a89d38a4f4e619d9e1618505529de1b5b2009ffd77fdb1176fd772bbaa12b714

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
Size

380KB
MD5

93f1c64202f4b2a3607ffe094cfe506d
SHA1

5403ee056eda0cb128ba580013ae5b47356461ec
SHA256

a89d38a4f4e619d9e1618505529de1b5b2009ffd77fdb1176fd772bbaa12b714
SHA512

4c93118896685fe152d29a0b388c81cdf2fd53aa83e39b278a62b923c61c3f51586ccd0fa4fd58d99f6195c1abe98c381a7a76e04d2921599bf75ffe04a5067a
SSDEEP

3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG1l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F036DCF-9EC7-4736-A992-DB912D1B659B}\stubpath = "C:\\Windows\\{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe"	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8903123-203E-4deb-8955-10386EC58E45}\stubpath = "C:\\Windows\\{F8903123-203E-4deb-8955-10386EC58E45}.exe"	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB706C2-B8B8-428b-823A-D08DA955F130}	{F8903123-203E-4deb-8955-10386EC58E45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16C607C2-C5F8-484e-8440-B7309428B898}	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16C607C2-C5F8-484e-8440-B7309428B898}\stubpath = "C:\\Windows\\{16C607C2-C5F8-484e-8440-B7309428B898}.exe"	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB37F8DE-F82D-4eb3-B695-8D846878E478}	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F036DCF-9EC7-4736-A992-DB912D1B659B}	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB706C2-B8B8-428b-823A-D08DA955F130}\stubpath = "C:\\Windows\\{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe"	{F8903123-203E-4deb-8955-10386EC58E45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB37F8DE-F82D-4eb3-B695-8D846878E478}\stubpath = "C:\\Windows\\{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe"	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}\stubpath = "C:\\Windows\\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe"	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}\stubpath = "C:\\Windows\\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe"	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9581E5-215A-44b3-A809-538B67ED498F}	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8903123-203E-4deb-8955-10386EC58E45}	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}\stubpath = "C:\\Windows\\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe"	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}\stubpath = "C:\\Windows\\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe"	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}\stubpath = "C:\\Windows\\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe"	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B9581E5-215A-44b3-A809-538B67ED498F}\stubpath = "C:\\Windows\\{8B9581E5-215A-44b3-A809-538B67ED498F}.exe"	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}\stubpath = "C:\\Windows\\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe"	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe
2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
5020	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe
4276	{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
File created	C:\Windows\{8B9581E5-215A-44b3-A809-538B67ED498F}.exe	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
File created	C:\Windows\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe
File created	C:\Windows\{F8903123-203E-4deb-8955-10386EC58E45}.exe	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
File created	C:\Windows\{16C607C2-C5F8-484e-8440-B7309428B898}.exe	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
File created	C:\Windows\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
File created	C:\Windows\{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
File created	C:\Windows\{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
File created	C:\Windows\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
File created	C:\Windows\{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	{F8903123-203E-4deb-8955-10386EC58E45}.exe
File created	C:\Windows\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
File created	C:\Windows\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8903123-203E-4deb-8955-10386EC58E45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
Token: SeIncBasePriorityPrivilege	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
Token: SeIncBasePriorityPrivilege	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe
Token: SeIncBasePriorityPrivilege	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
Token: SeIncBasePriorityPrivilege	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe
Token: SeIncBasePriorityPrivilege	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
Token: SeIncBasePriorityPrivilege	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
Token: SeIncBasePriorityPrivilege	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
Token: SeIncBasePriorityPrivilege	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
Token: SeIncBasePriorityPrivilege	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
Token: SeIncBasePriorityPrivilege	1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
Token: SeIncBasePriorityPrivilege	5020	{8B9581E5-215A-44b3-A809-538B67ED498F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3588	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	96
PID 1488 wrote to memory of 3588	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	96
PID 1488 wrote to memory of 3588	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	96
PID 1488 wrote to memory of 3008	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	97
PID 1488 wrote to memory of 3008	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	97
PID 1488 wrote to memory of 3008	1488	2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe	97
PID 3588 wrote to memory of 2524	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	98
PID 3588 wrote to memory of 2524	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	98
PID 3588 wrote to memory of 2524	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	98
PID 3588 wrote to memory of 2420	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	99
PID 3588 wrote to memory of 2420	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	99
PID 3588 wrote to memory of 2420	3588	{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe	99
PID 2524 wrote to memory of 2120	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	102
PID 2524 wrote to memory of 2120	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	102
PID 2524 wrote to memory of 2120	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	102
PID 2524 wrote to memory of 3116	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	103
PID 2524 wrote to memory of 3116	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	103
PID 2524 wrote to memory of 3116	2524	{F8903123-203E-4deb-8955-10386EC58E45}.exe	103
PID 2120 wrote to memory of 1400	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	104
PID 2120 wrote to memory of 1400	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	104
PID 2120 wrote to memory of 1400	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	104
PID 2120 wrote to memory of 536	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	105
PID 2120 wrote to memory of 536	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	105
PID 2120 wrote to memory of 536	2120	{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe	105
PID 1400 wrote to memory of 448	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	106
PID 1400 wrote to memory of 448	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	106
PID 1400 wrote to memory of 448	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	106
PID 1400 wrote to memory of 2376	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	107
PID 1400 wrote to memory of 2376	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	107
PID 1400 wrote to memory of 2376	1400	{16C607C2-C5F8-484e-8440-B7309428B898}.exe	107
PID 448 wrote to memory of 3104	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	108
PID 448 wrote to memory of 3104	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	108
PID 448 wrote to memory of 3104	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	108
PID 448 wrote to memory of 3768	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	109
PID 448 wrote to memory of 3768	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	109
PID 448 wrote to memory of 3768	448	{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe	109
PID 3104 wrote to memory of 2408	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	110
PID 3104 wrote to memory of 2408	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	110
PID 3104 wrote to memory of 2408	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	110
PID 3104 wrote to memory of 4616	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	111
PID 3104 wrote to memory of 4616	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	111
PID 3104 wrote to memory of 4616	3104	{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe	111
PID 2408 wrote to memory of 2676	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	112
PID 2408 wrote to memory of 2676	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	112
PID 2408 wrote to memory of 2676	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	112
PID 2408 wrote to memory of 976	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	113
PID 2408 wrote to memory of 976	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	113
PID 2408 wrote to memory of 976	2408	{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe	113
PID 2676 wrote to memory of 1584	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	114
PID 2676 wrote to memory of 1584	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	114
PID 2676 wrote to memory of 1584	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	114
PID 2676 wrote to memory of 2908	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	115
PID 2676 wrote to memory of 2908	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	115
PID 2676 wrote to memory of 2908	2676	{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe	115
PID 1584 wrote to memory of 1964	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	116
PID 1584 wrote to memory of 1964	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	116
PID 1584 wrote to memory of 1964	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	116
PID 1584 wrote to memory of 468	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	117
PID 1584 wrote to memory of 468	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	117
PID 1584 wrote to memory of 468	1584	{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe	117
PID 1964 wrote to memory of 5020	1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe	118
PID 1964 wrote to memory of 5020	1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe	118
PID 1964 wrote to memory of 5020	1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe	118
PID 1964 wrote to memory of 4824	1964	{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024090693f1c64202f4b2a3607ffe094cfe506dgoldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
  C:\Windows\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\{F8903123-203E-4deb-8955-10386EC58E45}.exe
    C:\Windows\{F8903123-203E-4deb-8955-10386EC58E45}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
      C:\Windows\{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\{16C607C2-C5F8-484e-8440-B7309428B898}.exe
        
        C:\Windows\{16C607C2-C5F8-484e-8440-B7309428B898}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Windows\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
        
        C:\Windows\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
        
        C:\Windows\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
        
        C:\Windows\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
        
        C:\Windows\{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
        
        C:\Windows\{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
        
        C:\Windows\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{8B9581E5-215A-44b3-A809-538B67ED498F}.exe
        
        C:\Windows\{8B9581E5-215A-44b3-A809-538B67ED498F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Windows\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe
        
        C:\Windows\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B958~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83AE0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F036~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB37F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5720~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4AB9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5030C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16C60~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCB70~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8903~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82AB6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16C607C2-C5F8-484e-8440-B7309428B898}.exe

Filesize
380KB

MD5
ef8db797cd19d0c1020b67e91a12a988

SHA1
5deec9e9ffdc7c706000fb93de83d34af5fa9f12

SHA256
603c14ec07e435fb5cea0f41d5fd8c80de8598ba93105fa833547ea053c2e33d

SHA512
766713cd318dc0f98e7be3f5bb360fb288d66f81071a51bb6172111648a6f2beac554a536dad60c5d4a4d91c16de22c0e9b7b50fe709a5c8ca9f46be7006bdc4

Download Submit
C:\Windows\{5030CDFB-16D0-4b87-B522-F8B860A1A93E}.exe

Filesize
380KB

MD5
bbe7ad43debf9bf030762881dc717aa9

SHA1
22986a8c44b667d815f788ce5d387a63dd918057

SHA256
4aad2c3ac3bcbc6cd8accb3b8327c2e410146a7075df93d085d9a1893e405557

SHA512
1f68e2334867c1bdfe05f29ff9f65e8a4ba4663ecfbe10640a8a4bd75b23d6473042652306281cfd8944dd4ddac8a18f0fbbb81947fdd5965a913f7b36035267

Download Submit
C:\Windows\{82AB60E6-6C7F-4a24-8DC0-0A40112FCE23}.exe

Filesize
380KB

MD5
35fde0f0629c133679959d7475654e5b

SHA1
da3105c05f37b4aeb28e92f55c37be2e70d06c5d

SHA256
a91dcc6d76cdcf6db6f2b48e6734e8e6a1a6c5996936e3231126f10bc5bf9fac

SHA512
c2e808f485a5c90852c89cecaa4a75869e46cdad9f206d15b279e0bdc6b37fab2f47f72189cef6d75f693021c792c4869892b93bf7af4f048cbb3c41b53ca395

Download Submit
C:\Windows\{83AE06F7-B1D1-4e32-991D-D9EBE2BBBD0D}.exe

Filesize
380KB

MD5
bfd0d764d9d033c8126418e3ac8fd3a2

SHA1
563144e9e5a52b91425513745158837001500003

SHA256
5e1d5dba12b30d769f5c3d05cb706bb84cb8310f1f70a4c74bc6eb9b120582e2

SHA512
e0e8f449e4b29289513070dbe3292fe554f52d27f6c0cbbe796ae22a3fa38b247bd837741c95e64b94a90261db8572229abbdcd322edd7197660375ca2949074

Download Submit
C:\Windows\{8B9581E5-215A-44b3-A809-538B67ED498F}.exe

Filesize
380KB

MD5
500a866453c2011a794a58f224bf1449

SHA1
036170bf9dfa4e32292d27f1ab23307470b46418

SHA256
b651a3bbc479a6095a24ca112d3387f9526670a7445082c2fe79d3087b02c880

SHA512
6ece73fc1712c5867c26cfbbe8d158ab0516207416d1625ca87ddea35213739d733268224fc849a28c01c9f595b9de866bc2904a126fe9a1b4a6029b5147ee96

Download Submit
C:\Windows\{9F036DCF-9EC7-4736-A992-DB912D1B659B}.exe

Filesize
380KB

MD5
92d949d68b4caa2c417b6c8c3353221e

SHA1
4c100ee208907440c7479e19a8fd447e42b5939e

SHA256
e6446612ce47ce7209aa938ff97d4d661caa6c3619d16b558583facb6fb69d6b

SHA512
1a495832f3761803b6978fc0382a2ad1d18811c7610a8be910ae3b33336848dcd51ecae594cb70f1a56cdecda3ec985e53d2e6c75c1921c0fdcfac28c6c4e7c7

Download Submit
C:\Windows\{ACA146C0-531F-44fa-84F9-0AFFAC467CB9}.exe

Filesize
380KB

MD5
730e45e7046abbcbdeb7869d29d443ef

SHA1
203dc7cd5fee8053cf2a1720e46a3375d146e442

SHA256
5490896172cf3601d0e462905b50a64822029072f0edf1b36c3f7751de6dc943

SHA512
21586f4180a4ca826d156c22025f24984fdcbfbdd852c47136cd805da54468fb334148b1bcc8eeede22c3fcb5555eadbbea7d6a5d4de9ce44e84e2d2a65cc50c

Download Submit
C:\Windows\{B5720A6E-9D2C-40a3-BAFC-22FFB905F332}.exe

Filesize
380KB

MD5
6f71cff0d6c40162a86209e63f60b3d7

SHA1
6a048e5232252b49b7f6e17b0294a4a5ad831455

SHA256
5cc61bca44a5fa433095b0b08893faa89bf9317504c5c6236937e3757c1f0565

SHA512
a565620fa0afec20014a67732e1ee1c65c1f07c64e4d94dc7d9084b3b68c4f88b65ebc657ce3e828d52a5ff24997bfacb2e94d35b746d70500439f48445e1793

Download Submit
C:\Windows\{BB37F8DE-F82D-4eb3-B695-8D846878E478}.exe

Filesize
380KB

MD5
3a8418b14dbd96bb6ee5fbc7ccbdb5ee

SHA1
8b2f61be1b6f0f8aaad4f1d55bb23d233bbd46e9

SHA256
2e453c14044dfbd4eae32afcb62b2788983b6668cfedd6efeed396677bb3095b

SHA512
ca2cc77d03ebebbd13b1c63a4df8c23c1d12622795f9691cb69098708f4d9c6270a859fa2d1a8a153d2e58a2f84ea686795e52626b29616dabe1d90da39c5eb0

Download Submit
C:\Windows\{DCB706C2-B8B8-428b-823A-D08DA955F130}.exe

Filesize
380KB

MD5
2c6054af27ccc452157bd34d809d274f

SHA1
8efc1525bef7c35fad2ec6da33fbd863aa6f321b

SHA256
e81d6860e896929cc56ed5174ca4ca2bf679d0e07f372b75952332a732329d95

SHA512
47c5f8ee13adff5c6b2198b6f1f9b32bb7b560ea1e2bd9d4afafcd98e6154316977b775dd2e55b40bc365c0c92025a26c33cebc7f507b2bcf6fa971a6a8973c3

Download Submit
C:\Windows\{F4AB9A2B-0CCE-4add-A4D3-EDCB6370B8C8}.exe

Filesize
380KB

MD5
ae7c374d023bc9502fdc28838a467f81

SHA1
c1713a6fc09fee4a5851a20660bea68d7996fce2

SHA256
8e6fce1482d2b71a9624dad19eebea3094bb19bcdc10f917fd1f173b0c9e524e

SHA512
d344fba02e9634ccbcab552f8c7fc2534b5551018f766088dac2fc4b94f216f87c3a133630c99c1a18cdc722c83a31b95915339c4f70c1943849de52212710ad

Download Submit
C:\Windows\{F8903123-203E-4deb-8955-10386EC58E45}.exe

Filesize
380KB

MD5
62240cab8a3ac728bd8a4b1f599d3441

SHA1
66d72720fb1cf187a558ea471e347f2babd7bac2

SHA256
e5598c01d7d173944d565caf87cbe9d69e65cb74dad2c059b45b75d945eaad1a

SHA512
6731747c4d7a5b9495afbd68190f582f3fea115c028a43391000d07cbfd5f5218e5abbfc67f1717ccabe8954578a310845b4494b6b27e7369cb37e17d82e87e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads