8ff6f33dc59e2c549176dc7ad90e8d04ac6369737c57ca4672e9728088c39bea

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
Size

372KB
MD5

c8de2514d06e61fb1980790dbc1065be
SHA1

5e10ae426a35ea6b139751a02766f32f09d8fb3c
SHA256

8ff6f33dc59e2c549176dc7ad90e8d04ac6369737c57ca4672e9728088c39bea
SHA512

a96ed5e5d36620f4aef4833174d16d5016f1e2c837d47730a03079ca1a66542c3f501e4426a8d10d522e81da33dcd64ed53f982cd3a92a27d8c34b10a32a1ef6
SSDEEP

3072:CEGh0olmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGql/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14FA51B-2B4F-4704-8041-E676B544952E}\stubpath = "C:\\Windows\\{F14FA51B-2B4F-4704-8041-E676B544952E}.exe"	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}\stubpath = "C:\\Windows\\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe"	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}\stubpath = "C:\\Windows\\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe"	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}\stubpath = "C:\\Windows\\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe"	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}\stubpath = "C:\\Windows\\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe"	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}\stubpath = "C:\\Windows\\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe"	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14FA51B-2B4F-4704-8041-E676B544952E}	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}\stubpath = "C:\\Windows\\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe"	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}\stubpath = "C:\\Windows\\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe"	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F507B894-24B8-44c8-BFB1-233E7B0295F6}\stubpath = "C:\\Windows\\{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe"	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}\stubpath = "C:\\Windows\\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe"	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}\stubpath = "C:\\Windows\\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe"	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}\stubpath = "C:\\Windows\\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe"	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F507B894-24B8-44c8-BFB1-233E7B0295F6}	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
2312	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
5084	{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
File created	C:\Windows\{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
File created	C:\Windows\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
File created	C:\Windows\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
File created	C:\Windows\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
File created	C:\Windows\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
File created	C:\Windows\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
File created	C:\Windows\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
File created	C:\Windows\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
File created	C:\Windows\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
File created	C:\Windows\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
File created	C:\Windows\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
Token: SeIncBasePriorityPrivilege	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
Token: SeIncBasePriorityPrivilege	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
Token: SeIncBasePriorityPrivilege	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
Token: SeIncBasePriorityPrivilege	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
Token: SeIncBasePriorityPrivilege	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
Token: SeIncBasePriorityPrivilege	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
Token: SeIncBasePriorityPrivilege	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
Token: SeIncBasePriorityPrivilege	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
Token: SeIncBasePriorityPrivilege	3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
Token: SeIncBasePriorityPrivilege	2312	{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3448	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	93
PID 916 wrote to memory of 3448	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	93
PID 916 wrote to memory of 3448	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	93
PID 916 wrote to memory of 4012	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	94
PID 916 wrote to memory of 4012	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	94
PID 916 wrote to memory of 4012	916	2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe	94
PID 3448 wrote to memory of 4576	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	95
PID 3448 wrote to memory of 4576	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	95
PID 3448 wrote to memory of 4576	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	95
PID 3448 wrote to memory of 3036	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	96
PID 3448 wrote to memory of 3036	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	96
PID 3448 wrote to memory of 3036	3448	{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe	96
PID 4576 wrote to memory of 4572	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	100
PID 4576 wrote to memory of 4572	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	100
PID 4576 wrote to memory of 4572	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	100
PID 4576 wrote to memory of 4776	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	101
PID 4576 wrote to memory of 4776	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	101
PID 4576 wrote to memory of 4776	4576	{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe	101
PID 4572 wrote to memory of 2708	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	102
PID 4572 wrote to memory of 2708	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	102
PID 4572 wrote to memory of 2708	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	102
PID 4572 wrote to memory of 5012	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	103
PID 4572 wrote to memory of 5012	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	103
PID 4572 wrote to memory of 5012	4572	{F14FA51B-2B4F-4704-8041-E676B544952E}.exe	103
PID 2708 wrote to memory of 3424	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	104
PID 2708 wrote to memory of 3424	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	104
PID 2708 wrote to memory of 3424	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	104
PID 2708 wrote to memory of 5032	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	105
PID 2708 wrote to memory of 5032	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	105
PID 2708 wrote to memory of 5032	2708	{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe	105
PID 3424 wrote to memory of 1248	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	107
PID 3424 wrote to memory of 1248	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	107
PID 3424 wrote to memory of 1248	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	107
PID 3424 wrote to memory of 4168	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	108
PID 3424 wrote to memory of 4168	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	108
PID 3424 wrote to memory of 4168	3424	{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe	108
PID 1248 wrote to memory of 1936	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	109
PID 1248 wrote to memory of 1936	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	109
PID 1248 wrote to memory of 1936	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	109
PID 1248 wrote to memory of 3060	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	110
PID 1248 wrote to memory of 3060	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	110
PID 1248 wrote to memory of 3060	1248	{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe	110
PID 1936 wrote to memory of 4808	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	115
PID 1936 wrote to memory of 4808	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	115
PID 1936 wrote to memory of 4808	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	115
PID 1936 wrote to memory of 4120	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	116
PID 1936 wrote to memory of 4120	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	116
PID 1936 wrote to memory of 4120	1936	{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe	116
PID 4808 wrote to memory of 3384	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	121
PID 4808 wrote to memory of 3384	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	121
PID 4808 wrote to memory of 3384	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	121
PID 4808 wrote to memory of 4028	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	122
PID 4808 wrote to memory of 4028	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	122
PID 4808 wrote to memory of 4028	4808	{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe	122
PID 3384 wrote to memory of 3868	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	123
PID 3384 wrote to memory of 3868	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	123
PID 3384 wrote to memory of 3868	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	123
PID 3384 wrote to memory of 4092	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	124
PID 3384 wrote to memory of 4092	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	124
PID 3384 wrote to memory of 4092	3384	{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe	124
PID 3868 wrote to memory of 2312	3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe	128
PID 3868 wrote to memory of 2312	3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe	128
PID 3868 wrote to memory of 2312	3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe	128
PID 3868 wrote to memory of 5036	3868	{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_c8de2514d06e61fb1980790dbc1065be_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
  C:\Windows\{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
    C:\Windows\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
      C:\Windows\{F14FA51B-2B4F-4704-8041-E676B544952E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
        
        C:\Windows\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
        
        C:\Windows\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
        
        C:\Windows\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
        
        C:\Windows\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
        
        C:\Windows\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
        
        C:\Windows\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
        
        C:\Windows\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
        
        C:\Windows\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe
        
        C:\Windows\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AA1C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{288DA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF389~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDEFE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F85~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0AB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED170~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE575~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F14FA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0AB1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F507B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{288DA16D-7E1E-47a6-80F8-D02E04BDDCD5}.exe

Filesize
372KB

MD5
3eb5d79f1cfc2c5dc2b2616e6e5ffb29

SHA1
f3fee23f1e210e3c66e273b54d1b3f52a90b51f9

SHA256
7dc6254c2399f40d2982070af324780ca0a39933256605158af0354ffbcdc99c

SHA512
dbf188c505854f0cd2c03e75bf2b6c69b002f03427b8010e125ccc490a037a03d5b275eeb3b4199410b4259842df4cae12fd59790719618aa903dd3e0d701647

Download Submit
C:\Windows\{3AA1CCDB-A50F-42f0-B35A-8B4B39A079F8}.exe

Filesize
372KB

MD5
4857ad5e7024fa894d8874464d869c93

SHA1
cfbbf40a8b70ba1692925c6b5c988307c43feacf

SHA256
71856d0ba4d72d5a7893cc2a24694b808c8d9dd1f5dbcf6f3a2beda797f97f86

SHA512
ee8fd8e3d1c4c364d054d8aa1f9bfd90e1f639e5cca582f287461d2ac1dd74975ceb0c7cb9646a59c7028553e158f2e38d8ff99c11befcb43661e085fde631b9

Download Submit
C:\Windows\{A6F85B30-4E74-47f0-8DC8-7799E661F1CA}.exe

Filesize
372KB

MD5
d137ae841c140c6b79293e84459599fc

SHA1
fe11f1ac6ead529c70390980b525a17796188b6d

SHA256
eb38f1e69335ee5323bff8115e8c4117472471aae786689dc1b3e919fe825c43

SHA512
4a6e9c883fdd43689d675fd010bfe70dcc7b1252d8e78faef5b5218ea087e65c31e9cd52911574ed7721c42f78c07f21892f2fbec06d2206a6d959f67c08dc1a

Download Submit
C:\Windows\{AE575CE9-9D52-4d3f-9EA8-D68C07B102B3}.exe

Filesize
372KB

MD5
2c8cd06b52f9c43ab1c0ae686bd57765

SHA1
34653960cb3088040baf979204c824b6b89bbd66

SHA256
0b8482021ff9c05fdab9788e926a658fc2397d172b9ba4d3fc2c0cd3eb69b0e0

SHA512
70e49a99a11b132c6a4d8f2a4f75225f32279a2ded2b160a044c735bb1bd02b22d4e241320871d989edd4063196270de0a411f9274494b5435327f0304d9dee4

Download Submit
C:\Windows\{BDEFEAB1-8AE3-4c25-A47B-023D8ACDCF72}.exe

Filesize
372KB

MD5
896a6ec277b1ea18b14df03a2632de5a

SHA1
a2a17ac09087e53cf96bfbaace3bf76aa07ac7f8

SHA256
4f63a6923204f54a3a809fc19ab44f6f1127fcf7ccc55c351254abd5e84ae820

SHA512
75ef15bdf0f930fcb75fca3afeedbf0c52da5a7f7bf8fee143e0ddb372ad0097538fb45a02ddb929d5c7b1925d3f4c0d9f544ff48af192bb6b3ed3aa2f3041e4

Download Submit
C:\Windows\{CD0ABA4A-731C-4e97-8804-8437CC3BD042}.exe

Filesize
372KB

MD5
079724f703a70584e971e7a923a02f0d

SHA1
df0f42d0afef38ae01dcbccb870cb5688b0b9efa

SHA256
307825b6f683b6e64083980d1cc285237a1c8a97aefdb57ed27ee1ec2ae599ba

SHA512
8e6f29203f15897c044292a85796aa7717fc620b2b74166569aafa22fbf6ffe0e234481f4dc2267c363d3ce01e0c1454e12b23687de51794012135389cfca8b9

Download Submit
C:\Windows\{ED170F4D-58F5-471b-848C-1DBA14EA26C2}.exe

Filesize
372KB

MD5
6d4fe2924d177e938838163a1f8b953b

SHA1
4d3e28f7bd7ec0f276672290a36eda6fec442dce

SHA256
a9d9839edb153b585250531624ecc91e568707be6338b2021d9700802f1dd99a

SHA512
4c414d73482f015b64789809573245cd60c52d0670880ed854a6ad18edd95d9e0cfe1711c458c4748539f13de57616368f43ad07cdd42113e79d1c1930d9bb80

Download Submit
C:\Windows\{EF389FAD-4414-4bd2-B98E-797A3CACC1BF}.exe

Filesize
372KB

MD5
d4ab0c576d76ebf93c47f41108f0e4de

SHA1
2cb4ce78f6e003c9e2ccc45550ab5bb4376be5cc

SHA256
277a77fd66b0de96ebbd06a9d695c9c19ba69ab9ab3b3e60e2f979b9a0acac9e

SHA512
de77241ba104a3cdd00b4b7f481cd91c8325cc0a0272369450aa20b2bd74e868cf7ff15a8ee0c91847969eab3b825c8bc332423e5b380fd5b8bcfbd1963b1e83

Download Submit
C:\Windows\{F0AB13CD-CE51-4af6-835B-A3E63E889B16}.exe

Filesize
372KB

MD5
33039d857273974eab56f16016babba9

SHA1
6970d9ce4e018e5bc29870f385f60f13160011db

SHA256
083017e5d07fd2de112f783a81927107caa8f23fcff280896b791309db6c75a7

SHA512
da49ad608494ae192651c39aaa1edd30e6a178958784f96a9d877f9a73aba7ff6aae0d7916e009943d0c4e163c437053a97bbb86a4166c3e03af89390530a54a

Download Submit
C:\Windows\{F14FA51B-2B4F-4704-8041-E676B544952E}.exe

Filesize
372KB

MD5
bd55864c89f263b2746bf64b2b3ea47a

SHA1
5a470e8a26f9622efc1d136c707ecbd38ade89fa

SHA256
e0b49bbcf5015a8119e4191bc0752de8a7e8367fe804aabac6303e3d3bf49b0a

SHA512
b1051452d28472aeb98c9e6a0bd41e13c581201e9973696b2fcac80390d4b8bb5f343d017b3212ed355fef1c7afb09fe0b1abce1f3d3c5fb2bf718517b90efe2

Download Submit
C:\Windows\{F507B894-24B8-44c8-BFB1-233E7B0295F6}.exe

Filesize
372KB

MD5
adcba413331b6e418f2756e566eb66ad

SHA1
c535cfbaaf83e60d4f049b4411986e8a20b3a1cc

SHA256
8241458425a5e0ce3704b45b8b73673cb8fcf6168d4fe6e4f9b3c555ad2108bf

SHA512
ef947037f2fc9425812c8af1caaf82ef0ff17977243804ef1399a454bb6e9da99959e8f78231600ad8a4f7d839d0441856941f398354365f4992984e289fb946

Download Submit
C:\Windows\{FCA45D6D-2091-4fc4-B96E-2DB1340180B9}.exe

Filesize
372KB

MD5
ff2b2a1bc4ed9fb2acbe2adbc26593af

SHA1
56b33697c289827d973bce6390bf8df31bf347b4

SHA256
6166f04b11d1573c74445014c42575c3604923e714b3cb3e7efa457a2567273c

SHA512
d65ef4ab504880dabd9bfd4a28f52b2070099fcad528b80640910e714898bad65031f0ad84df64dab242658c163ab7e8d9778cdc53f3dfe6d30cc2774383bada

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads