486090fd53815bb5bc59e615c9b6a2188f22675f5e45b7aa44b63ef6a16dd913

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Size

380KB
MD5

e1b960ac52e9ece473b5221cd0a4b211
SHA1

36308d9095469d2c967d22d34b28a500190a8251
SHA256

486090fd53815bb5bc59e615c9b6a2188f22675f5e45b7aa44b63ef6a16dd913
SHA512

e8cf67d4c0ebafc7d6a7533b1989bbe919273215941e63b3c7c1d34937456a50d94a2d9a9161adb2d8bd24fc4308bcab8ac320ade060d46cc07302ea725f8bea
SSDEEP

3072:mEGh0otlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGbl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}\stubpath = "C:\\Windows\\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe"	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BCB042-D77E-420d-9AAB-74E67BA797D2}	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}\stubpath = "C:\\Windows\\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe"	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}\stubpath = "C:\\Windows\\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe"	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}\stubpath = "C:\\Windows\\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe"	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33C992A-3363-414c-A20E-BA3C11F52CE2}	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}\stubpath = "C:\\Windows\\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe"	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}\stubpath = "C:\\Windows\\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe"	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BCB042-D77E-420d-9AAB-74E67BA797D2}\stubpath = "C:\\Windows\\{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe"	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}\stubpath = "C:\\Windows\\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe"	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33C992A-3363-414c-A20E-BA3C11F52CE2}\stubpath = "C:\\Windows\\{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe"	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}\stubpath = "C:\\Windows\\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe"	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}\stubpath = "C:\\Windows\\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe"	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEEE915-F244-4a02-93AD-85AF27C14A64}	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEEE915-F244-4a02-93AD-85AF27C14A64}\stubpath = "C:\\Windows\\{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe"	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
5096	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
908	{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
File created	C:\Windows\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
File created	C:\Windows\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
File created	C:\Windows\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
File created	C:\Windows\{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
File created	C:\Windows\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
File created	C:\Windows\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
File created	C:\Windows\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
File created	C:\Windows\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
File created	C:\Windows\{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
File created	C:\Windows\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
File created	C:\Windows\{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
Token: SeIncBasePriorityPrivilege	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
Token: SeIncBasePriorityPrivilege	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
Token: SeIncBasePriorityPrivilege	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
Token: SeIncBasePriorityPrivilege	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
Token: SeIncBasePriorityPrivilege	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
Token: SeIncBasePriorityPrivilege	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
Token: SeIncBasePriorityPrivilege	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
Token: SeIncBasePriorityPrivilege	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
Token: SeIncBasePriorityPrivilege	2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
Token: SeIncBasePriorityPrivilege	5096	{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1512	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	86
PID 4900 wrote to memory of 1512	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	86
PID 4900 wrote to memory of 1512	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	86
PID 4900 wrote to memory of 4572	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	87
PID 4900 wrote to memory of 4572	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	87
PID 4900 wrote to memory of 4572	4900	2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe	87
PID 1512 wrote to memory of 4540	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	88
PID 1512 wrote to memory of 4540	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	88
PID 1512 wrote to memory of 4540	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	88
PID 1512 wrote to memory of 2120	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	89
PID 1512 wrote to memory of 2120	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	89
PID 1512 wrote to memory of 2120	1512	{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe	89
PID 4540 wrote to memory of 4588	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	93
PID 4540 wrote to memory of 4588	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	93
PID 4540 wrote to memory of 4588	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	93
PID 4540 wrote to memory of 1608	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	94
PID 4540 wrote to memory of 1608	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	94
PID 4540 wrote to memory of 1608	4540	{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe	94
PID 4588 wrote to memory of 4512	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	95
PID 4588 wrote to memory of 4512	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	95
PID 4588 wrote to memory of 4512	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	95
PID 4588 wrote to memory of 3340	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	96
PID 4588 wrote to memory of 3340	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	96
PID 4588 wrote to memory of 3340	4588	{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe	96
PID 4512 wrote to memory of 1116	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	97
PID 4512 wrote to memory of 1116	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	97
PID 4512 wrote to memory of 1116	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	97
PID 4512 wrote to memory of 2544	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	98
PID 4512 wrote to memory of 2544	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	98
PID 4512 wrote to memory of 2544	4512	{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe	98
PID 1116 wrote to memory of 4768	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	99
PID 1116 wrote to memory of 4768	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	99
PID 1116 wrote to memory of 4768	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	99
PID 1116 wrote to memory of 1808	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	100
PID 1116 wrote to memory of 1808	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	100
PID 1116 wrote to memory of 1808	1116	{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe	100
PID 4768 wrote to memory of 5076	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	101
PID 4768 wrote to memory of 5076	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	101
PID 4768 wrote to memory of 5076	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	101
PID 4768 wrote to memory of 2500	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	102
PID 4768 wrote to memory of 2500	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	102
PID 4768 wrote to memory of 2500	4768	{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe	102
PID 5076 wrote to memory of 1480	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	103
PID 5076 wrote to memory of 1480	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	103
PID 5076 wrote to memory of 1480	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	103
PID 5076 wrote to memory of 5112	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	104
PID 5076 wrote to memory of 5112	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	104
PID 5076 wrote to memory of 5112	5076	{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe	104
PID 1480 wrote to memory of 2052	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	105
PID 1480 wrote to memory of 2052	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	105
PID 1480 wrote to memory of 2052	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	105
PID 1480 wrote to memory of 2424	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	106
PID 1480 wrote to memory of 2424	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	106
PID 1480 wrote to memory of 2424	1480	{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe	106
PID 2052 wrote to memory of 2788	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	107
PID 2052 wrote to memory of 2788	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	107
PID 2052 wrote to memory of 2788	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	107
PID 2052 wrote to memory of 3888	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	108
PID 2052 wrote to memory of 3888	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	108
PID 2052 wrote to memory of 3888	2052	{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe	108
PID 2788 wrote to memory of 5096	2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe	109
PID 2788 wrote to memory of 5096	2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe	109
PID 2788 wrote to memory of 5096	2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe	109
PID 2788 wrote to memory of 2428	2788	{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e1b960ac52e9ece473b5221cd0a4b211_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
  C:\Windows\{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
    C:\Windows\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
      C:\Windows\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
        
        C:\Windows\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
        
        C:\Windows\{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
        
        C:\Windows\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
        
        C:\Windows\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
        
        C:\Windows\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
        
        C:\Windows\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
        
        C:\Windows\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
        
        C:\Windows\{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe
        
        C:\Windows\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B33C9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B84E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48CA1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5179F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B0B1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77979~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64BCB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79AC0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B62E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{70C47~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEEE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B62E327-9FF2-4c3e-8F07-40163E182CDB}.exe

Filesize
380KB

MD5
3e27abcd04f71a84f7140843654a2e02

SHA1
3b29e23d406abc2905047dcdd008fe675d6d636c

SHA256
a8b1b4fec378192e6a90b6e50354160ec4bbb89843ebb968bb252d5173ee5b2b

SHA512
847845bc2fe37b1d22d28639317085b7e155ac494424cc796162ba3caff5e8e19b2cb44992c0364b4f4ff07d480173fd9e22bd087ca510fd8ae2b288dce0a10f

Download Submit
C:\Windows\{3B84E930-DE0D-40fd-A9DB-9CC2F0A0C2D7}.exe

Filesize
380KB

MD5
dc952c77864d4938bc9a736e608863dc

SHA1
94296c6dac7fd16e2a3185960be07976d6b162a8

SHA256
088d17d3b7909d0334e5cd14779ea0f0f4f02659e63704aa00f03309c2f03ce5

SHA512
69f90efdada45cf37b27b0567479595b0ab2c5812cead47b2756d6f754ce6f26f67a4025d505ed0e067caad386a376592a129a95cc457a3ec5da2cc77d7a068d

Download Submit
C:\Windows\{48CA149A-F2A2-4bd9-905B-B6B38F720C82}.exe

Filesize
380KB

MD5
6c1fb226858b5e599ff44ad6fb465167

SHA1
00469dd2f26413fbc5b4bb01f545ff8b73d3bc9f

SHA256
df3c53143b3495bce3131d8af76c21331c16d0f88da1a0c631cccd695e9c12f9

SHA512
8101dcde072a34fa807238609bb701d10c216bb37fc9867266c9d66eb53f45326cc75c4187953d802641753bf729d3742900d8fde8d18813dde0f1edcd86443c

Download Submit
C:\Windows\{5179F45B-0C24-4c15-AFCF-736F5C2B0FD0}.exe

Filesize
380KB

MD5
c2fc15afe8694895a796bd666c94766b

SHA1
f5674f552e9dc2451232c37f85bcd10a131b30e5

SHA256
818c67011a19bca530d76a7f8733435c9c3485d1b7b1fb01119bae1e6cfc5609

SHA512
7aa5c2155a3b4c792076eaffaf49651a6943effca49b279703492e80df8fb4a855630e1d34b10e9d6be3f557cac1c12e9779acf65392fdc15281d2ed382017db

Download Submit
C:\Windows\{64BCB042-D77E-420d-9AAB-74E67BA797D2}.exe

Filesize
380KB

MD5
faef5477e97d221d4892806b07d52d92

SHA1
88d1112e6a0324a50743f0e848d5c429af7f1fa4

SHA256
29584a6dbd1795905395afdca7eedbbe98fad600ea5787d7e9021e7e0b74f785

SHA512
be4c343fcdd1657f7cb975427db0c491619392e866232efdc83c619dda4934fea5aa16ca89e59f9266f65345c4a0dce31416c8f22a95b623ecf640ce51d635a5

Download Submit
C:\Windows\{70C476D9-0B03-45a0-BE33-59FBC2A5783D}.exe

Filesize
380KB

MD5
821e88369dd376dce984319aeb9a570d

SHA1
188564a1d8c68103762f50f61966f0a3e20c770e

SHA256
be37136d790f2fd3cc0f2e3adabc445ece44e7c440d134a0e758bd74a1154138

SHA512
1876877e0184c35ad3a88eb45fd619a39f90bdd69dd070046deca6a5aec73d520b76fe8194e0175eecf778ccc2014a170323f24666a23fe6601b307e3b9a63f3

Download Submit
C:\Windows\{77979554-D4CE-49ab-8FDE-24067D4EFDEB}.exe

Filesize
380KB

MD5
206f4b3126364079f0a00a3960b39237

SHA1
56e2ea53d00a3fa0b71eb099cc8e9a3dcf870779

SHA256
542650b5a053218e23d464545da2bed90701c47351bbc19816a006d5f54bd1b1

SHA512
dd4a60e53cf8eef8e36700424cf3171bbbd9187bc3ea70620fee23aa3b31ce214b7ead844a5148dc04fa0831cbb7e7fa99e9b5befb4d1d7b46de05c7267b4e89

Download Submit
C:\Windows\{79AC08BB-9B34-4bd7-A905-D622FD0B2AA0}.exe

Filesize
380KB

MD5
4632d1f3849f28dd168ddde64b622e32

SHA1
01c49278c4401566b5a30783866c96cc3bc95e8a

SHA256
e895a621a42a023ef7a082db0588bc590fb1daf1f16a971285b64db9380c4045

SHA512
581b39bb6e4572f0eb3459280eeaedf5fbc97897855b551ca6465c99d0dbcc723f7e46636c3cd4cb3e08661ee204bb669b3cc1e45ec7570c38314f4ac6c8c053

Download Submit
C:\Windows\{7B0B1E48-425B-4a1c-AD8B-218C22970CDE}.exe

Filesize
380KB

MD5
3dc93d381ad62f39780b1764bc8c1f35

SHA1
d08289095f96e6f3a5f2a131121537ec80ef53c5

SHA256
9f36d9c3eb3b1691c2430d452871a3c609953855f4bb4e898646f9d8ec9254f1

SHA512
dbb373d8fcce5cf3f68b26591842e0715675107545204afdc7615121e85fe824aedd967c3d537d871062390d42dab4b4ea53f4cc519af61057603af98044e7b6

Download Submit
C:\Windows\{8EEEE915-F244-4a02-93AD-85AF27C14A64}.exe

Filesize
380KB

MD5
681e6d7bd8ddb0f783b54a688e27cbe8

SHA1
b2f903b31117d6bbf58841a557a2cbde95c60991

SHA256
2272b973ae900435b5b1d588b741a7e2d5aba4447d45892cd7f839115de387d4

SHA512
96b28565461bf7e6040873df8d9d0b34f3749b8c04ae0a79171a876b2b1a2b5e8944f7e5c8055c7c531e7c462a81b9869ef5694b84175e0b5efe1ce37e65d37b

Download Submit
C:\Windows\{B33C992A-3363-414c-A20E-BA3C11F52CE2}.exe

Filesize
380KB

MD5
ea0d7d5d19b2c44eb7f75bc60558da53

SHA1
9449e5df3ea9862688cd99dacacb388b92d88c25

SHA256
8cbf1bbab6ef01325cfb5e0d57f4b5838363a9c424e9ed777a8f5a1069b9d74b

SHA512
2109e8adf59bb0c193459dbb97c3aff7645fb70ae3a5de8ceb8412b2365c9d89b855ad30f2593b45296dc606810272ba40317f18d13493798918076a01b6cde2

Download Submit
C:\Windows\{BD85B7E4-8038-4ad6-A3EB-C7A1AE2A70AA}.exe

Filesize
380KB

MD5
356af62a4d5dade8064b90607ea3241b

SHA1
c821fe52df6c7e9ad793d325b9a41f4867d9d49a

SHA256
9cf9e4e7bcce902713f386e9176b58d5c57fd9c6e0c91f39418cf65b6e2ea40d

SHA512
d46030e0f33682d3d18389ac7da17f77cfd87ef50ff8c7cd5dbe9790ea214e8e8017257b649a128bc9df8c5cf46f3029e4f0f95612b1fb6cf312732f28db1be3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads