1ca5f8f4279e4d0b40aae96d0bab9caa5aadadacd91ac6ff21cd38755c2f3bb3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
Size

408KB
MD5

9bc3abcf1455bbbcf929d8628e3a6c42
SHA1

333a16790326400f47cbaaa53fb42ccca0281261
SHA256

1ca5f8f4279e4d0b40aae96d0bab9caa5aadadacd91ac6ff21cd38755c2f3bb3
SHA512

0a0108446edc514dfce392ee9177efbc47268107c7c16502a567bd205f20ce7b830e844ba7d86e87fa34e8b5c4e037d2434c350536e6fff30ed349b4b746b7fa
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGsldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C5C666-F07A-444a-986E-32076151AC31}\stubpath = "C:\\Windows\\{72C5C666-F07A-444a-986E-32076151AC31}.exe"	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7BB994-3EC4-4af8-803A-C340223DACD8}	{72C5C666-F07A-444a-986E-32076151AC31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20ABBD30-6307-4bf8-846B-13DDD51E3990}\stubpath = "C:\\Windows\\{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe"	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A33D78B4-3028-489a-8C7E-1E2701720524}	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72C5C666-F07A-444a-986E-32076151AC31}	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20ABBD30-6307-4bf8-846B-13DDD51E3990}	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}\stubpath = "C:\\Windows\\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe"	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80023E24-7964-483f-98A6-B76EC59D1F2C}	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80023E24-7964-483f-98A6-B76EC59D1F2C}\stubpath = "C:\\Windows\\{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe"	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF7BB994-3EC4-4af8-803A-C340223DACD8}\stubpath = "C:\\Windows\\{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe"	{72C5C666-F07A-444a-986E-32076151AC31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}\stubpath = "C:\\Windows\\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe"	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FCF4F3-1B89-419b-A888-D75623A83513}	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}\stubpath = "C:\\Windows\\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe"	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20FCF4F3-1B89-419b-A888-D75623A83513}\stubpath = "C:\\Windows\\{20FCF4F3-1B89-419b-A888-D75623A83513}.exe"	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A33D78B4-3028-489a-8C7E-1E2701720524}\stubpath = "C:\\Windows\\{A33D78B4-3028-489a-8C7E-1E2701720524}.exe"	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}\stubpath = "C:\\Windows\\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe"	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}\stubpath = "C:\\Windows\\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe"	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69874DF-7974-40c1-BFB6-93A10E5804DE}	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69874DF-7974-40c1-BFB6-93A10E5804DE}\stubpath = "C:\\Windows\\{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe"	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe

Executes dropped EXE 12 IoCs

pid	Process
2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe
4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
2532	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
1756	{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	{72C5C666-F07A-444a-986E-32076151AC31}.exe
File created	C:\Windows\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
File created	C:\Windows\{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
File created	C:\Windows\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
File created	C:\Windows\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
File created	C:\Windows\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
File created	C:\Windows\{20FCF4F3-1B89-419b-A888-D75623A83513}.exe	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
File created	C:\Windows\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
File created	C:\Windows\{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
File created	C:\Windows\{72C5C666-F07A-444a-986E-32076151AC31}.exe	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
File created	C:\Windows\{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
File created	C:\Windows\{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72C5C666-F07A-444a-986E-32076151AC31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
Token: SeIncBasePriorityPrivilege	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe
Token: SeIncBasePriorityPrivilege	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
Token: SeIncBasePriorityPrivilege	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
Token: SeIncBasePriorityPrivilege	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
Token: SeIncBasePriorityPrivilege	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
Token: SeIncBasePriorityPrivilege	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
Token: SeIncBasePriorityPrivilege	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
Token: SeIncBasePriorityPrivilege	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
Token: SeIncBasePriorityPrivilege	4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
Token: SeIncBasePriorityPrivilege	2532	{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 2084	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	102
PID 3732 wrote to memory of 2084	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	102
PID 3732 wrote to memory of 2084	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	102
PID 3732 wrote to memory of 3700	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	103
PID 3732 wrote to memory of 3700	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	103
PID 3732 wrote to memory of 3700	3732	2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe	103
PID 2084 wrote to memory of 2216	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	104
PID 2084 wrote to memory of 2216	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	104
PID 2084 wrote to memory of 2216	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	104
PID 2084 wrote to memory of 872	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	105
PID 2084 wrote to memory of 872	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	105
PID 2084 wrote to memory of 872	2084	{A33D78B4-3028-489a-8C7E-1E2701720524}.exe	105
PID 2216 wrote to memory of 4580	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	108
PID 2216 wrote to memory of 4580	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	108
PID 2216 wrote to memory of 4580	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	108
PID 2216 wrote to memory of 3872	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	109
PID 2216 wrote to memory of 3872	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	109
PID 2216 wrote to memory of 3872	2216	{72C5C666-F07A-444a-986E-32076151AC31}.exe	109
PID 4580 wrote to memory of 1100	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	111
PID 4580 wrote to memory of 1100	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	111
PID 4580 wrote to memory of 1100	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	111
PID 4580 wrote to memory of 4468	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	112
PID 4580 wrote to memory of 4468	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	112
PID 4580 wrote to memory of 4468	4580	{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe	112
PID 1100 wrote to memory of 3860	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	113
PID 1100 wrote to memory of 3860	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	113
PID 1100 wrote to memory of 3860	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	113
PID 1100 wrote to memory of 2640	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	114
PID 1100 wrote to memory of 2640	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	114
PID 1100 wrote to memory of 2640	1100	{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe	114
PID 3860 wrote to memory of 2944	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	118
PID 3860 wrote to memory of 2944	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	118
PID 3860 wrote to memory of 2944	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	118
PID 3860 wrote to memory of 4440	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	119
PID 3860 wrote to memory of 4440	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	119
PID 3860 wrote to memory of 4440	3860	{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe	119
PID 2944 wrote to memory of 4284	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	120
PID 2944 wrote to memory of 4284	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	120
PID 2944 wrote to memory of 4284	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	120
PID 2944 wrote to memory of 2832	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	121
PID 2944 wrote to memory of 2832	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	121
PID 2944 wrote to memory of 2832	2944	{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe	121
PID 4284 wrote to memory of 4884	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	122
PID 4284 wrote to memory of 4884	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	122
PID 4284 wrote to memory of 4884	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	122
PID 4284 wrote to memory of 4468	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	123
PID 4284 wrote to memory of 4468	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	123
PID 4284 wrote to memory of 4468	4284	{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe	123
PID 4884 wrote to memory of 5112	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	126
PID 4884 wrote to memory of 5112	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	126
PID 4884 wrote to memory of 5112	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	126
PID 4884 wrote to memory of 644	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	127
PID 4884 wrote to memory of 644	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	127
PID 4884 wrote to memory of 644	4884	{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe	127
PID 5112 wrote to memory of 4932	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	128
PID 5112 wrote to memory of 4932	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	128
PID 5112 wrote to memory of 4932	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	128
PID 5112 wrote to memory of 4640	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	129
PID 5112 wrote to memory of 4640	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	129
PID 5112 wrote to memory of 4640	5112	{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe	129
PID 4932 wrote to memory of 2532	4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe	130
PID 4932 wrote to memory of 2532	4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe	130
PID 4932 wrote to memory of 2532	4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe	130
PID 4932 wrote to memory of 4200	4932	{20FCF4F3-1B89-419b-A888-D75623A83513}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_9bc3abcf1455bbbcf929d8628e3a6c42_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
  C:\Windows\{A33D78B4-3028-489a-8C7E-1E2701720524}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{72C5C666-F07A-444a-986E-32076151AC31}.exe
    C:\Windows\{72C5C666-F07A-444a-986E-32076151AC31}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
      C:\Windows\{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
        
        C:\Windows\{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
        
        C:\Windows\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
        
        C:\Windows\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
        
        C:\Windows\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
        
        C:\Windows\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
        
        C:\Windows\{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
        
        C:\Windows\{20FCF4F3-1B89-419b-A888-D75623A83513}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
        
        C:\Windows\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe
        
        C:\Windows\{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDF83~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20FCF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6987~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C10AD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15B51~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE3C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A335~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20ABB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF7BB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72C5C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A33D7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15B511C7-B6AC-47c9-878F-B3D7FA5FD8BD}.exe

Filesize
408KB

MD5
ec85cdd2db9b4fd19083f9f273c002fc

SHA1
399fcb87a03468570eec3ec40280ed751400de1b

SHA256
df98fbb18f117b03749a6d6686a6a68f72c7b50403e580e6bc186b9f9da27421

SHA512
dfbab376af99eef2d643aaee9ba73e2588e60e49be213dfb477f7021ca9735595d46856ce21979d1dfc1ed6b965afab0932b9595f537baba042ed4007a7c5290

Download Submit
C:\Windows\{20ABBD30-6307-4bf8-846B-13DDD51E3990}.exe

Filesize
408KB

MD5
da4c8e2e8e58ea57c4e1adfb6ca34d62

SHA1
7b9c5d5da8889743c301067a5f9ca4a8c04d023d

SHA256
230b06791f781983dba454bff03de917bc91a95d3c72322106b9131f3e957fb7

SHA512
080d0e5ed6fac6c2aed7325141618162cae631841b7e59c8b25539a1f94ff7e0d94a7d0a70752bc14d94a88ee4c7948859a2bc0ec926522f7d8f02809fe7e726

Download Submit
C:\Windows\{20FCF4F3-1B89-419b-A888-D75623A83513}.exe

Filesize
408KB

MD5
af6b5906316a5b081618400bd7f6ebc6

SHA1
e1361d39847bb7a5217d45d1bba48e4ed6cef1bc

SHA256
cbddbf2f439caf04d6f040f98621e7494a8eb3e06bd314d8a4f99dac62beeaf8

SHA512
f841c769379195f9048fc24b9367e4fc054b7474aafbd440003d9a4a6648964db0af2dc2c2eb2b8efc37ebaff3b9e818172a09d20bdaf67cc74bdbf416232b8c

Download Submit
C:\Windows\{5CE3C596-6663-45c8-ADE4-5E4EEAD73A0A}.exe

Filesize
408KB

MD5
4927278f7c9f20a3dd49d6542034d1b9

SHA1
9c16cbb48349ee678a66f5b709b88d50018026cf

SHA256
265f6126f99955c9d330cc2118c9cf95c8b9d8e75a047bbdc350918fdd50d7fe

SHA512
7c8a401688fa58e6367730b4edd28c9a023f71c6796e48ed33f7376393896683e2bbe8f5fd648f4bc74295b87fe72897fc11951c02270c67273ffe9c77b6ccc3

Download Submit
C:\Windows\{6A335FB6-228F-42a6-9D96-AC79F3DD81D9}.exe

Filesize
408KB

MD5
df6c0144b4f7346a8c69a97e1b8616df

SHA1
7928c646291c2368b7900ca5ebc63a04dcf278fc

SHA256
90cd56603f52dee763d3e5595030a55778a5381e0cfbe9539e23c656311e47f6

SHA512
3e9c8d47d7e5cb289e80637bc81a6adcc25a6fccdf4c1cd59fbcc13337e191215c06c0e4f26f759e13b85c0244b70d8e14add401df189b1247d296c342251642

Download Submit
C:\Windows\{72C5C666-F07A-444a-986E-32076151AC31}.exe

Filesize
408KB

MD5
18e162c4439557e13d1a0a35dccfbb3c

SHA1
599d3679154d7d79cd36b8e86e9ec69863e0dbb0

SHA256
d8bcea1f7424fc21cebb36dabe06a1a61a0f52a0f4f9f644620b07c9d7ccb727

SHA512
46e25c85c04d383ed4e5b3adaeeba6d133acd8e7054324021efeb0fd959754aa1f122b40ecb08835c268d5092a511a918fe2667cd50486984d2ce9a3a5d1d15d

Download Submit
C:\Windows\{80023E24-7964-483f-98A6-B76EC59D1F2C}.exe

Filesize
408KB

MD5
91784320c4e17f53386168ee02a94758

SHA1
19791e77c9ce7edb7b0d138365e3d4c40aaebb36

SHA256
d8cb17e3590b2b466adb69f797428330642b4220e04ea95e95bfa95f16eda4fc

SHA512
9213f23f19af137d40b7f31e429b46aae756b6430f2b6d94064cb878404286d8e03213f0d6c05fcabdc38a42cbed1d7ba95543abcbde4f1130aa2d8fd6636647

Download Submit
C:\Windows\{A33D78B4-3028-489a-8C7E-1E2701720524}.exe

Filesize
408KB

MD5
5d6a0a907a2bf1e899f4e6f2bcaad190

SHA1
2c0cab825a5b81409729742d5ff268ed58eaaf27

SHA256
ba40c419929e2efc25808e378791d860deff1293e2097102e23a96e4066e473c

SHA512
977f0e2cf4ca3048c58657430e0efee9a9bdd7a7f44b9ce19fd45102035a27375a337e16c22c8b373eae7d8560c154201e94bb2302eccdb812167a35bbe2f562

Download Submit
C:\Windows\{C10AD3A4-B0EE-49c4-B356-D472C36497FE}.exe

Filesize
408KB

MD5
0caad28ddbaa500a405de10e73f34bf6

SHA1
2dfce63847562dfee00f882dbe5b87dabf93df25

SHA256
867cb72cb62f51e918d1cbe500058b960fc55e57067c206a529f269f60141438

SHA512
9ce777491ab8c9068d1fd9c844fcb95fe3472ed6ba2e9a68858cdc9d83b4d8eeadb7c5d6135e44dd7152834d9144557686f3ff1fee5dfea8b355c9baeb02dbb1

Download Submit
C:\Windows\{CF7BB994-3EC4-4af8-803A-C340223DACD8}.exe

Filesize
408KB

MD5
a97e54cbd4187f74b8b3df4a4cdb203b

SHA1
ff766a24e45224517a1c17b99e817fe84f2b750c

SHA256
a13b5d70851c8fb1a59f79dc8838a4787c88b838a961d6a0584bc72f83778750

SHA512
0ae414bcf4a8f4f03cb35aa8479532b6cde04be2a1bf11beb8e34a224eee77ef75e0bbc5b6c5c22a95f1130cd2c4b16c1f26d95277c40e3acd089468d55d6f32

Download Submit
C:\Windows\{E69874DF-7974-40c1-BFB6-93A10E5804DE}.exe

Filesize
408KB

MD5
4aa027630353edae569f454eea19876b

SHA1
76d9c6b69792c31e62a813ae453165af2ce75b12

SHA256
4006a936b3dc5553458aa4460c5d68041998b9675cab616a8dc6be93f3b17fab

SHA512
50eac504a4bd0304dc965f9cf43670ad6d67c762b97be6a1d4b877a97daebd310b464c019d3b7260092e5cc053035dcdca24a324e3ed42842144ca4711ad3ea2

Download Submit
C:\Windows\{FDF835A8-EB8A-4d17-9FFC-B30C9D8BD69A}.exe

Filesize
408KB

MD5
417f376a1bb09c6e35b5f447b9d7a0bc

SHA1
3fe2d09d297d66eb3512a71f369faff9d36f5d7b

SHA256
0e66adc96b6f26fe2b0482ef5c405d4ab55121840ded73bb78c76dcf73022ae7

SHA512
c1dd1e088fcd477d8b1935a0ee37d102e7d15be11ff0e7b783800349ff03a43ec222711d99555d65ec2789d85233f0522d4791cd6f99e1c73592c57153e08a6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads