b5307200f5caa6aefb1bda28b04d583f5a11fb657984ee944412146c815ee47a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Size

168KB
MD5

60b2e0baefe97b339fdace0948eb7b25
SHA1

f135d9d12a2e666f74a73662fe8d2f92b02bd6f7
SHA256

b5307200f5caa6aefb1bda28b04d583f5a11fb657984ee944412146c815ee47a
SHA512

e37be02622821e0fb6ab2ec9a41c7e9332ff58a8a63d7d7469458041771f1123de9c536d69bc487570fb3ad33ce036380e91c825e4c6ec3748dbf44d92c8f4be
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83164022-4BB8-40ae-9902-8CA60190D2AD}	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}\stubpath = "C:\\Windows\\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe"	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A9FE3A-82DA-4975-956D-3EB866847756}	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC864085-0269-4424-B036-BE2EF6251E90}	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F447AC58-C046-4856-BC60-8FE43302F78B}\stubpath = "C:\\Windows\\{F447AC58-C046-4856-BC60-8FE43302F78B}.exe"	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}\stubpath = "C:\\Windows\\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe"	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D67887C5-95B4-4293-9703-3E9832B38EE2}\stubpath = "C:\\Windows\\{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe"	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5670E57C-8B49-4827-9404-D73064CF8492}	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83164022-4BB8-40ae-9902-8CA60190D2AD}\stubpath = "C:\\Windows\\{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe"	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A9FE3A-82DA-4975-956D-3EB866847756}\stubpath = "C:\\Windows\\{55A9FE3A-82DA-4975-956D-3EB866847756}.exe"	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}\stubpath = "C:\\Windows\\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe"	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC864085-0269-4424-B036-BE2EF6251E90}\stubpath = "C:\\Windows\\{DC864085-0269-4424-B036-BE2EF6251E90}.exe"	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}\stubpath = "C:\\Windows\\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe"	{DC864085-0269-4424-B036-BE2EF6251E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F447AC58-C046-4856-BC60-8FE43302F78B}	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}\stubpath = "C:\\Windows\\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe"	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}\stubpath = "C:\\Windows\\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe"	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}	{DC864085-0269-4424-B036-BE2EF6251E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5670E57C-8B49-4827-9404-D73064CF8492}\stubpath = "C:\\Windows\\{5670E57C-8B49-4827-9404-D73064CF8492}.exe"	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D67887C5-95B4-4293-9703-3E9832B38EE2}	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe

Executes dropped EXE 12 IoCs

pid	Process
4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe
1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
2068	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
3660	{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
File created	C:\Windows\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
File created	C:\Windows\{DC864085-0269-4424-B036-BE2EF6251E90}.exe	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
File created	C:\Windows\{5670E57C-8B49-4827-9404-D73064CF8492}.exe	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
File created	C:\Windows\{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
File created	C:\Windows\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
File created	C:\Windows\{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
File created	C:\Windows\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
File created	C:\Windows\{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
File created	C:\Windows\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
File created	C:\Windows\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
File created	C:\Windows\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	{DC864085-0269-4424-B036-BE2EF6251E90}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC864085-0269-4424-B036-BE2EF6251E90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
Token: SeIncBasePriorityPrivilege	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
Token: SeIncBasePriorityPrivilege	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
Token: SeIncBasePriorityPrivilege	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
Token: SeIncBasePriorityPrivilege	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
Token: SeIncBasePriorityPrivilege	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe
Token: SeIncBasePriorityPrivilege	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
Token: SeIncBasePriorityPrivilege	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe
Token: SeIncBasePriorityPrivilege	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
Token: SeIncBasePriorityPrivilege	1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
Token: SeIncBasePriorityPrivilege	2068	{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4280	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	94
PID 1912 wrote to memory of 4280	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	94
PID 1912 wrote to memory of 4280	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	94
PID 1912 wrote to memory of 3444	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	95
PID 1912 wrote to memory of 3444	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	95
PID 1912 wrote to memory of 3444	1912	2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe	95
PID 4280 wrote to memory of 1636	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	96
PID 4280 wrote to memory of 1636	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	96
PID 4280 wrote to memory of 1636	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	96
PID 4280 wrote to memory of 2772	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	97
PID 4280 wrote to memory of 2772	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	97
PID 4280 wrote to memory of 2772	4280	{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe	97
PID 1636 wrote to memory of 3184	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	100
PID 1636 wrote to memory of 3184	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	100
PID 1636 wrote to memory of 3184	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	100
PID 1636 wrote to memory of 2384	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	101
PID 1636 wrote to memory of 2384	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	101
PID 1636 wrote to memory of 2384	1636	{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe	101
PID 3184 wrote to memory of 1564	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	102
PID 3184 wrote to memory of 1564	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	102
PID 3184 wrote to memory of 1564	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	102
PID 3184 wrote to memory of 5068	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	103
PID 3184 wrote to memory of 5068	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	103
PID 3184 wrote to memory of 5068	3184	{55A9FE3A-82DA-4975-956D-3EB866847756}.exe	103
PID 1564 wrote to memory of 3832	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	104
PID 1564 wrote to memory of 3832	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	104
PID 1564 wrote to memory of 3832	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	104
PID 1564 wrote to memory of 4892	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	105
PID 1564 wrote to memory of 4892	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	105
PID 1564 wrote to memory of 4892	1564	{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe	105
PID 3832 wrote to memory of 4724	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	106
PID 3832 wrote to memory of 4724	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	106
PID 3832 wrote to memory of 4724	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	106
PID 3832 wrote to memory of 2176	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	107
PID 3832 wrote to memory of 2176	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	107
PID 3832 wrote to memory of 2176	3832	{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe	107
PID 4724 wrote to memory of 1676	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	108
PID 4724 wrote to memory of 1676	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	108
PID 4724 wrote to memory of 1676	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	108
PID 4724 wrote to memory of 3044	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	109
PID 4724 wrote to memory of 3044	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	109
PID 4724 wrote to memory of 3044	4724	{DC864085-0269-4424-B036-BE2EF6251E90}.exe	109
PID 1676 wrote to memory of 1572	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	110
PID 1676 wrote to memory of 1572	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	110
PID 1676 wrote to memory of 1572	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	110
PID 1676 wrote to memory of 4248	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	111
PID 1676 wrote to memory of 4248	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	111
PID 1676 wrote to memory of 4248	1676	{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe	111
PID 1572 wrote to memory of 984	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	112
PID 1572 wrote to memory of 984	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	112
PID 1572 wrote to memory of 984	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	112
PID 1572 wrote to memory of 2948	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	113
PID 1572 wrote to memory of 2948	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	113
PID 1572 wrote to memory of 2948	1572	{5670E57C-8B49-4827-9404-D73064CF8492}.exe	113
PID 984 wrote to memory of 1580	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	114
PID 984 wrote to memory of 1580	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	114
PID 984 wrote to memory of 1580	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	114
PID 984 wrote to memory of 5084	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	115
PID 984 wrote to memory of 5084	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	115
PID 984 wrote to memory of 5084	984	{F447AC58-C046-4856-BC60-8FE43302F78B}.exe	115
PID 1580 wrote to memory of 2068	1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe	116
PID 1580 wrote to memory of 2068	1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe	116
PID 1580 wrote to memory of 2068	1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe	116
PID 1580 wrote to memory of 3732	1580	{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_60b2e0baefe97b339fdace0948eb7b25_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
  C:\Windows\{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
    C:\Windows\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
      C:\Windows\{55A9FE3A-82DA-4975-956D-3EB866847756}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
        
        C:\Windows\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
        
        C:\Windows\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\{DC864085-0269-4424-B036-BE2EF6251E90}.exe
        
        C:\Windows\{DC864085-0269-4424-B036-BE2EF6251E90}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
        
        C:\Windows\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{5670E57C-8B49-4827-9404-D73064CF8492}.exe
        
        C:\Windows\{5670E57C-8B49-4827-9404-D73064CF8492}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
        
        C:\Windows\{F447AC58-C046-4856-BC60-8FE43302F78B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
        
        C:\Windows\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
        
        C:\Windows\{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe
        
        C:\Windows\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6788~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD89~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F447A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5670E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C59DF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC864~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8439D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1512~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A9F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA0BC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{83164~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{55A9FE3A-82DA-4975-956D-3EB866847756}.exe

Filesize
168KB

MD5
9045ebeea4231c652f23231e1c819923

SHA1
b4459a566ea81c91d56399f045d8928b76c39ceb

SHA256
37b4b161ab0efb3deb74cfe17c07977aa7ee5e74c1553a71a8124fc36d24ce4f

SHA512
34b755254e13b1d543408d871f0527ce9fc38495ab0f241ff1e807a717c9c2349508be01630de7ae727e22cc4865be84e876045a14c11d8c3d715f99982d3d62

Download Submit
C:\Windows\{5670E57C-8B49-4827-9404-D73064CF8492}.exe

Filesize
168KB

MD5
b9f2c415a01b3ae70ce18bf7786aa8f0

SHA1
a9bac8ce24a5133d66b1c359112e3c258e4d50f1

SHA256
de554c922b4d6756430f69378c84c1029a8200504be4451ab87fba9f714f3d6e

SHA512
80d7918531eb5a46fdcb20346e4f86c445e844f844f3d31dc87d9a409dcced4591cb920a36ec0d2794128e1152224575a370d157b4cf3e03b4765db303c99f1c

Download Submit
C:\Windows\{5CD89BFA-3398-4e1b-9AB9-1B3162E3B504}.exe

Filesize
168KB

MD5
302ef14f21893072a1245cb2b2aaf22d

SHA1
47ac9081f6119ec38ee739157e390a70c58f4e33

SHA256
2a6546cb7185163b067c734dd74f7a06a936a8f06e773762ebc5df27014811ac

SHA512
a2ca1004018443239da561fb68abff808ef1fc9cf70995f3571ba098d065590e2500f7a91b5697330e95df7e9dc598b16ee22dcb7d155e8761fd90d68edf3bb2

Download Submit
C:\Windows\{83164022-4BB8-40ae-9902-8CA60190D2AD}.exe

Filesize
168KB

MD5
29991a7fe3b54ffb8645858b69812baa

SHA1
bfd44182cb8b7ae197047d5c8b3be588764f1619

SHA256
e20492392a488f8a55a8ceaffdcd33253996c28585cf5b39d5e122a53f09ccba

SHA512
e3f088f3f9ce4ad1edf6aac6541ab8f12d9253116f0494338b5368d7a42de8ccd37740385fa27cf5203528e92d9ce663438a191c987324fda51d2279cac4ad9e

Download Submit
C:\Windows\{8439DB36-AF37-4460-ADF6-612C7CD4E15D}.exe

Filesize
168KB

MD5
b8a9981740e6b0a97fa6d52c6f53feb0

SHA1
ca155800f1be6b11b0f565b090f61607a1c73da7

SHA256
ad044840169a871ff0256a5b8e962520b8d601965a9854977a257c81f9c3c29f

SHA512
7fd4eae843dd2d20f2703dac1423c15f4fd9ccfa0241e0bf220a6328ea54e7db529f9093330fc2424c974e4b67f833da4d53c5689680b37bc0608801b7d5ca77

Download Submit
C:\Windows\{AA0BC429-4684-440a-8DE9-160CCAFB5E8C}.exe

Filesize
168KB

MD5
f6fb26f36dae6283a666e36a5ebe7327

SHA1
433038556c029aabe249cecd1026e87773112e9e

SHA256
4e00aa99a508a4ffc00115e22d6dd0353672097ad269ea6f2e47d1542bbe08e9

SHA512
0b539c6a55bdf1b1c3e614c393c70792f7d7fab9a24217d464de5b374d2ee56fdb0fac53b0e45508561411e263db5d0ea922ffa7fde1775eeb7c9e32962fe94c

Download Submit
C:\Windows\{C25D3BD1-10EE-4d27-AED4-7F81633F4CE4}.exe

Filesize
168KB

MD5
35282ee49f4000ff7857b305fc37ea83

SHA1
6d8c8121860f1a59719cfa825789ea794fa79767

SHA256
b89aea424bdd7e7778dd52b38827abea3decdf13c4d92ae8ed2ee9d1b8e69189

SHA512
2deaf56541c2e0faceb1d49991bf20ca0369983ad12d7d455ef0785a18f9413a266bfd2fa799f3c95d255af78ec9d0f29f96d3b1f6705ef88bb1692c597295d5

Download Submit
C:\Windows\{C59DFD11-6D10-4f6b-8FDE-F5E0A7422EE2}.exe

Filesize
168KB

MD5
55a85702436d334d4bccdcd2ffe5c9d8

SHA1
6f8661adde3d860ddeb9d20106178feeccf53755

SHA256
58662031313ab9291d9a740ced497b605369fd14b3a1f9dede110da4aa45246a

SHA512
d79d00fa633d636283b23ad52ff1cfd97bfe2d16e12bce340cf4aea2a61ac6f4501d5b61fe6fae4d85117415dcabfca34be10f091edcad41c56162dc370fa834

Download Submit
C:\Windows\{D67887C5-95B4-4293-9703-3E9832B38EE2}.exe

Filesize
168KB

MD5
18ec3b0b75a932c56bd7d15ab3283bcf

SHA1
253d1ce4196ee93b21694549de7e6a404034c435

SHA256
4de47c81f0d5c5487d1dac05d7ec363c7b6b357f378b0706680f4f2337496627

SHA512
d5a9551970b08c2e55b186068f1f425ee649ca362643b846d2f5a2185cf7d878d973cdceb46a0238c55aa617b0ebdd0a151a2db896227b87da04d2d942a7c1a7

Download Submit
C:\Windows\{DC864085-0269-4424-B036-BE2EF6251E90}.exe

Filesize
168KB

MD5
3773d4985458ef47f9664bf173a4c841

SHA1
a7519c92f67aa72e18f30ee4ab16ad13e0b1533d

SHA256
2f155ce9dfc5351c93b0482ef5ab9605f9f0c0f7fed7d65b92e212afed2082b0

SHA512
9f20b3993315d605153b4f64e113a1f56681c7905a035d8d57246264bcc950b49b8fa02d07a9f8dcc1ac868b6f00e73e15f639278ce799fd9dbeebbda172dfe1

Download Submit
C:\Windows\{F151280B-1C8C-421a-A8B3-7DB04A6F55BF}.exe

Filesize
168KB

MD5
6657fd7d85a0bca14134831a6664449f

SHA1
39bfcf8a6c017061180017b6af4c1c4a4ecc541b

SHA256
82ae5daa53795ad0fecdc7565e21f44470c48c3b6ea4eb0b0d2dc4488fcb0901

SHA512
81332e67689d8c393fd08468289171d993ced53baa21ef2dff071bdbedadab3b2605046dfd796ad3a1c2a2f0bb36c0454f772ef2053ba82b34de1b2de6cc5404

Download Submit
C:\Windows\{F447AC58-C046-4856-BC60-8FE43302F78B}.exe

Filesize
168KB

MD5
862dde482827dca568e1b76af744d80c

SHA1
b3dc293c7be4ca7bf445b485e837c549b5ab6b1f

SHA256
895e16a073097b1b9af79d38d8d23eeb065751d57b4f394713fc3fdba4801142

SHA512
2e468a1661b930e9556bea4b00cd9a110c4037a33fb424c7516c8f708c68c62b0d8743c785e7bb6b7347c9e85101b6f8cbd6f2f8fa4e62af97f6091f87ea9161

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads