f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Size

380KB
MD5

dde8214497f9cce33bb255611157fe5a
SHA1

a5923cd70d864604958ce40b1b894a0e7633ca2c
SHA256

f9e28efa88dac35f0a7b9ff99e0c7b4827cd6496e4be9bf6a7cc2d54501957af
SHA512

3a68d87e1a5e2be19e272b7b07e0dff487f8d23559f1c7b4a37761ee840cd92c26b497083c92d67793b07e2456c34b745fa63442a91fb3300659912f5f4fa261
SSDEEP

3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E791659F-6B3A-433e-879D-BE738AACC008}	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}\stubpath = "C:\\Windows\\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe"	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49CE902F-E93C-4d61-B4E2-11AA064C5307}\stubpath = "C:\\Windows\\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe"	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{726DC184-19CD-4131-88F4-7759CB88DDBE}\stubpath = "C:\\Windows\\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe"	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91514FFB-AF48-4fd5-9F76-C394552AC13D}\stubpath = "C:\\Windows\\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe"	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}\stubpath = "C:\\Windows\\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe"	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91514FFB-AF48-4fd5-9F76-C394552AC13D}	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EBE2F6-C4B6-484b-867A-025530930B59}\stubpath = "C:\\Windows\\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe"	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49CE902F-E93C-4d61-B4E2-11AA064C5307}	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1676A555-BC30-42ba-9400-05C937C4AD62}	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}\stubpath = "C:\\Windows\\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe"	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}\stubpath = "C:\\Windows\\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe"	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9EBE2F6-C4B6-484b-867A-025530930B59}	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1676A555-BC30-42ba-9400-05C937C4AD62}\stubpath = "C:\\Windows\\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe"	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}\stubpath = "C:\\Windows\\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe"	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E791659F-6B3A-433e-879D-BE738AACC008}\stubpath = "C:\\Windows\\{E791659F-6B3A-433e-879D-BE738AACC008}.exe"	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{726DC184-19CD-4131-88F4-7759CB88DDBE}	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7C0225-B173-41fe-B194-CAA16D25654A}	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E7C0225-B173-41fe-B194-CAA16D25654A}\stubpath = "C:\\Windows\\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe"	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
3724	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
1208	{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
File created	C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
File created	C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
File created	C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
File created	C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
File created	C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
File created	C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
File created	C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
File created	C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
File created	C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
File created	C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
File created	C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
Token: SeIncBasePriorityPrivilege	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
Token: SeIncBasePriorityPrivilege	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
Token: SeIncBasePriorityPrivilege	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe
Token: SeIncBasePriorityPrivilege	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
Token: SeIncBasePriorityPrivilege	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
Token: SeIncBasePriorityPrivilege	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
Token: SeIncBasePriorityPrivilege	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
Token: SeIncBasePriorityPrivilege	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
Token: SeIncBasePriorityPrivilege	1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
Token: SeIncBasePriorityPrivilege	3724	{1676A555-BC30-42ba-9400-05C937C4AD62}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 4552	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	94
PID 4124 wrote to memory of 4552	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	94
PID 4124 wrote to memory of 4552	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	94
PID 4124 wrote to memory of 3168	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	95
PID 4124 wrote to memory of 3168	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	95
PID 4124 wrote to memory of 3168	4124	2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe	95
PID 4552 wrote to memory of 4376	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	96
PID 4552 wrote to memory of 4376	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	96
PID 4552 wrote to memory of 4376	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	96
PID 4552 wrote to memory of 1864	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	97
PID 4552 wrote to memory of 1864	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	97
PID 4552 wrote to memory of 1864	4552	{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe	97
PID 4376 wrote to memory of 1168	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	101
PID 4376 wrote to memory of 1168	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	101
PID 4376 wrote to memory of 1168	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	101
PID 4376 wrote to memory of 4448	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	102
PID 4376 wrote to memory of 4448	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	102
PID 4376 wrote to memory of 4448	4376	{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe	102
PID 1168 wrote to memory of 1380	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	103
PID 1168 wrote to memory of 1380	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	103
PID 1168 wrote to memory of 1380	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	103
PID 1168 wrote to memory of 4912	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	104
PID 1168 wrote to memory of 4912	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	104
PID 1168 wrote to memory of 4912	1168	{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe	104
PID 1380 wrote to memory of 5044	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	105
PID 1380 wrote to memory of 5044	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	105
PID 1380 wrote to memory of 5044	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	105
PID 1380 wrote to memory of 4264	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	106
PID 1380 wrote to memory of 4264	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	106
PID 1380 wrote to memory of 4264	1380	{E791659F-6B3A-433e-879D-BE738AACC008}.exe	106
PID 5044 wrote to memory of 4204	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	107
PID 5044 wrote to memory of 4204	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	107
PID 5044 wrote to memory of 4204	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	107
PID 5044 wrote to memory of 3940	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	108
PID 5044 wrote to memory of 3940	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	108
PID 5044 wrote to memory of 3940	5044	{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe	108
PID 4204 wrote to memory of 852	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	109
PID 4204 wrote to memory of 852	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	109
PID 4204 wrote to memory of 852	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	109
PID 4204 wrote to memory of 2680	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	110
PID 4204 wrote to memory of 2680	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	110
PID 4204 wrote to memory of 2680	4204	{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe	110
PID 852 wrote to memory of 2944	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	111
PID 852 wrote to memory of 2944	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	111
PID 852 wrote to memory of 2944	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	111
PID 852 wrote to memory of 3784	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	112
PID 852 wrote to memory of 3784	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	112
PID 852 wrote to memory of 3784	852	{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe	112
PID 2944 wrote to memory of 1452	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	113
PID 2944 wrote to memory of 1452	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	113
PID 2944 wrote to memory of 1452	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	113
PID 2944 wrote to memory of 4672	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	114
PID 2944 wrote to memory of 4672	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	114
PID 2944 wrote to memory of 4672	2944	{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe	114
PID 1452 wrote to memory of 1768	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	115
PID 1452 wrote to memory of 1768	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	115
PID 1452 wrote to memory of 1768	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	115
PID 1452 wrote to memory of 2504	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	116
PID 1452 wrote to memory of 2504	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	116
PID 1452 wrote to memory of 2504	1452	{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe	116
PID 1768 wrote to memory of 3724	1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe	117
PID 1768 wrote to memory of 3724	1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe	117
PID 1768 wrote to memory of 3724	1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe	117
PID 1768 wrote to memory of 5064	1768	{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_dde8214497f9cce33bb255611157fe5a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
  C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
    C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
      C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe
        
        C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
        
        C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
        
        C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
        
        C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
        
        C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
        
        C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
        
        C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
        
        C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
        
        C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1676A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E7C0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{726DC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49CE9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9EBE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A506~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DEA3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7916~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91514~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EFC9D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4307E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DEA3C28-EF9E-4900-8225-FC378FA68E9B}.exe

Filesize
380KB

MD5
b9eaf83cb463d546c87cfa421fb4ea7d

SHA1
068f972b0100a71d175b6a1eb31901ffd014f656

SHA256
ee0f7246b8e85e4489cd73ec8bc87324f2199ebc18c476aba96ebc0695b99356

SHA512
8cad7b2b9733a1a7503b86f3a4fccf20c4f97ab3c8ea697114ea048bf1fe0029e996b1e2a9f382deef2525a67248266b6974958c6d62ff34a1b2b607cdc7375c

Download Submit
C:\Windows\{1676A555-BC30-42ba-9400-05C937C4AD62}.exe

Filesize
380KB

MD5
c9b6539e7d482c53d877ace410594592

SHA1
3c9d342cf606fc139d764ac0344489e27b041326

SHA256
02f1d3e13c7f645c15aa82178e164cc934c51f38e82025bd113093ed36920035

SHA512
7bca5cca26f0ae639f0bcd0f4cb46b00edd9ae5b24a22bb024213b3ef75c5789f42923db0b520437aedc6139a3e000fb5cfc52ddf77ce89e9820f7bb5cd1f4cc

Download Submit
C:\Windows\{1A50652B-40BB-4a31-85FF-8E78D66C67C3}.exe

Filesize
380KB

MD5
e18bed81a8f24bb1bb795f445bb250c4

SHA1
32f8acffea4ce099a1c09c60f282fe79518bea4e

SHA256
f03c715d06940b3e6517b9a1cc5694ee8edf4b055a7eb4b87e3839c354741392

SHA512
e0bb6764352ec06a3b99708fb22fe2519b08b85ee39fe8f75aaecbdc69989a80791ba5938d58e6e4596d25b447c81a4a3aeca9d14a7c1f134ac0ccec99d792dc

Download Submit
C:\Windows\{4307EFE9-23C5-471d-AC52-E6BC20480DAA}.exe

Filesize
380KB

MD5
f4c8108c33ff1d30054807ea72fc09c5

SHA1
938788b53e78ec6e988508314c50a39ace546905

SHA256
3970f29f2ff9a81aad04de176bd5488779600726c00a658706541ea3dce41337

SHA512
7ea4cc78a6cd9527794704069c8e7c4138f568f5ecc2c6b3c325552cb86864bf48f6e7d2c5b418a42e06dc5f60218153c753efe366a00edf4558168ba8174bdf

Download Submit
C:\Windows\{49CE902F-E93C-4d61-B4E2-11AA064C5307}.exe

Filesize
380KB

MD5
77d873cee7b19a1e0cb82bb8dd63a695

SHA1
c590ae8b41c3ce35835acea6cb1885de477a4320

SHA256
0f858c6bd92319632df96d9c4a364302f39c142d93a36c6b39c2dbba9365c313

SHA512
1938c8bcdccf44f84328e925ffa445ab34071d2bbd584f38967754f4a9decf07d8ab222aae1b594474d24f0cef7cae1e1cb36f7cb6f5be85dcaefb4b9f496c2a

Download Submit
C:\Windows\{726DC184-19CD-4131-88F4-7759CB88DDBE}.exe

Filesize
380KB

MD5
e894bb303b4f07d569073df7872e770a

SHA1
abe8c530022950fda70b2c736ef1b1dc6fa08756

SHA256
ce2641ff809a9e6e8ed0f2588df8fb85a7f28f0f128979c57a70854a5a0054e5

SHA512
0eff516354a28d62d17a32a91fe2dd8dec46050f5256cc2197ccf203398d481af63604bd5cd39d956f02d8f28a75486817ded09f207441f15e66d43bfa5cf3e2

Download Submit
C:\Windows\{91514FFB-AF48-4fd5-9F76-C394552AC13D}.exe

Filesize
380KB

MD5
25dc0c313d5d6f39b0dfc3b164efdcdc

SHA1
2755047321406a0f3183218d409f4b57e856e821

SHA256
197170174770ee423b3beaa19815fd2458877e5068d79d6f7b9d6f6b2460a411

SHA512
45dee2c2ae51be85e773b4844b3e2fa3d5dd1d05f6047350fd3db815078e07b768428594aa4fd349469dcb09194f7fb00a9f1153b1904d5a1a10f988c9a26d40

Download Submit
C:\Windows\{9E7C0225-B173-41fe-B194-CAA16D25654A}.exe

Filesize
380KB

MD5
0c9477684289370eddd1bb66f00f2444

SHA1
5b953ea10024ee2f4a1beb905aca8e3e8828b334

SHA256
c434c5f5d1fe487dd425cda53518cd27621d1835f8469d3ed3cd456f636a1f15

SHA512
d3f5c32fe6b2fb5ea990fc9b19f2feabb83adaa5ce85eb97e1d928db1171125c471c821f01d1394b2b37dad52911d25870ab9a566b5972b707bdf016e714cfeb

Download Submit
C:\Windows\{A17C747F-063A-4687-A6B4-8CBDC0C5D3CF}.exe

Filesize
380KB

MD5
520e1a8728caa57fd627a3df284fe3ba

SHA1
e1f288bfe0b37076279b76f518a904fa06bf8d9f

SHA256
f8348e1ea57dffefdb5feae8d1e3bccc95164d62f600a5bc09801cb418d5fca1

SHA512
d45a99ccfd194280a4f22101d7f6cfd5206151187fe78715a30ec1f6f1a798f21efab1dae19f69352a7289912f8ae0b34c2f6386df3bb16dc5091a38cb5881e7

Download Submit
C:\Windows\{D9EBE2F6-C4B6-484b-867A-025530930B59}.exe

Filesize
380KB

MD5
e741393d459fbc72380153b9bd618d49

SHA1
d286494fb803431892a4806ac84322d02f382394

SHA256
3a9108532087ecc5125d15664dee21f25797ca22deddedc2947bfc02214a5c6f

SHA512
a731c6ed0d0756105e532edef50c1a0732d7104094a22c90f5ad97a831c56dfdbd85f8431a5a887057ad89333b5e3a6516ce7b7a21408ec3057ce325c2c49bf8

Download Submit
C:\Windows\{E791659F-6B3A-433e-879D-BE738AACC008}.exe

Filesize
380KB

MD5
14c82d83db01e382d9ee4bf8197316c3

SHA1
6b8bfa35be77870e906a6091c4b55cc806ae650c

SHA256
a35ce6e4d5fc33b7510198e8eaeed13b04f0ecec5cf548aeaf75a448bee99fe1

SHA512
78aea24c24454f48cdea63a414d4f8c98a8d8a11acf990a50ec00f44893c3c5cb0cf689888efdaaed9b785cd2b1d3bbbb684eeb90fbf10fc798732213938269c

Download Submit
C:\Windows\{EFC9DF1E-76EF-4707-AFBB-301A81E868F8}.exe

Filesize
380KB

MD5
ce8eda04262d64093f50b0f88e6328d5

SHA1
1f95fefc4b6813195a452d6465dabc85b9837f2c

SHA256
14308251529fb926b36c227bf66a8ac0bdaad9437831bee52f6a82919a61b305

SHA512
954c9672cff707df9418292341ab1f870ca566cd9a5ee20d28445a2eec1c1da7c401e2699945fa003ec797405eb43f45c496a19804eaa1887237d16cff9af5e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads