eb636d65fadb2a4fe9d47ba9fedc3cffe7f151a00380e471902521f2dbdba439

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Size

344KB
MD5

5b1009c3118c06f34aaccdbf8866858f
SHA1

63fa6cfb0323248d311dd2cb0611564bd01e30af
SHA256

eb636d65fadb2a4fe9d47ba9fedc3cffe7f151a00380e471902521f2dbdba439
SHA512

28101f4cad97a961e27e25f7337d25ba9171ef37d9260b2408cde3abe10e6807eb38b4de0608c9ba27491e2470fb753ddae46a19d39c5c21def327d127873bea
SSDEEP

3072:mEGh0o+lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}\stubpath = "C:\\Windows\\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe"	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241CFFF1-5750-4a7e-97E5-A8D68899A586}\stubpath = "C:\\Windows\\{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe"	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}\stubpath = "C:\\Windows\\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe"	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C7C73B-1460-4983-9049-F131166ED193}\stubpath = "C:\\Windows\\{49C7C73B-1460-4983-9049-F131166ED193}.exe"	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F25A634-6346-4e19-9F31-5082054A43C2}	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}\stubpath = "C:\\Windows\\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe"	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACB7E94-CC9A-4377-9051-499A05478D78}\stubpath = "C:\\Windows\\{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe"	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F25A634-6346-4e19-9F31-5082054A43C2}\stubpath = "C:\\Windows\\{3F25A634-6346-4e19-9F31-5082054A43C2}.exe"	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ACB7E94-CC9A-4377-9051-499A05478D78}	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF064CF-548C-44b6-8E1E-2648F46C0394}	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}\stubpath = "C:\\Windows\\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe"	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{910A5886-AA1F-4630-89B0-31F9C48E0F91}	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C7C73B-1460-4983-9049-F131166ED193}	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{164AC611-BAA0-4c55-881A-CBCB26323D11}	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDF064CF-548C-44b6-8E1E-2648F46C0394}\stubpath = "C:\\Windows\\{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe"	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{910A5886-AA1F-4630-89B0-31F9C48E0F91}\stubpath = "C:\\Windows\\{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe"	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241CFFF1-5750-4a7e-97E5-A8D68899A586}	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13772A6-6A70-4eda-85BD-380707DF98D6}	{49C7C73B-1460-4983-9049-F131166ED193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E13772A6-6A70-4eda-85BD-380707DF98D6}\stubpath = "C:\\Windows\\{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe"	{49C7C73B-1460-4983-9049-F131166ED193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{164AC611-BAA0-4c55-881A-CBCB26323D11}\stubpath = "C:\\Windows\\{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe"	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe
3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
3680	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
1456	{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
File created	C:\Windows\{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
File created	C:\Windows\{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
File created	C:\Windows\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
File created	C:\Windows\{49C7C73B-1460-4983-9049-F131166ED193}.exe	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
File created	C:\Windows\{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	{49C7C73B-1460-4983-9049-F131166ED193}.exe
File created	C:\Windows\{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
File created	C:\Windows\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
File created	C:\Windows\{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
File created	C:\Windows\{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
File created	C:\Windows\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
File created	C:\Windows\{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49C7C73B-1460-4983-9049-F131166ED193}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
Token: SeIncBasePriorityPrivilege	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
Token: SeIncBasePriorityPrivilege	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
Token: SeIncBasePriorityPrivilege	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
Token: SeIncBasePriorityPrivilege	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe
Token: SeIncBasePriorityPrivilege	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
Token: SeIncBasePriorityPrivilege	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
Token: SeIncBasePriorityPrivilege	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
Token: SeIncBasePriorityPrivilege	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
Token: SeIncBasePriorityPrivilege	4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
Token: SeIncBasePriorityPrivilege	3680	{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3980	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	96
PID 1640 wrote to memory of 3980	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	96
PID 1640 wrote to memory of 3980	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	96
PID 1640 wrote to memory of 4836	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	97
PID 1640 wrote to memory of 4836	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	97
PID 1640 wrote to memory of 4836	1640	2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe	97
PID 3980 wrote to memory of 2752	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	98
PID 3980 wrote to memory of 2752	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	98
PID 3980 wrote to memory of 2752	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	98
PID 3980 wrote to memory of 4360	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	99
PID 3980 wrote to memory of 4360	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	99
PID 3980 wrote to memory of 4360	3980	{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe	99
PID 2752 wrote to memory of 3984	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	103
PID 2752 wrote to memory of 3984	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	103
PID 2752 wrote to memory of 3984	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	103
PID 2752 wrote to memory of 3484	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	104
PID 2752 wrote to memory of 3484	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	104
PID 2752 wrote to memory of 3484	2752	{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe	104
PID 3984 wrote to memory of 848	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	105
PID 3984 wrote to memory of 848	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	105
PID 3984 wrote to memory of 848	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	105
PID 3984 wrote to memory of 5096	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	106
PID 3984 wrote to memory of 5096	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	106
PID 3984 wrote to memory of 5096	3984	{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe	106
PID 848 wrote to memory of 5112	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	107
PID 848 wrote to memory of 5112	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	107
PID 848 wrote to memory of 5112	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	107
PID 848 wrote to memory of 2988	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	108
PID 848 wrote to memory of 2988	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	108
PID 848 wrote to memory of 2988	848	{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe	108
PID 5112 wrote to memory of 3988	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	110
PID 5112 wrote to memory of 3988	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	110
PID 5112 wrote to memory of 3988	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	110
PID 5112 wrote to memory of 4524	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	111
PID 5112 wrote to memory of 4524	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	111
PID 5112 wrote to memory of 4524	5112	{49C7C73B-1460-4983-9049-F131166ED193}.exe	111
PID 3988 wrote to memory of 4648	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	112
PID 3988 wrote to memory of 4648	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	112
PID 3988 wrote to memory of 4648	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	112
PID 3988 wrote to memory of 2216	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	113
PID 3988 wrote to memory of 2216	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	113
PID 3988 wrote to memory of 2216	3988	{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe	113
PID 4648 wrote to memory of 4344	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	121
PID 4648 wrote to memory of 4344	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	121
PID 4648 wrote to memory of 4344	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	121
PID 4648 wrote to memory of 768	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	122
PID 4648 wrote to memory of 768	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	122
PID 4648 wrote to memory of 768	4648	{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe	122
PID 4344 wrote to memory of 4420	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	123
PID 4344 wrote to memory of 4420	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	123
PID 4344 wrote to memory of 4420	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	123
PID 4344 wrote to memory of 4208	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	124
PID 4344 wrote to memory of 4208	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	124
PID 4344 wrote to memory of 4208	4344	{3F25A634-6346-4e19-9F31-5082054A43C2}.exe	124
PID 4420 wrote to memory of 4712	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	125
PID 4420 wrote to memory of 4712	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	125
PID 4420 wrote to memory of 4712	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	125
PID 4420 wrote to memory of 612	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	126
PID 4420 wrote to memory of 612	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	126
PID 4420 wrote to memory of 612	4420	{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe	126
PID 4712 wrote to memory of 3680	4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe	130
PID 4712 wrote to memory of 3680	4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe	130
PID 4712 wrote to memory of 3680	4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe	130
PID 4712 wrote to memory of 5112	4712	{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-19_5b1009c3118c06f34aaccdbf8866858f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
  C:\Windows\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
    C:\Windows\{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
      C:\Windows\{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
        
        C:\Windows\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\{49C7C73B-1460-4983-9049-F131166ED193}.exe
        
        C:\Windows\{49C7C73B-1460-4983-9049-F131166ED193}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
        
        C:\Windows\{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
        
        C:\Windows\{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
        
        C:\Windows\{3F25A634-6346-4e19-9F31-5082054A43C2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
        
        C:\Windows\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
        
        C:\Windows\{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
        
        C:\Windows\{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe
        
        C:\Windows\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDF06~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ACB7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB06~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F25A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{164AC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1377~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C7C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53CE3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{241CF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{910A5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B880A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{164AC611-BAA0-4c55-881A-CBCB26323D11}.exe

Filesize
344KB

MD5
c5eee34beca2d7092367d3ac91e1cfc8

SHA1
dcb496eee6742f07db790bf32b507b6db6bc2195

SHA256
421c02e53260f4bf9266ce27d4e0cebb73980873c2adac0b6a7f1a4d0a88c839

SHA512
d9f59a8fe8945793d5496fa384c0dd494adb8e06473742baa34797fb75c3e22da97421bd4de0de617cf7125ed79c2f76482b663e9e46ed192e466496c0794797

Download Submit
C:\Windows\{1ACB7E94-CC9A-4377-9051-499A05478D78}.exe

Filesize
344KB

MD5
7caddc865b06e9e8ee21d531d11a22e4

SHA1
5e1b3a157561965eaba5e70641d7ce39e314079d

SHA256
5e4ab16e3e754375f1bb85bfa0ba1da759dc3a77016de9596d81ff82f7788971

SHA512
8b292fd1bbf6a6db68d1e19f6bc8ce571332b9106b26969d901dbd769ee9b4a3d99e78c3d44c35a983c18a1bdec34a015b097c7d462f317986aae6c46b1c6342

Download Submit
C:\Windows\{241CFFF1-5750-4a7e-97E5-A8D68899A586}.exe

Filesize
344KB

MD5
462cc5fa96df90ed8f3e071185f3d111

SHA1
4faed0665ab2f165f167985774412c60625f240b

SHA256
f3e37220c24bb4477b117efdbf59473903de6c4837c5c6c9cfb250aa9412fc8f

SHA512
6d3769dcfdd68592e4bc7a41aa4382a57de831f55c5d2e14030bc961bd0792bad698f690872c892d228fabc640fbd23232642ea462f23e00314cd23ea55a5b9c

Download Submit
C:\Windows\{3F25A634-6346-4e19-9F31-5082054A43C2}.exe

Filesize
344KB

MD5
7a35199fa5d9ff6b4a954f69a6f28062

SHA1
f93a3f7abf4bf4afb13dac31b7083201e2991deb

SHA256
4cb70f35d832dbe0958db88749dabb48f5c751e18e6a90a83b77b758c779c62a

SHA512
58d46fc424a46ccd9a0118d0b68df61f0d406d76e3057819066fbb33fdff5eddd87390249ffabd71bc3b66fabd24f8870f983718a7fde5f4f7f07f4b8afd0b14

Download Submit
C:\Windows\{49C7C73B-1460-4983-9049-F131166ED193}.exe

Filesize
344KB

MD5
90eaca6cc92ae45bef8737083511b663

SHA1
5f46f7909d7462eac89373aa96a440db4672b53d

SHA256
fda63c8fc2b2ab3f1943c1eacf14c0b96b708a1bc4c8cd5a511dbdda83fe028b

SHA512
03c8cc601f55b4760cb2f949b688195f52d0fd3f642e2e5c8463305b6b7a2b3942aec9123bd27880e283ac6ee410a3ca55d6b4c919ed201aaaa8729a3c2f8230

Download Submit
C:\Windows\{53CE3716-BB76-40a9-8308-9BF3C97EEDF9}.exe

Filesize
344KB

MD5
1eb848f34099e4bccdf167202916396b

SHA1
eb9b03f9012127d72f97c07a664f656c1b7cd331

SHA256
b5b1511e273bc2c8946a75bb07dab0a5b3c476ef730f92249ab61cb491e9ebdf

SHA512
f1ec5fce016ecdc744359da5fe5a8839a39ef97713c3bfc5fc3090ed0302e0670cd9e658fb4501ef5410ff488fc2b3cb6e79eea82efb6df2e90deeed7bf93bc5

Download Submit
C:\Windows\{642F9322-FD58-4ff7-91E8-E3CE355FF1B6}.exe

Filesize
344KB

MD5
4d39c0b5669d073f254bf75df0339955

SHA1
f8078a8e0d304722cc95f4aa924daef0966e0759

SHA256
64a77789169bf54cfa50cc9f3344b414ec024269fff1adb0187d54e52da2d0e5

SHA512
98ee28c4d0699d7ba06b1cfc72f612b75554615d624e8dd27c271bf73c81b9e4c69c63cab7c719181670f95615af236a513b8729a46cb63519b12a691fdfb0a4

Download Submit
C:\Windows\{910A5886-AA1F-4630-89B0-31F9C48E0F91}.exe

Filesize
344KB

MD5
a987c7a883562b1f9893e0641924859d

SHA1
8cb26b660a21611a22b848c6679c9b37705dd50b

SHA256
5000432105f92f9f0651c0bb469ee4215c4ae42afec307f087a91e9ad68a86d7

SHA512
eb46cc18a88bb93038229436ac3cf9ff074450c686baf240dcdc264dc6d082fe72a45838efa2d540ce52242e5ed54b09f321cb6ea95645d592b32e525133a8ba

Download Submit
C:\Windows\{B880AE9E-4FBC-4129-9380-EBD0C42215EE}.exe

Filesize
344KB

MD5
49070dde13aaabc2def0b364b9f71b53

SHA1
1f031ad3963278ff5ecc6631d7a3ff78e3018734

SHA256
ca09279670f7ebae0aec08086f1647c965322a0911f4e04a883ca946b2b9eb08

SHA512
362d682f58af849c59f9cee41e23b680c375a1bcdddac81be3758fc268522065c90a9613964dfb475cff88b24002238e10245630433488a1d988139270ba0dd9

Download Submit
C:\Windows\{DDB062A3-55F8-49ac-86C9-FD1410E3384C}.exe

Filesize
344KB

MD5
05e6472f9bc0de466291ad79eb8c1538

SHA1
97b400488127612a853f929473095dc1fa4efa0c

SHA256
7fb131098ec65e51eeb4af86a5134a976e531ab4711b7890517af43d12f3879b

SHA512
5fc7268f34a243ca2c226b4827cbf415f2e2f33dd3bf94ea6bb4a95439e619827ab7bed6dbe5076e38d704e2675749f141a6874110caac0e5dfb9422a1567bde

Download Submit
C:\Windows\{DDF064CF-548C-44b6-8E1E-2648F46C0394}.exe

Filesize
344KB

MD5
4d145cba177fd360b6951dbabea00776

SHA1
3fa40f9ba2cac6b7b5c82997112a970efe8f1b18

SHA256
fa8117f03d0046aded5819f36b4be130eee6c0e4cae0bf37258224d2233f55d3

SHA512
24a641126ec160b10a205f3a621c6097f8688e59cc0c6fc2fc44af3005a4ee5109f69b541efb15f761f53e358d803b4c83f858c3a7997f281136f587b08a9b21

Download Submit
C:\Windows\{E13772A6-6A70-4eda-85BD-380707DF98D6}.exe

Filesize
344KB

MD5
6244ae6d17d050a69f2bd4d1c1aff7a0

SHA1
a3bb1015271970c6c573a098e1dc4059a8198a35

SHA256
37e2dab73eda65a7458c1e11c2ad1c72ee37f481da5181fcb1311154b03e7593

SHA512
89c8f40acc1f3d96da1ac0b28df95b4507494772bc2bf79141c8367622e84b22d6ec88446867a0f42b0f89f897d557687713e711f5ab3acc760639c4c7983131

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads