4f425cfd5e341e8cfbf335ea29eab527c9aabb809a8c804e44f4a187bdcf437c

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
Size

192KB
MD5

64f9489be9057a966d6f63d67f0aa145
SHA1

7c208e0e3746ad60128c2c70afc02123f3c6354c
SHA256

4f425cfd5e341e8cfbf335ea29eab527c9aabb809a8c804e44f4a187bdcf437c
SHA512

132f1a0a2c9f12410f6ac1b9f3992a7d2d8b1838dd7e16a8ce024675799138d554392eeffaaaf2e757a756f724d4362bf8eab7fc1e8a8292d3f5f0b0a07ef1de
SSDEEP

1536:1EGh0obl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0obl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}\stubpath = "C:\\Windows\\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe"	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}\stubpath = "C:\\Windows\\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe"	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}\stubpath = "C:\\Windows\\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe"	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B098C0-C08A-4cac-8775-837B0E8226EF}	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B098C0-C08A-4cac-8775-837B0E8226EF}\stubpath = "C:\\Windows\\{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe"	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E72DFE2-6C08-42e1-A388-6806902E8542}\stubpath = "C:\\Windows\\{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe"	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C31785B-35FE-4bd6-8AD8-3951A711279A}\stubpath = "C:\\Windows\\{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe"	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E72DFE2-6C08-42e1-A388-6806902E8542}	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}\stubpath = "C:\\Windows\\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe"	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F48480C-A72C-407f-A553-DBE638737CE4}	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89C970B-CEA8-4d59-B690-6E450623E405}	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89C970B-CEA8-4d59-B690-6E450623E405}\stubpath = "C:\\Windows\\{A89C970B-CEA8-4d59-B690-6E450623E405}.exe"	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C31785B-35FE-4bd6-8AD8-3951A711279A}	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F48480C-A72C-407f-A553-DBE638737CE4}\stubpath = "C:\\Windows\\{6F48480C-A72C-407f-A553-DBE638737CE4}.exe"	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}\stubpath = "C:\\Windows\\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe"	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}\stubpath = "C:\\Windows\\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe"	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}\stubpath = "C:\\Windows\\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe"	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe

Executes dropped EXE 12 IoCs

pid	Process
4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
2812	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
1600	{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
File created	C:\Windows\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
File created	C:\Windows\{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
File created	C:\Windows\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
File created	C:\Windows\{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
File created	C:\Windows\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
File created	C:\Windows\{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
File created	C:\Windows\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
File created	C:\Windows\{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
File created	C:\Windows\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
File created	C:\Windows\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
File created	C:\Windows\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
Token: SeIncBasePriorityPrivilege	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
Token: SeIncBasePriorityPrivilege	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
Token: SeIncBasePriorityPrivilege	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
Token: SeIncBasePriorityPrivilege	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
Token: SeIncBasePriorityPrivilege	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
Token: SeIncBasePriorityPrivilege	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
Token: SeIncBasePriorityPrivilege	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
Token: SeIncBasePriorityPrivilege	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
Token: SeIncBasePriorityPrivilege	3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
Token: SeIncBasePriorityPrivilege	2812	{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4372	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	95
PID 3992 wrote to memory of 4372	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	95
PID 3992 wrote to memory of 4372	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	95
PID 3992 wrote to memory of 1384	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	96
PID 3992 wrote to memory of 1384	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	96
PID 3992 wrote to memory of 1384	3992	2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe	96
PID 4372 wrote to memory of 3256	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	97
PID 4372 wrote to memory of 3256	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	97
PID 4372 wrote to memory of 3256	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	97
PID 4372 wrote to memory of 2708	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	98
PID 4372 wrote to memory of 2708	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	98
PID 4372 wrote to memory of 2708	4372	{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe	98
PID 3256 wrote to memory of 1660	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	102
PID 3256 wrote to memory of 1660	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	102
PID 3256 wrote to memory of 1660	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	102
PID 3256 wrote to memory of 3916	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	103
PID 3256 wrote to memory of 3916	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	103
PID 3256 wrote to memory of 3916	3256	{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe	103
PID 1660 wrote to memory of 4448	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	104
PID 1660 wrote to memory of 4448	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	104
PID 1660 wrote to memory of 4448	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	104
PID 1660 wrote to memory of 4472	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	105
PID 1660 wrote to memory of 4472	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	105
PID 1660 wrote to memory of 4472	1660	{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe	105
PID 4448 wrote to memory of 1600	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	106
PID 4448 wrote to memory of 1600	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	106
PID 4448 wrote to memory of 1600	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	106
PID 4448 wrote to memory of 432	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	107
PID 4448 wrote to memory of 432	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	107
PID 4448 wrote to memory of 432	4448	{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe	107
PID 1600 wrote to memory of 1688	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	109
PID 1600 wrote to memory of 1688	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	109
PID 1600 wrote to memory of 1688	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	109
PID 1600 wrote to memory of 2840	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	110
PID 1600 wrote to memory of 2840	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	110
PID 1600 wrote to memory of 2840	1600	{6F48480C-A72C-407f-A553-DBE638737CE4}.exe	110
PID 1688 wrote to memory of 1912	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	111
PID 1688 wrote to memory of 1912	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	111
PID 1688 wrote to memory of 1912	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	111
PID 1688 wrote to memory of 2136	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	112
PID 1688 wrote to memory of 2136	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	112
PID 1688 wrote to memory of 2136	1688	{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe	112
PID 1912 wrote to memory of 3524	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	116
PID 1912 wrote to memory of 3524	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	116
PID 1912 wrote to memory of 3524	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	116
PID 1912 wrote to memory of 4148	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	117
PID 1912 wrote to memory of 4148	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	117
PID 1912 wrote to memory of 4148	1912	{A89C970B-CEA8-4d59-B690-6E450623E405}.exe	117
PID 3524 wrote to memory of 1376	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	122
PID 3524 wrote to memory of 1376	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	122
PID 3524 wrote to memory of 1376	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	122
PID 3524 wrote to memory of 1924	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	123
PID 3524 wrote to memory of 1924	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	123
PID 3524 wrote to memory of 1924	3524	{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe	123
PID 1376 wrote to memory of 3556	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	124
PID 1376 wrote to memory of 3556	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	124
PID 1376 wrote to memory of 3556	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	124
PID 1376 wrote to memory of 3024	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	125
PID 1376 wrote to memory of 3024	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	125
PID 1376 wrote to memory of 3024	1376	{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe	125
PID 3556 wrote to memory of 2812	3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe	129
PID 3556 wrote to memory of 2812	3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe	129
PID 3556 wrote to memory of 2812	3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe	129
PID 3556 wrote to memory of 2992	3556	{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_64f9489be9057a966d6f63d67f0aa145_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
  C:\Windows\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
    C:\Windows\{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
      C:\Windows\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
        
        C:\Windows\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
        
        C:\Windows\{6F48480C-A72C-407f-A553-DBE638737CE4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
        
        C:\Windows\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
        
        C:\Windows\{A89C970B-CEA8-4d59-B690-6E450623E405}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
        
        C:\Windows\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
        
        C:\Windows\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
        
        C:\Windows\{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
        
        C:\Windows\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe
        
        C:\Windows\{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5363D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E72D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3C9A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BEF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A89C9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{721C0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F484~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD4C2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3841~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75B09~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7264~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5363D9AF-80FC-4182-92C4-EB5E7B207BD9}.exe

Filesize
192KB

MD5
27f3df2da492217e6e3fca2e32adfe9b

SHA1
e07fa86344e2764d57df46603e52df63c24a16f3

SHA256
aefe472c9d21f38c47eada8bceb6755b7bbd9ed8adbd50b5cd126c84f9dad6db

SHA512
0926a92e9aec562f95e7c09c6d868ac126342729e053e77d3ad59a15ab532e3473a026204a430f610413911e0536d1c3e6a7ffb67be86010f756d86d524f86a2

Download Submit
C:\Windows\{6F48480C-A72C-407f-A553-DBE638737CE4}.exe

Filesize
192KB

MD5
92041ecf0857126c1fe491aa41a3a733

SHA1
56619e371d24c1cddb79241d3a988bb0c879e6bf

SHA256
582e2147192fb40aff223cd09d43726dcbafbad5b2473d5550bceb429ad0fe87

SHA512
3e53f5e0a453a03a7750c56e4643e59a7989f6cb4dcad6f7ee988edf8abc22f44f73c16ccd3d6a3c1cb942598e6409b8bdc4b173bc6df53e3634945ef053dce3

Download Submit
C:\Windows\{721C0D9E-A703-4a40-9DE6-C1592E6054FB}.exe

Filesize
192KB

MD5
52bb0c1ab393f5b590343d17efa9d129

SHA1
840691b82a39e463d680ee4caed88e8edf4c84d0

SHA256
3f7dd3c2fa665b2e5a365730493ccd7b598e127d4982df2a4390feddf49701ce

SHA512
1d04053b74554848c227cfdc2db119111232f32473d29fc53fe8c5ac3c62bc9867bf31223465ec1e92b583f3127404c2bef012e33eaab5cf5d8f69b553383099

Download Submit
C:\Windows\{75B098C0-C08A-4cac-8775-837B0E8226EF}.exe

Filesize
192KB

MD5
d53079fef8b25af1699fe55e476f1479

SHA1
73d5990408154747cc34a723a4615e9072d23f0d

SHA256
94ff01d656de74cb719286bb05775c3d7de82e633d32970c6d5aad277516061c

SHA512
dd2893ba65b39ef391d1f5b7d86419d9868c3acc96ba01555d2cbb8b5f783c0afcf900436ab78f2d1ffd6e249e3601473a12dc27382ff6cd076b27dbbbc59328

Download Submit
C:\Windows\{7E72DFE2-6C08-42e1-A388-6806902E8542}.exe

Filesize
192KB

MD5
19ccc986e072f9b23f54c96cb6c7223e

SHA1
845463d0c50d0a89ebf60a02540ee529fe1138bf

SHA256
bb8156a09f2342597ea7778b0a87b6f25c6e81f59917fd6831d764ddf9804c04

SHA512
b3300d0c7230c6a619f468e518b0dcb9b39ca0db1d66e613ec910b0b6a7f68a0c308814c0e6ea573012b1c7bd31aaf2b0f4f0536bee8befb15312b8fde22837b

Download Submit
C:\Windows\{8C31785B-35FE-4bd6-8AD8-3951A711279A}.exe

Filesize
192KB

MD5
72e86aa133ea915d4fc5c4fed25814b6

SHA1
798c03c1ec67d6b846e1a89aa9672ffea68a091e

SHA256
45b7c7f3b9d3563af11463537d8431e965c33a4a06cbfa5b5941c742e3ddd744

SHA512
42f1d48813e80194144d248904509583345a90dd7a1c368e50804d3290e899efb4432ab07191818a090a3b544fe605b5ff5aa830356bf9f8cb6438542fdf3877

Download Submit
C:\Windows\{A89C970B-CEA8-4d59-B690-6E450623E405}.exe

Filesize
192KB

MD5
2f2de1652ff3e15936f3d4194f528e25

SHA1
b8d3fae05c1309e4c83ffbcb791277cc4a3e2cb2

SHA256
33ca47ca3512395ecb3684d5f8d54ef01c50bd2def986e0b7cdd795d0dfe2451

SHA512
0ecf394bb4fff2996ad6146a602953b005689e5e2ad628754baf663e630b834aeb8021354eef29a71451b61afa5f7535fd0b173b4ae0c09a14ba890c8d817ac5

Download Submit
C:\Windows\{B4BEFFD1-2F2D-4522-BF86-555F0BE0842E}.exe

Filesize
192KB

MD5
8b02a54af1fd5761a9e859212d7c3229

SHA1
c63ed21233b32fd9988b5563c39e3f614988e086

SHA256
59e62d417055db123d5d7b9073de6752d1905afebd14759c5af90139a9fc4660

SHA512
7991828f8b865682ee4c1e257d1c4f779c743b878ec81851d49fe4e6d2938481923e34e4e4d09f4cbf04dae419f7b9189c62fa5d379ae3d561c5889f3cdb4335

Download Submit
C:\Windows\{C3841BE0-4EE6-4858-9F00-D48FA833A05A}.exe

Filesize
192KB

MD5
2050d62b1017672f27776feb77d12db1

SHA1
caad03a1805416cd1edc03828e18d712ae6c042c

SHA256
9ecff65f439a7d695d13653bed263e44949c952b25e9d003198f5318a5c8b2a8

SHA512
c097e73dba996e66cc1d5c7429ca9181a055a465468635fbcecc9832d2a2174622f44dc8c14dab137335b333bcb284cb31d71f0e45ea742c6b48a98fad951f30

Download Submit
C:\Windows\{C7264903-9CCC-4c7f-89DF-BB077F34D79C}.exe

Filesize
192KB

MD5
467a0129f22c75dbc87ff9b28cd7e91e

SHA1
24aad52def009fff96caa4490dd35b5d0b8d1976

SHA256
310f080be266db0f80223eb96ee1a24e0d41f7d71d6f8385eeb9c697de66e9a4

SHA512
00ff10f3e47fc536a84b55f87175d5d179d0901acf0abac4a823649a6f761ff0e5a160d40d621430ef0c7a51b39604de57e85e437536785754c5b57c92324c64

Download Submit
C:\Windows\{DD4C2B53-5653-4bc5-B515-DB60BC25DEED}.exe

Filesize
192KB

MD5
87d2c8067e35e6b8bb6bf4994d0b1dab

SHA1
2046ab32a3d5c9770301257483a74ad0f479aeae

SHA256
7383711d8a17405590d9fb4eccbfab10d564dcac27c4b606d3a4b54d33709e42

SHA512
e07cd0d1a83b5a1ac08477341683cc9cc484f3ba86f6352719dd7ef2acf4265ef23555a6390698069b402dc2fb6e019dee4e974211e6437d5297419256e060cc

Download Submit
C:\Windows\{F3C9ACD5-02FF-4774-A5B6-8D0F6FA127DF}.exe

Filesize
192KB

MD5
0042a279d0cfab6960e5571fb1f1878a

SHA1
ed431eeac4a9ae7f8b72ce8ff8fcec7bfb82f294

SHA256
23d3c7dd4192bed985a23e6d0c5259cbff1b3d7de5d0a271d87e458b2ebb314f

SHA512
7226d5b2be088916f9926fa8215d2b3cc4a4e31b75709d22e168aab4902d44a6704c1b3cd9c19fee370a340fe1414184402c744c8c231bb25f0946468d1810bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads