56ca2e8e34fe11512a44604bd526d4ec6dfc3be32ded318d1bd8b72be1a30b32

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240906b2a94d20c06f08e18186769605414060goldeneye.exe
Size

168KB
MD5

b2a94d20c06f08e18186769605414060
SHA1

ef98825dfeecf8806a3de882e83f468b6dca44db
SHA256

56ca2e8e34fe11512a44604bd526d4ec6dfc3be32ded318d1bd8b72be1a30b32
SHA512

ab2efcb3a03ae75861161848ae848d275ff20717378a88e5aa03479492c40906e0bf94eb90ab43b507ec84e526c6920f0ade33dd6b4ea8261a1d557abf194b1f
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F621118-1C9D-4289-B1D5-51A951E22B3E}\stubpath = "C:\\Windows\\{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe"	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}\stubpath = "C:\\Windows\\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe"	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0307FE96-087D-4572-A3F1-67A84177403B}	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7D04141-66A2-4128-9091-C1E923D992CA}\stubpath = "C:\\Windows\\{F7D04141-66A2-4128-9091-C1E923D992CA}.exe"	20240906b2a94d20c06f08e18186769605414060goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F81C37-5A70-4e47-ABE8-64A3376F419B}	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47504F85-05B9-44ef-B604-D10838E53C9E}\stubpath = "C:\\Windows\\{47504F85-05B9-44ef-B604-D10838E53C9E}.exe"	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4E4625F-949F-44ab-9F16-A929B4052FEF}	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F621118-1C9D-4289-B1D5-51A951E22B3E}	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1BC88C0-5459-4d74-8773-96CD74176AFC}	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}\stubpath = "C:\\Windows\\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe"	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96DD93D-382C-478b-AADF-B8D651B56ADF}\stubpath = "C:\\Windows\\{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe"	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}\stubpath = "C:\\Windows\\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe"	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96DD93D-382C-478b-AADF-B8D651B56ADF}	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7D04141-66A2-4128-9091-C1E923D992CA}	20240906b2a94d20c06f08e18186769605414060goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F81C37-5A70-4e47-ABE8-64A3376F419B}\stubpath = "C:\\Windows\\{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe"	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47504F85-05B9-44ef-B604-D10838E53C9E}	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4E4625F-949F-44ab-9F16-A929B4052FEF}\stubpath = "C:\\Windows\\{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe"	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A451156-5538-4aaa-B010-B941E77B1DFF}	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A451156-5538-4aaa-B010-B941E77B1DFF}\stubpath = "C:\\Windows\\{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe"	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0307FE96-087D-4572-A3F1-67A84177403B}\stubpath = "C:\\Windows\\{0307FE96-087D-4572-A3F1-67A84177403B}.exe"	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1BC88C0-5459-4d74-8773-96CD74176AFC}\stubpath = "C:\\Windows\\{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe"	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
4576	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
2192	{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
File created	C:\Windows\{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
File created	C:\Windows\{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
File created	C:\Windows\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
File created	C:\Windows\{0307FE96-087D-4572-A3F1-67A84177403B}.exe	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
File created	C:\Windows\{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
File created	C:\Windows\{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	20240906b2a94d20c06f08e18186769605414060goldeneye.exe
File created	C:\Windows\{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
File created	C:\Windows\{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
File created	C:\Windows\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
File created	C:\Windows\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
File created	C:\Windows\{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240906b2a94d20c06f08e18186769605414060goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe
Token: SeIncBasePriorityPrivilege	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
Token: SeIncBasePriorityPrivilege	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
Token: SeIncBasePriorityPrivilege	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
Token: SeIncBasePriorityPrivilege	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
Token: SeIncBasePriorityPrivilege	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
Token: SeIncBasePriorityPrivilege	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
Token: SeIncBasePriorityPrivilege	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
Token: SeIncBasePriorityPrivilege	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
Token: SeIncBasePriorityPrivilege	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe
Token: SeIncBasePriorityPrivilege	3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
Token: SeIncBasePriorityPrivilege	4576	{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3752	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	94
PID 2388 wrote to memory of 3752	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	94
PID 2388 wrote to memory of 3752	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	94
PID 2388 wrote to memory of 1056	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	95
PID 2388 wrote to memory of 1056	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	95
PID 2388 wrote to memory of 1056	2388	20240906b2a94d20c06f08e18186769605414060goldeneye.exe	95
PID 3752 wrote to memory of 1524	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	96
PID 3752 wrote to memory of 1524	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	96
PID 3752 wrote to memory of 1524	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	96
PID 3752 wrote to memory of 2192	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	97
PID 3752 wrote to memory of 2192	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	97
PID 3752 wrote to memory of 2192	3752	{F7D04141-66A2-4128-9091-C1E923D992CA}.exe	97
PID 1524 wrote to memory of 1756	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	99
PID 1524 wrote to memory of 1756	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	99
PID 1524 wrote to memory of 1756	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	99
PID 1524 wrote to memory of 3084	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	100
PID 1524 wrote to memory of 3084	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	100
PID 1524 wrote to memory of 3084	1524	{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe	100
PID 1756 wrote to memory of 4388	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	102
PID 1756 wrote to memory of 4388	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	102
PID 1756 wrote to memory of 4388	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	102
PID 1756 wrote to memory of 4664	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	103
PID 1756 wrote to memory of 4664	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	103
PID 1756 wrote to memory of 4664	1756	{47504F85-05B9-44ef-B604-D10838E53C9E}.exe	103
PID 4388 wrote to memory of 1096	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	104
PID 4388 wrote to memory of 1096	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	104
PID 4388 wrote to memory of 1096	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	104
PID 4388 wrote to memory of 1908	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	105
PID 4388 wrote to memory of 1908	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	105
PID 4388 wrote to memory of 1908	4388	{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe	105
PID 1096 wrote to memory of 4344	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	106
PID 1096 wrote to memory of 4344	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	106
PID 1096 wrote to memory of 4344	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	106
PID 1096 wrote to memory of 1688	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	107
PID 1096 wrote to memory of 1688	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	107
PID 1096 wrote to memory of 1688	1096	{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe	107
PID 4344 wrote to memory of 2248	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	108
PID 4344 wrote to memory of 2248	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	108
PID 4344 wrote to memory of 2248	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	108
PID 4344 wrote to memory of 1572	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	109
PID 4344 wrote to memory of 1572	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	109
PID 4344 wrote to memory of 1572	4344	{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe	109
PID 2248 wrote to memory of 552	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	110
PID 2248 wrote to memory of 552	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	110
PID 2248 wrote to memory of 552	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	110
PID 2248 wrote to memory of 228	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	111
PID 2248 wrote to memory of 228	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	111
PID 2248 wrote to memory of 228	2248	{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe	111
PID 552 wrote to memory of 4700	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	112
PID 552 wrote to memory of 4700	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	112
PID 552 wrote to memory of 4700	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	112
PID 552 wrote to memory of 2204	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	113
PID 552 wrote to memory of 2204	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	113
PID 552 wrote to memory of 2204	552	{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe	113
PID 4700 wrote to memory of 3120	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	114
PID 4700 wrote to memory of 3120	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	114
PID 4700 wrote to memory of 3120	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	114
PID 4700 wrote to memory of 2520	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	115
PID 4700 wrote to memory of 2520	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	115
PID 4700 wrote to memory of 2520	4700	{0307FE96-087D-4572-A3F1-67A84177403B}.exe	115
PID 3120 wrote to memory of 4576	3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe	116
PID 3120 wrote to memory of 4576	3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe	116
PID 3120 wrote to memory of 4576	3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe	116
PID 3120 wrote to memory of 1512	3120	{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe	117

C:\Users\Admin\AppData\Local\Temp\20240906b2a94d20c06f08e18186769605414060goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\20240906b2a94d20c06f08e18186769605414060goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
  C:\Windows\{F7D04141-66A2-4128-9091-C1E923D992CA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
    C:\Windows\{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
      C:\Windows\{47504F85-05B9-44ef-B604-D10838E53C9E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
        
        C:\Windows\{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
        
        C:\Windows\{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
        
        C:\Windows\{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
        
        C:\Windows\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
        
        C:\Windows\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{0307FE96-087D-4572-A3F1-67A84177403B}.exe
        
        C:\Windows\{0307FE96-087D-4572-A3F1-67A84177403B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
        
        C:\Windows\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
        
        C:\Windows\{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe
        
        C:\Windows\{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1BC8~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CDE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0307F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDDFF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA301~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A451~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F621~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4E46~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47504~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58F81~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7D04~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\202409~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0307FE96-087D-4572-A3F1-67A84177403B}.exe

Filesize
168KB

MD5
adccafd9e79c00df4c5a0e27d488998a

SHA1
eaf0b6d3a2d692670c3fed7a622280157f5672ac

SHA256
e28ed26cb92615f7607db08c499c048ed42609a50dee1e90ef7b6f96528d9580

SHA512
0145e95daca9eb28ff146dcd7a3b527785ddbf54549c2466e057474b9aa003b7e50bbddc8e9149002cb97f0ab2f5d6336e9bcf9755fba2daefde8f55a1d56590

Download Submit
C:\Windows\{3A451156-5538-4aaa-B010-B941E77B1DFF}.exe

Filesize
168KB

MD5
d8e3ddd8dfe675f8afa8aaa3a7a2ece4

SHA1
8d74b8822a2466031ecc7863694c1ab2bb2a9553

SHA256
a1ceaba6a6e89989fded1b16f526d196a893c071493b47e7e12c75925bc3e9f5

SHA512
abe1083b6ec6f6529869db958f7bda27a9e22d78f77bf628d71fbeba244e0470e8edaae578a519a57895fb6aea16040155247172356960e423464b8edfa8ebc7

Download Submit
C:\Windows\{47504F85-05B9-44ef-B604-D10838E53C9E}.exe

Filesize
168KB

MD5
862e6c49801e5ab7bdeb11a2229213ac

SHA1
5fc058fc8f43cb75847f8f825beb312114864091

SHA256
a1b848c92e546088329a8021bdb5d5f82e556d53f62154bff081a59e25f747a0

SHA512
e94d176ab9a1abe4eefaba2b984cd746003e7e197245d5c85e466afebc0c45629a28b8f4194203c79aa5768db2c61b7c136fb47a1febb5f62ffa548d10fe00e2

Download Submit
C:\Windows\{58F81C37-5A70-4e47-ABE8-64A3376F419B}.exe

Filesize
168KB

MD5
2767ecf86d8260aab3694de4f5250e0e

SHA1
d66cdb4307d44e8bbbd53bd2c386a56626acb260

SHA256
ef62c78214422b571e49e0d86e755d3495bf18128d8d07b7e748b0d55372ebcc

SHA512
51c3ffeb324932482fef5e6fda8fb8bc4348dcde4c378f7307db5c01f3d534afac54220c5c8afe10f0bf40fe93bc8bed04d289ca7c93af05d5713fe123bf0c08

Download Submit
C:\Windows\{6F621118-1C9D-4289-B1D5-51A951E22B3E}.exe

Filesize
168KB

MD5
a8e94cf9e5a7602dc7d1b9e6985e6ec7

SHA1
d51507ec8f0efd2024befe104cc1de2b6d601b2a

SHA256
68999f5071406d25ae6248e9b32001a47cce3f74344c06bd9be3fbc6660e959c

SHA512
426b00b26c2fe64ae93dd46394cd1ebb6a79e22ab9abbefe4597281a4852ae73b4564a1760f4f030a814f8361115558b1b9948d048a021feb7ca1fc8a0d0aa4e

Download Submit
C:\Windows\{A96DD93D-382C-478b-AADF-B8D651B56ADF}.exe

Filesize
168KB

MD5
725be11ceed67e46c939f4b5a08554a6

SHA1
161feedc21d74087adec68b2bb8ad9ad1d430f9f

SHA256
c1542ce2153c496a3b999f2bbe2fbfddf285c03d50c25c7a113c384330aedd22

SHA512
10b45ff485105bec2d2b4291d09a1214d19b61aa8d6082c779dbe8fd900d11c3cfc1f8fc90c8dfaf27c4b589d65175a86eda45152f515fc08bdf43f0faa15bcb

Download Submit
C:\Windows\{C1CDE770-5CFB-4cee-8C87-4B91AD36680A}.exe

Filesize
168KB

MD5
44d767835960c95e2d688cb5149bfc98

SHA1
bac7c289765d8652a91a47aa6452319bb8dee6e6

SHA256
3504ea94b99b4fd5a433af15e17b3aa24ead9c088e7325450ed8318d22ce04b3

SHA512
376d4effd4bbf222cd959b5d904fd924e46e4d153871f1f930a2721c3d99bbadada4597e06b230762a7756e10ba3731d8b33ec9083303b45d30651a9c865e1d4

Download Submit
C:\Windows\{D1BC88C0-5459-4d74-8773-96CD74176AFC}.exe

Filesize
168KB

MD5
eb2e7694461e0590c1ffbb5f9052795a

SHA1
9909e21fd9193b6221971e49677946d95260be7b

SHA256
9a55e3a17808c43465e4413f2546585658ba07efc53e290e8bd32448c2b53aaa

SHA512
81d23a7b745b877d9f737f662f18f74eefb9964228969f0fcb27b56023022518cb628125e81a1faef3eba9e897b2d1bb90d688d7c6027c0587612a9d9b2aa583

Download Submit
C:\Windows\{DDDFF2E6-FBF6-4ca9-96CA-590867BDE651}.exe

Filesize
168KB

MD5
f34302ba40299407ae3dc95a93eff6b8

SHA1
a14a4567b57979eac2121f59465b2fd6bb301ba9

SHA256
81c2445b0f536ee4dea3b70af3e83e0acc6dce379beb6de93902c85b03dc50bb

SHA512
9d5a8e28c08759f405ace709f59923c433dff644aed78250db421250ed30014900972856a533021350a4b35320be6da8e867ac8e2afa644de5f3241816b8f866

Download Submit
C:\Windows\{F4E4625F-949F-44ab-9F16-A929B4052FEF}.exe

Filesize
168KB

MD5
95ff22d2cc0a6fca9e932e9366a317df

SHA1
3d1aff906bc771d987d876b47e4701964a7735f7

SHA256
666d46dd31e99cc4566e0c70762760fb95fb8489a0a7498184563c9f2770ccb2

SHA512
27edb78ed4db7b1975e6e421c4b0d613205b5253327a8d832919bbc38d55b1b626cae5d78956a8831fa3f90c5a051587307081c17dfd22e053434367456430c8

Download Submit
C:\Windows\{F7D04141-66A2-4128-9091-C1E923D992CA}.exe

Filesize
168KB

MD5
32e87c36ff5b735d2cb568fa33da3d3d

SHA1
8887ea17d06ba26507cc8e7c9b7e7ca98209c46f

SHA256
a246982e5e5f475d6b35c50ef0eeb6292834a5e3787b2447051a2fbc30d05260

SHA512
991adb9bcf3e8a64ba60882acc88fcfacbb4b81dd269ac2aece0077377756a07d9259d427cce0a6271ce3fa63313aa869bd0214348ede0139187ee2307b8e725

Download Submit
C:\Windows\{FA301D1B-B8DB-447f-BDDA-61C195AE404A}.exe

Filesize
168KB

MD5
cc23a811262ab27f26cc56a840234147

SHA1
138a76bf3391c993a199f933df76770e8f4f6ea9

SHA256
c9487dba0b10dcd29c0901eb997fbca364513b20d6a80dd4b46372ec89ef0375

SHA512
66f487e678aee61f2a030617c5f8b7e3608d16e32a3df17dde45f02252892d00659a361e73a21307d5ba1aa2626206546b1a9d09364fa22ed729d15c7fa914ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads