20fa314168ae4737d0396a1f34e054ad38d84ae27b1f09cba8d5f840bb0bb315

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 06:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
Size

197KB
MD5

5d0bb79a241d19673b9172d34aae6fb6
SHA1

e4cf9d5dac400109b80f7d80ca7e44c765272a0d
SHA256

20fa314168ae4737d0396a1f34e054ad38d84ae27b1f09cba8d5f840bb0bb315
SHA512

75133d1c5da914da821d083a9136113965adfbf2113e130df907f55664410d6ea6d69e36f5add5f4ebc6879155434ea4c3f150c6f00ecb1be24425effc5dd517
SSDEEP

3072:jEGh0oKl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGIlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}\stubpath = "C:\\Windows\\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe"	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E599C8DC-0465-45d0-8F93-2BE008834135}	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}\stubpath = "C:\\Windows\\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe"	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8EE2ED-D272-4625-A199-689F1A461999}	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8EE2ED-D272-4625-A199-689F1A461999}\stubpath = "C:\\Windows\\{5F8EE2ED-D272-4625-A199-689F1A461999}.exe"	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}\stubpath = "C:\\Windows\\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe"	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}\stubpath = "C:\\Windows\\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe"	{827055FB-9120-4ebf-8A11-386B18637150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}\stubpath = "C:\\Windows\\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe"	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}\stubpath = "C:\\Windows\\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe"	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90A15E1D-423D-4535-89FE-540A9C801518}	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90A15E1D-423D-4535-89FE-540A9C801518}\stubpath = "C:\\Windows\\{90A15E1D-423D-4535-89FE-540A9C801518}.exe"	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9AAD39-3E52-448d-8668-C14EC091A75D}	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9AAD39-3E52-448d-8668-C14EC091A75D}\stubpath = "C:\\Windows\\{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe"	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E599C8DC-0465-45d0-8F93-2BE008834135}\stubpath = "C:\\Windows\\{E599C8DC-0465-45d0-8F93-2BE008834135}.exe"	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827055FB-9120-4ebf-8A11-386B18637150}	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{827055FB-9120-4ebf-8A11-386B18637150}\stubpath = "C:\\Windows\\{827055FB-9120-4ebf-8A11-386B18637150}.exe"	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}	{827055FB-9120-4ebf-8A11-386B18637150}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}\stubpath = "C:\\Windows\\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe"	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe

Executes dropped EXE 12 IoCs

pid	Process
384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe
4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
1208	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
3236	{5F8EE2ED-D272-4625-A199-689F1A461999}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
File created	C:\Windows\{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
File created	C:\Windows\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
File created	C:\Windows\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
File created	C:\Windows\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
File created	C:\Windows\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
File created	C:\Windows\{90A15E1D-423D-4535-89FE-540A9C801518}.exe	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
File created	C:\Windows\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	{827055FB-9120-4ebf-8A11-386B18637150}.exe
File created	C:\Windows\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
File created	C:\Windows\{5F8EE2ED-D272-4625-A199-689F1A461999}.exe	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
File created	C:\Windows\{827055FB-9120-4ebf-8A11-386B18637150}.exe	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
File created	C:\Windows\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F8EE2ED-D272-4625-A199-689F1A461999}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{827055FB-9120-4ebf-8A11-386B18637150}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
Token: SeIncBasePriorityPrivilege	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
Token: SeIncBasePriorityPrivilege	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
Token: SeIncBasePriorityPrivilege	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe
Token: SeIncBasePriorityPrivilege	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe
Token: SeIncBasePriorityPrivilege	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
Token: SeIncBasePriorityPrivilege	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
Token: SeIncBasePriorityPrivilege	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
Token: SeIncBasePriorityPrivilege	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
Token: SeIncBasePriorityPrivilege	3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
Token: SeIncBasePriorityPrivilege	1208	{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 384	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	95
PID 4480 wrote to memory of 384	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	95
PID 4480 wrote to memory of 384	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	95
PID 4480 wrote to memory of 1524	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	96
PID 4480 wrote to memory of 1524	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	96
PID 4480 wrote to memory of 1524	4480	2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe	96
PID 384 wrote to memory of 1308	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	97
PID 384 wrote to memory of 1308	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	97
PID 384 wrote to memory of 1308	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	97
PID 384 wrote to memory of 776	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	98
PID 384 wrote to memory of 776	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	98
PID 384 wrote to memory of 776	384	{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe	98
PID 1308 wrote to memory of 1656	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	102
PID 1308 wrote to memory of 1656	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	102
PID 1308 wrote to memory of 1656	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	102
PID 1308 wrote to memory of 116	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	103
PID 1308 wrote to memory of 116	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	103
PID 1308 wrote to memory of 116	1308	{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe	103
PID 1656 wrote to memory of 2240	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	104
PID 1656 wrote to memory of 2240	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	104
PID 1656 wrote to memory of 2240	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	104
PID 1656 wrote to memory of 3740	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	105
PID 1656 wrote to memory of 3740	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	105
PID 1656 wrote to memory of 3740	1656	{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe	105
PID 2240 wrote to memory of 4312	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	106
PID 2240 wrote to memory of 4312	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	106
PID 2240 wrote to memory of 4312	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	106
PID 2240 wrote to memory of 4308	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	107
PID 2240 wrote to memory of 4308	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	107
PID 2240 wrote to memory of 4308	2240	{90A15E1D-423D-4535-89FE-540A9C801518}.exe	107
PID 4312 wrote to memory of 4956	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	109
PID 4312 wrote to memory of 4956	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	109
PID 4312 wrote to memory of 4956	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	109
PID 4312 wrote to memory of 5000	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	110
PID 4312 wrote to memory of 5000	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	110
PID 4312 wrote to memory of 5000	4312	{827055FB-9120-4ebf-8A11-386B18637150}.exe	110
PID 4956 wrote to memory of 2468	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	111
PID 4956 wrote to memory of 2468	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	111
PID 4956 wrote to memory of 2468	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	111
PID 4956 wrote to memory of 3236	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	112
PID 4956 wrote to memory of 3236	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	112
PID 4956 wrote to memory of 3236	4956	{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe	112
PID 2468 wrote to memory of 3652	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	113
PID 2468 wrote to memory of 3652	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	113
PID 2468 wrote to memory of 3652	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	113
PID 2468 wrote to memory of 968	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	114
PID 2468 wrote to memory of 968	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	114
PID 2468 wrote to memory of 968	2468	{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe	114
PID 3652 wrote to memory of 4656	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	123
PID 3652 wrote to memory of 4656	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	123
PID 3652 wrote to memory of 4656	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	123
PID 3652 wrote to memory of 2428	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	124
PID 3652 wrote to memory of 2428	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	124
PID 3652 wrote to memory of 2428	3652	{E599C8DC-0465-45d0-8F93-2BE008834135}.exe	124
PID 4656 wrote to memory of 3156	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	125
PID 4656 wrote to memory of 3156	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	125
PID 4656 wrote to memory of 3156	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	125
PID 4656 wrote to memory of 1384	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	126
PID 4656 wrote to memory of 1384	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	126
PID 4656 wrote to memory of 1384	4656	{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe	126
PID 3156 wrote to memory of 1208	3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe	129
PID 3156 wrote to memory of 1208	3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe	129
PID 3156 wrote to memory of 1208	3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe	129
PID 3156 wrote to memory of 1464	3156	{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-24_5d0bb79a241d19673b9172d34aae6fb6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
  C:\Windows\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
    C:\Windows\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
      C:\Windows\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\{90A15E1D-423D-4535-89FE-540A9C801518}.exe
        
        C:\Windows\{90A15E1D-423D-4535-89FE-540A9C801518}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\{827055FB-9120-4ebf-8A11-386B18637150}.exe
        
        C:\Windows\{827055FB-9120-4ebf-8A11-386B18637150}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
        
        C:\Windows\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
        
        C:\Windows\{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
        
        C:\Windows\{E599C8DC-0465-45d0-8F93-2BE008834135}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
        
        C:\Windows\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
        
        C:\Windows\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
        
        C:\Windows\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\{5F8EE2ED-D272-4625-A199-689F1A461999}.exe
        
        C:\Windows\{5F8EE2ED-D272-4625-A199-689F1A461999}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67D3A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EFEC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{764AA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E599C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9AA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EE23~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82705~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90A15~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBF3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7EFF5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EBF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5EFEC01A-A421-4d31-BEFC-6746BB017B1C}.exe

Filesize
197KB

MD5
5f943ac3c09b4e7124271202a1d3eb40

SHA1
a8104cba458871052c688696bd370b0331b72710

SHA256
d474f949945f70af315074d17f302cf935a3a6250b633e0a821f2d4df0eac339

SHA512
bf4916db8f2451d9e4d2b02e83a2abe679b2eb6a2ebda316c1fcf29cadba680ce191e0c1f7f6a87e45e396c452c008245af52667ea3beb2583ffceb036bb08c5

Download Submit
C:\Windows\{5F8EE2ED-D272-4625-A199-689F1A461999}.exe

Filesize
197KB

MD5
6930f631ca8db164e6390fb0aee21fb7

SHA1
5b5d7fd9d3ae931d93aca20163e17ca5a8524ed7

SHA256
d1f71c9a853a23044358a0133e5e23ddc6f03bef69f67b4052990ceb6d7c34cc

SHA512
dc3673bc92f50982dbf46fc148a3e73ed6af8fd5a92e6fd3ae1fbdadf1814c2980ec37e0c7437767a9d7ebaef58de914ea2eeafb3f279dd289d0fa2c5bcdeae8

Download Submit
C:\Windows\{67D3AF5C-EAEE-4f12-A942-8A1D40025449}.exe

Filesize
197KB

MD5
66bf1f31880799c6e88f5c5419ef33c6

SHA1
b4c89f9bd44ad5f4331fd41c64633291236cec54

SHA256
d0ace6d3bab14a145826e2e486090926d2cfcfd7d3c35e4751255ef5ddb9cbd5

SHA512
7aeaa7123b55758c27b29b9058229180bc26ef62f67cc94e5b0db899d3e0348b12728498018d72cb9eb92872e0ea7e3b74996c5f9abccb40369b9cfc508924cc

Download Submit
C:\Windows\{764AAE68-AD51-4934-8D5D-479F7DD88DE9}.exe

Filesize
197KB

MD5
89dd51cb3e3a8bc6b653c236f5587a62

SHA1
04a4ba6c39c3d409be976a9c0f4f0a18bf19837f

SHA256
90e313f4208462f1bb6a01de7316c4f157c8d8c86f312fe1e5396e64d0f1e4be

SHA512
d2ed6f1070c9fefa218f8930e74ba61335c0c33ad9b8f5d1056dade6bc0d6d8e3a6a32d62ec7502ed1c693596035bd0ca841ecf51095718e6d882e638f1c9490

Download Submit
C:\Windows\{7EFF552F-3DE3-42c8-8506-9BCC2CD8BE89}.exe

Filesize
197KB

MD5
b1d0c7db9eb11568ca3b00678af7aad3

SHA1
d7cfc24a56f966081d7b462c3ffbf2991f41189d

SHA256
ebef0aa01f97b3ac4ac0683d1f78aecc8b647747ab914f04b998fc2659697809

SHA512
6368c58a497973a26c4efcffaef6c6496bd24de03b5a33341a59226171d8a99fa6ed03053193338d877ff8b85fc930168043299c90941c176b60cf62f3b46ed5

Download Submit
C:\Windows\{827055FB-9120-4ebf-8A11-386B18637150}.exe

Filesize
197KB

MD5
b3bb379fe94c48b3866db5d4a4bc8805

SHA1
6a1752f4ee94a8528ce86468708f4a3f39e34900

SHA256
62e8c9f660897556ee423fb474f98ef31c95ef972010c198dec1ed8f9bbfdd5e

SHA512
f04ae4511f3e1680f0f92040e080d7129ded5cf5a98ad38d29793829edb2012a1ebb84281c596f3ff0e9fec5d1e7af4abc99515008253d1055a55ccb4220cfea

Download Submit
C:\Windows\{90A15E1D-423D-4535-89FE-540A9C801518}.exe

Filesize
197KB

MD5
2c76f43ee594c1e078c2bfcc69ba7e77

SHA1
c55f7310ab1020a16e46a98d3d75e077782a8037

SHA256
029f0159529fd7286b2a2eea75fd82d2cc993026e2222a3e874a38866e65644c

SHA512
66ade57c5113b6f35266f6ab646d4ef945fa9b170e4cf3948b50f313e48f8ff16d98728a13a7c30a06c510367b2a0f798bbf88da9d77bd6fe1417db40b88b9ad

Download Submit
C:\Windows\{9EE2328A-DA26-4202-8F1A-AE7A54EB2B00}.exe

Filesize
197KB

MD5
8209def2300713f97cd7cd1454433367

SHA1
77c04992d3599699d337ebe211fff802998e3d2a

SHA256
b19fc0385b6626f031474894f0a42af821321e81c3c021cb40a9a1dfa68efc5e

SHA512
b3ef0bbe8628cfc3be49ca6900330fff11af1605bd373d63b5ea60cda5b6b2b6f36ab1b09c43d2ba4151b5cb26b545ec4f71cd6cb53a086b850e05abbff70b6f

Download Submit
C:\Windows\{BD9AAD39-3E52-448d-8668-C14EC091A75D}.exe

Filesize
197KB

MD5
dc1f47328f053bf0902c80629746c95e

SHA1
78ff46032c53a51a4ca78f368cb15317241fe948

SHA256
117159f187f4a586e16663f69caa2573b9a756d5fd0a15386b96c088971a5a31

SHA512
aa5fe34eb4707d04bebf1143644698cc04826150f376db889bb3910edc245499461ff427c1cdcceab33783794a7270e37217b43cd4bc3558ccdc017731370768

Download Submit
C:\Windows\{C7EBFC3C-FC00-40cf-BC66-03CDAD781DBC}.exe

Filesize
197KB

MD5
2b7408fc049a24042a1477a5ecfddedb

SHA1
6a167940a20f2fae3d75032caabb691c98e39b9e

SHA256
4b2930aab60e121f95149a700c565c085871011ccc55c78c370f84021ae4e30c

SHA512
69fa25a8005ba8ed17f070c025b6b01662579b833729b18dc789f33ef427a3a18cc8d13d99f45cc95df3564a568a4d90d7ee61f0edfabcb9de41f9c9aebf61f9

Download Submit
C:\Windows\{E599C8DC-0465-45d0-8F93-2BE008834135}.exe

Filesize
197KB

MD5
29695230bc2a403e9b5c9adf408032e0

SHA1
608fcab6ba132e54c17413a8969c3e2a0b898db4

SHA256
ec6caca806dd2ae262ac3487f0a42970667616732330ec33a5a0dfc0a318555a

SHA512
9c85e35f8b02285984b05c3aa2e7d4ce930fecc53cce396c5a5563856f73afa8e15bc37cd3c102023542006f05f445524e69af91b49661e289cc9433b26cdbdb

Download Submit
C:\Windows\{FEBF3027-B4CF-4bf8-B3E2-761525B3B374}.exe

Filesize
197KB

MD5
1402b8c75b2e23d45e2b5b165b58b0eb

SHA1
96ad365c37da7876107edb9734a0afbec53e367e

SHA256
cc6ac76ca794350cdb3ef06aa31246c6dbb110a6e8340399e7da0c1b0beef9fa

SHA512
b09726a1da3734ff3ffab9dc48f2e20d9c5d4a0749be4202e51026dd62cbca7444922a67362b08c3bcdb0bc52a5f84d766f64149bf53bd79c3919c2dec868c4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads