7259c954a5a5fbde19ff4af9c089bae1dad6ec710d1c3515d416074b84ea34ef

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Size

168KB
MD5

6e24f841ec4d1a00d67e55b1b888f2cd
SHA1

ad05518e387665a0db5fa824cbeb0b838ba261b6
SHA256

7259c954a5a5fbde19ff4af9c089bae1dad6ec710d1c3515d416074b84ea34ef
SHA512

58a1e4417bbc0b2dee5ed87280b36f4bccf0691127bc8bd4812b2da5f1cfa0e896c9b7b42851721b81feb15c1569d4022b0dd91ee35e4fba824526f3e96a28e2
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}\stubpath = "C:\\Windows\\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe"	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431C8F7F-DC33-4989-A072-0C71532C827F}	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737ABA49-D9C9-415c-89CA-BBCECD35650A}	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737ABA49-D9C9-415c-89CA-BBCECD35650A}\stubpath = "C:\\Windows\\{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe"	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD988080-8458-419a-B840-46C77A6B31FB}\stubpath = "C:\\Windows\\{AD988080-8458-419a-B840-46C77A6B31FB}.exe"	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1340F27C-34C9-4923-A1E5-EB405CF52529}	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1340F27C-34C9-4923-A1E5-EB405CF52529}\stubpath = "C:\\Windows\\{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe"	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{862FF304-0192-4c56-81B6-45982CDF7788}	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{862FF304-0192-4c56-81B6-45982CDF7788}\stubpath = "C:\\Windows\\{862FF304-0192-4c56-81B6-45982CDF7788}.exe"	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1435B693-602D-4158-86B5-80F585C53640}	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1435B693-602D-4158-86B5-80F585C53640}\stubpath = "C:\\Windows\\{1435B693-602D-4158-86B5-80F585C53640}.exe"	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}\stubpath = "C:\\Windows\\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe"	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431C8F7F-DC33-4989-A072-0C71532C827F}\stubpath = "C:\\Windows\\{431C8F7F-DC33-4989-A072-0C71532C827F}.exe"	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD988080-8458-419a-B840-46C77A6B31FB}	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}\stubpath = "C:\\Windows\\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe"	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71DD81D-0C60-48f5-95D7-391609C77163}\stubpath = "C:\\Windows\\{B71DD81D-0C60-48f5-95D7-391609C77163}.exe"	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}	{1435B693-602D-4158-86B5-80F585C53640}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}\stubpath = "C:\\Windows\\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe"	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71DD81D-0C60-48f5-95D7-391609C77163}	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}\stubpath = "C:\\Windows\\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe"	{1435B693-602D-4158-86B5-80F585C53640}.exe

Executes dropped EXE 12 IoCs

pid	Process
1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
3620	{1435B693-602D-4158-86B5-80F585C53640}.exe
4116	{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
File created	C:\Windows\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe	{1435B693-602D-4158-86B5-80F585C53640}.exe
File created	C:\Windows\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
File created	C:\Windows\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
File created	C:\Windows\{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
File created	C:\Windows\{AD988080-8458-419a-B840-46C77A6B31FB}.exe	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
File created	C:\Windows\{862FF304-0192-4c56-81B6-45982CDF7788}.exe	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
File created	C:\Windows\{1435B693-602D-4158-86B5-80F585C53640}.exe	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
File created	C:\Windows\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
File created	C:\Windows\{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
File created	C:\Windows\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
File created	C:\Windows\{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1435B693-602D-4158-86B5-80F585C53640}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
Token: SeIncBasePriorityPrivilege	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
Token: SeIncBasePriorityPrivilege	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
Token: SeIncBasePriorityPrivilege	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
Token: SeIncBasePriorityPrivilege	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
Token: SeIncBasePriorityPrivilege	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
Token: SeIncBasePriorityPrivilege	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe
Token: SeIncBasePriorityPrivilege	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
Token: SeIncBasePriorityPrivilege	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
Token: SeIncBasePriorityPrivilege	4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe
Token: SeIncBasePriorityPrivilege	3620	{1435B693-602D-4158-86B5-80F585C53640}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 1368	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	94
PID 3740 wrote to memory of 1368	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	94
PID 3740 wrote to memory of 1368	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	94
PID 3740 wrote to memory of 2208	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	95
PID 3740 wrote to memory of 2208	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	95
PID 3740 wrote to memory of 2208	3740	2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe	95
PID 1368 wrote to memory of 1972	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	96
PID 1368 wrote to memory of 1972	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	96
PID 1368 wrote to memory of 1972	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	96
PID 1368 wrote to memory of 1464	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	97
PID 1368 wrote to memory of 1464	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	97
PID 1368 wrote to memory of 1464	1368	{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe	97
PID 1972 wrote to memory of 1608	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	100
PID 1972 wrote to memory of 1608	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	100
PID 1972 wrote to memory of 1608	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	100
PID 1972 wrote to memory of 1684	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	101
PID 1972 wrote to memory of 1684	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	101
PID 1972 wrote to memory of 1684	1972	{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe	101
PID 1608 wrote to memory of 632	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	103
PID 1608 wrote to memory of 632	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	103
PID 1608 wrote to memory of 632	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	103
PID 1608 wrote to memory of 404	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	104
PID 1608 wrote to memory of 404	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	104
PID 1608 wrote to memory of 404	1608	{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe	104
PID 632 wrote to memory of 1068	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	105
PID 632 wrote to memory of 1068	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	105
PID 632 wrote to memory of 1068	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	105
PID 632 wrote to memory of 3544	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	106
PID 632 wrote to memory of 3544	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	106
PID 632 wrote to memory of 3544	632	{431C8F7F-DC33-4989-A072-0C71532C827F}.exe	106
PID 1068 wrote to memory of 532	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	107
PID 1068 wrote to memory of 532	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	107
PID 1068 wrote to memory of 532	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	107
PID 1068 wrote to memory of 4140	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	108
PID 1068 wrote to memory of 4140	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	108
PID 1068 wrote to memory of 4140	1068	{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe	108
PID 532 wrote to memory of 1968	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	109
PID 532 wrote to memory of 1968	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	109
PID 532 wrote to memory of 1968	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	109
PID 532 wrote to memory of 4284	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	110
PID 532 wrote to memory of 4284	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	110
PID 532 wrote to memory of 4284	532	{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe	110
PID 1968 wrote to memory of 2084	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	111
PID 1968 wrote to memory of 2084	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	111
PID 1968 wrote to memory of 2084	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	111
PID 1968 wrote to memory of 2208	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	112
PID 1968 wrote to memory of 2208	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	112
PID 1968 wrote to memory of 2208	1968	{AD988080-8458-419a-B840-46C77A6B31FB}.exe	112
PID 2084 wrote to memory of 1780	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	113
PID 2084 wrote to memory of 1780	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	113
PID 2084 wrote to memory of 1780	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	113
PID 2084 wrote to memory of 2176	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	114
PID 2084 wrote to memory of 2176	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	114
PID 2084 wrote to memory of 2176	2084	{B71DD81D-0C60-48f5-95D7-391609C77163}.exe	114
PID 1780 wrote to memory of 4780	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	115
PID 1780 wrote to memory of 4780	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	115
PID 1780 wrote to memory of 4780	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	115
PID 1780 wrote to memory of 1660	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	116
PID 1780 wrote to memory of 1660	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	116
PID 1780 wrote to memory of 1660	1780	{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe	116
PID 4780 wrote to memory of 3620	4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe	117
PID 4780 wrote to memory of 3620	4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe	117
PID 4780 wrote to memory of 3620	4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe	117
PID 4780 wrote to memory of 3988	4780	{862FF304-0192-4c56-81B6-45982CDF7788}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6e24f841ec4d1a00d67e55b1b888f2cd_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
  C:\Windows\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
    C:\Windows\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
      C:\Windows\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
        
        C:\Windows\{431C8F7F-DC33-4989-A072-0C71532C827F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
        
        C:\Windows\{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
        
        C:\Windows\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{AD988080-8458-419a-B840-46C77A6B31FB}.exe
        
        C:\Windows\{AD988080-8458-419a-B840-46C77A6B31FB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
        
        C:\Windows\{B71DD81D-0C60-48f5-95D7-391609C77163}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
        
        C:\Windows\{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{862FF304-0192-4c56-81B6-45982CDF7788}.exe
        
        C:\Windows\{862FF304-0192-4c56-81B6-45982CDF7788}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{1435B693-602D-4158-86B5-80F585C53640}.exe
        
        C:\Windows\{1435B693-602D-4158-86B5-80F585C53640}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe
        
        C:\Windows\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1435B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{862FF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1340F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B71DD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD988~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D311~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{737AB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{431C8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61B11~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7235E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BF52A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1340F27C-34C9-4923-A1E5-EB405CF52529}.exe

Filesize
168KB

MD5
ba4a12c0b340dbcabf1bfcd36a68e4b8

SHA1
2cf7364d434a0f1be96c9df2868d0ae9c5b38e32

SHA256
742ea881fb48e15e9ea08201f8247a37de27594adb72ec53d3f1b9775785a27d

SHA512
d4f09282acaaae4107dfedee65afea4022de3bb260b3abcf796202b98b02e4927f4d62c64aa6f154839190da2811c79720255a17a22fc7b9e4dbd16690e63245

Download Submit
C:\Windows\{1435B693-602D-4158-86B5-80F585C53640}.exe

Filesize
168KB

MD5
cd4ce7ad7770fbc2ef3fffd41e43f363

SHA1
badac1ceafa528f7f445b16f04d38752367b68d7

SHA256
de6ba729f359c6474dfecee2400a225e6ebe61cc716c43575ec1b50f1f696aa7

SHA512
9664a6cdb2a53807ecd502d31c2c3b0a49a0fc9810c1bced1e6aba60ded4690297d1bc0ef877e54e7256b602610b20339097d72ed149010312656c0c784db3b5

Download Submit
C:\Windows\{3D31112E-4C31-48bc-9A7C-7BC3FBF65E78}.exe

Filesize
168KB

MD5
cb109b15fbc5126d5078942b1a729114

SHA1
b323363e95ba56d21d347164d275bc37003f13d7

SHA256
105e09d9352ecfb2e6e85097d33705aaf8e094ce216b1ea185776c0b49c9b0ce

SHA512
e62113e063a9c941d5c0394eca5f4bd1d69550635bbb8f92e7d90326f07b1338662065e191db76e180c83378f4747c55319d5d77149f62762f7f3cfe6ae24b80

Download Submit
C:\Windows\{431C8F7F-DC33-4989-A072-0C71532C827F}.exe

Filesize
168KB

MD5
f707269015541ff4b9627f375af63dc4

SHA1
9827908568f854400f5a867230671025e8089567

SHA256
e661715c35d757458dd96583b749546fbbc7d245a240a429f5d9d7c713f741bf

SHA512
2237d6033110d018b23d0632349c61e6657fe30b026bca5b5cfbbfa4f41368c571a473df91a980c1c2f9959cf1ce11d07cabbeee7046e696b25c5f6647e4a726

Download Submit
C:\Windows\{61B11E1E-9B5A-48a2-A01F-525A5B4DDF94}.exe

Filesize
168KB

MD5
43fe29d5c58782a8ba0a13b92b8148da

SHA1
de8d2a46c8507b41e92fc97064ccc119f3350701

SHA256
b27e72e3af332d14b78d9689e345416812ba14967d887c51778b641e63705e3e

SHA512
a6a5db12bef8408a4a39c7368f75ccdb8061985bea5866d986a9e1cf35e542f84a515eb2f792a11d84af6dfff60bd72651d08f7fe713b5f3782786060cfa8b92

Download Submit
C:\Windows\{7235E274-A5A7-42d4-B5C4-458DD90B4C0F}.exe

Filesize
168KB

MD5
520ff1f346a8082c8f3bb901d907d8d5

SHA1
edcfc45146614930929d6084d6871d23d685d0f4

SHA256
581b93e372ee1db83cef95aa26d33ac8d626f4a403942816fa9642073aa46fd7

SHA512
a67ca8f45384e14f88bc0e11ae9ea9d4bd41df5ec39f5471a8efbf8ce6db485890d77a7757d86d77b128c4390fcfb842c58938d37be4e99889d83dde207b8dbd

Download Submit
C:\Windows\{737ABA49-D9C9-415c-89CA-BBCECD35650A}.exe

Filesize
168KB

MD5
b0e6ce300eb69c33f11084b0d8e08f20

SHA1
a0a4cd7ae55749799d7a87c76ff97cb6dfb83913

SHA256
a692861ca1436c2f8dba275f64b048cb884f964ece96feabc2eb89ffc33b0cf8

SHA512
c692d59e08870ee4b61c23f0ba6d685ab266bc6e3e447e99f23d1d60c0d22a6b0dad190b385705a5da37cb759ab9fc1d1615332a352efb39be1ccdbe9742f316

Download Submit
C:\Windows\{862FF304-0192-4c56-81B6-45982CDF7788}.exe

Filesize
168KB

MD5
80e41bbd8c9afc4236fd9b94945422e3

SHA1
22464eb295fce4d7a5133e1e5db97d4e4ee986d1

SHA256
f0f8d7113d1f5e27f73a36285543312a5b8b597be6293045de5afc06146812cd

SHA512
10d7aaa0e28714ce034e5739a2549c4188f21159689fd9c429e2b59819da95aedf7dc9472934651c168806d9f3a67a25cba5e239d5ae66c311376cd75cee5eaf

Download Submit
C:\Windows\{AD988080-8458-419a-B840-46C77A6B31FB}.exe

Filesize
168KB

MD5
586dff55fb3951e78e0f728330c98acc

SHA1
9c63d7cbb8dc9bcbca09fd2cf3ab918b5f7ec94f

SHA256
63bcc1ab087642a551c312f8aa66547d2fdb03932336c0c3649535c8e89dfed2

SHA512
14c9d4b9fa6d1f9129a6dbc9a4a1a193fd848b81aa00c03fd54768a67748547d75c4e836cd505c6f069c8485f6b4b253900e1b374c1cce9e839befff3419d889

Download Submit
C:\Windows\{B71DD81D-0C60-48f5-95D7-391609C77163}.exe

Filesize
168KB

MD5
edb8414c278eb32d042ef53397d83d34

SHA1
74d9f7d397704753f60bd072a99b780d7f19d0cd

SHA256
1dff05e26326809cb5742472ebe38d161b638b383cce1b1be69034ed6b76fd8f

SHA512
eb3f3b6d5c3094602e5dbac165724a9f77b9260674f1946615a293b7e60ecba73e4be383c333e677a4acc7ff1ef3e3d7bf7fe36e9e5a2e554ff63859a02ee680

Download Submit
C:\Windows\{BF52A2FA-0510-4e34-88DB-C3A6B2DDA725}.exe

Filesize
168KB

MD5
8da5cd24293970d7965529b5ebe119f7

SHA1
963a4c6168bc52d65f4cd098bb82cc2c28de2875

SHA256
5d288fffd36177c8108f4f8432a365c8e213b2d2d8b2ff0039c0eb30dd233e4b

SHA512
f9de44ed81a0a9fae99c884a3280a0aa79e03054496139e884ca14eeda76d975361bd52f635488161d874580339e58982f952c7b2152a22c064f6bb04f6dd85a

Download Submit
C:\Windows\{E72EDB78-451C-4283-9520-B3D4FC45F8BF}.exe

Filesize
168KB

MD5
3f10d2226ce7f353e3db6aa53bfdf58c

SHA1
06728f1c2a91bd5a1c3cbf24e85ad2f001132a72

SHA256
c26d5f5c5297484cf872b1b12a10f5dac3f3066c09d9e685c8d7b2f76e7b4221

SHA512
567104e61f7415bf482ea188efce3647018490b3a0bf78ad74510408d038b98454e645fce2f98b99f9f15647d00945208b41320efc26545ee2277e8a7cfc5518

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads