0175cdcf69c3c0e922683edd59d2db3b09d79e3c774a366f8c93c23ec10f61d2

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Size

197KB
MD5

6f427dc92b46c6e9a6f1c06e2474a96b
SHA1

b9a42ee1f7a3228fb794383cf6e8b82968271a58
SHA256

0175cdcf69c3c0e922683edd59d2db3b09d79e3c774a366f8c93c23ec10f61d2
SHA512

81316010b98f72660eaff1ee9de930f5d93c970c5f91bca6c232ab0302da983a4608ef1dd659ee5784a61fbf5b8ab9794e9525e0dd24354285649f1b40bad41c
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGGlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}\stubpath = "C:\\Windows\\{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe"	{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86930B9C-4384-477c-AFA3-6FB41DB47023}\stubpath = "C:\\Windows\\{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe"	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3455EA52-F233-4dd4-9A27-8B145A122633}	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3455EA52-F233-4dd4-9A27-8B145A122633}\stubpath = "C:\\Windows\\{3455EA52-F233-4dd4-9A27-8B145A122633}.exe"	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}\stubpath = "C:\\Windows\\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe"	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{861889D2-E70E-4517-8B7E-974F29D7EBBD}	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84E610D7-4403-40df-9B61-8309494EC9C4}\stubpath = "C:\\Windows\\{84E610D7-4403-40df-9B61-8309494EC9C4}.exe"	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}\stubpath = "C:\\Windows\\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe"	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}\stubpath = "C:\\Windows\\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe"	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84E610D7-4403-40df-9B61-8309494EC9C4}	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86930B9C-4384-477c-AFA3-6FB41DB47023}	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}\stubpath = "C:\\Windows\\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe"	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}\stubpath = "C:\\Windows\\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe"	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}\stubpath = "C:\\Windows\\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe"	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}	{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}\stubpath = "C:\\Windows\\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe"	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{861889D2-E70E-4517-8B7E-974F29D7EBBD}\stubpath = "C:\\Windows\\{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe"	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
4888	{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
4408	{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
File created	C:\Windows\{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
File created	C:\Windows\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
File created	C:\Windows\{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
File created	C:\Windows\{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
File created	C:\Windows\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
File created	C:\Windows\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
File created	C:\Windows\{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
File created	C:\Windows\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
File created	C:\Windows\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
File created	C:\Windows\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
Token: SeIncBasePriorityPrivilege	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
Token: SeIncBasePriorityPrivilege	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
Token: SeIncBasePriorityPrivilege	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
Token: SeIncBasePriorityPrivilege	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
Token: SeIncBasePriorityPrivilege	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
Token: SeIncBasePriorityPrivilege	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
Token: SeIncBasePriorityPrivilege	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
Token: SeIncBasePriorityPrivilege	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
Token: SeIncBasePriorityPrivilege	3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2072	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	93
PID 4668 wrote to memory of 2072	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	93
PID 4668 wrote to memory of 2072	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	93
PID 4668 wrote to memory of 1660	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	94
PID 4668 wrote to memory of 1660	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	94
PID 4668 wrote to memory of 1660	4668	2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe	94
PID 2072 wrote to memory of 2064	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	95
PID 2072 wrote to memory of 2064	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	95
PID 2072 wrote to memory of 2064	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	95
PID 2072 wrote to memory of 4200	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	96
PID 2072 wrote to memory of 4200	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	96
PID 2072 wrote to memory of 4200	2072	{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe	96
PID 2064 wrote to memory of 3148	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	100
PID 2064 wrote to memory of 3148	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	100
PID 2064 wrote to memory of 3148	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	100
PID 2064 wrote to memory of 1844	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	101
PID 2064 wrote to memory of 1844	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	101
PID 2064 wrote to memory of 1844	2064	{84E610D7-4403-40df-9B61-8309494EC9C4}.exe	101
PID 3148 wrote to memory of 3960	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	102
PID 3148 wrote to memory of 3960	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	102
PID 3148 wrote to memory of 3960	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	102
PID 3148 wrote to memory of 4832	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	103
PID 3148 wrote to memory of 4832	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	103
PID 3148 wrote to memory of 4832	3148	{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe	103
PID 3960 wrote to memory of 1404	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	104
PID 3960 wrote to memory of 1404	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	104
PID 3960 wrote to memory of 1404	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	104
PID 3960 wrote to memory of 412	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	105
PID 3960 wrote to memory of 412	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	105
PID 3960 wrote to memory of 412	3960	{3455EA52-F233-4dd4-9A27-8B145A122633}.exe	105
PID 1404 wrote to memory of 4888	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	107
PID 1404 wrote to memory of 4888	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	107
PID 1404 wrote to memory of 4888	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	107
PID 1404 wrote to memory of 4292	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	108
PID 1404 wrote to memory of 4292	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	108
PID 1404 wrote to memory of 4292	1404	{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe	108
PID 2664 wrote to memory of 4764	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	115
PID 2664 wrote to memory of 4764	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	115
PID 2664 wrote to memory of 4764	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	115
PID 2664 wrote to memory of 3152	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	116
PID 2664 wrote to memory of 3152	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	116
PID 2664 wrote to memory of 3152	2664	{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe	116
PID 4764 wrote to memory of 3092	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	121
PID 4764 wrote to memory of 3092	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	121
PID 4764 wrote to memory of 3092	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	121
PID 4764 wrote to memory of 5072	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	122
PID 4764 wrote to memory of 5072	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	122
PID 4764 wrote to memory of 5072	4764	{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe	122
PID 3092 wrote to memory of 2736	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	123
PID 3092 wrote to memory of 2736	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	123
PID 3092 wrote to memory of 2736	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	123
PID 3092 wrote to memory of 2652	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	124
PID 3092 wrote to memory of 2652	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	124
PID 3092 wrote to memory of 2652	3092	{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe	124
PID 2736 wrote to memory of 3992	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	125
PID 2736 wrote to memory of 3992	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	125
PID 2736 wrote to memory of 3992	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	125
PID 2736 wrote to memory of 4840	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	126
PID 2736 wrote to memory of 4840	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	126
PID 2736 wrote to memory of 4840	2736	{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe	126
PID 3992 wrote to memory of 4408	3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe	130
PID 3992 wrote to memory of 4408	3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe	130
PID 3992 wrote to memory of 4408	3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe	130
PID 3992 wrote to memory of 4272	3992	{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_6f427dc92b46c6e9a6f1c06e2474a96b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
  C:\Windows\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
    C:\Windows\{84E610D7-4403-40df-9B61-8309494EC9C4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
      C:\Windows\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
        
        C:\Windows\{3455EA52-F233-4dd4-9A27-8B145A122633}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
        
        C:\Windows\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
        
        C:\Windows\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
        
        C:\Windows\{E502FD09-C4FC-4926-B64D-5F8F0A0EE300}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
        
        C:\Windows\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
        
        C:\Windows\{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
        
        C:\Windows\{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
        
        C:\Windows\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe
        
        C:\Windows\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F68~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86930~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86188~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAB6D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E502F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{495A3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C49~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3455E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{801CF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84E61~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D4D43~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3455EA52-F233-4dd4-9A27-8B145A122633}.exe

Filesize
197KB

MD5
25e5fe8a9a1c04384f962afaaa0a92a5

SHA1
e21b91dbd5053f8ae7cecba9a360013b0be9dfe1

SHA256
3c7b1089f97d9e07fa2883db2bad797557032ed830de34cb8e9bd272eb953107

SHA512
752122a2120b7c8f69c12a9a7fabc984c14831af842a7edee56165af64dc062b1102081bdc8124c6543a9c7e6a43ba3e312951b3866b0fdcfcb55f808990793e

Download Submit
C:\Windows\{495A3927-5BEE-4f24-9E62-A2F25094FA2E}.exe

Filesize
197KB

MD5
ed929fcb8a5b128314c4273a8c18fc32

SHA1
c4a67815181716db54db10315e9812fb80a6f626

SHA256
90de956fe42dbbfad54aad4ec2af4673586c56daa2aeb143a54becc608c28389

SHA512
3b50473db1874c96d47967575e8eba4e55f277416929000800d6be990f659e0753c0366ff6ef0461c6afcc648dacd1daf9931ef10a47bb56916b23889d0f4a89

Download Submit
C:\Windows\{801CF440-F8E7-47bd-97EC-9E39F1058F6E}.exe

Filesize
197KB

MD5
fecaa9e66b7657b86d6f97223dcbf2ea

SHA1
cbe96f5f9442f629013c0ffcf08b95397ae29d08

SHA256
cfb622fb12dcf7f592358ef1274498147ea8d2c9dc5269d67510ab27737a47a6

SHA512
69d76005a381820f0bc243746e012f6f4a7ce6f267e1041238bee3f3259e973e5b5506130d41bce42603418676935ee99114274cc98d88e629afc11a87751fe6

Download Submit
C:\Windows\{84E610D7-4403-40df-9B61-8309494EC9C4}.exe

Filesize
197KB

MD5
98228ba9eb8f4feb313598bb9a57f221

SHA1
5832638e181a7cbfdb0a018358936d9d714e9b0b

SHA256
3d4c6dd9a6c004590eb9067e1c2a73f077a4da99f0eb5bd3c4ac1e08fbad005d

SHA512
f485aceb4d24d8e18cf4b65da8778a7a316e7c21788a7f9d91384ef2ed696008e45ceedfc190fed013b212e8b92804fca77b91e2e296a695c095b4ed4a7af436

Download Submit
C:\Windows\{861889D2-E70E-4517-8B7E-974F29D7EBBD}.exe

Filesize
197KB

MD5
b052cdb028c1c249746f9926b77ed2f9

SHA1
cf1a12717dc84c01a5c137c7e51c8afb162174e4

SHA256
4db6475304c30bfd07ef9b89e23d5d70187c57b967f982bc44686beb6d0d74ae

SHA512
64420558340b1ad2075769d2f2286b86866813d8d17442b0911d2223d703fc193a31331f107733789e80ecdd04255bbea2992e49557dd9434943874fcd24d9b3

Download Submit
C:\Windows\{86930B9C-4384-477c-AFA3-6FB41DB47023}.exe

Filesize
197KB

MD5
754d05917a2057bf2381692d3fd9eb76

SHA1
24b980604a13bdf682fcfad4a3a894610020b66a

SHA256
bd3a77a7001acac138c1593fe8a0a7443618bc94431f500e23e5e736256207db

SHA512
76bddb890fe6a57584a0989b37e21969b25cfc9cadc08d68e5f04d1babeb0a6d8919784a13a0f79cdb02559266a24a8a10609f33f13f8d1cbb385403d085af45

Download Submit
C:\Windows\{A6F68B4D-1DBA-477d-A0F8-242F1106478A}.exe

Filesize
197KB

MD5
712843af8f8b1c10c3dc1fa8323baf22

SHA1
e1ec9b5f4a3d618d2a3ffd0d6a9f0aa3d30d5813

SHA256
aaaa091ffd5efdab02ca725d840e0dc55c26a4a252c62269018d7e354d4c1ff6

SHA512
7abf20236f775e3f78ca6cb122d21bdc4536f7dd36a81b064e7c54f9c1890f19a1da689956ae0bd61c05c5dc5326c619849d1545ce67f85db4b835e04c7e7122

Download Submit
C:\Windows\{AAB6D3CB-68C5-4708-9AA8-C33C62782C08}.exe

Filesize
197KB

MD5
bd2f9a3c55be7e931d0598868b05df44

SHA1
4206d563327e7df497f7b2fe41246cb0b1d6575d

SHA256
9b244de2f19a54274dde813ae9d62200b9f3b802db93d7a3d19a2ac0529a7f39

SHA512
b7a1f707c2765d2301ac6db0ce5cfd9f07afd1329199f38ddadb33ba73f3ae4bbf772d73a9ed7e2c1344b048e4659bd227d88e6c8d9e9eab342d7b125a26fd80

Download Submit
C:\Windows\{C7D12558-5E17-4ea3-A0BF-0584ABA314DF}.exe

Filesize
197KB

MD5
2f31f8eb6d1ec93fef2c0a7340249d16

SHA1
262cf57a0fedefd4f7e653cd865775c6604acb2e

SHA256
0dbb8faccdb73b78bdfb3806daf799284156d3e2785145b300528c173bf8d9ad

SHA512
3f8d5fdf32306ac17b243b9510fc047b9f5255a1060577398b3b59e748b641be0c78e8e376f2619ae5c3b05a853840470201b33dd9560178a6c97562766f7b3a

Download Submit
C:\Windows\{D4D434F2-753B-429b-BF10-EDEC2F6C8D71}.exe

Filesize
197KB

MD5
65fd1727e6b83dec7ce1ac76f6b2adfa

SHA1
2a1792269aab0c59a3f52baac9726a979c968fe6

SHA256
de06fc4921a9169f01cdf5d8d7513368b8715cbe4b2c5a7c18830c9fb3c18e41

SHA512
b55a85ab7617e31a8c9e83dc56cf2db1bf33fe9d3797418eb7753e3709680742d01367db6bf49a39863bc69813e6b4d4d15b38be5fee97ba05080ca9b1a31a0a

Download Submit
C:\Windows\{E9C49CCE-BA6B-46d2-BBC1-DEFF1CE8B06E}.exe

Filesize
197KB

MD5
af90312e749334b3a613e2e329dfc066

SHA1
aaf4fb6ef8a3f23b3682ab9d9c2a57d29e6b4be3

SHA256
5f372727223293e2bd4742aa6ff5d8bbb0fe7edeea7034b153befc80bf6dd3ca

SHA512
644aeb4c57039cbbf924c20bc954d6a2c6844ad88ac9ff12ec2b281986f756281e5b955687668570a28a26e67673c5af6ffa37050a187801d2785243a4e0ce98

Download Submit
memory/4888-23-0x0000000003980000-0x0000000003A5B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads