196000bd2c8369f08eb983b883dac4f7f26a99e3a6a6349dff736e9f22caffe8

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Size

408KB
MD5

895557d300511f763dfa1105e82bb491
SHA1

6c5ff8b4067a83247922d73c5e461f4ffeb8f7fa
SHA256

196000bd2c8369f08eb983b883dac4f7f26a99e3a6a6349dff736e9f22caffe8
SHA512

ec546d97ccd09ca8b4947bebbf13c023d098049c1285cbe4a57599e4a8155d39ba9c7e0bce829b791a5da70c92bcba57b94a0cf8683f9fd50f5945262c684a63
SSDEEP

3072:CEGh0oFl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDD32B2-C293-4629-847B-314CFEE68C20}	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCDD32B2-C293-4629-847B-314CFEE68C20}\stubpath = "C:\\Windows\\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe"	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}\stubpath = "C:\\Windows\\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe"	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}\stubpath = "C:\\Windows\\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe"	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C456355F-3478-4dab-AF10-A40771F79DD0}	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C456355F-3478-4dab-AF10-A40771F79DD0}\stubpath = "C:\\Windows\\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe"	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6840CFF-A7C8-4e30-80DA-E548081380F2}\stubpath = "C:\\Windows\\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe"	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F22063-3760-4a36-9DC3-5A817176F9F7}\stubpath = "C:\\Windows\\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe"	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}\stubpath = "C:\\Windows\\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe"	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7625F019-4B6C-4a1f-B450-79289195CA0B}	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}\stubpath = "C:\\Windows\\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe"	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}\stubpath = "C:\\Windows\\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe"	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43F22063-3760-4a36-9DC3-5A817176F9F7}	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6840CFF-A7C8-4e30-80DA-E548081380F2}	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7625F019-4B6C-4a1f-B450-79289195CA0B}\stubpath = "C:\\Windows\\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe"	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}\stubpath = "C:\\Windows\\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe"	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}\stubpath = "C:\\Windows\\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe"	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe

Executes dropped EXE 12 IoCs

pid	Process
640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
4972	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
1752	{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
File created	C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
File created	C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
File created	C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
File created	C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
File created	C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
File created	C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
File created	C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
File created	C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
File created	C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
File created	C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
File created	C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
Token: SeIncBasePriorityPrivilege	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
Token: SeIncBasePriorityPrivilege	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
Token: SeIncBasePriorityPrivilege	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
Token: SeIncBasePriorityPrivilege	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
Token: SeIncBasePriorityPrivilege	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
Token: SeIncBasePriorityPrivilege	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
Token: SeIncBasePriorityPrivilege	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
Token: SeIncBasePriorityPrivilege	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
Token: SeIncBasePriorityPrivilege	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
Token: SeIncBasePriorityPrivilege	3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
Token: SeIncBasePriorityPrivilege	4972	{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 640	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	95
PID 3840 wrote to memory of 640	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	95
PID 3840 wrote to memory of 640	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	95
PID 3840 wrote to memory of 1432	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	96
PID 3840 wrote to memory of 1432	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	96
PID 3840 wrote to memory of 1432	3840	2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe	96
PID 640 wrote to memory of 4060	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	97
PID 640 wrote to memory of 4060	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	97
PID 640 wrote to memory of 4060	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	97
PID 640 wrote to memory of 3120	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	98
PID 640 wrote to memory of 3120	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	98
PID 640 wrote to memory of 3120	640	{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe	98
PID 4060 wrote to memory of 3432	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	101
PID 4060 wrote to memory of 3432	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	101
PID 4060 wrote to memory of 3432	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	101
PID 4060 wrote to memory of 3232	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	102
PID 4060 wrote to memory of 3232	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	102
PID 4060 wrote to memory of 3232	4060	{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe	102
PID 3432 wrote to memory of 1764	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	103
PID 3432 wrote to memory of 1764	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	103
PID 3432 wrote to memory of 1764	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	103
PID 3432 wrote to memory of 3048	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	104
PID 3432 wrote to memory of 3048	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	104
PID 3432 wrote to memory of 3048	3432	{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe	104
PID 1764 wrote to memory of 408	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	105
PID 1764 wrote to memory of 408	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	105
PID 1764 wrote to memory of 408	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	105
PID 1764 wrote to memory of 1132	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	106
PID 1764 wrote to memory of 1132	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	106
PID 1764 wrote to memory of 1132	1764	{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe	106
PID 408 wrote to memory of 4308	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	107
PID 408 wrote to memory of 4308	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	107
PID 408 wrote to memory of 4308	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	107
PID 408 wrote to memory of 976	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	108
PID 408 wrote to memory of 976	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	108
PID 408 wrote to memory of 976	408	{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe	108
PID 4308 wrote to memory of 3692	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	109
PID 4308 wrote to memory of 3692	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	109
PID 4308 wrote to memory of 3692	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	109
PID 4308 wrote to memory of 4236	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	110
PID 4308 wrote to memory of 4236	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	110
PID 4308 wrote to memory of 4236	4308	{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe	110
PID 3692 wrote to memory of 4988	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	111
PID 3692 wrote to memory of 4988	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	111
PID 3692 wrote to memory of 4988	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	111
PID 3692 wrote to memory of 2528	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	112
PID 3692 wrote to memory of 2528	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	112
PID 3692 wrote to memory of 2528	3692	{C456355F-3478-4dab-AF10-A40771F79DD0}.exe	112
PID 4988 wrote to memory of 1508	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	113
PID 4988 wrote to memory of 1508	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	113
PID 4988 wrote to memory of 1508	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	113
PID 4988 wrote to memory of 2208	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	114
PID 4988 wrote to memory of 2208	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	114
PID 4988 wrote to memory of 2208	4988	{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe	114
PID 1508 wrote to memory of 3612	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	115
PID 1508 wrote to memory of 3612	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	115
PID 1508 wrote to memory of 3612	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	115
PID 1508 wrote to memory of 3876	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	116
PID 1508 wrote to memory of 3876	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	116
PID 1508 wrote to memory of 3876	1508	{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe	116
PID 3612 wrote to memory of 4972	3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe	117
PID 3612 wrote to memory of 4972	3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe	117
PID 3612 wrote to memory of 4972	3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe	117
PID 3612 wrote to memory of 3280	3612	{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_895557d300511f763dfa1105e82bb491_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
  C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
    C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
      C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
        
        C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
        
        C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
        
        C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
        
        C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
        
        C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
        
        C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
        
        C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
        
        C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe
        
        C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96863~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEE40~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6840~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F22~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4563~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFA0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21EE8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7625F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EE76~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EAEB1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{57EC7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21EE8ADE-CCFA-40d0-A703-0B6D69E65EFF}.exe

Filesize
408KB

MD5
50bc227596f8656378edfabefd3d6c99

SHA1
8a421e2e0be3236cb60bf4437933eab16ec46711

SHA256
4ab057f06804402468a37344a90102df27f500c7671cea7cb4f83a64ae5b021a

SHA512
5f4eb4f48e0b74232bf96357c579fcac5928f18d671206423b64a56a7c7ec5ae678466570dddabeb7e0aaace48aa5d1bd0efbb165a915a079f162e3bb028d560

Download Submit
C:\Windows\{43F22063-3760-4a36-9DC3-5A817176F9F7}.exe

Filesize
408KB

MD5
932f674bb3a5cff8ba3695efde01831a

SHA1
5dca7a76c6aaaa23ccdb56aaca7258c03eb2cba5

SHA256
59b2690f32a96b11290986e227fe4fb479f42208b154989fe015f01f66bde93d

SHA512
c2aa9f5c5fffa6447329ef848fdfb2b270e44bb97c7442e207c512c4beb29ed312dcdbc8a476508d3d86c24823148f0a02b47f6c8cca47fdf0bd92ea9fd8e0ba

Download Submit
C:\Windows\{4EE76C0B-0131-48bd-A5B3-A9D11A6D3469}.exe

Filesize
408KB

MD5
ab3ec52bbd66f451a11d8bc53e698a2b

SHA1
5b2b1fc2c7dcb735367094e6975839ecbd76b6e9

SHA256
73a2d53cfdeafefd2dffffede90dafef6fee2ebcef746a9741946a189452f4de

SHA512
1fee33bd2bd8f615c247d09bcf21707e6a2f39dfb3c054cfe7d74564a4d9dbe755086addc097c7fdc4fa3c5d9895f8ebf0f2ca7cbbe0a971485c1e31245d2895

Download Submit
C:\Windows\{57EC7DA6-5247-4dcf-8210-589D5230A9C4}.exe

Filesize
408KB

MD5
3a37d3004cad2b94b54405f5da1922ed

SHA1
90b45a6ef24d1859cadefcc0cf9b7fe77c088024

SHA256
0c4252089db5f58f1564f9cd2e13ad8c886b00ad5e7335f4bc7de1cbbf7324ba

SHA512
b0cccc6fd224a45598e17f198fc2713c5255382abcce5ee227bd085b2a4b3a79941755883d88e6f64863d58ebbb3ea960464a29450e00b23a469c30a0093b094

Download Submit
C:\Windows\{7625F019-4B6C-4a1f-B450-79289195CA0B}.exe

Filesize
408KB

MD5
f87f60c3ed3c6d715edefc787525b178

SHA1
45d64e655324fc6dd68927d5c5f8bae7a8f96f84

SHA256
d0bc26125568fce2febc750d55d54df5cf23063a200d02836790fa8d664f7828

SHA512
36417eaaa649815ba8b879401bcc12881682ab381fc283dc0b0e7cdf72a0d4db369dcecfcfd5cef7b045199667674b3beb6eaa239848646546535e66796b8a94

Download Submit
C:\Windows\{7AFA04F1-E95E-4f1c-984C-588FED1ED3BD}.exe

Filesize
408KB

MD5
92edc61bb316563d2c524da3350017a4

SHA1
8874267e232f30aafd7e537cd651c449fd5bb82f

SHA256
4c4b8d17ca17c65ff5d30071f9e37cf95e0c7a89706bd519e04d1be6fd2cf2f5

SHA512
2dcf5124fbbf2854d42a4a903c64da2d278b6bea4eeb8cd5f82b0f05da6d95b982f63b4322905497b49c96514a8e85f1ff0cdaa1ff751042fb9760391a6d0894

Download Submit
C:\Windows\{96863A9A-6D43-4b1e-9AEF-3C6AF48910EF}.exe

Filesize
408KB

MD5
a92dbd89667220ee3a7a4834903f901d

SHA1
7de01b0f9f3249a39d87bdd212a4069965e35b09

SHA256
4e471987407d8b170fb669ef216721e8da2af6ae299b53f83a1ad9b54c1e2727

SHA512
4cf0355d80c1c5970e81bb80be5871b0da4e749be0698da136d54348052887de5cf8a06ed11d1b5fba3a605ad07a2871c569183242b2c475a078d8cb4061206f

Download Submit
C:\Windows\{BEE40D85-3DBD-4f4d-A5EE-C3F518EE212A}.exe

Filesize
408KB

MD5
517d9f622ea3a2fde911c9c1a0749700

SHA1
7ebe1e6284f900f69adeeb1bf34ad5c802588df7

SHA256
ba2d692b3a63f1519ab02480d7623309ed0cef0ec73b7ff8c4e92f296b52b032

SHA512
a6b5d1c2d63479820d2701a7b5fea3f82a08949b9fe53f82c0eb5422ab38bb53f339e44e56db3480137fc982beede41977f6f83b10f12d7d321e3f799e369939

Download Submit
C:\Windows\{C456355F-3478-4dab-AF10-A40771F79DD0}.exe

Filesize
408KB

MD5
39aa125a0a5a35a858448257277a2d91

SHA1
510ce70bb3111fa005bc6d9aeb166030e42623a2

SHA256
da05384f43ab106d9fec2ec1f6714f9a3b1ad26ba33313586b8268919e3bc558

SHA512
872a6fa868f28738811307ae51e1b8a0dff2193365be1111978c4dd99554e0c45bc259001e4928efd07602c4da013dfc85118357cc9cc97a8d721b136a05f42a

Download Submit
C:\Windows\{C6840CFF-A7C8-4e30-80DA-E548081380F2}.exe

Filesize
408KB

MD5
ee4d7a4af40a5d2009a6e2e6cdca5a21

SHA1
514e5d784452c8824d29c2ab850e2ff78383c35a

SHA256
d3644d0306239c0e58f800df68f6615fb625de8c022bee9fea4b4e966082cb76

SHA512
d0948b5ef42ea07030c99a6105680d793f455b645e8b66c926aed9a38a423cfd7d68d04b07efd1d8498b7289d77697d2e67d96ef39b7d0e0a44353098844b828

Download Submit
C:\Windows\{CCDD32B2-C293-4629-847B-314CFEE68C20}.exe

Filesize
408KB

MD5
6ab49b0dac1a3debf01ed5dfd0285f5c

SHA1
01331d43d5330e15faf2b5ae655ef7b566d66e21

SHA256
6c8388b73cdda557e4a1b25aa236614c5f04868b12dfd2ba373f958538ba60ae

SHA512
afb963e861db8d7a54df1d49227a613c72027ed0bfc53d730d93084fe9b54eb8f49fab1c42d5a847c2dd8dc8d63c2971fb749ef5de2ca9c4e85cd60fad0b41e5

Download Submit
C:\Windows\{EAEB1E2C-827D-41d9-9BEE-E99EDCF2A855}.exe

Filesize
408KB

MD5
f404152fc1bc84204d8ff502dce8c0d1

SHA1
2b505be81d5c0f94e57ce2754c5d0671e8b498d5

SHA256
0561e6bd5a30d8b5fa6d10a5439ecf5acede2388d38996126e5f97a5ac8fb6ff

SHA512
ad5ddadfee8dfdaf8b47e1259933677d18261e3340849918bc483e31332f70e0e4308d9d4e590fd0b3b68c15b706a284c2e33d82204662fa8bdd2cb803b5bc34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads