73a5ddc6fd7b55869dcd0dfd21bc948386a7d58c3b66c235e1afd1e38304bb35

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
Size

408KB
MD5

b058d60e02378a272481c4603cf3c246
SHA1

bec78dd7b65073ddee62cdd626baecb3899dbaa6
SHA256

73a5ddc6fd7b55869dcd0dfd21bc948386a7d58c3b66c235e1afd1e38304bb35
SHA512

7b4482ca0be4f6569f75bc4f9b8ce97bdbffbd191d870fff1822e99957eb6785ff6bc5fca5d5e3110af8c8c29a7dc8974f561f1e01ce4a1f71e0c1a70cc2250d
SSDEEP

3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGmldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}\stubpath = "C:\\Windows\\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe"	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}\stubpath = "C:\\Windows\\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe"	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B97A208-7B36-463c-A0E2-66154BB3F590}	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08DC9914-B5F0-41fd-B11D-7518000D95EC}	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}\stubpath = "C:\\Windows\\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe"	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9155E8BF-7916-4385-A242-FB9CE8B5716E}\stubpath = "C:\\Windows\\{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe"	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}\stubpath = "C:\\Windows\\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe"	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{126C5201-9546-4a96-B2E7-9C9D1005C863}\stubpath = "C:\\Windows\\{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe"	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED65D16F-D87F-486a-8265-DE81D170E380}	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}\stubpath = "C:\\Windows\\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe"	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}\stubpath = "C:\\Windows\\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe"	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED65D16F-D87F-486a-8265-DE81D170E380}\stubpath = "C:\\Windows\\{ED65D16F-D87F-486a-8265-DE81D170E380}.exe"	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B97A208-7B36-463c-A0E2-66154BB3F590}\stubpath = "C:\\Windows\\{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe"	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58E9C91B-D287-4da0-93AD-E286352E3CB1}	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58E9C91B-D287-4da0-93AD-E286352E3CB1}\stubpath = "C:\\Windows\\{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe"	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{126C5201-9546-4a96-B2E7-9C9D1005C863}	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08DC9914-B5F0-41fd-B11D-7518000D95EC}\stubpath = "C:\\Windows\\{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe"	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9155E8BF-7916-4385-A242-FB9CE8B5716E}	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
3384	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
1796	{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
File created	C:\Windows\{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
File created	C:\Windows\{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
File created	C:\Windows\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
File created	C:\Windows\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
File created	C:\Windows\{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
File created	C:\Windows\{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
File created	C:\Windows\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
File created	C:\Windows\{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
File created	C:\Windows\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
File created	C:\Windows\{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
File created	C:\Windows\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
Token: SeIncBasePriorityPrivilege	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
Token: SeIncBasePriorityPrivilege	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
Token: SeIncBasePriorityPrivilege	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
Token: SeIncBasePriorityPrivilege	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
Token: SeIncBasePriorityPrivilege	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
Token: SeIncBasePriorityPrivilege	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
Token: SeIncBasePriorityPrivilege	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
Token: SeIncBasePriorityPrivilege	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
Token: SeIncBasePriorityPrivilege	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
Token: SeIncBasePriorityPrivilege	2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
Token: SeIncBasePriorityPrivilege	3384	{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3336	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	96
PID 4204 wrote to memory of 3336	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	96
PID 4204 wrote to memory of 3336	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	96
PID 4204 wrote to memory of 3384	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	97
PID 4204 wrote to memory of 3384	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	97
PID 4204 wrote to memory of 3384	4204	20240906b058d60e02378a272481c4603cf3c246goldeneye.exe	97
PID 3336 wrote to memory of 4308	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	98
PID 3336 wrote to memory of 4308	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	98
PID 3336 wrote to memory of 4308	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	98
PID 3336 wrote to memory of 4400	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	99
PID 3336 wrote to memory of 4400	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	99
PID 3336 wrote to memory of 4400	3336	{ED65D16F-D87F-486a-8265-DE81D170E380}.exe	99
PID 4308 wrote to memory of 4588	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	101
PID 4308 wrote to memory of 4588	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	101
PID 4308 wrote to memory of 4588	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	101
PID 4308 wrote to memory of 3952	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	102
PID 4308 wrote to memory of 3952	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	102
PID 4308 wrote to memory of 3952	4308	{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe	102
PID 4588 wrote to memory of 1872	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	103
PID 4588 wrote to memory of 1872	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	103
PID 4588 wrote to memory of 1872	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	103
PID 4588 wrote to memory of 1588	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	104
PID 4588 wrote to memory of 1588	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	104
PID 4588 wrote to memory of 1588	4588	{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe	104
PID 1872 wrote to memory of 2256	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	105
PID 1872 wrote to memory of 2256	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	105
PID 1872 wrote to memory of 2256	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	105
PID 1872 wrote to memory of 4220	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	106
PID 1872 wrote to memory of 4220	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	106
PID 1872 wrote to memory of 4220	1872	{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe	106
PID 2256 wrote to memory of 4436	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	107
PID 2256 wrote to memory of 4436	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	107
PID 2256 wrote to memory of 4436	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	107
PID 2256 wrote to memory of 2308	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	108
PID 2256 wrote to memory of 2308	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	108
PID 2256 wrote to memory of 2308	2256	{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe	108
PID 4436 wrote to memory of 5100	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	110
PID 4436 wrote to memory of 5100	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	110
PID 4436 wrote to memory of 5100	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	110
PID 4436 wrote to memory of 3884	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	111
PID 4436 wrote to memory of 3884	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	111
PID 4436 wrote to memory of 3884	4436	{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe	111
PID 5100 wrote to memory of 3124	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	112
PID 5100 wrote to memory of 3124	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	112
PID 5100 wrote to memory of 3124	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	112
PID 5100 wrote to memory of 2820	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	113
PID 5100 wrote to memory of 2820	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	113
PID 5100 wrote to memory of 2820	5100	{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe	113
PID 3124 wrote to memory of 964	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	114
PID 3124 wrote to memory of 964	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	114
PID 3124 wrote to memory of 964	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	114
PID 3124 wrote to memory of 4956	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	115
PID 3124 wrote to memory of 4956	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	115
PID 3124 wrote to memory of 4956	3124	{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe	115
PID 964 wrote to memory of 2584	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	116
PID 964 wrote to memory of 2584	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	116
PID 964 wrote to memory of 2584	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	116
PID 964 wrote to memory of 2168	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	117
PID 964 wrote to memory of 2168	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	117
PID 964 wrote to memory of 2168	964	{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe	117
PID 2584 wrote to memory of 3384	2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe	118
PID 2584 wrote to memory of 3384	2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe	118
PID 2584 wrote to memory of 3384	2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe	118
PID 2584 wrote to memory of 5056	2584	{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe	119

C:\Users\Admin\AppData\Local\Temp\20240906b058d60e02378a272481c4603cf3c246goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240906b058d60e02378a272481c4603cf3c246goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
  C:\Windows\{ED65D16F-D87F-486a-8265-DE81D170E380}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
    C:\Windows\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
      C:\Windows\{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
        
        C:\Windows\{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
        
        C:\Windows\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
        
        C:\Windows\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
        
        C:\Windows\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
        
        C:\Windows\{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
        
        C:\Windows\{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
        
        C:\Windows\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
        
        C:\Windows\{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe
        
        C:\Windows\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{126C5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E82~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58E9C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9155E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE1CF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B1B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36F6F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B97A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08DC9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0A2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ED65D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08DC9914-B5F0-41fd-B11D-7518000D95EC}.exe

Filesize
408KB

MD5
f48e8beb9b3a933f5963e4fa9a9ed126

SHA1
54991cc6c54b1f2c38d8a870d4b4f89f97a02f42

SHA256
b5d12d00967e6df573eeba3aaaa9a549d5385986b47651376f8fa7adf3c37255

SHA512
e33a3c248a51a456ee8254c466cc802e485303d0ef94684afd8a6f3ede24ef5d8354d6075234fdc707a49d7062da48a906ec2f6df19a9a81e448dd790cc0a717

Download Submit
C:\Windows\{126C5201-9546-4a96-B2E7-9C9D1005C863}.exe

Filesize
408KB

MD5
baadf0c6d32208caf8550fd07dcaa64d

SHA1
3e10174445052075ced4951ed5d294fbd63a42e2

SHA256
ba410c605cbc6d317dac58f1d86767a3efcf178550bf54f897f1e4617b3585c4

SHA512
19602644e5b23e1af7c0fbdd735dfbd93a03d71f9b97226bfcae5bfb3614d05877870011a67804beb8a7b2bac84065f0b97860521aca25d5c248705762777e33

Download Submit
C:\Windows\{1B97A208-7B36-463c-A0E2-66154BB3F590}.exe

Filesize
408KB

MD5
4c8556631a9c75ff780a0a4e33807c95

SHA1
6fbb2b072c3901219e2af243bbbe7c170b18f68a

SHA256
4fd3172046bee27fd1a15b2843354ab776c82f52a85f977a8a89f67d61cefef9

SHA512
899d8c4a3dcccf060a96d2df54698d66ab8fea551a3ca48c8c0357c75c64f83146b4b976226809e26669117ce249838e7d601acd5c131a58420257865b04a82b

Download Submit
C:\Windows\{225F0465-35A5-4a9e-BB5A-AAE9B5F08AC2}.exe

Filesize
408KB

MD5
6a6d0b05114ab3fb8d8f2a722cddd1bd

SHA1
552facb68be7d64658332cfc8465947f47c50afd

SHA256
7f142ca09be967e3381c56f2f3a087f9202483acd37b5fef90fc54599d1d87d0

SHA512
8f5b7329fbef7ae09c97cf124b59d2c94e33f960eba5813589426bd434e1ef47c55644d84c490250ec1bddbdb0837b97e9b8b580a54f55033861daf24e42c4ae

Download Submit
C:\Windows\{36F6F413-DECA-4c23-9E7C-38E335CFE1D5}.exe

Filesize
408KB

MD5
23dab1eda21ce09545b4e688cc791bd5

SHA1
fac36526e195e1ec2b42d2f17f21acd31dbb6dc9

SHA256
394d7fc5dc6f106f0dd9f55c07c0f471078cfd6d25de1a451ccc53a0ca23c810

SHA512
765f28dbec1f851832d856099763be60a60a79b3f667bc63be16b5b6c1188fed058a6faeac04884f0e01a4c1b7c69e58017a7b6aaf96fcf48b3825c8ce8982c4

Download Submit
C:\Windows\{58E9C91B-D287-4da0-93AD-E286352E3CB1}.exe

Filesize
408KB

MD5
5ce49835a6bb765de62a8df7a8cafe8a

SHA1
5dcdbb6d12d7dcb51c4679f4e73688f8e4d2299d

SHA256
36d887555d6384c31e82aafbc4a401834347766192eb1003f1d1232ba9d3bbfe

SHA512
549865e526a9c51729748e332bec6ccee95d1b7d2858c2da6c4efad643f2de3a50caf16468c8fe952cadaace977217fca08ebe47c51dc26df3746bf6c3611f3b

Download Submit
C:\Windows\{65B1BCAB-6629-42ec-8C76-01AFB9FBC114}.exe

Filesize
408KB

MD5
291e920179a3e8cfc35f964a96a87e3a

SHA1
a3fd67dfb81b1e933bf9163d7d8c2890bd73c731

SHA256
a05bcdb9593e7387102c4df6dd5c726bc58aa414dafbe291f7efbc700c5effaa

SHA512
e687c1b8debee6f2b29866a684a05b99bb895a7f567f8bbddc0a47b1501273d6261ed351985146741553548947a052b3638b221f2ad4d9a16e73b133fd03d51d

Download Submit
C:\Windows\{9155E8BF-7916-4385-A242-FB9CE8B5716E}.exe

Filesize
408KB

MD5
31e05f7330d46fe1e16307d98d96a9ba

SHA1
2bdbd7d5b5e2b7135a45f23a01cd1282ca81ebc2

SHA256
dc446cbabc79cf9500c355c979adaaea2d6f57102caf4d2c8fd476b0a982f4ae

SHA512
ca06220565c17b5d9ed0ef6d04e994f97e59dc7ddf45dfcb2b3384d8e3d3b0b968a1d39733b2832aae2c23772e09039fd2de0e45ce75a1e281efe8036553a280

Download Submit
C:\Windows\{BE1CFDB5-A5F8-4832-9117-3A66B94642E1}.exe

Filesize
408KB

MD5
d37d8da1baad93f652fdc8abf7037d2a

SHA1
5f95e6e30ffcda53f66cc6772d213e27c6563f4a

SHA256
3bf68378f2cf708ac68852c750e5596706dfd141a96d8530b54abe1797f013d0

SHA512
16a53c89774fd37e9a5776daad1d606d3e6bdc1b72e3f8561e625908f551574670e63587fe6ba94341ada305d7d62c9f9d53d2cf1143e20aa1047fda2178cd02

Download Submit
C:\Windows\{C4E822C7-30F3-4f90-9A7C-DC6F09480DC2}.exe

Filesize
408KB

MD5
f58857781af776e08ef052b79fb986c1

SHA1
303dd7b8f2ada3f819c3aa8d32e0b5b1aa2afce8

SHA256
ae99109cca815da336aaa3234bece3e1bf84912749b459be91891d649acd4727

SHA512
eb95826737d085a31f5a0601b49dedf9fbec78d9eb9057c3d13f1070a1dd8dad2cd8560ce5dd61e8db21216069f18fbec4b1b0ce015ec44209faf993b4e9d31e

Download Submit
C:\Windows\{DC0A2A48-3906-4320-98BF-DC04BF1FBC75}.exe

Filesize
408KB

MD5
bcfe55bdf28a931e7505dbacd2d04349

SHA1
5163de525bcba9a8928a158b061d5f6d654da524

SHA256
e0ef3bae3585db3ce665643767ab8374787ce29dccdbcaece48177d572ffecb4

SHA512
b73096ff64cdcaad09c8be2aa386b1ca1b38bbb952b8cead423b4f6e88d2a6e044298c50965c6858593d2fefd6a76eb50a881a639fb20ff522821c0b600986ec

Download Submit
C:\Windows\{ED65D16F-D87F-486a-8265-DE81D170E380}.exe

Filesize
408KB

MD5
a81a0e38d42c9d69c290275568400477

SHA1
1dba99a348febce3c7c9b896a105406438abd3b4

SHA256
27c9bde4cb9919e3f781abbc56cb780235a362190c2bdffc7233b8a26e9fd45d

SHA512
154182c87f3510aff2a06df706ca659ceb40aaada085580a22d508342d6f7fa3e926de4b12ae91b776b7d3d5316146a420574d154d06fb34d17d11f10639982f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads