d9e20bc4e3e14b3cb8e3f8cddcee132542852fef298b0b8082d43756c7bfb6ea

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Size

380KB
MD5

e169a4b26eea6cbada491c7f66712448
SHA1

c3c98c1c9e9ceae8fa7f9200e0245aebbbdc37a2
SHA256

d9e20bc4e3e14b3cb8e3f8cddcee132542852fef298b0b8082d43756c7bfb6ea
SHA512

011e8babc61946cf48228a94205eadb52bf449d8afd811287361cb5ab889582cb16cf5f168d3d9ba265a46ae961906d3efc3014d257e2796f3a602a7c1b9bc07
SSDEEP

3072:mEGh0oplPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGnl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}\stubpath = "C:\\Windows\\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe"	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD4883AB-D8C6-4818-B081-9DFF99080E84}\stubpath = "C:\\Windows\\{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe"	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}\stubpath = "C:\\Windows\\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe"	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0562AED1-A3CD-4375-9A0A-972B331B9835}	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD4883AB-D8C6-4818-B081-9DFF99080E84}	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}\stubpath = "C:\\Windows\\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe"	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}\stubpath = "C:\\Windows\\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe"	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}\stubpath = "C:\\Windows\\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe"	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}\stubpath = "C:\\Windows\\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe"	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}\stubpath = "C:\\Windows\\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe"	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0562AED1-A3CD-4375-9A0A-972B331B9835}\stubpath = "C:\\Windows\\{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe"	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}\stubpath = "C:\\Windows\\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe"	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}\stubpath = "C:\\Windows\\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe"	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}\stubpath = "C:\\Windows\\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe"	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
4368	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
4244	{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
File created	C:\Windows\{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
File created	C:\Windows\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
File created	C:\Windows\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
File created	C:\Windows\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
File created	C:\Windows\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
File created	C:\Windows\{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
File created	C:\Windows\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
File created	C:\Windows\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
File created	C:\Windows\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
File created	C:\Windows\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
File created	C:\Windows\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
Token: SeIncBasePriorityPrivilege	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
Token: SeIncBasePriorityPrivilege	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
Token: SeIncBasePriorityPrivilege	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
Token: SeIncBasePriorityPrivilege	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
Token: SeIncBasePriorityPrivilege	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
Token: SeIncBasePriorityPrivilege	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
Token: SeIncBasePriorityPrivilege	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
Token: SeIncBasePriorityPrivilege	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
Token: SeIncBasePriorityPrivilege	1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
Token: SeIncBasePriorityPrivilege	4368	{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1420	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	97
PID 2680 wrote to memory of 1420	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	97
PID 2680 wrote to memory of 1420	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	97
PID 2680 wrote to memory of 4012	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	98
PID 2680 wrote to memory of 4012	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	98
PID 2680 wrote to memory of 4012	2680	2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe	98
PID 1420 wrote to memory of 3540	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	99
PID 1420 wrote to memory of 3540	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	99
PID 1420 wrote to memory of 3540	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	99
PID 1420 wrote to memory of 1248	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	100
PID 1420 wrote to memory of 1248	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	100
PID 1420 wrote to memory of 1248	1420	{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe	100
PID 3540 wrote to memory of 4644	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	103
PID 3540 wrote to memory of 4644	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	103
PID 3540 wrote to memory of 4644	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	103
PID 3540 wrote to memory of 5096	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	104
PID 3540 wrote to memory of 5096	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	104
PID 3540 wrote to memory of 5096	3540	{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe	104
PID 4644 wrote to memory of 3068	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	105
PID 4644 wrote to memory of 3068	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	105
PID 4644 wrote to memory of 3068	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	105
PID 4644 wrote to memory of 2940	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	106
PID 4644 wrote to memory of 2940	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	106
PID 4644 wrote to memory of 2940	4644	{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe	106
PID 3068 wrote to memory of 2684	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	107
PID 3068 wrote to memory of 2684	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	107
PID 3068 wrote to memory of 2684	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	107
PID 3068 wrote to memory of 3544	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	108
PID 3068 wrote to memory of 3544	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	108
PID 3068 wrote to memory of 3544	3068	{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe	108
PID 2684 wrote to memory of 4832	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	109
PID 2684 wrote to memory of 4832	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	109
PID 2684 wrote to memory of 4832	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	109
PID 2684 wrote to memory of 216	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	110
PID 2684 wrote to memory of 216	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	110
PID 2684 wrote to memory of 216	2684	{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe	110
PID 4832 wrote to memory of 3960	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	111
PID 4832 wrote to memory of 3960	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	111
PID 4832 wrote to memory of 3960	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	111
PID 4832 wrote to memory of 3392	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	112
PID 4832 wrote to memory of 3392	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	112
PID 4832 wrote to memory of 3392	4832	{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe	112
PID 3960 wrote to memory of 3996	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	113
PID 3960 wrote to memory of 3996	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	113
PID 3960 wrote to memory of 3996	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	113
PID 3960 wrote to memory of 5020	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	114
PID 3960 wrote to memory of 5020	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	114
PID 3960 wrote to memory of 5020	3960	{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe	114
PID 3996 wrote to memory of 3588	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	115
PID 3996 wrote to memory of 3588	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	115
PID 3996 wrote to memory of 3588	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	115
PID 3996 wrote to memory of 3412	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	116
PID 3996 wrote to memory of 3412	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	116
PID 3996 wrote to memory of 3412	3996	{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe	116
PID 3588 wrote to memory of 1844	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	117
PID 3588 wrote to memory of 1844	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	117
PID 3588 wrote to memory of 1844	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	117
PID 3588 wrote to memory of 4648	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	118
PID 3588 wrote to memory of 4648	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	118
PID 3588 wrote to memory of 4648	3588	{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe	118
PID 1844 wrote to memory of 4368	1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe	119
PID 1844 wrote to memory of 4368	1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe	119
PID 1844 wrote to memory of 4368	1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe	119
PID 1844 wrote to memory of 2332	1844	{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_e169a4b26eea6cbada491c7f66712448_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
  C:\Windows\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
    C:\Windows\{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
      C:\Windows\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
        
        C:\Windows\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
        
        C:\Windows\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
        
        C:\Windows\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
        
        C:\Windows\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
        
        C:\Windows\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
        
        C:\Windows\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
        
        C:\Windows\{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
        
        C:\Windows\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe
        
        C:\Windows\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1C51~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD488~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB3EF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59FF2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FF1E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D32AA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31ACF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2D19~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E2A7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0562A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16AEF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0562AED1-A3CD-4375-9A0A-972B331B9835}.exe

Filesize
380KB

MD5
9ddcc0dea708345cb8ad17ad3f04f609

SHA1
cca2cdefc9d053ae1932891e0f928021b7b26d4f

SHA256
84488246b2100077f6adc78c7841d1880325f65012ac4c8903dafb0bccb585ac

SHA512
deb5570fd6842cec2b4f38ecc67d8343316fc21bd94c49472c453c55fff6f73c70cc5070d834fa7a7f10efd932ff67c0d278846589c3792cf92dad5aa21cad00

Download Submit
C:\Windows\{16AEFB77-77F3-4f28-8AC1-C3E1FE71A2D6}.exe

Filesize
380KB

MD5
3ed7db1c26f479ccd3258ca5d1f84e2c

SHA1
5931bbd1ae23fc43b6d911f1c3ead1bc08bfad83

SHA256
b8b83dcec0a8f6a991cef34e040f819725ea2c8d297b7ec2de28937f070b99c4

SHA512
14117c0c3487e688f28e70f6ded6cd229e2b3467063bc4c14d19ca8d4ee4b5455159f88d90f68e1d5c633c5a7174f43f2a36804edc260a17cb1add70aae8ee5f

Download Submit
C:\Windows\{1BF83386-3CB9-47ef-8A76-55618F40DFA4}.exe

Filesize
380KB

MD5
8932303802e0440aec54d9a151baa553

SHA1
a7840427d81873ccbc19e3619bf96adb60b291ba

SHA256
62562acfbdcb2bfbdf9c65f92e2c97da1ee4c836c539e877ef7f9f268c700c30

SHA512
8f46daeb610832967f40143030d2f9552e40ae477a02c74b1bc1d48a1eaf8f3e809a09f87bfe060c7522a7208594ee0ccdccabb33ebe081268c2336497a343ca

Download Submit
C:\Windows\{31ACF72F-EA8B-4f0a-8C5A-9EEB2A14218A}.exe

Filesize
380KB

MD5
a6ea9ed10e5cb5712de179c983cac053

SHA1
2d3306e2856d53e7425014616aedeb23adf26ff0

SHA256
9085f7aee12f93619782bb9f64d6dba8fc92576d661a75d314c6484ef8ddfb69

SHA512
048cb2cf1fb19ebea2234e68560bf96a29c36971355b879f39a02cfc24e2dae34fb1d80ee58c1f3102a03fa1678d7392fe06acbc41c383fd7e00606a13f609b4

Download Submit
C:\Windows\{59FF26B8-CEDF-4d95-B22A-FF09F0C3340E}.exe

Filesize
380KB

MD5
5c0a06885491aba02c00dbb329007345

SHA1
4cbd821d97cf20a893035d11d1d62add9c164b34

SHA256
864a5e0c5cc867faf8db1d3672a102981f99f08457f8762c783b1c8b75302399

SHA512
8a79ef842d95a967f9f4bea4e696fb649090a96c0901e2a057ecf80099ada1f574a5ede3b68c6ed06012daadf1829ce36c232f46e7f69fa163d7d647887e208d

Download Submit
C:\Windows\{5E2A7FAC-0413-48b2-985B-C7CBC2D81550}.exe

Filesize
380KB

MD5
98e1fcc69d7cadb475b9369fc509d4e1

SHA1
96886b7c2f1acc1e93d13600efdf8d37f5e5b597

SHA256
874dc47de73791ec9dd39ab7a6c11dd786af07a5bd6cd02c5ebb9ec71ac747c4

SHA512
7911c7e801f9328110506315b4c5bcc5c63653114f37f804e75bc4fb5004d0843c7b4e9840adc1956483aaab461f71ae2d4ef989b2123d6cb624f12ed68f8b72

Download Submit
C:\Windows\{9FF1EC5C-2E27-4c26-84B2-8A1992D3305E}.exe

Filesize
380KB

MD5
427e3b9dd248563260cdca64d5a91f90

SHA1
02c287106b96175a28d641c4570a73eb9030e7fb

SHA256
24c8a37f91ce799c0ce1cd04cf1f6bb04b0acc5fe522c61ca9b8ad811eba8e88

SHA512
199595132c1e4e68440c7ffcbe70fdf490c28cbc5117082c771cc54ad9f4c48b415c8fe9ef91552b3b8c935f9678470a6b490eba2122049b4b31947160e9ee64

Download Submit
C:\Windows\{CB3EFB81-0BC3-4618-8F4F-9D67A107EBE3}.exe

Filesize
380KB

MD5
4c4a51ca79baa0e9abd011ee6a479b25

SHA1
59122d5cd42719a161da88efeb5a393befb59a36

SHA256
b9c7c52336a9a351dcb18ac6463684a73de58844346912348e8a37f74208da22

SHA512
59102c7c4a3c71544cf48541579a2c79cda83db09ac36fe36b94211a6a39543be8e914def6421f9772bc012aa2cdfc6edf4e55a34acaf4c163f07711cd04f9c5

Download Submit
C:\Windows\{D2D19E31-8FE8-4992-A063-4D9A2562D10A}.exe

Filesize
380KB

MD5
9de0bc69063f885b1d1e05685785851c

SHA1
9106f8a1bbea9fdbf1e2bde2acc2f4c5c241249a

SHA256
8c18b6a872d92e6b775bc497856dd4872bcb4d28790b7cc3c8d7ab34672d2f4e

SHA512
5175a387aa2002b27399d9eac56b0f9f8d3dc4685e543ae8169e9e29570e85e9145ea786d522d6fbb93f16869c8f5ca34a41ef056717b1d9aef43cfbab0f841b

Download Submit
C:\Windows\{D32AAB40-5DB2-438d-94A7-287DDE3693B3}.exe

Filesize
380KB

MD5
fa62c1e3a376e3980da944827ee94276

SHA1
85f848025abfb28d7848d5771057756ffb7b00f6

SHA256
ebc53c68d5a838746f705c06611bbc7a357f5def45bc915f24561b015226d797

SHA512
619ab2d415b20c20140d9891be4656b9a6e84072c8dd043958655b20d524ac5f66d05bc66f159da6cb7dd81430c8990c86b95c09b2e082a0fe14361c72d7a2ed

Download Submit
C:\Windows\{F1C51D9D-8DD5-49dd-86AC-038F21E334BC}.exe

Filesize
380KB

MD5
f854242af2f705005d5c8868e34e4eca

SHA1
eb056feebb918f61d253ae58698a323e473bd609

SHA256
1941bcb46fd42b6c8f2b295292bea26b75db2a1b37b19d15d87390bd58978a13

SHA512
b698dc2bf4206c310d3dd721ab1bdc764fb454324a60f976f8687917fc41c9cae934f847593d6baa1ab2363c67dc7aaf6671735ac1beb8612d53e77d81fd3b4d

Download Submit
C:\Windows\{FD4883AB-D8C6-4818-B081-9DFF99080E84}.exe

Filesize
380KB

MD5
69fff325909d9a3fbbf64c2e34771397

SHA1
a0701cbf988b8e535ca1e8acc8f9882304a7e756

SHA256
ad5f71c2b3e5f395ed7261abedcb28bfe66c654baffa511dd7ce8e9bd48e3b56

SHA512
cc130bf5eda77ec41d3c17367ce971ab57f2520c6f31ca65ba773f6e9ba55ac770b03173fc28d9d535a1d758a1554dfc227f84109be0dd01e98ab67e96e3b2aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads