fa1dd69177530da7ff0b08ea1dc22c506e64a546c30f44e5ca97d09de8e29bc0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Size

168KB
MD5

9eb2530884f5686fe3e88eee4b41cc48
SHA1

94c34bfc5ca51a03702f2868e8149845e6d0e62a
SHA256

fa1dd69177530da7ff0b08ea1dc22c506e64a546c30f44e5ca97d09de8e29bc0
SHA512

398e7cd2ceabeaff503b9aba280407e9fd9b20a5580e1bd4dc89dc56246934fa849436de8188d9b064350c43de188f874ea94764201844cc51c9febba68e3c6a
SSDEEP

1536:1EGh0oblq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oblqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A97A342-E37A-49aa-893D-66E0AAE96F45}\stubpath = "C:\\Windows\\{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe"	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}\stubpath = "C:\\Windows\\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe"	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}\stubpath = "C:\\Windows\\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe"	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8637B454-0232-4b60-9AE6-264214DEC97A}\stubpath = "C:\\Windows\\{8637B454-0232-4b60-9AE6-264214DEC97A}.exe"	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}\stubpath = "C:\\Windows\\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe"	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}\stubpath = "C:\\Windows\\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe"	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}\stubpath = "C:\\Windows\\{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe"	{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404190EA-F846-4fc5-A44A-E1F512646003}	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A97A342-E37A-49aa-893D-66E0AAE96F45}	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}\stubpath = "C:\\Windows\\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe"	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}\stubpath = "C:\\Windows\\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe"	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}	{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}\stubpath = "C:\\Windows\\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe"	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404190EA-F846-4fc5-A44A-E1F512646003}\stubpath = "C:\\Windows\\{404190EA-F846-4fc5-A44A-E1F512646003}.exe"	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF6223D-918B-4786-8E51-541F11962DE0}\stubpath = "C:\\Windows\\{7FF6223D-918B-4786-8E51-541F11962DE0}.exe"	{404190EA-F846-4fc5-A44A-E1F512646003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8637B454-0232-4b60-9AE6-264214DEC97A}	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FF6223D-918B-4786-8E51-541F11962DE0}	{404190EA-F846-4fc5-A44A-E1F512646003}.exe

Executes dropped EXE 11 IoCs

pid	Process
3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
2552	{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe
4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
1276	{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8637B454-0232-4b60-9AE6-264214DEC97A}.exe	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
File created	C:\Windows\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
File created	C:\Windows\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
File created	C:\Windows\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
File created	C:\Windows\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
File created	C:\Windows\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
File created	C:\Windows\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
File created	C:\Windows\{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	{404190EA-F846-4fc5-A44A-E1F512646003}.exe
File created	C:\Windows\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
File created	C:\Windows\{404190EA-F846-4fc5-A44A-E1F512646003}.exe	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
File created	C:\Windows\{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{404190EA-F846-4fc5-A44A-E1F512646003}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
Token: SeIncBasePriorityPrivilege	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
Token: SeIncBasePriorityPrivilege	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
Token: SeIncBasePriorityPrivilege	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
Token: SeIncBasePriorityPrivilege	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
Token: SeIncBasePriorityPrivilege	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
Token: SeIncBasePriorityPrivilege	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
Token: SeIncBasePriorityPrivilege	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe
Token: SeIncBasePriorityPrivilege	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
Token: SeIncBasePriorityPrivilege	4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3352	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	95
PID 2312 wrote to memory of 3352	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	95
PID 2312 wrote to memory of 3352	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	95
PID 2312 wrote to memory of 2316	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	96
PID 2312 wrote to memory of 2316	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	96
PID 2312 wrote to memory of 2316	2312	2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe	96
PID 3352 wrote to memory of 4900	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	97
PID 3352 wrote to memory of 4900	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	97
PID 3352 wrote to memory of 4900	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	97
PID 3352 wrote to memory of 1144	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	98
PID 3352 wrote to memory of 1144	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	98
PID 3352 wrote to memory of 1144	3352	{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe	98
PID 4900 wrote to memory of 4288	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	102
PID 4900 wrote to memory of 4288	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	102
PID 4900 wrote to memory of 4288	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	102
PID 4900 wrote to memory of 4124	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	103
PID 4900 wrote to memory of 4124	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	103
PID 4900 wrote to memory of 4124	4900	{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe	103
PID 4288 wrote to memory of 2552	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	104
PID 4288 wrote to memory of 2552	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	104
PID 4288 wrote to memory of 2552	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	104
PID 4288 wrote to memory of 4504	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	105
PID 4288 wrote to memory of 4504	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	105
PID 4288 wrote to memory of 4504	4288	{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe	105
PID 3496 wrote to memory of 428	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	109
PID 3496 wrote to memory of 428	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	109
PID 3496 wrote to memory of 428	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	109
PID 3496 wrote to memory of 1876	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	110
PID 3496 wrote to memory of 1876	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	110
PID 3496 wrote to memory of 1876	3496	{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe	110
PID 428 wrote to memory of 4464	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	111
PID 428 wrote to memory of 4464	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	111
PID 428 wrote to memory of 4464	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	111
PID 428 wrote to memory of 1192	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	112
PID 428 wrote to memory of 1192	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	112
PID 428 wrote to memory of 1192	428	{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe	112
PID 4464 wrote to memory of 1336	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	115
PID 4464 wrote to memory of 1336	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	115
PID 4464 wrote to memory of 1336	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	115
PID 4464 wrote to memory of 4532	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	116
PID 4464 wrote to memory of 4532	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	116
PID 4464 wrote to memory of 4532	4464	{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe	116
PID 1336 wrote to memory of 3384	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	122
PID 1336 wrote to memory of 3384	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	122
PID 1336 wrote to memory of 3384	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	122
PID 1336 wrote to memory of 2976	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	123
PID 1336 wrote to memory of 2976	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	123
PID 1336 wrote to memory of 2976	1336	{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe	123
PID 3384 wrote to memory of 4788	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	124
PID 3384 wrote to memory of 4788	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	124
PID 3384 wrote to memory of 4788	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	124
PID 3384 wrote to memory of 1536	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	125
PID 3384 wrote to memory of 1536	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	125
PID 3384 wrote to memory of 1536	3384	{404190EA-F846-4fc5-A44A-E1F512646003}.exe	125
PID 4788 wrote to memory of 4144	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	129
PID 4788 wrote to memory of 4144	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	129
PID 4788 wrote to memory of 4144	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	129
PID 4788 wrote to memory of 3464	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	130
PID 4788 wrote to memory of 3464	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	130
PID 4788 wrote to memory of 3464	4788	{7FF6223D-918B-4786-8E51-541F11962DE0}.exe	130
PID 4144 wrote to memory of 1276	4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe	131
PID 4144 wrote to memory of 1276	4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe	131
PID 4144 wrote to memory of 1276	4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe	131
PID 4144 wrote to memory of 208	4144	{8637B454-0232-4b60-9AE6-264214DEC97A}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-27_9eb2530884f5686fe3e88eee4b41cc48_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
  C:\Windows\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
    C:\Windows\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
      C:\Windows\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
        
        C:\Windows\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2552
      - C:\Windows\{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
        
        C:\Windows\{EAFB798D-D759-4fae-A66C-5E43C7DD8A7F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
        
        C:\Windows\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
        
        C:\Windows\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
        
        C:\Windows\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{404190EA-F846-4fc5-A44A-E1F512646003}.exe
        
        C:\Windows\{404190EA-F846-4fc5-A44A-E1F512646003}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
        
        C:\Windows\{7FF6223D-918B-4786-8E51-541F11962DE0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
        
        C:\Windows\{8637B454-0232-4b60-9AE6-264214DEC97A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe
        
        C:\Windows\{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8637B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF62~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40419~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FF7C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3A74~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7BE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAFB7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{093AC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{831E2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6AA77~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FBB1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{093AC648-8BE5-4da0-BAA5-1D0F8B45894B}.exe

Filesize
168KB

MD5
0a2933124d7ec081cab555c9b3bff640

SHA1
7d451d9b8b8c85104af529367345c1d97b4a5d7d

SHA256
47aa3e8098dd13b336460540c538d5d27fb31d0f318b16ca302608e8f09f6556

SHA512
fdfed9203ae9c746e12d3605c9053c1a617f9956e9b4d08a29bfffcb5ae963a1ffe9ef2894691bd2998466a1b9061b15b893785434b988e0f1ebfeb8f32ac6c0

Download Submit
C:\Windows\{1A97A342-E37A-49aa-893D-66E0AAE96F45}.exe

Filesize
168KB

MD5
173b506dea63d0f05cd6a5b2495b56f5

SHA1
8284b9f79a07f34fa536fa6ea1c14cd79faee433

SHA256
7d48dca86f36130db973bb46b82d0ec746705ae2628a40e5df862fe82e6f8c8b

SHA512
cd77ef0aa1207dd9b15c710dbf428393454aba3d07c8a259c4b55007e308563e985b5829ac1ee341ae2935829a230d97fedc24aa5f605e09ed12af86e906f021

Download Submit
C:\Windows\{2FBB1267-CE9C-413a-BAB0-2569042F76B3}.exe

Filesize
168KB

MD5
9cd19bc036a1c124ff4b9fbd610e2987

SHA1
b2bdb235dee4a3b3fef19c117020775aea973ff5

SHA256
70fe38fc94295f30a7d4b6481791e08040da3a644f3d78d1b78a9d74b638f1f6

SHA512
411fb328c8c75b509f9452a699d5e3de8aee7ff241ab37041467a389167c1d1e0b60f82c06bc5aaa8f227be9cf82ee9cdf9ee72b199fc30f8418a9340bb5f4ca

Download Submit
C:\Windows\{404190EA-F846-4fc5-A44A-E1F512646003}.exe

Filesize
168KB

MD5
18525ea1c1e94dc4f7b4c59132a76d3b

SHA1
8a8a6f2b9076140dfe94980640c2efb5a1e6e47c

SHA256
5c506b4f06119b2111263cd5dd566fe8494d5c7261e4518fa0ed1ec5b6c89d20

SHA512
7420e19ecfa894ac325d231447a26f62b314ce2f68f3358be96e529965bd5e70d5f4608a599a50394f4c8636fd7da477d94da7ed82662347e31c8e964cd7b750

Download Submit
C:\Windows\{5FF7C94B-3D78-4b36-AB69-36B40C35909B}.exe

Filesize
168KB

MD5
7f15a4c20bf11c03796c22847fa010b3

SHA1
be9d2c839ded0a1e9549e5f486ba0403f84429d4

SHA256
3f2731b47c6867fb25082c594e762bf595f37d4780e91274ae2bd3949f1f6f3f

SHA512
54ff19ebd141f5b1623d5982ef1663ef0af1f2bb7be6e2e0b2b990faf0f72fdb098280890eaff176019043c6d0616fd08d6992663aaadb18068b28f969494c21

Download Submit
C:\Windows\{6AA7771D-D5B2-4163-BAAC-CF0FB3D0D3DA}.exe

Filesize
168KB

MD5
5b2ff7ff0f6ae46aabf836007765c243

SHA1
82167a3ad77c6189eaf8cc05949000ca18b27b9d

SHA256
73b38767522147cd0a37cf3ca6d799e6f61b3a04395399af507e5a694cb35c64

SHA512
ca4924bb1c953af7d0645e7e97f1d3ab306107f98b0f9a739bc59dbba1d54dc6fa366adcda673b9559f926a004c226196ac18d888aa397600b57939fbc149211

Download Submit
C:\Windows\{7FF6223D-918B-4786-8E51-541F11962DE0}.exe

Filesize
168KB

MD5
b0f9ea3f7d41add104dba99f744acad1

SHA1
d938af328c5ba6cea03c1d0980ea4fa46658a272

SHA256
3c16437802ca9067ec99ba211eeb43dab4871246630ce5cf96f4c3236f6f4c39

SHA512
cbf8b57361a855ac65ba50681d23360d03ac0118f9bfbc8c4f94959db5fef1335169ee605f687273b056ca8faa91e80e13a3ae1911526a2787b04e5bf6cb1c32

Download Submit
C:\Windows\{831E2648-9B7E-4b86-AA04-D052F46C3FEC}.exe

Filesize
168KB

MD5
4ea8eb83c40c15efbd06a6cff0795074

SHA1
2f168569aa39af6d0f285f775c5b1a28e54a83fe

SHA256
2f21f599524d2915c943417fa6ce78047d482191e99b3a72a17f8e1c23ce3912

SHA512
d918924b6b78426bd2f36caf1b36d43a7ec27eba88328bd985b8912d96383d20da8179df1d9149d84589d89d2475fd0079e8e49655f012315cf0a423684d596e

Download Submit
C:\Windows\{8637B454-0232-4b60-9AE6-264214DEC97A}.exe

Filesize
168KB

MD5
1f7525fdabbd20974f7ea7ef43669fac

SHA1
dd38a42d26d55cb26c982833f96fbc849a3e56d8

SHA256
358c381c236736971ec52f9cb58a010cc4d33c1b9f15206e33987dd31a054a2e

SHA512
6301aca906a739d75c25e1ee58000789a64e908298a303ee17063247bf29befe3c45913cff18f6273a379ae26aa96b91d5fcea233b68a0a96146a42394f492c4

Download Submit
C:\Windows\{BC7BEC39-8A70-4e8a-9E5C-297E7A7D5866}.exe

Filesize
168KB

MD5
0345198c38b9f3290630065c7ae6965e

SHA1
a599e0ca477354e993d73e21d6bf455552547767

SHA256
95e50d25464e7b2e7836f997c81f2d1a7c2179382c5c891708ce08f68bf4bec5

SHA512
26a4de4542c8249f295578e358d820ccbfac007dbc27c849f5655360c768a0a9c85c4893ed7f6a0ba17ec6e85559f4864c50d1fc00acb2890d7575ca6feb2d3e

Download Submit
C:\Windows\{F3A745A8-37C7-40b4-B886-4A97DF15B4EE}.exe

Filesize
168KB

MD5
85de1ff341d3b89e6057f3bbbf77d732

SHA1
4f779e1736a78e6a2bc746f61d3e39dd6fa6534c

SHA256
518c826ab0e5e511eafbffb4c0d18e4823d4744d79a9285bed653643b76b6f18

SHA512
ef12761deda304e5de8f6f7df56396153ead41474f21c848e98e1072cbbbbfbbb2e6b7b4d9b80b87fb103ce12a3bab3b17082b1ab932435c010ad5adb4db754d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads