a83ea87e1f099472caf701de2d5a485ad6bb0142905b47dd35

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Size

204KB
MD5

1f7f74e25d1ecc6a897ef77add504f83
SHA1

dd7f1ea03d636876efecfd3f61fe87f50782af07
SHA256

0ee81c93a89ca0a83ea87e1f099472caf701de2d5a485ad6bb0142905b47dd35
SHA512

b0614121fe527b035a43a84b71f9146a08bff0affc108b9c9cbd7b8f9ffe20432afe8efe156850996a92e29376c90fa107ec07fd8c5e74da17938f00c596870d
SSDEEP

1536:1EGh0otl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0otl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}\stubpath = "C:\\Windows\\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe"	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}\stubpath = "C:\\Windows\\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe"	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE85726F-9BBB-4d15-AD66-693215F2836D}	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE85726F-9BBB-4d15-AD66-693215F2836D}\stubpath = "C:\\Windows\\{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe"	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB9FFEC-4EA8-4034-A224-5F1350779169}	{1155D882-0B1F-432c-AD69-6B494736948C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}\stubpath = "C:\\Windows\\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe"	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E61E666E-54A1-4b00-897E-3C455B0718BF}	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E61E666E-54A1-4b00-897E-3C455B0718BF}\stubpath = "C:\\Windows\\{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe"	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1155D882-0B1F-432c-AD69-6B494736948C}	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}\stubpath = "C:\\Windows\\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe"	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1155D882-0B1F-432c-AD69-6B494736948C}\stubpath = "C:\\Windows\\{1155D882-0B1F-432c-AD69-6B494736948C}.exe"	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB9FFEC-4EA8-4034-A224-5F1350779169}\stubpath = "C:\\Windows\\{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe"	{1155D882-0B1F-432c-AD69-6B494736948C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42F5E44-F6CF-4554-83C3-207801894D9F}\stubpath = "C:\\Windows\\{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe"	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}\stubpath = "C:\\Windows\\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe"	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}\stubpath = "C:\\Windows\\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe"	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCECD950-5EA0-4f7f-B350-430AF81950BD}	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCECD950-5EA0-4f7f-B350-430AF81950BD}\stubpath = "C:\\Windows\\{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe"	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A42F5E44-F6CF-4554-83C3-207801894D9F}	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe

Executes dropped EXE 12 IoCs

pid	Process
4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe
4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
1952	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
2692	{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
File created	C:\Windows\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
File created	C:\Windows\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
File created	C:\Windows\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
File created	C:\Windows\{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
File created	C:\Windows\{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
File created	C:\Windows\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
File created	C:\Windows\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
File created	C:\Windows\{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
File created	C:\Windows\{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
File created	C:\Windows\{1155D882-0B1F-432c-AD69-6B494736948C}.exe	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
File created	C:\Windows\{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe	{1155D882-0B1F-432c-AD69-6B494736948C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1155D882-0B1F-432c-AD69-6B494736948C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
Token: SeIncBasePriorityPrivilege	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
Token: SeIncBasePriorityPrivilege	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
Token: SeIncBasePriorityPrivilege	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
Token: SeIncBasePriorityPrivilege	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
Token: SeIncBasePriorityPrivilege	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
Token: SeIncBasePriorityPrivilege	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
Token: SeIncBasePriorityPrivilege	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
Token: SeIncBasePriorityPrivilege	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
Token: SeIncBasePriorityPrivilege	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe
Token: SeIncBasePriorityPrivilege	4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
Token: SeIncBasePriorityPrivilege	1952	{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4504	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	92
PID 4324 wrote to memory of 4504	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	92
PID 4324 wrote to memory of 4504	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	92
PID 4324 wrote to memory of 1512	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	93
PID 4324 wrote to memory of 1512	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	93
PID 4324 wrote to memory of 1512	4324	202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe	93
PID 4504 wrote to memory of 4900	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	96
PID 4504 wrote to memory of 4900	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	96
PID 4504 wrote to memory of 4900	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	96
PID 4504 wrote to memory of 2280	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	97
PID 4504 wrote to memory of 2280	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	97
PID 4504 wrote to memory of 2280	4504	{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe	97
PID 4900 wrote to memory of 2176	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	99
PID 4900 wrote to memory of 2176	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	99
PID 4900 wrote to memory of 2176	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	99
PID 4900 wrote to memory of 2352	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	100
PID 4900 wrote to memory of 2352	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	100
PID 4900 wrote to memory of 2352	4900	{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe	100
PID 2176 wrote to memory of 4496	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	102
PID 2176 wrote to memory of 4496	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	102
PID 2176 wrote to memory of 4496	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	102
PID 2176 wrote to memory of 1708	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	103
PID 2176 wrote to memory of 1708	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	103
PID 2176 wrote to memory of 1708	2176	{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe	103
PID 4496 wrote to memory of 60	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	104
PID 4496 wrote to memory of 60	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	104
PID 4496 wrote to memory of 60	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	104
PID 4496 wrote to memory of 3184	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	105
PID 4496 wrote to memory of 3184	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	105
PID 4496 wrote to memory of 3184	4496	{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe	105
PID 60 wrote to memory of 4272	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	106
PID 60 wrote to memory of 4272	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	106
PID 60 wrote to memory of 4272	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	106
PID 60 wrote to memory of 3484	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	107
PID 60 wrote to memory of 3484	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	107
PID 60 wrote to memory of 3484	60	{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe	107
PID 4272 wrote to memory of 4628	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	108
PID 4272 wrote to memory of 4628	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	108
PID 4272 wrote to memory of 4628	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	108
PID 4272 wrote to memory of 4788	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	109
PID 4272 wrote to memory of 4788	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	109
PID 4272 wrote to memory of 4788	4272	{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe	109
PID 4628 wrote to memory of 516	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	110
PID 4628 wrote to memory of 516	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	110
PID 4628 wrote to memory of 516	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	110
PID 4628 wrote to memory of 2316	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	111
PID 4628 wrote to memory of 2316	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	111
PID 4628 wrote to memory of 2316	4628	{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe	111
PID 516 wrote to memory of 1600	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	112
PID 516 wrote to memory of 1600	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	112
PID 516 wrote to memory of 1600	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	112
PID 516 wrote to memory of 1816	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	113
PID 516 wrote to memory of 1816	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	113
PID 516 wrote to memory of 1816	516	{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe	113
PID 1600 wrote to memory of 4772	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	114
PID 1600 wrote to memory of 4772	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	114
PID 1600 wrote to memory of 4772	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	114
PID 1600 wrote to memory of 1652	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	115
PID 1600 wrote to memory of 1652	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	115
PID 1600 wrote to memory of 1652	1600	{1155D882-0B1F-432c-AD69-6B494736948C}.exe	115
PID 4772 wrote to memory of 1952	4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe	116
PID 4772 wrote to memory of 1952	4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe	116
PID 4772 wrote to memory of 1952	4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe	116
PID 4772 wrote to memory of 2956	4772	{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe	117

C:\Users\Admin\AppData\Local\Temp\202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\202409061f7f74e25d1ecc6a897ef77add504f83goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
  C:\Windows\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
    C:\Windows\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
      C:\Windows\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
        
        C:\Windows\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
        
        C:\Windows\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
        
        C:\Windows\{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
        
        C:\Windows\{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
        
        C:\Windows\{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{1155D882-0B1F-432c-AD69-6B494736948C}.exe
        
        C:\Windows\{1155D882-0B1F-432c-AD69-6B494736948C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
        
        C:\Windows\{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
        
        C:\Windows\{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe
        
        C:\Windows\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A42F5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEB9F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1155D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE857~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCECD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E61E6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40BE1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E29D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3BA2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB196~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D77C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1155D882-0B1F-432c-AD69-6B494736948C}.exe

Filesize
204KB

MD5
80a0b6ef39aff217b1c07ecfa0eee174

SHA1
5ccfdac35806aa6b580b014cbf326f376d708f15

SHA256
6a979f4f199c250a17537a85039241360fdadd98fa33968735958b382d543fee

SHA512
bee9334cc2cc628700a79e59b4cf9ef2d0579b09a457e1e154b451810248f24afa7d40b464acb50f6c5bfd222a230c1e68a2907bc113a399026958da84a7fe46

Download Submit
C:\Windows\{2D77CEBD-EB5E-4c55-AB49-C8EFD271D035}.exe

Filesize
204KB

MD5
327ce8da67f4c4f2a3c4bc57a1a57946

SHA1
2c5f4c596629aed3c88bdb6851dfaacffc341c1e

SHA256
0e8369cc8b885f066efa8c3d456994a75b565c9dcb97cb47acb25e6cf80cbf7f

SHA512
e7854c87f620002c725aa350fbda496097aae60785c7030eb28e2860cca79619bcef46bc6535a02d8dcc023012a228ce8e213dff0aeb23d8dc6a5e7f55b045e3

Download Submit
C:\Windows\{40BE1CDF-90FC-4527-AA02-A35DC1BD1C7E}.exe

Filesize
204KB

MD5
c806f1e2ddfe425f3f9f08ddbc1f42e7

SHA1
f7f3906252edaf36e4e0253d1858088cb3e5fdcc

SHA256
db25bfbe3819b2dc8960d51c0f0e336ce72631f62737104a9ef30fe2ff148b4c

SHA512
423280dc36d58c8b98cf2abe97c48bb1115841f9985e2be645d7e9533ca8c58af2f353584c688dba3c812a7ed72e28d8399a9dabdc22127ca329a27cd00aa1a4

Download Submit
C:\Windows\{5E29D8DD-A701-4dc1-88FC-80F266D1AD1A}.exe

Filesize
204KB

MD5
d5c7316fee53ff1d09f2f0648380a6c0

SHA1
1fad6ebe1fd12e469707b0e98951602cdfec960b

SHA256
9ac2b7578ae7b148bae17dad8a3f02b6acdfcfe988d5fce4e560bca4b88e4590

SHA512
72f9df855fc82e709ba0609c9bc275c7e937d504c8562f1bf161924be5aa3e1a64c394507f70769edd703afff14268ea73ca48a44288d5bd10caef8bf3a2775b

Download Submit
C:\Windows\{5F581DDF-13FE-4e7f-BF9B-D5AC7041A166}.exe

Filesize
204KB

MD5
34c9689e9ca6fbed0e5db32d7ed9f242

SHA1
2f2086bc6df2173abd7fe72b19d1aadecd03adfe

SHA256
31cfbcee97129c74b6bb754a30dfb41e463de6b40fd4b5fde3b711ef9ce2ed97

SHA512
e0e4da092a2f848068085f853cb7fa7bcf57324e56b60614a8b9100caa15503ad6c09eacd86369d2aedeb0ece4ed30fb9127674887cd59a6f4ac8cd2edf0a89b

Download Submit
C:\Windows\{A42F5E44-F6CF-4554-83C3-207801894D9F}.exe

Filesize
204KB

MD5
46decde4383f08d072d1990327700f6c

SHA1
9a7001deb79a978f4879c2d6be55e96169f9bb48

SHA256
3fab20c5b098d888230a83af1980b8dfa584df94f6dcf39130f0439460c078f0

SHA512
1817b3cbf5a9af0f520c8c559893007c896e1bce4be31df1277a6e82837eb02cc2fe46f10557298793481b63b5c93b0d89ec4ae5e143d785f9ae10881d813f7b

Download Submit
C:\Windows\{BB19653B-1E55-4719-BF6C-6122A37A7E3C}.exe

Filesize
204KB

MD5
75c947917818d30ff1aaa5764c99461c

SHA1
b8346745f76f7e06c7c937d5a30a5f4506376697

SHA256
95ccd69acb110aae332b993736d24090ea3ba6a36cfbdbc5f886b4894a25310f

SHA512
55fedea3dbb464c544bddf586520f245cdd66749d7f6d401caeef08de1eb468fa3d064c75c372ac5b6150c16fa05150ef61b03c749437dfe63ca16949726eb4f

Download Submit
C:\Windows\{CE85726F-9BBB-4d15-AD66-693215F2836D}.exe

Filesize
204KB

MD5
ac540899c3e5660d8371a094ddcc20ad

SHA1
b92ca4870f9d5cff66a840034bebbdc57267a511

SHA256
1544fd3df077965c1def9f4d9d35358970b6f15745a214cc97d9b1825f036c81

SHA512
8149a17a3c66842fb60b00e1cb5ae2cadd19077ba9cc24a4d476f01f951f5c4d7a6cd074f3f4185d0a1ff9f4dc0c585c3e0619616c9f7331c6c67e0217c7d765

Download Submit
C:\Windows\{D3BA2EC3-36BA-4c0c-98BB-D561ACF88F41}.exe

Filesize
204KB

MD5
625214369370a068bcc6f1502df493d2

SHA1
4fc11e40b6be9c2dd70c7c6ee431dd4643e1c81e

SHA256
c6d9a0f4a6a5fcd270e49ded35b04cf49984cb31935a2b76d694b0c32e794f4d

SHA512
3af32f9aaae92902c2dff3e9c71da87483e1a2c33890bb5bd7c9c76c788570e7c0a9a73c16c8ec1143b8a133d404cc04448b8cc32e334eaf63e782645776eaa2

Download Submit
C:\Windows\{E61E666E-54A1-4b00-897E-3C455B0718BF}.exe

Filesize
204KB

MD5
a34612a323f1d35a86a31172f576dfa8

SHA1
04f81013d49cc31661a43ac57b2849f5bac0ca61

SHA256
51bf758871e8d1554eed2443ce864c828c3977c7da2489f5527cae511339b9f1

SHA512
7f13509d458260272c83df528017369c20ce175c1f48fc572e4d5f4b4f966bdd36452fec7e9a33139b5841e83b90fc9699ced05e829ff6d15392dae65838a7d1

Download Submit
C:\Windows\{FCECD950-5EA0-4f7f-B350-430AF81950BD}.exe

Filesize
204KB

MD5
f2c6c59026c208dafc8d6a21470266fd

SHA1
7e4da3b03ff4e903892219cb855fcce2137bafa3

SHA256
df7cc184cafb1f58caa78266ca77e81f33a336d1a8c354a7dae333eb041fd6d8

SHA512
2a2bd65062b4acc45b2ecbc99b96addab0dd5e23114cc67afc6c38ce7594643644de8bf39bedc8802e3e257bf96dc24fece6beaae42362a9db71df1f43f345e1

Download Submit
C:\Windows\{FEB9FFEC-4EA8-4034-A224-5F1350779169}.exe

Filesize
204KB

MD5
76db88effc67d600192b40757167664d

SHA1
eb4fa7cec9bac35a396ba99081e9f6d97ef82510

SHA256
99a1c8f0dd99246b67f07c50645bf0eaa689ec7e003a5ac3723c58ad67589172

SHA512
789be9d67f334bd6c2f34bf04ea0df02a77fbcba11c331829e5bd9cfa1b09d72f6ad3b252c399376611333a058d95e9d8830d2b86a88ab60c98c84627d92e9d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads