08f5acbab5ea7f6ca3d94ec0dec08788c099426c60968574dad54b7e8f817c41

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
Size

344KB
MD5

11bcad7c984f0d68447b017b2ffa67e1
SHA1

0da1708a903a2197d4e42bd8d2f6a4cc0bc3e100
SHA256

08f5acbab5ea7f6ca3d94ec0dec08788c099426c60968574dad54b7e8f817c41
SHA512

03b4808893562b52d9865912dd0c9392f285c9ccef9deeeb2c1c7ddee4ea09d15f102c905902190f7db9d90d22b6214b5ef54be4ddd3264616a990a66e71f280
SSDEEP

3072:mEGh0oclEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C5B7B13-76C9-4436-AC03-8745E5739E92}\stubpath = "C:\\Windows\\{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe"	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}\stubpath = "C:\\Windows\\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe"	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C34772F3-16A4-4a4f-B8F6-675E75543282}	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607F6F99-EF92-4497-B7C5-72F26B128BF1}	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607F6F99-EF92-4497-B7C5-72F26B128BF1}\stubpath = "C:\\Windows\\{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe"	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A83C67-2BCC-4c71-836E-57C09A57B653}\stubpath = "C:\\Windows\\{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe"	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A83C67-2BCC-4c71-836E-57C09A57B653}	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C5B7B13-76C9-4436-AC03-8745E5739E92}	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509879B6-B490-4b56-AF12-0313639341FA}	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}	{509879B6-B490-4b56-AF12-0313639341FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C2578B-365B-40a3-94A0-AB44D1C7E084}	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C2578B-365B-40a3-94A0-AB44D1C7E084}\stubpath = "C:\\Windows\\{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe"	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C34772F3-16A4-4a4f-B8F6-675E75543282}\stubpath = "C:\\Windows\\{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe"	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}\stubpath = "C:\\Windows\\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe"	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}\stubpath = "C:\\Windows\\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe"	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}\stubpath = "C:\\Windows\\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe"	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{509879B6-B490-4b56-AF12-0313639341FA}\stubpath = "C:\\Windows\\{509879B6-B490-4b56-AF12-0313639341FA}.exe"	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}\stubpath = "C:\\Windows\\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe"	{509879B6-B490-4b56-AF12-0313639341FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}\stubpath = "C:\\Windows\\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe"	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe

Executes dropped EXE 12 IoCs

pid	Process
928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe
184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
1824	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
452	{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
File created	C:\Windows\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
File created	C:\Windows\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
File created	C:\Windows\{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
File created	C:\Windows\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
File created	C:\Windows\{509879B6-B490-4b56-AF12-0313639341FA}.exe	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
File created	C:\Windows\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
File created	C:\Windows\{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
File created	C:\Windows\{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
File created	C:\Windows\{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
File created	C:\Windows\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	{509879B6-B490-4b56-AF12-0313639341FA}.exe
File created	C:\Windows\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{509879B6-B490-4b56-AF12-0313639341FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
Token: SeIncBasePriorityPrivilege	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe
Token: SeIncBasePriorityPrivilege	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
Token: SeIncBasePriorityPrivilege	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
Token: SeIncBasePriorityPrivilege	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
Token: SeIncBasePriorityPrivilege	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
Token: SeIncBasePriorityPrivilege	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
Token: SeIncBasePriorityPrivilege	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
Token: SeIncBasePriorityPrivilege	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
Token: SeIncBasePriorityPrivilege	2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
Token: SeIncBasePriorityPrivilege	1824	{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 928	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	94
PID 3920 wrote to memory of 928	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	94
PID 3920 wrote to memory of 928	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	94
PID 3920 wrote to memory of 4100	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	95
PID 3920 wrote to memory of 4100	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	95
PID 3920 wrote to memory of 4100	3920	2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe	95
PID 928 wrote to memory of 2096	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	96
PID 928 wrote to memory of 2096	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	96
PID 928 wrote to memory of 2096	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	96
PID 928 wrote to memory of 3172	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	97
PID 928 wrote to memory of 3172	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	97
PID 928 wrote to memory of 3172	928	{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe	97
PID 2096 wrote to memory of 184	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	101
PID 2096 wrote to memory of 184	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	101
PID 2096 wrote to memory of 184	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	101
PID 2096 wrote to memory of 1648	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	102
PID 2096 wrote to memory of 1648	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	102
PID 2096 wrote to memory of 1648	2096	{509879B6-B490-4b56-AF12-0313639341FA}.exe	102
PID 184 wrote to memory of 368	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	103
PID 184 wrote to memory of 368	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	103
PID 184 wrote to memory of 368	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	103
PID 184 wrote to memory of 3080	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	104
PID 184 wrote to memory of 3080	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	104
PID 184 wrote to memory of 3080	184	{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe	104
PID 368 wrote to memory of 4356	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	105
PID 368 wrote to memory of 4356	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	105
PID 368 wrote to memory of 4356	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	105
PID 368 wrote to memory of 5044	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	106
PID 368 wrote to memory of 5044	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	106
PID 368 wrote to memory of 5044	368	{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe	106
PID 4356 wrote to memory of 1952	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	108
PID 4356 wrote to memory of 1952	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	108
PID 4356 wrote to memory of 1952	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	108
PID 4356 wrote to memory of 4716	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	109
PID 4356 wrote to memory of 4716	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	109
PID 4356 wrote to memory of 4716	4356	{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe	109
PID 1952 wrote to memory of 1412	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	110
PID 1952 wrote to memory of 1412	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	110
PID 1952 wrote to memory of 1412	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	110
PID 1952 wrote to memory of 5032	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	111
PID 1952 wrote to memory of 5032	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	111
PID 1952 wrote to memory of 5032	1952	{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe	111
PID 1412 wrote to memory of 2056	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	116
PID 1412 wrote to memory of 2056	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	116
PID 1412 wrote to memory of 2056	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	116
PID 1412 wrote to memory of 2392	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	117
PID 1412 wrote to memory of 2392	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	117
PID 1412 wrote to memory of 2392	1412	{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe	117
PID 2056 wrote to memory of 1904	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	122
PID 2056 wrote to memory of 1904	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	122
PID 2056 wrote to memory of 1904	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	122
PID 2056 wrote to memory of 2832	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	123
PID 2056 wrote to memory of 2832	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	123
PID 2056 wrote to memory of 2832	2056	{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe	123
PID 1904 wrote to memory of 2516	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	124
PID 1904 wrote to memory of 2516	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	124
PID 1904 wrote to memory of 2516	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	124
PID 1904 wrote to memory of 1948	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	125
PID 1904 wrote to memory of 1948	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	125
PID 1904 wrote to memory of 1948	1904	{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe	125
PID 2516 wrote to memory of 1824	2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe	126
PID 2516 wrote to memory of 1824	2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe	126
PID 2516 wrote to memory of 1824	2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe	126
PID 2516 wrote to memory of 1524	2516	{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_11bcad7c984f0d68447b017b2ffa67e1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
  C:\Windows\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\{509879B6-B490-4b56-AF12-0313639341FA}.exe
    C:\Windows\{509879B6-B490-4b56-AF12-0313639341FA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
      C:\Windows\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Windows\{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
        
        C:\Windows\{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
        
        C:\Windows\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
        
        C:\Windows\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
        
        C:\Windows\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
        
        C:\Windows\{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
        
        C:\Windows\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
        
        C:\Windows\{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
        
        C:\Windows\{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe
        
        C:\Windows\{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A83~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{607F6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D8FD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C25~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77B64~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0B4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA8E2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3477~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3481A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50987~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BE4F8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C2578B-365B-40a3-94A0-AB44D1C7E084}.exe

Filesize
344KB

MD5
c9d430d5cfadfe91a3256766d3acee14

SHA1
26ed34d7189047ad23136dc16275b804cf46e04c

SHA256
7901a3ff944be83f4f9186aa29616b617282aa0f46a434d567903e0b7fc27713

SHA512
4452058841187960f89ca3537df08337cebf4ab3a990fa97ca717d1ab51f246b2bb1882df6c868824366aeb0d991a3b92a096e1f42270aed6472b2d093132145

Download Submit
C:\Windows\{1D8FD87C-9442-4e44-AD1C-04A9D88667F5}.exe

Filesize
344KB

MD5
fbf41a5807063ced60cb3374229df92f

SHA1
98b4607e9ce3a241c47c5d62440694c5b0429408

SHA256
f0fce192205e9992f95201d8b392eb89314fd447af01c1b347106139671fdbf3

SHA512
63bda49ac9d0740c3c00b1d7a34a5966a3a610fd2c217c2764d4ca3edaf676ded31e4f45b4987dcd31ab95bd72fa35210587b002d5fca0834228abd725038f60

Download Submit
C:\Windows\{3481A4C4-7C9C-4442-8DFE-0B79E82C2430}.exe

Filesize
344KB

MD5
fc2808ffd29fa4c10b3f667f37808987

SHA1
f90693bf5760fef78c4038022a8671a49d18670c

SHA256
f99bb6fdeea2cc97a2c500e4c115726b42b26625bc36c478d654e13a9cd609eb

SHA512
098d5bfd3a5f6762c21568cf78aaeb0cefc70e95d586064ce1d64c9c1420e23824e70b99aa4a63b4914c205140225da31f0058717f01fa27a2d13bd956187356

Download Submit
C:\Windows\{509879B6-B490-4b56-AF12-0313639341FA}.exe

Filesize
344KB

MD5
c11a36b36c88a21a4b453a3a1ce3595f

SHA1
c5a769d8bd7f45cfd5073082d2b0083d45981a13

SHA256
68951004550aaf89304a3cd4c80a42f52d9d4d7a923c0b227fdfc2aeb0161373

SHA512
c9e3b10759fc3556d71b7c03fc5ef3a14a4a8debed0caaf2ed7a842fc60e69060c844fbdc7b2c63ae10553d5b090caa385d864ca52be4b779fd69344ab41c6ea

Download Submit
C:\Windows\{607F6F99-EF92-4497-B7C5-72F26B128BF1}.exe

Filesize
344KB

MD5
cb5d0b1ae6f190513121ff018a6401a1

SHA1
1e7e619f5568ef2da329f32844e41331c32f2d03

SHA256
f02a75d0b20602bb39dfec277fc1e317384bd6f017ff9053bfc2a2bfed39f73b

SHA512
7dccfa75fcc0a2fae6ae0b625ed856e6163ab724c22ea85965fc130f761503266912bbf63a4f0be146459f49284087050ac5b8689aad08f044589a76ef42c754

Download Submit
C:\Windows\{66A83C67-2BCC-4c71-836E-57C09A57B653}.exe

Filesize
344KB

MD5
77509be781957ed01085260a97340301

SHA1
274c490e23270f29e41293eca7103cb48717ffdf

SHA256
355d92e3111a50e8128d61af0de4f09b5b4db5c215cb6151733ca66d967a2abc

SHA512
088f10bba3e12d1d02262e465e6d59163695ad632d3c97a99b74fc8bef966391dd71b3158e8676c132079f46aa872763cedc9e7826b9e87647b2045c9d50469c

Download Submit
C:\Windows\{77B644A3-EC74-42cf-AF5C-CD5486B0EB30}.exe

Filesize
344KB

MD5
4bda10d8a8f552178ca158ae883edc51

SHA1
7fa8edc04d307d52d279c92efca8688e8fc6833d

SHA256
3cd27b24f508a5aa0d1146c11cce4b8590cea6015b2e16babfe361f78a243d26

SHA512
819b6cc0dc89b3117096fb2506f69022a1e89ab9059d6ce78ecfb9ffda25ce5f0dc3daa4d08ae0899c2df9fa257d30a338936b9b27a0166c921d22a3bf92fe0a

Download Submit
C:\Windows\{7E0B4C41-B792-4b9a-8842-A35E3B6907E7}.exe

Filesize
344KB

MD5
b526a1fc03a1ceead6536e82216bffe8

SHA1
7f7b0ebfa0462bba821026354b7f49f0d0c6595b

SHA256
3bcd4f18266f94a0a5417ad082c2d0b49074aa8190c84f83c1409c5e1cfb853b

SHA512
b9119c654a84dbf4d698c117a946a760a4446cb614e0b1e35040ef8eb3a19b0de9e1d2839e029b0e3ac795296fbfafc2026cbb8caa320f7c9479175fcadcec2e

Download Submit
C:\Windows\{9C5B7B13-76C9-4436-AC03-8745E5739E92}.exe

Filesize
344KB

MD5
9e631d4e341c87a7f2e65b1bebef092d

SHA1
d0c69ba4d2ebe7b1e7f151965df1ae8c143a6899

SHA256
adb2b00d717b8a34df510116718a507042f02e69f15dad5e340c065aed0dc21e

SHA512
d490bcbc67b819479ea4e73305f059819f292575610f496a9cb1e76caf144445f9abcdd08d20a595759de6013c4f1e90a7cec1bac55f87dee8ffd4c67badef48

Download Submit
C:\Windows\{AA8E2E1B-3ADC-4b78-AC7D-444F33B45D75}.exe

Filesize
344KB

MD5
ad74ab632f04f21c58678003a8429502

SHA1
2e2336a24a51d8394d68b38d955519e824198816

SHA256
6c06a86b0ae1a89862d76619879cbf26e318e711da8b874bac0d8636f4b58f2d

SHA512
6f17fa6d2abd6a07c7cdcd7a8a689b610fca2fd7a11d7b2151940b3e1f971cbcab46f5e4b043e41400e13c29c331150bbccb60663ee74415c7003ddc87a52a25

Download Submit
C:\Windows\{BE4F8353-A446-4a37-81C1-7DF140CC1A26}.exe

Filesize
344KB

MD5
df32589e94a3d1a2c7f7584c7f6872fc

SHA1
a837fba3d86d71be3c70e3108bdf01415c1d424e

SHA256
185dc5f762847be36a4442149d731f1d981199a48bbb06903acfdf9032357727

SHA512
7a21797a463fa66bc5cfb53112ba5af5bfc9f9b72466d3cf8760adc44432b3bea48a00178530705a267a1642aa5d75774738884e2f5698f91c7e9e379d0727dc

Download Submit
C:\Windows\{C34772F3-16A4-4a4f-B8F6-675E75543282}.exe

Filesize
344KB

MD5
bcc12f7e70491b771328e92733d5f9d5

SHA1
a704c066da684bbf8afd8aa88c1bca4a97186834

SHA256
675d0c5d8c405be37760cc88587508e628f58170ccfb059cf35187baae1bd204

SHA512
b8772bdaed03458430cad8ccf24ac880b2adee5a024b5e13d51364b9c4ceeefb87dc3b4a9079b3cb405476e9557ff8ba2a4e01ec5d4788ba29cab61ce567c6fa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads