4c7f980c682de5854ffb1395a80930b41cb8db6b7b32a13d130a733047ee9ef6

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Size

408KB
MD5

d59140b8b6025e52021778bcee4340d7
SHA1

e707c7dff8a50235e489a0107e1255258e78d83a
SHA256

4c7f980c682de5854ffb1395a80930b41cb8db6b7b32a13d130a733047ee9ef6
SHA512

6e7ce24267dcca12d4a81ee44de8907af3f710f152a135b25240a30506b9af8560763afdcc8283da9039dc11895dd27a8ce47a9ce3ac817c1d9c4269073e3635
SSDEEP

3072:CEGh0oyl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{167141D0-81A9-4657-AD85-FCC61E4C42CB}\stubpath = "C:\\Windows\\{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe"	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC2A4816-3D16-4a35-A57B-DA6898383D51}\stubpath = "C:\\Windows\\{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe"	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7483C2-5826-47ea-8212-A12AB68F8297}\stubpath = "C:\\Windows\\{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe"	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}\stubpath = "C:\\Windows\\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe"	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}\stubpath = "C:\\Windows\\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe"	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{167141D0-81A9-4657-AD85-FCC61E4C42CB}	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55863BA3-089A-4b00-9ED6-948C088B4052}	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55863BA3-089A-4b00-9ED6-948C088B4052}\stubpath = "C:\\Windows\\{55863BA3-089A-4b00-9ED6-948C088B4052}.exe"	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}\stubpath = "C:\\Windows\\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe"	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}\stubpath = "C:\\Windows\\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe"	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC2A4816-3D16-4a35-A57B-DA6898383D51}	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D7483C2-5826-47ea-8212-A12AB68F8297}	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51554964-2A81-44ba-A1CC-E648B523A3B6}	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}\stubpath = "C:\\Windows\\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe"	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01C01DE-120D-4eff-835E-2F6D70156B24}\stubpath = "C:\\Windows\\{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe"	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}\stubpath = "C:\\Windows\\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe"	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C01C01DE-120D-4eff-835E-2F6D70156B24}	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51554964-2A81-44ba-A1CC-E648B523A3B6}\stubpath = "C:\\Windows\\{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe"	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe

Executes dropped EXE 12 IoCs

pid	Process
5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
1048	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
3764	{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
File created	C:\Windows\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
File created	C:\Windows\{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
File created	C:\Windows\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
File created	C:\Windows\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
File created	C:\Windows\{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
File created	C:\Windows\{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
File created	C:\Windows\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
File created	C:\Windows\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
File created	C:\Windows\{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
File created	C:\Windows\{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
File created	C:\Windows\{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
Token: SeIncBasePriorityPrivilege	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
Token: SeIncBasePriorityPrivilege	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
Token: SeIncBasePriorityPrivilege	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
Token: SeIncBasePriorityPrivilege	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
Token: SeIncBasePriorityPrivilege	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
Token: SeIncBasePriorityPrivilege	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
Token: SeIncBasePriorityPrivilege	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
Token: SeIncBasePriorityPrivilege	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
Token: SeIncBasePriorityPrivilege	3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
Token: SeIncBasePriorityPrivilege	1048	{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 5052	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	97
PID 4280 wrote to memory of 5052	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	97
PID 4280 wrote to memory of 5052	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	97
PID 4280 wrote to memory of 2736	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	98
PID 4280 wrote to memory of 2736	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	98
PID 4280 wrote to memory of 2736	4280	2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe	98
PID 5052 wrote to memory of 3104	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	99
PID 5052 wrote to memory of 3104	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	99
PID 5052 wrote to memory of 3104	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	99
PID 5052 wrote to memory of 1840	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	100
PID 5052 wrote to memory of 1840	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	100
PID 5052 wrote to memory of 1840	5052	{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe	100
PID 3104 wrote to memory of 2044	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	104
PID 3104 wrote to memory of 2044	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	104
PID 3104 wrote to memory of 2044	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	104
PID 3104 wrote to memory of 4940	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	105
PID 3104 wrote to memory of 4940	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	105
PID 3104 wrote to memory of 4940	3104	{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe	105
PID 2044 wrote to memory of 3232	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	106
PID 2044 wrote to memory of 3232	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	106
PID 2044 wrote to memory of 3232	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	106
PID 2044 wrote to memory of 3604	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	107
PID 2044 wrote to memory of 3604	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	107
PID 2044 wrote to memory of 3604	2044	{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe	107
PID 3232 wrote to memory of 4060	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	108
PID 3232 wrote to memory of 4060	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	108
PID 3232 wrote to memory of 4060	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	108
PID 3232 wrote to memory of 3936	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	109
PID 3232 wrote to memory of 3936	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	109
PID 3232 wrote to memory of 3936	3232	{55863BA3-089A-4b00-9ED6-948C088B4052}.exe	109
PID 4060 wrote to memory of 3828	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	111
PID 4060 wrote to memory of 3828	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	111
PID 4060 wrote to memory of 3828	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	111
PID 4060 wrote to memory of 4760	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	112
PID 4060 wrote to memory of 4760	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	112
PID 4060 wrote to memory of 4760	4060	{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe	112
PID 3828 wrote to memory of 3804	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	113
PID 3828 wrote to memory of 3804	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	113
PID 3828 wrote to memory of 3804	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	113
PID 3828 wrote to memory of 2144	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	114
PID 3828 wrote to memory of 2144	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	114
PID 3828 wrote to memory of 2144	3828	{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe	114
PID 3804 wrote to memory of 1980	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	119
PID 3804 wrote to memory of 1980	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	119
PID 3804 wrote to memory of 1980	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	119
PID 3804 wrote to memory of 3392	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	120
PID 3804 wrote to memory of 3392	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	120
PID 3804 wrote to memory of 3392	3804	{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe	120
PID 1980 wrote to memory of 1692	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	125
PID 1980 wrote to memory of 1692	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	125
PID 1980 wrote to memory of 1692	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	125
PID 1980 wrote to memory of 3632	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	126
PID 1980 wrote to memory of 3632	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	126
PID 1980 wrote to memory of 3632	1980	{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe	126
PID 1692 wrote to memory of 3168	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	127
PID 1692 wrote to memory of 3168	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	127
PID 1692 wrote to memory of 3168	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	127
PID 1692 wrote to memory of 2796	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	128
PID 1692 wrote to memory of 2796	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	128
PID 1692 wrote to memory of 2796	1692	{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe	128
PID 3168 wrote to memory of 1048	3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe	132
PID 3168 wrote to memory of 1048	3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe	132
PID 3168 wrote to memory of 1048	3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe	132
PID 3168 wrote to memory of 3056	3168	{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_d59140b8b6025e52021778bcee4340d7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
  C:\Windows\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
    C:\Windows\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
      C:\Windows\{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
        
        C:\Windows\{55863BA3-089A-4b00-9ED6-948C088B4052}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
        
        C:\Windows\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
        
        C:\Windows\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
        
        C:\Windows\{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
        
        C:\Windows\{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
        
        C:\Windows\{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
        
        C:\Windows\{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
        
        C:\Windows\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe
        
        C:\Windows\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4180C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C01C0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51554~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D748~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC2A4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A0A7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3438E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55863~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16714~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0A60~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2CAB4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A0A7F48-CFF8-46a9-A0FF-630A6D93490E}.exe

Filesize
408KB

MD5
1818d2fee1dfd5640bbb47e67a91bbe6

SHA1
97e6bb28a9aed8eb7259e54cb41b3a3bae7f4c6c

SHA256
62d7b888e62c951f2d641d55c57a9c7897ccb77d2c581e33a90eec3b9fdadf40

SHA512
22887a8457489340d8dfd6ff0039580f1ad7c98c71faf662e05bfcf4b0d1a41fb786c207cd84a1d1ea6a997fa027ae2ea4c4777bc8150d10894dc3d494914ff1

Download Submit
C:\Windows\{167141D0-81A9-4657-AD85-FCC61E4C42CB}.exe

Filesize
408KB

MD5
cfb86074f4dc137f1301aad15aa08495

SHA1
d722c3b0d8000891146772745eb13a7d27a71200

SHA256
a12d8537378c9952a817ff3046f100c48450688fc0a4c00ad39c9f65d1757d69

SHA512
329a7c1b9e9ed439767c0c1c582ac6410a132867b7e0ecc58460ce65d5d47bd04be243a10c4855bed6c22369d65aef73862748c3a64bc366d4cf4d8a00163f24

Download Submit
C:\Windows\{2CAB4D91-7CBE-4048-BAAF-C627B11130AD}.exe

Filesize
408KB

MD5
9d83f2a9c787f6a4120c53532cc21e5d

SHA1
a15d8ec496b4af8bd70f5321d9776f95d263e9d6

SHA256
e7c97db4965e42d94b9d6f2b60cfcbc1e1c3ef887064392c09301bc6ea9f08f1

SHA512
baf2f37134f08aba2c5d27b8b5dede4259995de798950256a2f9d5302634f089da446a8d299eaec9a7e61b3aba2dc53958c0005385cca749a6c88dd0e6315e02

Download Submit
C:\Windows\{3438ED29-32D4-4ee5-9545-B5A4DF01CA90}.exe

Filesize
408KB

MD5
4e3d779a3762df3fd5b99c9329c57647

SHA1
c1170705a318263c977ab3165f959da6509b5b75

SHA256
7a925c8f0a7d75271bf119fe25a1fb0726bd22466a51900ab83eb96a8fdb12ba

SHA512
d8923edc4536f203f6f54a0cd7664a00db86cc1cc925edf58cc07271df6107a2624b8385f4aa86d656b9ddd5c17752cbbb997113c1758a823c886283797261ec

Download Submit
C:\Windows\{4180C6DA-971A-4bcb-8476-5B2FBB6CD39D}.exe

Filesize
408KB

MD5
b6f0cce195c145d6c0cb7ce7bd21775e

SHA1
93ec3a8c41370f9381f46565bf2dc5e131c46fc5

SHA256
0ec6a3156929d55c57ac4c97d9e0d7d2252f600b361db8c65c4e4cea6b631292

SHA512
6aa8a713f67b6f6be258d989c2bda09ccdc01ef2433b83e46dc084536fd735262f7efd04fcb10acfaf51794038f33f6020292d13213b9af81a43ead79e9836e5

Download Submit
C:\Windows\{4D7483C2-5826-47ea-8212-A12AB68F8297}.exe

Filesize
408KB

MD5
99a8e0a70ae4ef1699b8d746b568aba3

SHA1
0465c328d5f93a6689155f508c1d40fe7c752948

SHA256
4632c9616a4725a349ca5f974d7bd8bebc8d87fde3f72344cdcf9c7e9bfe64bc

SHA512
d0495133b54113a4796776b1dd5d64e422fba7731435dba7fa0bb6a23353123c4ccdb4f7b010ecb1941a7e0d799f226bc9c6168a78cb09b2082085891d866076

Download Submit
C:\Windows\{51554964-2A81-44ba-A1CC-E648B523A3B6}.exe

Filesize
408KB

MD5
b8f8865e4d716cd863f04d6344dd9c5f

SHA1
91246dafcbeb6cd5eea0686b576b1e6681566e13

SHA256
5c5136856cdbe22c3f81e646b670387a7ab17816645f9fac0c0d57efa7163cf3

SHA512
3f8739b486b701d05a99ec1004a6d36d540f93a3919bae229ae00c5c668282b9ecc291d1de51232daa69fb41931ce35177b342fdeac069556cfd4af7fb5169ab

Download Submit
C:\Windows\{55863BA3-089A-4b00-9ED6-948C088B4052}.exe

Filesize
408KB

MD5
9b8fc253a3367eec721c03c98c6553b5

SHA1
947f7d2762fbb167d0aec66b2e24a1a76025fabc

SHA256
89f0cbd929337f93791f346472e00fcb351c53f14af8ab1cf6fd3fdba5a3bbda

SHA512
8b7b781d30268ab527320b8b9487e3536f9cc63e5d8dff57128ac83da1210269332cbe5cdcb8fcc4f0c81aa392885da8ed58070efe3ad932f859aabeec08339c

Download Submit
C:\Windows\{763E24C1-54FA-41b7-BE42-7A1F07AD8F58}.exe

Filesize
408KB

MD5
9f58788d4fee8db7c2ebfc3980cd022c

SHA1
184f572f55b72711464c4c28ae6d946aad02f697

SHA256
037c9ac0fab1da4f52e790d6c85daf03af1bb48219f03b77850a138620bfea86

SHA512
b59970188ca265e7f573d964c320d22e6bfb77e4cb17ef8e9d646cbbef568e57e92a4755ba872207354c11c4e213ff332b821e3fc488b2a4594a8607acdf0cc5

Download Submit
C:\Windows\{C01C01DE-120D-4eff-835E-2F6D70156B24}.exe

Filesize
408KB

MD5
44ac3937122cae97bfedfb8a54897f02

SHA1
d01cea0b141a7fd8467a0f330207889788e13526

SHA256
ede365b0849c6ad76650a021b0b82ce5566c7b6167224fd07982c96f90f7d139

SHA512
e7e851db4bb0dfd603ef5496deb2e450418f3dcbdb81adf8e0360eb146072362b452a8f391e94743dc3b2887bb8df53c2f780a7866930246fa870e25e390fca1

Download Submit
C:\Windows\{DC2A4816-3D16-4a35-A57B-DA6898383D51}.exe

Filesize
408KB

MD5
226ff0d7dfa8fc828c4e6f5d115133e0

SHA1
74ee6d71d24db7ea4935014db72c513a9675036b

SHA256
f0ece885d73ffab43aafe2c92bd7441f36740edfeb990c97aadb56db7f9c237f

SHA512
51555f6f4ba77da5b672455869d9c091ab340eb1134ae9ccbbc7b6a649a7c393d57b2478095532e1c5a7626053e5cfffae5a1bff0a497d41881a1745d22b9f56

Download Submit
C:\Windows\{F0A6023B-3520-4fb9-A9E0-EA06854B08E1}.exe

Filesize
408KB

MD5
2d0627f1f44e3b71bbeb3b67b9e4e465

SHA1
5b7a404544c99fbea00671b78fc29e8e1767d5d6

SHA256
7f89f2d3637333a8c2c783ea79ee68f5e0e5bb93e718c43880034f1ac7602c09

SHA512
766775efb370090a267eff589593dcdcaa880d713c8d61b0abcce18051eb25a024874a8f1e7198549adbd9d0a93a12fe2e35e7412e22e1eac2ae38fbce822321

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads