e6abe1a071f2ef011f6ec4a3d35b1623d9201a6702af0e2a1a5db32bf71eb497

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Size

380KB
MD5

6fce3a3c6d160f632ff411107d5a9e46
SHA1

ce0ef5fd17f619884984da65837eda3201bc5f85
SHA256

e6abe1a071f2ef011f6ec4a3d35b1623d9201a6702af0e2a1a5db32bf71eb497
SHA512

8b70f5f08842f750f7be1ec606085d83379240c352436c70826252f29f2e2d57c672306cf4d7945219ecb829887be3e30104ec0d3e1a944ab62f054d15ce22c8
SSDEEP

3072:mEGh0oilPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926239DE-6B2A-4006-868D-5DBD6A943866}	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C06586C5-5659-4582-805C-03719C0A1826}\stubpath = "C:\\Windows\\{C06586C5-5659-4582-805C-03719C0A1826}.exe"	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470EA0AC-0D36-4064-9CAC-CF37A807973A}	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}\stubpath = "C:\\Windows\\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe"	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}\stubpath = "C:\\Windows\\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe"	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}	{C06586C5-5659-4582-805C-03719C0A1826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}\stubpath = "C:\\Windows\\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe"	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C79423-5C8C-425d-A059-30288063A5C1}\stubpath = "C:\\Windows\\{12C79423-5C8C-425d-A059-30288063A5C1}.exe"	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}\stubpath = "C:\\Windows\\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe"	{C06586C5-5659-4582-805C-03719C0A1826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}\stubpath = "C:\\Windows\\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe"	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}\stubpath = "C:\\Windows\\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe"	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}\stubpath = "C:\\Windows\\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe"	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{926239DE-6B2A-4006-868D-5DBD6A943866}\stubpath = "C:\\Windows\\{926239DE-6B2A-4006-868D-5DBD6A943866}.exe"	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C06586C5-5659-4582-805C-03719C0A1826}	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12C79423-5C8C-425d-A059-30288063A5C1}	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{470EA0AC-0D36-4064-9CAC-CF37A807973A}\stubpath = "C:\\Windows\\{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe"	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D702CAD-9E2A-483b-892D-26C85A928541}	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D702CAD-9E2A-483b-892D-26C85A928541}\stubpath = "C:\\Windows\\{4D702CAD-9E2A-483b-892D-26C85A928541}.exe"	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe

Executes dropped EXE 12 IoCs

pid	Process
3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe
3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
3632	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
4036	{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
File created	C:\Windows\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	{C06586C5-5659-4582-805C-03719C0A1826}.exe
File created	C:\Windows\{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
File created	C:\Windows\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
File created	C:\Windows\{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
File created	C:\Windows\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
File created	C:\Windows\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
File created	C:\Windows\{C06586C5-5659-4582-805C-03719C0A1826}.exe	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
File created	C:\Windows\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
File created	C:\Windows\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
File created	C:\Windows\{12C79423-5C8C-425d-A059-30288063A5C1}.exe	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
File created	C:\Windows\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C06586C5-5659-4582-805C-03719C0A1826}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
Token: SeIncBasePriorityPrivilege	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
Token: SeIncBasePriorityPrivilege	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe
Token: SeIncBasePriorityPrivilege	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
Token: SeIncBasePriorityPrivilege	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
Token: SeIncBasePriorityPrivilege	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
Token: SeIncBasePriorityPrivilege	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
Token: SeIncBasePriorityPrivilege	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
Token: SeIncBasePriorityPrivilege	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe
Token: SeIncBasePriorityPrivilege	4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
Token: SeIncBasePriorityPrivilege	3632	{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3624	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	96
PID 4324 wrote to memory of 3624	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	96
PID 4324 wrote to memory of 3624	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	96
PID 4324 wrote to memory of 2500	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	97
PID 4324 wrote to memory of 2500	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	97
PID 4324 wrote to memory of 2500	4324	2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe	97
PID 3624 wrote to memory of 2680	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	98
PID 3624 wrote to memory of 2680	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	98
PID 3624 wrote to memory of 2680	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	98
PID 3624 wrote to memory of 4308	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	99
PID 3624 wrote to memory of 4308	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	99
PID 3624 wrote to memory of 4308	3624	{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe	99
PID 2680 wrote to memory of 3216	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	103
PID 2680 wrote to memory of 3216	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	103
PID 2680 wrote to memory of 3216	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	103
PID 2680 wrote to memory of 4636	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	104
PID 2680 wrote to memory of 4636	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	104
PID 2680 wrote to memory of 4636	2680	{926239DE-6B2A-4006-868D-5DBD6A943866}.exe	104
PID 3216 wrote to memory of 3232	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	105
PID 3216 wrote to memory of 3232	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	105
PID 3216 wrote to memory of 3232	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	105
PID 3216 wrote to memory of 2996	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	106
PID 3216 wrote to memory of 2996	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	106
PID 3216 wrote to memory of 2996	3216	{C06586C5-5659-4582-805C-03719C0A1826}.exe	106
PID 3232 wrote to memory of 1032	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	108
PID 3232 wrote to memory of 1032	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	108
PID 3232 wrote to memory of 1032	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	108
PID 3232 wrote to memory of 2896	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	109
PID 3232 wrote to memory of 2896	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	109
PID 3232 wrote to memory of 2896	3232	{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe	109
PID 1032 wrote to memory of 1508	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	110
PID 1032 wrote to memory of 1508	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	110
PID 1032 wrote to memory of 1508	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	110
PID 1032 wrote to memory of 552	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	111
PID 1032 wrote to memory of 552	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	111
PID 1032 wrote to memory of 552	1032	{4D702CAD-9E2A-483b-892D-26C85A928541}.exe	111
PID 1508 wrote to memory of 4804	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	112
PID 1508 wrote to memory of 4804	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	112
PID 1508 wrote to memory of 4804	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	112
PID 1508 wrote to memory of 1652	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	113
PID 1508 wrote to memory of 1652	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	113
PID 1508 wrote to memory of 1652	1508	{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe	113
PID 4804 wrote to memory of 2888	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	121
PID 4804 wrote to memory of 2888	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	121
PID 4804 wrote to memory of 2888	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	121
PID 4804 wrote to memory of 5108	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	122
PID 4804 wrote to memory of 5108	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	122
PID 4804 wrote to memory of 5108	4804	{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe	122
PID 2888 wrote to memory of 3684	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	123
PID 2888 wrote to memory of 3684	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	123
PID 2888 wrote to memory of 3684	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	123
PID 2888 wrote to memory of 3472	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	124
PID 2888 wrote to memory of 3472	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	124
PID 2888 wrote to memory of 3472	2888	{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe	124
PID 3684 wrote to memory of 4288	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	125
PID 3684 wrote to memory of 4288	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	125
PID 3684 wrote to memory of 4288	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	125
PID 3684 wrote to memory of 3880	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	126
PID 3684 wrote to memory of 3880	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	126
PID 3684 wrote to memory of 3880	3684	{12C79423-5C8C-425d-A059-30288063A5C1}.exe	126
PID 4288 wrote to memory of 3632	4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe	130
PID 4288 wrote to memory of 3632	4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe	130
PID 4288 wrote to memory of 3632	4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe	130
PID 4288 wrote to memory of 4460	4288	{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_6fce3a3c6d160f632ff411107d5a9e46_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
  C:\Windows\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
    C:\Windows\{926239DE-6B2A-4006-868D-5DBD6A943866}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{C06586C5-5659-4582-805C-03719C0A1826}.exe
      C:\Windows\{C06586C5-5659-4582-805C-03719C0A1826}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
        
        C:\Windows\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
        
        C:\Windows\{4D702CAD-9E2A-483b-892D-26C85A928541}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
        
        C:\Windows\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
        
        C:\Windows\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
        
        C:\Windows\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{12C79423-5C8C-425d-A059-30288063A5C1}.exe
        
        C:\Windows\{12C79423-5C8C-425d-A059-30288063A5C1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
        
        C:\Windows\{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
        
        C:\Windows\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe
        
        C:\Windows\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{762AE~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{470EA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12C79~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F2A4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB4BF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EAAD2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D702~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{111DB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0658~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{92623~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29735~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{111DB42B-5FAD-46be-ABFA-6AB4AB16AAE5}.exe

Filesize
380KB

MD5
45badcb6f7050df25bfe91f09d8203b1

SHA1
180a84b6c8ab061ff07bb983d35a112ecef4d9ad

SHA256
af7b01fbc32791423bf76a4d576066f0a3c6eab0282fc3ed4675d7da319babc9

SHA512
1ac617f5a4216052fb2e9c98056ae3f869fb77ae1933078b99707ef4084e6227f9208fb7d32a0604e37eb2ca8e7a529ac6bdab3bb725922ef82dafd8a5dfe689

Download Submit
C:\Windows\{12C79423-5C8C-425d-A059-30288063A5C1}.exe

Filesize
380KB

MD5
291e34ca1128badf885adabcd8419039

SHA1
7d4a22724637c653239f8fca7f809b081774c8c8

SHA256
2ee2b0494b02456939ce51810e6c589558a73fb503751a8bcff09ac0451da534

SHA512
7d898c3f092300316af1396f1abe1c9101ae6b78fca329419774219f90131b426aa0ab04532bed0d1c1290adc9bdcfde457f31c11a8cbec33d4700ed19acbb3b

Download Submit
C:\Windows\{1F2A49F8-057C-4bb7-9D3F-D960BBC8D924}.exe

Filesize
380KB

MD5
cc6a6ac0b7f3b975a8f54cff0ef8a1a6

SHA1
0a783f6291f7776a3ebd29e9158b3a1364044aa4

SHA256
4c4bac4758d79a61260811c40af5ccc5eb4a647c9ba18a53835bc36055348286

SHA512
2e1edec29f4e56e0cd87d104a5ed6882cb0da20d0a4b99deaf0617774216025612b0c59ac78785fa8674afc76c804da6973a371403d4c3768a6eefe6237dfdd1

Download Submit
C:\Windows\{29735FF6-AD6C-49f9-9D0E-834E0CDD216D}.exe

Filesize
380KB

MD5
5a69d537d621bc2bdff4b0fdf6f2d502

SHA1
a9485b8a8514d0e2d9483b4411ff07ea31c04a09

SHA256
5949f58ed2a9533e4c4e6629d86c70deef5241cc10a918778d8ee6171adee3cf

SHA512
e18ed55399748270640fe933091648a21ab68e03d5b8a329110c4d6919a8a881618062aeb3631b05af3848f3e9352b9e4b88942f7615eb396d9f291b07aec0de

Download Submit
C:\Windows\{470EA0AC-0D36-4064-9CAC-CF37A807973A}.exe

Filesize
380KB

MD5
b01ea96e614b0355b5703cf6b6b79c5f

SHA1
7a2d3980c444fc5dd5fb0ad31b456ff1c64ae749

SHA256
8b37149c50a6743fc6c4a41d2a7e4dbbcf716d42df6ee14e97df05a2dc1b9198

SHA512
57d258ea59238a8c823436154db2f821c21172c5582979681bef3908d9a22fb92604cb2fbe48e6dfb92b5db4e6b6566801f51b8e39aea63b4f1586e830dfce48

Download Submit
C:\Windows\{4D702CAD-9E2A-483b-892D-26C85A928541}.exe

Filesize
380KB

MD5
916a4eb0baa9a218cd57a6c7bdb48f80

SHA1
2f6c885610766a324a37649e970468992e94783a

SHA256
28461d167a2dabd4deb942e669e4bdeb999e5ae3f63eebe086d2e5108e40d732

SHA512
cc5e3fd3b537b7565570577bb44a80db40f809d6a70e4858f0418ae69174d8d9ba45d5843e117e531890b9c76b3e895a0d9dfab17f9818210abaec5d1a101151

Download Submit
C:\Windows\{762AEBE8-FE8F-4a5b-874F-B4963CD28A45}.exe

Filesize
380KB

MD5
60f759ab86cb79362206a59dde71d565

SHA1
42dc0dc00bd0ce009fa827a67c9c6af718cb7e3f

SHA256
981f584ab13e4833a4107b42419c1eb7748484540199c79c6a243c917085031b

SHA512
246456371472963ca4ed9261e73a72a80f744bf4c79fc674ee83c9d6e77077758e0da394339c64f03e0331de18b8607846457e02b500917961c8372d436d4e0b

Download Submit
C:\Windows\{926239DE-6B2A-4006-868D-5DBD6A943866}.exe

Filesize
380KB

MD5
b3a0a1734d586f1271e2675a8cbcc389

SHA1
2c61ab79bf74a8ed97aa8fc237ea353d15be8ed5

SHA256
8d6e6a3fe2b421d9d8263efffc7ac2519a1c27000ce66d34ed73a1cbe81101bc

SHA512
3f00c7f5a88516a413f406dea43fa4768aec5f5e01633121044caf1b265ce94f3da63bcd7ad1380fcadfcd1b4549651b0891b78e8fe571979002e2598a34211a

Download Submit
C:\Windows\{A70F49BF-BA4F-4bde-974C-3FF0B96DA998}.exe

Filesize
380KB

MD5
ba7085077eb271e325346bcea3e6a2d3

SHA1
4da9a35109cf7ae9729a880ec9e2df35e199f5be

SHA256
bba17687e9aa8b1b984876049324243bd345ef3f1eab5e9af302354838560440

SHA512
87b93c81c6db6eb87bdfc8d6ec3da7d7d8e1e361847aab2441859abe8cf32579307b029cf8ad514cb99f975fe301327f44a347352e42b8ca571f280c3f4bcde5

Download Submit
C:\Windows\{C06586C5-5659-4582-805C-03719C0A1826}.exe

Filesize
380KB

MD5
fbccf35b1f6c9133a1912502ccad411c

SHA1
32920e56c9cba073cf38a4a60193ad9400c9fea2

SHA256
423e9c87939fbfd5ab846bf25e7b041046d253a3450f195ec62a7c0e76b151c6

SHA512
b9fbb3be0d418c8c4b1cbc28f29b3548c346b1316c4be60b161999c6fc90e51acda35621153f42ac1c48a5137e9b97cf14877b1eeefdfc1e7d895081e6d1feab

Download Submit
C:\Windows\{CB4BF74D-6F79-4170-8E97-E77E46EECCCA}.exe

Filesize
380KB

MD5
653e4ce9f969110dc3768709d1124330

SHA1
0333d0c19ff554ea7d4abc72157422ce5b430e1e

SHA256
e4fa69f89b62cd20db079750ee007028ded871820a25d3294fdcbcc2ccf70e6c

SHA512
098b0eb023607320961b004f93212f26f9cdcefdb4e4ef16c482557c2c5ace9a4694a1499af24f8581b169edc02db4b59d4b438feb514ca75a12884e02455b21

Download Submit
C:\Windows\{EAAD2A18-C64A-4c5a-8190-EB4A1F263EA9}.exe

Filesize
380KB

MD5
0796bbe7e25e9e8891b2b7f92073a5cc

SHA1
51543a1034d9c8e9b81bff599bc61c2639e3c46d

SHA256
7a502102eb4db515094c6ddac35197809f8014785f17983e8a6c07cdb4f89403

SHA512
dd8e5499804ebb6c3237a413b1f160beda2280b32fb923b8873b82dba8bdce4b5e1162fe42eab6fad9502ae8b8334450f9b636557fe3056800e3851c6ded1315

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads