4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Size

168KB
MD5

553bfbc62ad7c84f8e29fb4bf4442ae5
SHA1

546c7fe2468e6bbacfeb35eac622880982cff82b
SHA256

4dc70f5d77072b5cbb35b47d7f220bcb3ac64ec8d519b53902eff48c81dc5178
SHA512

2e6378e183b8aed8c3f3f6b15e06e48ebe0110ebb0fff79a46a64d16ca0100772bb32ec0aad79250a6d93781234db913dd70d7cf0bf1bf92bb95e491a460730e
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90748F79-DFB2-4cdc-97D7-479118B32142}	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}\stubpath = "C:\\Windows\\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe"	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}\stubpath = "C:\\Windows\\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe"	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}\stubpath = "C:\\Windows\\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe"	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936C225A-AA04-45bb-A093-49E30B97E805}	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30152BA8-D461-4302-AD3A-D88CC003D777}	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30152BA8-D461-4302-AD3A-D88CC003D777}\stubpath = "C:\\Windows\\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe"	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}\stubpath = "C:\\Windows\\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe"	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B2FB43-DA87-4524-8C40-E023314B5513}	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}\stubpath = "C:\\Windows\\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe"	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90748F79-DFB2-4cdc-97D7-479118B32142}\stubpath = "C:\\Windows\\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe"	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{936C225A-AA04-45bb-A093-49E30B97E805}\stubpath = "C:\\Windows\\{936C225A-AA04-45bb-A093-49E30B97E805}.exe"	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}\stubpath = "C:\\Windows\\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe"	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B2FB43-DA87-4524-8C40-E023314B5513}\stubpath = "C:\\Windows\\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe"	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}\stubpath = "C:\\Windows\\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe"	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}\stubpath = "C:\\Windows\\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe"	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe

Executes dropped EXE 12 IoCs

pid	Process
4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
3600	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
3040	{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
File created	C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
File created	C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
File created	C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
File created	C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
File created	C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
File created	C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
File created	C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
File created	C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
File created	C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
File created	C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
File created	C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
Token: SeIncBasePriorityPrivilege	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
Token: SeIncBasePriorityPrivilege	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
Token: SeIncBasePriorityPrivilege	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
Token: SeIncBasePriorityPrivilege	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
Token: SeIncBasePriorityPrivilege	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
Token: SeIncBasePriorityPrivilege	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe
Token: SeIncBasePriorityPrivilege	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
Token: SeIncBasePriorityPrivilege	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
Token: SeIncBasePriorityPrivilege	3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
Token: SeIncBasePriorityPrivilege	3600	{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4808	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	95
PID 2844 wrote to memory of 4808	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	95
PID 2844 wrote to memory of 4808	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	95
PID 2844 wrote to memory of 544	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	96
PID 2844 wrote to memory of 544	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	96
PID 2844 wrote to memory of 544	2844	2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe	96
PID 4808 wrote to memory of 2112	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	97
PID 4808 wrote to memory of 2112	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	97
PID 4808 wrote to memory of 2112	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	97
PID 4808 wrote to memory of 1508	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	98
PID 4808 wrote to memory of 1508	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	98
PID 4808 wrote to memory of 1508	4808	{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe	98
PID 2112 wrote to memory of 2056	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	101
PID 2112 wrote to memory of 2056	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	101
PID 2112 wrote to memory of 2056	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	101
PID 2112 wrote to memory of 4896	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	102
PID 2112 wrote to memory of 4896	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	102
PID 2112 wrote to memory of 4896	2112	{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe	102
PID 2056 wrote to memory of 1236	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	104
PID 2056 wrote to memory of 1236	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	104
PID 2056 wrote to memory of 1236	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	104
PID 2056 wrote to memory of 2240	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	105
PID 2056 wrote to memory of 2240	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	105
PID 2056 wrote to memory of 2240	2056	{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe	105
PID 1236 wrote to memory of 860	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	106
PID 1236 wrote to memory of 860	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	106
PID 1236 wrote to memory of 860	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	106
PID 1236 wrote to memory of 4252	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	107
PID 1236 wrote to memory of 4252	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	107
PID 1236 wrote to memory of 4252	1236	{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe	107
PID 860 wrote to memory of 3364	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	109
PID 860 wrote to memory of 3364	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	109
PID 860 wrote to memory of 3364	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	109
PID 860 wrote to memory of 3400	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	110
PID 860 wrote to memory of 3400	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	110
PID 860 wrote to memory of 3400	860	{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe	110
PID 3364 wrote to memory of 3440	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	111
PID 3364 wrote to memory of 3440	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	111
PID 3364 wrote to memory of 3440	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	111
PID 3364 wrote to memory of 880	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	112
PID 3364 wrote to memory of 880	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	112
PID 3364 wrote to memory of 880	3364	{90748F79-DFB2-4cdc-97D7-479118B32142}.exe	112
PID 3440 wrote to memory of 3524	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	115
PID 3440 wrote to memory of 3524	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	115
PID 3440 wrote to memory of 3524	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	115
PID 3440 wrote to memory of 1068	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	116
PID 3440 wrote to memory of 1068	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	116
PID 3440 wrote to memory of 1068	3440	{936C225A-AA04-45bb-A093-49E30B97E805}.exe	116
PID 3524 wrote to memory of 2392	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	122
PID 3524 wrote to memory of 2392	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	122
PID 3524 wrote to memory of 2392	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	122
PID 3524 wrote to memory of 4040	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	123
PID 3524 wrote to memory of 4040	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	123
PID 3524 wrote to memory of 4040	3524	{30152BA8-D461-4302-AD3A-D88CC003D777}.exe	123
PID 2392 wrote to memory of 3556	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	124
PID 2392 wrote to memory of 3556	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	124
PID 2392 wrote to memory of 3556	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	124
PID 2392 wrote to memory of 2240	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	125
PID 2392 wrote to memory of 2240	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	125
PID 2392 wrote to memory of 2240	2392	{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe	125
PID 3556 wrote to memory of 3600	3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe	129
PID 3556 wrote to memory of 3600	3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe	129
PID 3556 wrote to memory of 3600	3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe	129
PID 3556 wrote to memory of 2228	3556	{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_553bfbc62ad7c84f8e29fb4bf4442ae5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
  C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
    C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
      C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
        
        C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
        
        C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
        
        C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe
        
        C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
        
        C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
        
        C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
        
        C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
        
        C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe
        
        C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B43C1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFB2C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6979~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30152~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{936C2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90748~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5097B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8A6A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEEA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC36~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84FC4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30152BA8-D461-4302-AD3A-D88CC003D777}.exe

Filesize
168KB

MD5
f2cdd0327ecbd4db4820f23660a03522

SHA1
8242447b4ce24f4e469c9dadcfb9e5fcea866546

SHA256
fbce5940bc4383574dc47c595c4e86637b0894afc13e957bf5f2509e6c3d700f

SHA512
a2de9290cffaf5ac884bc64bd420666664caba2140a08f6c588ae5b610a16bf28eb85e3d41d084372802f2a233f4b43e23f40e13e28edeb46e112a89d41ce48c

Download Submit
C:\Windows\{5097B678-238D-4bdf-8C1B-4B3551C0F05C}.exe

Filesize
168KB

MD5
bde4aad4508253cf89ae9020d5590521

SHA1
e74714b6b53148b4f835b78266cef3fd383c9d02

SHA256
026f2fe911e581e6080f3a263f26cfdf2e9380dc361d78ee4dc2ab5ca0d8b086

SHA512
3060f7f252876ed89f2ab35c0fa3533eaeb9dc6cda706920733f875b5ede13ed49f88a20535a9250ea2f1b0f93f7a01d82c1d68e0aabe3e1e80870e758bafe6a

Download Submit
C:\Windows\{84FC425D-67E7-46c7-9B15-76D8F9048B5F}.exe

Filesize
168KB

MD5
a1ee068e27760f82335a2e29ad280351

SHA1
144f1509f642b9dc19116d0522a8bd3297b9f84d

SHA256
03f7280d5db17bba93651b1b9ebf08ecbdd3fc9215f9921cc267ca873909d2f5

SHA512
7ca55fd324fe610c7c0299ecc245f80e82edd675aa6d88fdf23de58cc9490f8d97e7f48a9683bcbf60ff9b36e013a2737dced4c0de0e38e27eb66aef599629f4

Download Submit
C:\Windows\{90748F79-DFB2-4cdc-97D7-479118B32142}.exe

Filesize
168KB

MD5
275b44896e4eb38d6072656273917ce4

SHA1
d43ca6441bcaef5ee4eefc675b6d57dc81e24309

SHA256
ed2e790642f03736f86979038b91bb6298027cb2f04f4b67fff43e5c226e432c

SHA512
1d1e2d611504802a344144a29a2f7cbb68b111f49ab542ad66164e3f8438e97e0532723f8f81a714eed62661881f13c42485a548ae819b5c424792c2a43d7666

Download Submit
C:\Windows\{936C225A-AA04-45bb-A093-49E30B97E805}.exe

Filesize
168KB

MD5
b2c7abcb86c055e1c8a7233975e1b6e1

SHA1
e04abd6c866eac984442cb54e4b8f9e35d478029

SHA256
3c8dc59589e2221d621b2b84343aa4137f662c812ce8eaa65b7d8b97b9f06413

SHA512
149105e35dec2df08e4e0ffd9f503fd2d5fb9cc96b5d3f4765fb8573b8720e42a46735b78ae79fb38b3156a71db0e0fdcecfb894bfd3ba344e017d10e0e8f894

Download Submit
C:\Windows\{9EC364B9-30DB-4800-8E16-35FA12A71DB0}.exe

Filesize
168KB

MD5
311850fa3d5b80cb5a57714b950ab74f

SHA1
d7cfa09a7eb5160d782ec63b908564b3f788969d

SHA256
23a5142f364568021b0b7ba89e16b4f14325bfe9c511c87fcf7b1afa68deaf28

SHA512
8d470fab4b0d533ec8c1d43cb986cdf8081a158b7c4b0dec96a684cd99023629584d2c056957e2135e3a57ceccd1f84ace04ee3854df66b734aaa39ce98a1987

Download Submit
C:\Windows\{B43C15CE-F9A1-4dbf-9FB3-B16789879106}.exe

Filesize
168KB

MD5
f11bf6adfccbb67a84b3f297d6affb9e

SHA1
668fa0af4d246d90527636d47c396e3507d1eb50

SHA256
f39b4622479b477049bb0420ee93bcf8690526b6bad96b501b3f3de7519794f0

SHA512
9760fee7a7f1b99b531c267a9683b239536702207e2b74c672e340928f3c3b5defebc5de1ce7d43d6f6ab6ce84aff639309fb21b42f87e8d9b265ad862ff97a1

Download Submit
C:\Windows\{B8B2FB43-DA87-4524-8C40-E023314B5513}.exe

Filesize
168KB

MD5
f81bb20a4314c728fa1eaf67cf270dcb

SHA1
cf8fd662001148c366cb5450c6a636114a3f3b6d

SHA256
b19c8c678d29ed722cc6118032f2d566c12b30166b7ed337735c228aa43b7a95

SHA512
cdbcf956e6ba60967a011a1988b893d27b31282f42e0ba1d9801952344b72e0335a3d0e076a99a139548ee81a3a76a01bc601ea087038fdb359b78900146d942

Download Submit
C:\Windows\{BFB2CDFF-A50C-4a80-ADE0-67E459A7E8C3}.exe

Filesize
168KB

MD5
8281b0f8dd492f2a1d58c630b583aa32

SHA1
211417dff7df80513c8023260664d186f2335de3

SHA256
a1381496ba514d9ddb76fe9ced79c4d708fb29d32fe37c460d17d4797591ae2f

SHA512
102f1861e307b86dc7cb8b265d7fd61a9e18f945a030b0c8469d3f2f867d4b4d96f719493d88e7d1f470377f310dc797f89951c801008a6d219334093673df61

Download Submit
C:\Windows\{C69794C9-8244-423e-8DC0-D5BB2B46FD5F}.exe

Filesize
168KB

MD5
15268b0f93fc321d2bd0ca518b026999

SHA1
fd91ab6cffb13918b078ffaf9a9e2a9017162158

SHA256
0eacbf32d33edf388eaeedeb8800c62a24ef91ea72723f9b5376b4f287d8de50

SHA512
c6a358175900a225f46996e4d4751599a5cfcdd49f43fc2908c89a890bbc9d22bb47895e7b6956ee37878c501ee3fae03202459ad92c8ad1848ba3c0d68e20fa

Download Submit
C:\Windows\{DFEEA70B-EB4F-43b4-8ABA-964BFD47B6CE}.exe

Filesize
168KB

MD5
f2e781dd8e1633fd9057b3da07187734

SHA1
367ee170d6192508cde0ac68f873714b908adced

SHA256
a70365f8723e7c508959d46e6cb73bb7ae7cc6beee0a977ce331cb7483e64c6f

SHA512
063db05789e81cd6f88252e8806da6c41a57dd058d7cb7cb2f5627ab960ac3e5e5222d04ebc91da600813b56b6ff6201123d1db3445f57e7da16cbfb5a5740b3

Download Submit
C:\Windows\{E8A6A11B-4F27-4bc7-90C1-B120C74E2C2E}.exe

Filesize
168KB

MD5
3c5b8432b9408c3dd0f12516e0582b1f

SHA1
349f81423e36d7de016b8d2ba56336d19656d701

SHA256
0a964b708379297c7e32703101c217d427f7736b6fb5e759e8f6faef24d3d228

SHA512
5916727e485cbf0119484b4edbbaec80e66088d5c79628175d0884ce78a80084900537b1615c09853d774ccdc23f0a4cf0182231e33ff0f6e97675fc65198fe9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads