49db031a395709625fa94c8be9a150deff3bc4d554074f21f410bb71cc4ac731

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Size

372KB
MD5

9be373f9a39bc56e186458b2eed19784
SHA1

c6d4aa37a92ce985202ac874e667ff614a481de4
SHA256

49db031a395709625fa94c8be9a150deff3bc4d554074f21f410bb71cc4ac731
SHA512

79132d480c55f8f3342edc59636b1443846c7fe2cd4ac470eb22dd5e55e64f654a60ab489fd23882949a0d150829a9a89d7ad112c5b2013818ad94345a4ada93
SSDEEP

3072:CEGh0oflMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGVlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}\stubpath = "C:\\Windows\\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe"	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D05984-380E-4fab-98C9-81D17406EE77}\stubpath = "C:\\Windows\\{95D05984-380E-4fab-98C9-81D17406EE77}.exe"	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}\stubpath = "C:\\Windows\\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe"	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}\stubpath = "C:\\Windows\\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe"	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4813B47-83AF-499f-A990-C7737C1D18CE}	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4813B47-83AF-499f-A990-C7737C1D18CE}\stubpath = "C:\\Windows\\{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe"	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A07019-C1D3-40ea-84AA-5349D02F50BB}\stubpath = "C:\\Windows\\{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe"	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}\stubpath = "C:\\Windows\\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe"	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A07019-C1D3-40ea-84AA-5349D02F50BB}	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D05984-380E-4fab-98C9-81D17406EE77}	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}\stubpath = "C:\\Windows\\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe"	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}\stubpath = "C:\\Windows\\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe"	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}\stubpath = "C:\\Windows\\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe"	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}\stubpath = "C:\\Windows\\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe"	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}\stubpath = "C:\\Windows\\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe"	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe

Executes dropped EXE 12 IoCs

pid	Process
1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
4640	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
2488	{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
File created	C:\Windows\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
File created	C:\Windows\{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
File created	C:\Windows\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
File created	C:\Windows\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
File created	C:\Windows\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
File created	C:\Windows\{95D05984-380E-4fab-98C9-81D17406EE77}.exe	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
File created	C:\Windows\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
File created	C:\Windows\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
File created	C:\Windows\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
File created	C:\Windows\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
File created	C:\Windows\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
Token: SeIncBasePriorityPrivilege	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
Token: SeIncBasePriorityPrivilege	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
Token: SeIncBasePriorityPrivilege	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
Token: SeIncBasePriorityPrivilege	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
Token: SeIncBasePriorityPrivilege	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe
Token: SeIncBasePriorityPrivilege	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
Token: SeIncBasePriorityPrivilege	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
Token: SeIncBasePriorityPrivilege	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
Token: SeIncBasePriorityPrivilege	2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
Token: SeIncBasePriorityPrivilege	4640	{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 1800	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	94
PID 3100 wrote to memory of 1800	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	94
PID 3100 wrote to memory of 1800	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	94
PID 3100 wrote to memory of 4392	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	95
PID 3100 wrote to memory of 4392	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	95
PID 3100 wrote to memory of 4392	3100	2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe	95
PID 1800 wrote to memory of 448	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	96
PID 1800 wrote to memory of 448	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	96
PID 1800 wrote to memory of 448	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	96
PID 1800 wrote to memory of 3200	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	97
PID 1800 wrote to memory of 3200	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	97
PID 1800 wrote to memory of 3200	1800	{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe	97
PID 448 wrote to memory of 2808	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	101
PID 448 wrote to memory of 2808	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	101
PID 448 wrote to memory of 2808	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	101
PID 448 wrote to memory of 548	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	102
PID 448 wrote to memory of 548	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	102
PID 448 wrote to memory of 548	448	{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe	102
PID 2808 wrote to memory of 3380	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	103
PID 2808 wrote to memory of 3380	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	103
PID 2808 wrote to memory of 3380	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	103
PID 2808 wrote to memory of 3860	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	104
PID 2808 wrote to memory of 3860	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	104
PID 2808 wrote to memory of 3860	2808	{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe	104
PID 3380 wrote to memory of 4292	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	105
PID 3380 wrote to memory of 4292	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	105
PID 3380 wrote to memory of 4292	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	105
PID 3380 wrote to memory of 1260	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	106
PID 3380 wrote to memory of 1260	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	106
PID 3380 wrote to memory of 1260	3380	{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe	106
PID 4292 wrote to memory of 4448	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	108
PID 4292 wrote to memory of 4448	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	108
PID 4292 wrote to memory of 4448	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	108
PID 4292 wrote to memory of 3024	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	109
PID 4292 wrote to memory of 3024	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	109
PID 4292 wrote to memory of 3024	4292	{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe	109
PID 4448 wrote to memory of 4940	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	110
PID 4448 wrote to memory of 4940	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	110
PID 4448 wrote to memory of 4940	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	110
PID 4448 wrote to memory of 1596	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	111
PID 4448 wrote to memory of 1596	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	111
PID 4448 wrote to memory of 1596	4448	{95D05984-380E-4fab-98C9-81D17406EE77}.exe	111
PID 4940 wrote to memory of 3132	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	117
PID 4940 wrote to memory of 3132	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	117
PID 4940 wrote to memory of 3132	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	117
PID 4940 wrote to memory of 1704	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	118
PID 4940 wrote to memory of 1704	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	118
PID 4940 wrote to memory of 1704	4940	{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe	118
PID 3132 wrote to memory of 2460	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	121
PID 3132 wrote to memory of 2460	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	121
PID 3132 wrote to memory of 2460	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	121
PID 3132 wrote to memory of 5020	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	122
PID 3132 wrote to memory of 5020	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	122
PID 3132 wrote to memory of 5020	3132	{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe	122
PID 2460 wrote to memory of 2152	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	123
PID 2460 wrote to memory of 2152	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	123
PID 2460 wrote to memory of 2152	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	123
PID 2460 wrote to memory of 384	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	124
PID 2460 wrote to memory of 384	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	124
PID 2460 wrote to memory of 384	2460	{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe	124
PID 2152 wrote to memory of 4640	2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe	127
PID 2152 wrote to memory of 4640	2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe	127
PID 2152 wrote to memory of 4640	2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe	127
PID 2152 wrote to memory of 3932	2152	{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_9be373f9a39bc56e186458b2eed19784_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
  C:\Windows\{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
    C:\Windows\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
      C:\Windows\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
        
        C:\Windows\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
        
        C:\Windows\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{95D05984-380E-4fab-98C9-81D17406EE77}.exe
        
        C:\Windows\{95D05984-380E-4fab-98C9-81D17406EE77}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
        
        C:\Windows\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
        
        C:\Windows\{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
        
        C:\Windows\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
        
        C:\Windows\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
        
        C:\Windows\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe
        
        C:\Windows\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F4B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12EE7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7337D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83A07~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{982E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95D05~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADBCC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5ACD8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3572~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A2B4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4813~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12EE773E-DEC3-42a7-AA64-C3EA043A44BB}.exe

Filesize
372KB

MD5
7dab10b8c59da9cd62a6ef2741529a94

SHA1
84fb99fcfc3fe4e7d6b5dd027b224353edd14273

SHA256
39d921f21e79397328d53a0b4b8e58b27c49acd13be1a43d45239562d0692f80

SHA512
75e4f97ecac70fb8e8c668c177ece9ffa729bedc69b296783247e9e65f0fa74fb7e48b78340cb0c5b3e2e9ce8df1bd49cff5a033d432224807f577dbfa9b2745

Download Submit
C:\Windows\{51F4BBC1-ED38-44dc-BFC8-D76C536F891F}.exe

Filesize
372KB

MD5
559741a83b4ca1776a7fca609e4a9ded

SHA1
a86bddc014e988e4ac666b25eada1c4cca9b4770

SHA256
6a00433b3221cb72a09167367af10dfd7fd416aa35946bccde1465f1bc315910

SHA512
1bb89e2326f76aa50fc64976f79a72e52b7ef0c77775e1aad2fc4d66c711436b452455b1fccff0734037b23ac31465af8277bce3eeebb03cf228fa9c4fb5ef12

Download Submit
C:\Windows\{5ACD8DEC-266B-41a7-8E25-E8B329D1784C}.exe

Filesize
372KB

MD5
5d30f7ece7d4c79267bb952e4bb63b94

SHA1
f0c3df1402d33ed28a13dc1a96e413728b134f72

SHA256
8e16ce37a9f1daf217d71183add226b2106c9910de41a70d54db1655a6680269

SHA512
b33fe184b8dc42bcc84476f45e4b8f385082de26e83c2c334d6a8ee1c49f74166b55a90b6767c892e00fcfdaece2fbb4080d31b8a52e31630f1e5d7f0dea6560

Download Submit
C:\Windows\{7337DF0C-D3D3-4a36-9155-35CA115B76BD}.exe

Filesize
372KB

MD5
365a721914faeb28ff466365b19caa5a

SHA1
fc4e5ef7a0dab26062dacaf312bc8f7a172d6c95

SHA256
caa9915889b75aff98536510996032e98ceba84be19e914a845526fe92b8cfff

SHA512
021374c1ee97277c851bf53a248ab297d9f72731bed993c048b8a5858dc44d245a06995bec757ebf295446a9ef93458535467727881cd75048cb744617a75f2f

Download Submit
C:\Windows\{7A2B46A5-ABAF-451b-9B52-064E02018CFD}.exe

Filesize
372KB

MD5
ab29918eb0e733d0114d022838c1fb52

SHA1
e9a5b74780e76adc43f6c0e62a8acb3c02f2208a

SHA256
487da9c4ef6cf4e4eca49e5643108aba9fd58b19e3e5088ff60965d7362da4bd

SHA512
835f3550af6ec11ed91407ecde98cbbee0a84431bb2911f12d3b97e9a9638583c77504b1aa5c2da95482dfb1805d8281e486c83fb149132c21e0339a68bf3b81

Download Submit
C:\Windows\{83A07019-C1D3-40ea-84AA-5349D02F50BB}.exe

Filesize
372KB

MD5
8dc92497ea077f772e8016c51f514a59

SHA1
4b51714e1d1a960fd254ac29bc8285778e855bd4

SHA256
94eea32986b4ef09e3a79ae035afea87089f723a763c43ccb19e7728d3739a8b

SHA512
b63dff8f56d859506788cbe327ec3637cfa8fd1adccce4a0e94e9fe3bc3febb68dfc90332091f2d44a260e8433551121f026afe34f39270e32b628045885285a

Download Submit
C:\Windows\{95D05984-380E-4fab-98C9-81D17406EE77}.exe

Filesize
372KB

MD5
18ac50d8e0f6b2df9f09a84deec5605f

SHA1
87bf44c01694124339372bd63da395c020545f84

SHA256
a04481e52f7e0862352ac71efa61e2bbd0a7b524a46dba8947d254d010ab8c3a

SHA512
d53295a291c2c1f10f3874b90e4868d5235859006ee1cf6ed12ffe9f2c8f91c9b960b2453b690f3c34cca6e47b9782743b5ca6c684dd0a275415c072cca2b0be

Download Submit
C:\Windows\{982E4860-CBDC-48c5-B8B1-0CF50266C91C}.exe

Filesize
372KB

MD5
5e351bec4549af7cf5959a4f08b20546

SHA1
21f7e6bad2daff2e1a8e4e243081465777acc5b7

SHA256
ee79fc36f18273dfd54176d3b96779a917b6c019e0af58f5387a441f4e16062d

SHA512
c6eea51d32fdbf7ce59b9f6fb90720f111f7c6816a31315ff87c6d9cabd962f062bcad2d72a14158e308783b75f65de61fce68e6a73bff030cf4f6feb616647d

Download Submit
C:\Windows\{A3572A91-F6CF-492b-8F7B-C48B01C6A301}.exe

Filesize
372KB

MD5
69787414e9d7449c63117288f0fd3c79

SHA1
982994e5de1637760324dc69d7fd89af297f1b7a

SHA256
8815d5113f28796dac397d22344993a442cbdad7aee9299edc329aaeb9bb302f

SHA512
7d65480e7bd79061b4d0d755e42da996c8ac9b126b8ae12e2e1f6f88dfe43931da14b5a74b500ba9a49032bddf64bf08f99ca711e924aeb9d0f03982ce251182

Download Submit
C:\Windows\{ADBCC22C-042D-45c3-B530-E48BA3CE44C6}.exe

Filesize
372KB

MD5
ffeb25b043698deda941bd06d8681cb9

SHA1
bc9965f09be6e327ce0525a2e82944a97d5edcfb

SHA256
3eac12b60b5ac60a72f0202d473c5ec15cce685bfb0e346bfc0222f271448f76

SHA512
04c8c22581843fbd2f3b1c8ec060eecfe057b715fa5268e53554bb121910f1fac9aaafe587b31884b363869cef911011af169704311a2761536abe7124795b82

Download Submit
C:\Windows\{B66E3DF8-8476-4ff7-9240-9C8C17B78DD8}.exe

Filesize
372KB

MD5
15e8cc06716c00e088fdfed843ea57e7

SHA1
09ae53a9af743093879093061258241b4de45954

SHA256
31ba48eb08cc16e65048dbb1ce2fd8ec309630e7918c497a4c9bb24cb26556cd

SHA512
31e035a99f3e2fe1a4fb46e13f16f96e7e29a201a6177278fbf17c1fedcdbb917862285d65745a3a811a37d822c3f8fdc6178acc74d97ce6e160b9ebe22b62f8

Download Submit
C:\Windows\{D4813B47-83AF-499f-A990-C7737C1D18CE}.exe

Filesize
372KB

MD5
98176326da157873787d48dc0a38b917

SHA1
713552ed9ab9e1ea188ac8d4ce8deeb88c3bac97

SHA256
db9f3950a6deebc9fac02c0d84749c3d84fe81d6410fd962cfc0996d57ed5b39

SHA512
674a580eb752424e3e9e4102da0986587da7aec1c0c6e239d26cf5a76548a206118afe3129be3df4525b3dd1640eb6bf5e7d3616cd83ba288ee3fa883f92ae5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads