2ddf476168da433fee09bd5cba071f7e1dfa14b7bbb6c585eb3888b2b3c36e98

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
Size

180KB
MD5

a6bbc04be70e456017dac4bcda8bd50b
SHA1

7dbed2b890996d815cbb69a1a7606002d4583d54
SHA256

2ddf476168da433fee09bd5cba071f7e1dfa14b7bbb6c585eb3888b2b3c36e98
SHA512

555f457b6ab1aec697f0caed053b461c35b4ef546bd70d52e3018598fe93952b47346f6f98b5793358f04307b5239729da5b701b939f279bb3d84bc932080f56
SSDEEP

3072:jEGh0oElfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG6l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}\stubpath = "C:\\Windows\\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe"	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F6025A-BC74-4630-B183-1515436DEB61}\stubpath = "C:\\Windows\\{51F6025A-BC74-4630-B183-1515436DEB61}.exe"	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}\stubpath = "C:\\Windows\\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe"	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F86A9CD-7CDF-479c-A595-2BABC9151870}	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}\stubpath = "C:\\Windows\\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe"	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470CF5B5-4A19-41b3-A5FF-61D40451F061}	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}\stubpath = "C:\\Windows\\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe"	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}\stubpath = "C:\\Windows\\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe"	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}\stubpath = "C:\\Windows\\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe"	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}\stubpath = "C:\\Windows\\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe"	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470CF5B5-4A19-41b3-A5FF-61D40451F061}\stubpath = "C:\\Windows\\{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe"	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F86A9CD-7CDF-479c-A595-2BABC9151870}\stubpath = "C:\\Windows\\{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe"	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814532C0-6228-4dad-84F6-6C1492301D9D}\stubpath = "C:\\Windows\\{814532C0-6228-4dad-84F6-6C1492301D9D}.exe"	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F6025A-BC74-4630-B183-1515436DEB61}	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}	{51F6025A-BC74-4630-B183-1515436DEB61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814532C0-6228-4dad-84F6-6C1492301D9D}	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}\stubpath = "C:\\Windows\\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe"	{51F6025A-BC74-4630-B183-1515436DEB61}.exe

Executes dropped EXE 12 IoCs

pid	Process
4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
4308	{51F6025A-BC74-4630-B183-1515436DEB61}.exe
1844	{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
File created	C:\Windows\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
File created	C:\Windows\{51F6025A-BC74-4630-B183-1515436DEB61}.exe	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
File created	C:\Windows\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
File created	C:\Windows\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
File created	C:\Windows\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
File created	C:\Windows\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
File created	C:\Windows\{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
File created	C:\Windows\{814532C0-6228-4dad-84F6-6C1492301D9D}.exe	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
File created	C:\Windows\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe	{51F6025A-BC74-4630-B183-1515436DEB61}.exe
File created	C:\Windows\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
File created	C:\Windows\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51F6025A-BC74-4630-B183-1515436DEB61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
Token: SeIncBasePriorityPrivilege	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
Token: SeIncBasePriorityPrivilege	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
Token: SeIncBasePriorityPrivilege	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
Token: SeIncBasePriorityPrivilege	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
Token: SeIncBasePriorityPrivilege	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
Token: SeIncBasePriorityPrivilege	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
Token: SeIncBasePriorityPrivilege	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
Token: SeIncBasePriorityPrivilege	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
Token: SeIncBasePriorityPrivilege	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
Token: SeIncBasePriorityPrivilege	3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
Token: SeIncBasePriorityPrivilege	4308	{51F6025A-BC74-4630-B183-1515436DEB61}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 4312	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	92
PID 3256 wrote to memory of 4312	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	92
PID 3256 wrote to memory of 4312	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	92
PID 3256 wrote to memory of 736	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	93
PID 3256 wrote to memory of 736	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	93
PID 3256 wrote to memory of 736	3256	20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe	93
PID 4312 wrote to memory of 2724	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	96
PID 4312 wrote to memory of 2724	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	96
PID 4312 wrote to memory of 2724	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	96
PID 4312 wrote to memory of 3180	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	97
PID 4312 wrote to memory of 3180	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	97
PID 4312 wrote to memory of 3180	4312	{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe	97
PID 2724 wrote to memory of 2788	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	100
PID 2724 wrote to memory of 2788	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	100
PID 2724 wrote to memory of 2788	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	100
PID 2724 wrote to memory of 2840	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	101
PID 2724 wrote to memory of 2840	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	101
PID 2724 wrote to memory of 2840	2724	{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe	101
PID 2788 wrote to memory of 5036	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	102
PID 2788 wrote to memory of 5036	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	102
PID 2788 wrote to memory of 5036	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	102
PID 2788 wrote to memory of 3544	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	103
PID 2788 wrote to memory of 3544	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	103
PID 2788 wrote to memory of 3544	2788	{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe	103
PID 5036 wrote to memory of 3176	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	104
PID 5036 wrote to memory of 3176	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	104
PID 5036 wrote to memory of 3176	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	104
PID 5036 wrote to memory of 2816	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	105
PID 5036 wrote to memory of 2816	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	105
PID 5036 wrote to memory of 2816	5036	{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe	105
PID 3176 wrote to memory of 4588	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	106
PID 3176 wrote to memory of 4588	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	106
PID 3176 wrote to memory of 4588	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	106
PID 3176 wrote to memory of 1820	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	107
PID 3176 wrote to memory of 1820	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	107
PID 3176 wrote to memory of 1820	3176	{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe	107
PID 4588 wrote to memory of 2612	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	108
PID 4588 wrote to memory of 2612	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	108
PID 4588 wrote to memory of 2612	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	108
PID 4588 wrote to memory of 1180	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	109
PID 4588 wrote to memory of 1180	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	109
PID 4588 wrote to memory of 1180	4588	{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe	109
PID 2612 wrote to memory of 3172	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	110
PID 2612 wrote to memory of 3172	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	110
PID 2612 wrote to memory of 3172	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	110
PID 2612 wrote to memory of 876	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	111
PID 2612 wrote to memory of 876	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	111
PID 2612 wrote to memory of 876	2612	{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe	111
PID 3172 wrote to memory of 1304	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	112
PID 3172 wrote to memory of 1304	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	112
PID 3172 wrote to memory of 1304	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	112
PID 3172 wrote to memory of 672	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	113
PID 3172 wrote to memory of 672	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	113
PID 3172 wrote to memory of 672	3172	{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe	113
PID 1304 wrote to memory of 3696	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	114
PID 1304 wrote to memory of 3696	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	114
PID 1304 wrote to memory of 3696	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	114
PID 1304 wrote to memory of 3080	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	115
PID 1304 wrote to memory of 3080	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	115
PID 1304 wrote to memory of 3080	1304	{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe	115
PID 3696 wrote to memory of 4308	3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe	116
PID 3696 wrote to memory of 4308	3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe	116
PID 3696 wrote to memory of 4308	3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe	116
PID 3696 wrote to memory of 2592	3696	{814532C0-6228-4dad-84F6-6C1492301D9D}.exe	117

C:\Users\Admin\AppData\Local\Temp\20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240906a6bbc04be70e456017dac4bcda8bd50bgoldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
  C:\Windows\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
    C:\Windows\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
      C:\Windows\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
        
        C:\Windows\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
        
        C:\Windows\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
        
        C:\Windows\{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
        
        C:\Windows\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
        
        C:\Windows\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
        
        C:\Windows\{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
        
        C:\Windows\{814532C0-6228-4dad-84F6-6C1492301D9D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\{51F6025A-BC74-4630-B183-1515436DEB61}.exe
        
        C:\Windows\{51F6025A-BC74-4630-B183-1515436DEB61}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe
        
        C:\Windows\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F60~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81453~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{470CF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{426E0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1601A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F86A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E932~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D21B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{453B9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD26C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{866C9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1601A129-11E9-4c04-AB56-7AD9C7D115A1}.exe

Filesize
180KB

MD5
776310b79938b338cdeb0d91ebfe97d4

SHA1
80d549455f27578edb5065b88daf8ea459f84d54

SHA256
5bb7f38aefd872232c5e275b27a833ea8716d590ff3d1dea47b6403fc192406a

SHA512
8cd973afffa1d7cdddbf0dad48d8b5e9e1ad9597f0c03283873344368324347ed3135a2ddaec0af75519ebd8f08ea0975b4b063af268b1b496d1b7a96ac9be06

Download Submit
C:\Windows\{2D21B361-4AC6-487a-9DA8-64D106BC92CA}.exe

Filesize
180KB

MD5
45fc1379a700a45aa45502390aac18e8

SHA1
c262ea1a37bb5ce84caa27423505506b357012b5

SHA256
162b1dc884ec3aaf5d6e1649c8cfd8198fcc62281d3a566ebe0c768a73d61351

SHA512
3601fdbf4589c6392ad0d1ea99eb95e3e6e4384166c055ca34fe7fd2999f087a8169f8ddc52afa3d58cfb3dbe3dc197f8c77181f376908fd854d11367010d6c1

Download Submit
C:\Windows\{3F86A9CD-7CDF-479c-A595-2BABC9151870}.exe

Filesize
180KB

MD5
333aa0774c77a68ecf39dc411dde95f1

SHA1
7b5928728526677b5b5522098b537e0fe35e5a49

SHA256
d7224ee3c1258338cfad324b654811913f263d8b143a7fdecf12914c354db6a7

SHA512
f9dcad51db8bc0cc4b5c5ead5fbd870f3a5bf327c5b1ec0a2fc0930f8e227a6de197ff6a25db846631ff3ea8bd2d208a6e52e27d9ab2efd0692aed57a26193b8

Download Submit
C:\Windows\{426E0C54-B3AA-446c-8270-5E0FF1516E0E}.exe

Filesize
180KB

MD5
cf23cf807178c23e068d4e366f827795

SHA1
eecb11b0e5d21e504d47e2b0a8ddb4dce61d67ac

SHA256
ad2249af055f60b3a2ee91b9968a4e38d13c723b34c81252901248e29a24956f

SHA512
4e5c79c1351e8c80cc60c7ed3608454e5d36e8a9e3d6288cfb704a52ddfcdd08a31f99183859eb7e09e78264aadf8c914b7c48774a48c9150b67666124ec7b43

Download Submit
C:\Windows\{453B9484-4B71-447d-AB8C-1E5CD6FFA80C}.exe

Filesize
180KB

MD5
aad7bce864b3f64075f90414c2950387

SHA1
16ecf108e81da037f95d1edb790c80e37aeab8af

SHA256
415ad7725a56559fa5828285e8d709e02db36f8aa701c33705afc93db7d41588

SHA512
fbd329a86b5bb77994bd4bb3191ca2c1de289ff8192056d8a47c1a1973a2b18a473dd02a69417a7f270eda7618b4701b76c9d89fa17b71fdd3cb47d62f3bed7d

Download Submit
C:\Windows\{470CF5B5-4A19-41b3-A5FF-61D40451F061}.exe

Filesize
180KB

MD5
0f0c3f130c374edab7bc030c7d3bb31a

SHA1
301ab8ae4ddd3eff85aef9083ee402d16a05a5cc

SHA256
5fd6c2914f9622f8d70cc75faed4e301caa236b2f6c1a61e32870771ead8f116

SHA512
2bd101a3ac3c84e4d2b6d539e881830e5b335ea1f180d7b50cb61d2efa17fa773e7a042b53646e74525f5b725d726e11b67c4f71b9c09cbf57b3b427bf69c4ce

Download Submit
C:\Windows\{51F6025A-BC74-4630-B183-1515436DEB61}.exe

Filesize
180KB

MD5
5916b063bf8521e97f60bd41998f8263

SHA1
d8268839d4dd0c9be71070425600a95ec49429a9

SHA256
8645943f561ddbf6a2fc447c104ab8ec1fadfa1344d1a0ebfcbcd94f665ac3be

SHA512
7d22841134cbd9075cdf267af6a576db28b62ace1909e19ee510ae9497849db22cf76306e3af9317135028ca92e7a2d6871e105fe3440e7ee3c037098abfb959

Download Submit
C:\Windows\{5E9328D8-A3FB-4f09-A118-6B33030E8C4F}.exe

Filesize
180KB

MD5
ae00210fa2e91ae2f33de7503df5f72f

SHA1
546bc63dc81a26a5ac93aa6f9fcd85d693642c21

SHA256
9adcb8c9e8da67e60303d3ef1913f2eafb369f0381f41bc05e0c9df5736c2cbd

SHA512
d51103e023fb1527be41680f317e5ec257004a29f5d31ba6ef745559e05c97d6b3900befbea85568b7ac71db4363c3d92f6f98a9ee6d616903db89a705d07e5b

Download Submit
C:\Windows\{814532C0-6228-4dad-84F6-6C1492301D9D}.exe

Filesize
180KB

MD5
b1b1e3fbf9cd9190cea3ec15f8371f02

SHA1
5f42af2c2178ef4d52cbc3cf97084735f905ca5c

SHA256
c9df091f01f76d3f2c949c41cbcfeb7da1368ce16e332097c373a5781c989c85

SHA512
d1822415fd462f6b1ab107f3f0296d981a317236d55d0400e1bfff620e73ba01abbf5595830ac29a18e2821b62089f70d20d146ed1dee75fbc4adb3415a2cf9a

Download Submit
C:\Windows\{866C95F3-C381-4ce9-A1A5-C063A1BC8914}.exe

Filesize
180KB

MD5
4569cc35298e82ce38116d16d2214c86

SHA1
711cdf0caae71e1691ee0ba74953e5bbe27e67b3

SHA256
dab9a1c76e5fd052f1fdb7286f3b3892efa2df68e029e126a54d48e76a01ea8f

SHA512
91ea276b0934aafc686eb12f6363bfc5214819b4c8c43a9d3aa9efb9df7f0113e61bbc36d398bee322ca55efa346ba7a31bda789d57a25213bf93d267d3bce26

Download Submit
C:\Windows\{CD26CCBF-01BE-47dd-88E9-AE211F68BF4C}.exe

Filesize
180KB

MD5
93a4b263a6d1a2b93482314a031d5620

SHA1
fc7fb49ca4798d68f295dab5efbb3e725d6c7140

SHA256
28e5eec6888f2af931fcd82b5579ee1701f3cfde161de5bf12a6056f63fe01c8

SHA512
114af2b058889e0ce79f7d9dc0c2c10a5bdf823d66acfcac06286f488842bd439f9fb46ea9389b15d89abc619c2b570697a95e58432a06e93958815502797f6d

Download Submit
C:\Windows\{E4A957A0-1672-4bb5-8B85-46775C1F2B61}.exe

Filesize
180KB

MD5
6d38cee0aeb322b229c013b69aa385d7

SHA1
12f0a0074ab42273c9c262b7d4e518f261530d04

SHA256
205952777a79f8f68157ba3675ba5538d61f4671ce799c5fef050d0ce34f7314

SHA512
356789558f4ef0407b5931c236d81a694bdc85666c48cd71bcb48f3b2080f920e5e4af6f11cec4c108fc65079d9e53dce4136625887724ca04fef6393700b868

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads