62529e2d48959c64889c5b9ed3335da2c9f18f110a2ff3541e2c0d3262cf20fe

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Size

197KB
MD5

4dbe5698a8ed98a0ff32405470ecfbdb
SHA1

864efbcf74c8a9835805b8016214fba7285119fc
SHA256

62529e2d48959c64889c5b9ed3335da2c9f18f110a2ff3541e2c0d3262cf20fe
SHA512

f45907a5f29fb44fc77f3af49a08d2713ecba9d77f22a39ef4e71a9056a8db84a7edaf37c036e9ddad61d4f468989c086ca95292bcda27f53eab68920c75c00f
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}\stubpath = "C:\\Windows\\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe"	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}\stubpath = "C:\\Windows\\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe"	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}\stubpath = "C:\\Windows\\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe"	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}\stubpath = "C:\\Windows\\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe"	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}\stubpath = "C:\\Windows\\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe"	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}\stubpath = "C:\\Windows\\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe"	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}\stubpath = "C:\\Windows\\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe"	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}\stubpath = "C:\\Windows\\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe"	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}\stubpath = "C:\\Windows\\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe"	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}\stubpath = "C:\\Windows\\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe"	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}\stubpath = "C:\\Windows\\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe"	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}\stubpath = "C:\\Windows\\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe"	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
1600	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
1624	{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
File created	C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
File created	C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
File created	C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
File created	C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
File created	C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
File created	C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
File created	C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
File created	C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
File created	C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
File created	C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
File created	C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
Token: SeIncBasePriorityPrivilege	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
Token: SeIncBasePriorityPrivilege	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
Token: SeIncBasePriorityPrivilege	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
Token: SeIncBasePriorityPrivilege	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
Token: SeIncBasePriorityPrivilege	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
Token: SeIncBasePriorityPrivilege	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
Token: SeIncBasePriorityPrivilege	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
Token: SeIncBasePriorityPrivilege	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
Token: SeIncBasePriorityPrivilege	1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
Token: SeIncBasePriorityPrivilege	1600	{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2892	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	86
PID 880 wrote to memory of 2892	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	86
PID 880 wrote to memory of 2892	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	86
PID 880 wrote to memory of 4264	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	87
PID 880 wrote to memory of 4264	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	87
PID 880 wrote to memory of 4264	880	2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe	87
PID 2892 wrote to memory of 4708	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	88
PID 2892 wrote to memory of 4708	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	88
PID 2892 wrote to memory of 4708	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	88
PID 2892 wrote to memory of 2968	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	89
PID 2892 wrote to memory of 2968	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	89
PID 2892 wrote to memory of 2968	2892	{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe	89
PID 4708 wrote to memory of 1260	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	93
PID 4708 wrote to memory of 1260	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	93
PID 4708 wrote to memory of 1260	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	93
PID 4708 wrote to memory of 3916	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	94
PID 4708 wrote to memory of 3916	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	94
PID 4708 wrote to memory of 3916	4708	{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe	94
PID 1260 wrote to memory of 1568	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	95
PID 1260 wrote to memory of 1568	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	95
PID 1260 wrote to memory of 1568	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	95
PID 1260 wrote to memory of 2460	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	96
PID 1260 wrote to memory of 2460	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	96
PID 1260 wrote to memory of 2460	1260	{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe	96
PID 1568 wrote to memory of 1828	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	97
PID 1568 wrote to memory of 1828	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	97
PID 1568 wrote to memory of 1828	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	97
PID 1568 wrote to memory of 696	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	98
PID 1568 wrote to memory of 696	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	98
PID 1568 wrote to memory of 696	1568	{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe	98
PID 1828 wrote to memory of 2992	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	99
PID 1828 wrote to memory of 2992	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	99
PID 1828 wrote to memory of 2992	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	99
PID 1828 wrote to memory of 1752	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	100
PID 1828 wrote to memory of 1752	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	100
PID 1828 wrote to memory of 1752	1828	{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe	100
PID 2992 wrote to memory of 5068	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	101
PID 2992 wrote to memory of 5068	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	101
PID 2992 wrote to memory of 5068	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	101
PID 2992 wrote to memory of 1680	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	102
PID 2992 wrote to memory of 1680	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	102
PID 2992 wrote to memory of 1680	2992	{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe	102
PID 5068 wrote to memory of 1696	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	103
PID 5068 wrote to memory of 1696	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	103
PID 5068 wrote to memory of 1696	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	103
PID 5068 wrote to memory of 1808	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	104
PID 5068 wrote to memory of 1808	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	104
PID 5068 wrote to memory of 1808	5068	{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe	104
PID 1696 wrote to memory of 2664	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	105
PID 1696 wrote to memory of 2664	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	105
PID 1696 wrote to memory of 2664	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	105
PID 1696 wrote to memory of 3240	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	106
PID 1696 wrote to memory of 3240	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	106
PID 1696 wrote to memory of 3240	1696	{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe	106
PID 2664 wrote to memory of 1324	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	107
PID 2664 wrote to memory of 1324	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	107
PID 2664 wrote to memory of 1324	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	107
PID 2664 wrote to memory of 1944	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	108
PID 2664 wrote to memory of 1944	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	108
PID 2664 wrote to memory of 1944	2664	{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe	108
PID 1324 wrote to memory of 1600	1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe	109
PID 1324 wrote to memory of 1600	1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe	109
PID 1324 wrote to memory of 1600	1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe	109
PID 1324 wrote to memory of 3640	1324	{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4dbe5698a8ed98a0ff32405470ecfbdb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
  C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
    C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
      C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
        
        C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
        
        C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
        
        C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
        
        C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
        
        C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
        
        C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
        
        C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
        
        C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe
        
        C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD7D5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B345~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F9A2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F602~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AF9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{283BE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{129D9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5219E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C0D0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{644FC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6F0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C0D08FC-5808-47d3-99FC-48E905CEF0E3}.exe

Filesize
197KB

MD5
21acff72f037f495b301118e11d90601

SHA1
8d611c9d248a2dd7053ac22476de15edb9137bbe

SHA256
5cf3e3f0ebe2bead4e211b2b7b7adc30d2fee127e1cff471980d92e9bdac2b65

SHA512
96ee17ea7260dcbb01bee23822c9583af4e7625ece8666f7791319da4dc6a91b49b3cd396d279b08a01b979bd69f8292d3487f7f3f02013456f6838c406f21ee

Download Submit
C:\Windows\{129D9FBE-EA22-4fc5-B9D6-032D60AF15D4}.exe

Filesize
197KB

MD5
7b682d5ae72c21ad4f7dd07890d6461f

SHA1
102aebc0d6fc8444648d5272446e87599d976184

SHA256
b687ead78bac890f7cc3995fdaadf9c1d3a6c498d344fa36b047ff8ccc0b4573

SHA512
3e37c5b0784f3f7cf6cd3c793d51b55a09dd3a16f402729dc04124b99301637afdf022779534b4d56130f9b4fbe7917ddf6e75169082ac4261c24af9727c01cc

Download Submit
C:\Windows\{16AF9FBB-BA5C-48db-956E-735DD4C7516D}.exe

Filesize
197KB

MD5
7292121b26ff969179c55832e6b9c5ac

SHA1
75bf220d603b24ff7a5d5553301f9878d333d91c

SHA256
2cc0d39a5e4d67d6713fe38f2ef94844d1ad56033c6fda07169657aeffdcb755

SHA512
e18708c5f9fa230c65b92c9e01f7f4dcd46ff1febaa5382c2d45a1fe2633732b5b960be4c9144eee3cfa2a1602676fa843baeb9fa6f51ec247d66580d924432f

Download Submit
C:\Windows\{283BEF99-60D0-4b7c-98DD-90B84C343BD6}.exe

Filesize
197KB

MD5
5171f2ad2112748c830d200062bc5933

SHA1
b45b3333c09382b41dfc9a0a9df59794ebab4af2

SHA256
44ed8726c84d2604af81eb58bc91f46885106b0a5674a4b3663d42f33ad013b9

SHA512
11133eef523e7f60fd386b6f5fac1dc5fd51b8229fa579a6d3c3ba8508e7c2acf2c65e68a1198401d058e888dde57e56c3a0ecb8e20476b2347ce207ec32baf1

Download Submit
C:\Windows\{2B3459E6-EBDD-485c-98EF-1955A1B0C0C2}.exe

Filesize
197KB

MD5
38934e09e257d6b4a63dd038e0f56004

SHA1
a57cc807bc21f36fdd6c8d7de0690ad9eee132df

SHA256
f773f101ef3d7376ea81feffeb0b8bd66874fbcf99cf9f2354ab910283a55ed7

SHA512
0512810e5386d70cce09b9376c71a0bd1daa9b06fd9de66e8f25b09e968f73ed90ea3b6df539010ef4da80ef6faed8ab246803503f5b74111c9135b153c227f1

Download Submit
C:\Windows\{5219EB4D-0BE1-454a-91EA-14E22384A2D1}.exe

Filesize
197KB

MD5
cd53b07b2c50974a7b20d4d89ee13efc

SHA1
d37386da443e25a6a59d4d42e2998a390e4d241a

SHA256
05e300e74c601bf86f34970fdb5fc51aabb090a3a2b09ada7c23327a26d1f277

SHA512
f7a3e88b3cdf0685be90e37b4cc592394460c805db9c76655e7885b9d0068bf6a5f1a2c7ff8c749281045fbeeaafcae06952a16c360e0c9ce5e7d9aa2c1438ca

Download Submit
C:\Windows\{644FC49E-C4DD-479b-A91E-E520A22B5D1E}.exe

Filesize
197KB

MD5
a0e33f853f52a40491b01ce417569586

SHA1
49b9d52337f6c57d1dfb627d710c2c2736b5c0f9

SHA256
5424a162e96b23c5f67363cf5567615d7a0fec7c839bb80706f223ec05e66783

SHA512
7855acb482c0867512c7296197e9aca5340c6f24627db396e34d01ba72d8349f10ad5b7213c5739061ef2388e71bfcc5fddc15faea9a15bdb2b83c8f5edcb4a8

Download Submit
C:\Windows\{67A3F923-B33C-4561-A6A7-E2D8A41B4C0E}.exe

Filesize
197KB

MD5
27164f71f44d1998fbfa7c0e44676a4b

SHA1
948c2d0bfadb774f28acf5b953b860680a4bc682

SHA256
3253cbf3c3bc5acf5d12bcca10f380be3c3d655744e0ad35081ce9a431e0aa13

SHA512
75c98292e59986f3fdad9c76c216bad7d00296bca9dfdec51f290a9db600c0ba940ce619ca51e6953f636be6845cc76b7f8c2e1d7dbee4a76a3deb5222bfe83d

Download Submit
C:\Windows\{6F9A2088-F535-4ff5-B37A-F8C4551A5AEA}.exe

Filesize
197KB

MD5
2f389002e70ab688b196700dc5e799d6

SHA1
316e8e4d9df583a4f2bfc26005dc909cdc88c8b4

SHA256
2c9ab5db765a28461c225b70989a5b6fdfb446e096e557c95c02e1ab9135cd86

SHA512
1c4d4e50caf0e8f53ce66c241976f5124f968b1d594183e9510d312b4d1bbd56e0684cf4ef82adf44c34e08a1edeceb2be6b9730f19da065fef1ded5cc28ef6e

Download Submit
C:\Windows\{8F60272F-7FA7-43c5-B399-5D7DCCBC956A}.exe

Filesize
197KB

MD5
c1bdc9d3fbae086ac18b6054a1f5fbf9

SHA1
08974050a294172a66606bbf9da6c74995424742

SHA256
c38dcb99d0008544ee1692cd851377ade369745985aceee0ac54aee9090fed1f

SHA512
6e2c124a5e01a6e4daab96a625ce9bdf17aecb044f8e57918c537bad8cd3e54e42e30d7d135340f60bf727af658c9868ddce5f3b3ac59f22964ea6473f1bf0c4

Download Submit
C:\Windows\{CD7D5024-62E6-4ffe-B74B-979FB7360AA1}.exe

Filesize
197KB

MD5
e6b31042d3af356bf467c5f90c85c39b

SHA1
e3bf89630e886ee8e2c502e3bded2d34fc820dae

SHA256
b7bf9a1eeaf34bd99ea48e9e3f0e9c72c93ded25c12159d1986023e5a082e55d

SHA512
f3881f086e440f6d9a0a9d3ba8592e83d6459a007ad2ca371bc877082925936e93dfd320dc0d688bc3f501f7d52b599848a8133a1588e814769c6f25ab2e16af

Download Submit
C:\Windows\{EB6F0009-4022-4319-9F8B-D11F9B449E7C}.exe

Filesize
197KB

MD5
68a656c894e8c5831633a8dcaa76add2

SHA1
601472e846fd3a14428049d6315c3aa3ce5e06d7

SHA256
718af2e07515037737746a46d76606dbb7b8430ac6921e3faf8288eaff301c2c

SHA512
4449a0134bef7111bf924af030fdc7d58351008f48533c0a990dd321c2bef41b3319d089123ed267b042809d6ab36615838fd997252fee98f8fbc718703d679e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads