d550d6320e73a68bab130c7589af42f113b4b290a82ace8cc56fdbbf0c49d39a

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
Size

216KB
MD5

b2b8f7db566469d8c2ad233f471df308
SHA1

dbee22f2c95dfd4b92b6d986070e252516339698
SHA256

d550d6320e73a68bab130c7589af42f113b4b290a82ace8cc56fdbbf0c49d39a
SHA512

869b6dd42188b7ba887287eafa3c55bf1e6ec6dbd70cf13350617703330c723a7e5122a5b09c388cfea0ae7904f03cc9aa776a0a932a7615d1bc8dc50621f9f6
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG9lEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E2203B-4C65-4560-807D-41F1F4503CE6}\stubpath = "C:\\Windows\\{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe"	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45D29A2D-9347-4baa-B75B-BE933B0CF620}	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E2203B-4C65-4560-807D-41F1F4503CE6}	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}\stubpath = "C:\\Windows\\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe"	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFC9628-310B-4852-8CE4-671EAFD777E3}\stubpath = "C:\\Windows\\{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe"	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45D29A2D-9347-4baa-B75B-BE933B0CF620}\stubpath = "C:\\Windows\\{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe"	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}\stubpath = "C:\\Windows\\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe"	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E69B61-C87E-4871-BC31-60826780E870}	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}\stubpath = "C:\\Windows\\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe"	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AFC9628-310B-4852-8CE4-671EAFD777E3}	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5E69B61-C87E-4871-BC31-60826780E870}\stubpath = "C:\\Windows\\{F5E69B61-C87E-4871-BC31-60826780E870}.exe"	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}\stubpath = "C:\\Windows\\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe"	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}\stubpath = "C:\\Windows\\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe"	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}\stubpath = "C:\\Windows\\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe"	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}\stubpath = "C:\\Windows\\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe"	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}\stubpath = "C:\\Windows\\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe"	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
2756	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
644	{F5E69B61-C87E-4871-BC31-60826780E870}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
File created	C:\Windows\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
File created	C:\Windows\{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
File created	C:\Windows\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
File created	C:\Windows\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
File created	C:\Windows\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
File created	C:\Windows\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
File created	C:\Windows\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
File created	C:\Windows\{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
File created	C:\Windows\{F5E69B61-C87E-4871-BC31-60826780E870}.exe	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
File created	C:\Windows\{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
File created	C:\Windows\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5E69B61-C87E-4871-BC31-60826780E870}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
Token: SeIncBasePriorityPrivilege	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
Token: SeIncBasePriorityPrivilege	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
Token: SeIncBasePriorityPrivilege	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
Token: SeIncBasePriorityPrivilege	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
Token: SeIncBasePriorityPrivilege	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
Token: SeIncBasePriorityPrivilege	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
Token: SeIncBasePriorityPrivilege	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
Token: SeIncBasePriorityPrivilege	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
Token: SeIncBasePriorityPrivilege	2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
Token: SeIncBasePriorityPrivilege	2756	{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4276	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	97
PID 4252 wrote to memory of 4276	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	97
PID 4252 wrote to memory of 4276	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	97
PID 4252 wrote to memory of 4272	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	98
PID 4252 wrote to memory of 4272	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	98
PID 4252 wrote to memory of 4272	4252	2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe	98
PID 4276 wrote to memory of 4892	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	99
PID 4276 wrote to memory of 4892	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	99
PID 4276 wrote to memory of 4892	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	99
PID 4276 wrote to memory of 3684	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	100
PID 4276 wrote to memory of 3684	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	100
PID 4276 wrote to memory of 3684	4276	{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe	100
PID 4892 wrote to memory of 2464	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	104
PID 4892 wrote to memory of 2464	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	104
PID 4892 wrote to memory of 2464	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	104
PID 4892 wrote to memory of 3988	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	105
PID 4892 wrote to memory of 3988	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	105
PID 4892 wrote to memory of 3988	4892	{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe	105
PID 2464 wrote to memory of 4816	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	106
PID 2464 wrote to memory of 4816	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	106
PID 2464 wrote to memory of 4816	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	106
PID 2464 wrote to memory of 740	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	107
PID 2464 wrote to memory of 740	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	107
PID 2464 wrote to memory of 740	2464	{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe	107
PID 4816 wrote to memory of 2752	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	108
PID 4816 wrote to memory of 2752	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	108
PID 4816 wrote to memory of 2752	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	108
PID 4816 wrote to memory of 5084	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	109
PID 4816 wrote to memory of 5084	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	109
PID 4816 wrote to memory of 5084	4816	{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe	109
PID 2752 wrote to memory of 3552	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	111
PID 2752 wrote to memory of 3552	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	111
PID 2752 wrote to memory of 3552	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	111
PID 2752 wrote to memory of 4588	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	112
PID 2752 wrote to memory of 4588	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	112
PID 2752 wrote to memory of 4588	2752	{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe	112
PID 3552 wrote to memory of 3668	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	113
PID 3552 wrote to memory of 3668	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	113
PID 3552 wrote to memory of 3668	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	113
PID 3552 wrote to memory of 3732	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	114
PID 3552 wrote to memory of 3732	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	114
PID 3552 wrote to memory of 3732	3552	{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe	114
PID 3668 wrote to memory of 4412	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	119
PID 3668 wrote to memory of 4412	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	119
PID 3668 wrote to memory of 4412	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	119
PID 3668 wrote to memory of 4136	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	120
PID 3668 wrote to memory of 4136	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	120
PID 3668 wrote to memory of 4136	3668	{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe	120
PID 4412 wrote to memory of 2228	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	125
PID 4412 wrote to memory of 2228	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	125
PID 4412 wrote to memory of 2228	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	125
PID 4412 wrote to memory of 2372	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	126
PID 4412 wrote to memory of 2372	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	126
PID 4412 wrote to memory of 2372	4412	{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe	126
PID 2228 wrote to memory of 2376	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	127
PID 2228 wrote to memory of 2376	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	127
PID 2228 wrote to memory of 2376	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	127
PID 2228 wrote to memory of 2784	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	128
PID 2228 wrote to memory of 2784	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	128
PID 2228 wrote to memory of 2784	2228	{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe	128
PID 2376 wrote to memory of 2756	2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe	132
PID 2376 wrote to memory of 2756	2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe	132
PID 2376 wrote to memory of 2756	2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe	132
PID 2376 wrote to memory of 5012	2376	{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_b2b8f7db566469d8c2ad233f471df308_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
  C:\Windows\{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
    C:\Windows\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
      C:\Windows\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
        
        C:\Windows\{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
        
        C:\Windows\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
        
        C:\Windows\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
        
        C:\Windows\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
        
        C:\Windows\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
        
        C:\Windows\{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
        
        C:\Windows\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
        
        C:\Windows\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{F5E69B61-C87E-4871-BC31-60826780E870}.exe
        
        C:\Windows\{F5E69B61-C87E-4871-BC31-60826780E870}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29EBD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6F5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AFC9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2E8D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0591~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FECB5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19BC6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E22~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4052~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A4EF2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{45D29~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19BC6F5C-4CDF-487f-87E6-2ABC52E6A461}.exe

Filesize
216KB

MD5
aa425e571e5c0c533f90994ff917354e

SHA1
fb5f950dfe4e76336245ef34cd7e31677b48332a

SHA256
687b820daab9368cee31e960f655cd679df8ddbd2829f22ea50e2640f2343f9c

SHA512
98a97bb62d1f7b983a5a3ff501da6456bed485446004b5f08812ca0b369473f9bf8309b5ccbd2c89ad89d28559f87c9e92497e9b12ab378662157e87a429f37e

Download Submit
C:\Windows\{29EBDEBC-82C2-4047-980A-9CE8A266A17F}.exe

Filesize
216KB

MD5
34350d057e48c514848515eb858a152d

SHA1
38195e8d105f03a198eee6508a103aad71b2042c

SHA256
d37b12ed72d58e13710471e7714f56406ee4d3f50810a8e58fae006ed3598ed2

SHA512
939eebedb30cfe16be1a3822dca076fb57621b76c6dd3cb2b2b521fba84f53a787501581d33a818791f5f88429c5653ee97e059140531507523ae6da079a649b

Download Submit
C:\Windows\{45D29A2D-9347-4baa-B75B-BE933B0CF620}.exe

Filesize
216KB

MD5
492c8012156e3980cb6248376e56d872

SHA1
75644a11f4fbf73e87024f30a11e7af115770cfb

SHA256
ba595b20caace6f3f2f3eaee926a52dd2ccd7fa5f790256f6b15725e349292d9

SHA512
10a2e32ebb6d312146c9c4bb31d7bf51479722b89a152c1c808daac236124ad0af021fcc0fc211d569a319db749987ec93406203e3906a80aa5681ffc53557ed

Download Submit
C:\Windows\{4C6F57FD-C8E7-458e-A9A1-FF4A8FADD88F}.exe

Filesize
216KB

MD5
b9bd0fed15d0ff731f51117a0a318bde

SHA1
42c5f1f1df74e1fc6641c1c9c2890a63937bb20a

SHA256
8d3dd869e28dc7b6375e75b65f43a85e56abf52d5f5ab1c5d402846865358a86

SHA512
7d7f7e6ff57a0e7865ea7036bf0fb47d81ecc573584fcfc364a05b413b6ae83f219978851701917143cbfcc0a0ae3cc3d3c2d8a206e1cd164e479707e5a3dcbd

Download Submit
C:\Windows\{8AFC9628-310B-4852-8CE4-671EAFD777E3}.exe

Filesize
216KB

MD5
82d156c64ed7656e3c1f7df3edd160fc

SHA1
ab18e8128725372d28a34b7b430fa551f4c1382b

SHA256
a67fecf2bc9f9471e299feacb2e28fe849e5cd0156719ce5852420c85e115bdc

SHA512
e1a0928781643a8987665dd3297fca663d7484900bd52316443b3bee3340302adc541eeb7d4e09ee4f4610f536a00168a4daccc93d42f2fba8ee0e975c2a5d78

Download Submit
C:\Windows\{A4EF202A-4CCD-4ac7-A875-054ACD1D335B}.exe

Filesize
216KB

MD5
a455ee60bd055acc75751c05345a2134

SHA1
2d810954580b027f3274fbb3de22fcabb332161b

SHA256
fe8279dcdf21ef597152dfc39aee44669668304eed874bb5bfbd76f6017ebcc8

SHA512
f99961b30e6d1ff9bde847713663e05ff112127c185614109a3ce558648af3a39d3fe8f06498c8eacdbf86e2e0c7772762d34cf6e3a44c892db167ff93dfe9a1

Download Submit
C:\Windows\{C4E2203B-4C65-4560-807D-41F1F4503CE6}.exe

Filesize
216KB

MD5
7042c24448eff08173e5bd4c16ab4029

SHA1
7c27ff379de97863cb19f3089b2a2244476f65bb

SHA256
5d152a8bf3ed0eb626ffe53aca59914ee00bc2a18b4c9f0723e1ea971f8d5332

SHA512
9080051570b8ba9d4c219f5790cf932d821a7c72d84ef0520927de5606e715203cf35d32e3a4306e8c3f86fa764dae4cddc249e407d33ac0a71ba4ad102f29a1

Download Submit
C:\Windows\{D40528A6-1C53-45d8-AA20-5FC4D517FE7F}.exe

Filesize
216KB

MD5
fe39bf06f0953209a3d9a2b18c94b7e2

SHA1
884f7310c3d43a450a225b48329556e8af91c189

SHA256
6d1cc03ce084d9773c3809b3b5bc5d93dae167f8874bb8ff4e70044a3273b58d

SHA512
8dd981e1ad8aee1898be238cd05d3daf20c6baced78e18e4bff61542f22c0c510c7592dbda6d26d46e723e3b385521cb9f3162cbcd207c05aefd053158513ed0

Download Submit
C:\Windows\{E0591C59-7A9D-4d29-8996-0768BE1AF30A}.exe

Filesize
216KB

MD5
046ca4d2984721157fb946fba3ae33b7

SHA1
45fe280c68c6f37a504c0b16f550741fbe034185

SHA256
8b91c202a6043bb6f5fd5ffbe2e3540222b2c03beda4fd1ac333938a585ed4f6

SHA512
c70a68856f136b900335b1880fdcd45e8574771fb2229a3c20dfd0def5099fb324c5d0781afeb82186f2205351ea7a435e64f860dc826d10d164e3ec97f43d91

Download Submit
C:\Windows\{E2E8D221-FF56-4d7d-8A42-5ED22947ED7E}.exe

Filesize
216KB

MD5
91d539c40016c8c836f695828275aa9d

SHA1
f4042700863518276e6323bc576a4e2fd3310ee8

SHA256
560944386baf30d502d54b4ee5bcf81acaa85d0cb64481322582c0c1fe05b9a4

SHA512
a6f554f29677404b078f06610e1310ec87b3686ca684dcbc2253df5ba1638ce5014126d1ed023ddfe4843f441a78b0662fb180c06de3dc541e20ec9b97a17077

Download Submit
C:\Windows\{F5E69B61-C87E-4871-BC31-60826780E870}.exe

Filesize
216KB

MD5
499c978b45274a3a646e2cd211941073

SHA1
f1c259f1045c58e6c8abbf8b0adc5029b6fe7271

SHA256
6fba854eb6371c0a2ee6245c6af5239238cdbf4c68c2bc2f729efa08694447e6

SHA512
d6f55257c1b1c2227f116fd629a7378eb983c4f324cc587b8e03f5e4507089c4bd1c08f8ad7071b46ea7b130d29970ad464d7c2c5c956db9fe3c26cda2a86567

Download Submit
C:\Windows\{FECB5570-3110-4477-A8EB-6D4EFF4BB3CA}.exe

Filesize
216KB

MD5
0a55012b5c2cca9bc93eb489409ca7e6

SHA1
63271f6d4388b1d49525a587e806c94adf7998ef

SHA256
5673aef490d718d8e691bd0259ad07560909560a52e8e1bd81aa50bc0c8e4813

SHA512
b29e82fbda85877cb6f53fe1deb8a58605095be77fe82a8c2589231da5a6bcc1bd5425a45526a23cbf7d488780aa429866423af2028aa87531ac7eda3c8d1fb1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads