4de37176cfdd8bf25ed5acd0e2815b282dd7f4c11f13d6e496785318d6978812

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Size

408KB
MD5

a09993a37abf9c5698be4966c7651399
SHA1

725201d73f9bc9f59c3ad2999c1842c4dd695201
SHA256

4de37176cfdd8bf25ed5acd0e2815b282dd7f4c11f13d6e496785318d6978812
SHA512

91a9e6df4eacf8a08f066a3fa2ce82ee2a024768e443607690bd0d3c881665a8f0ddcc48f37d33bf2d175f5e0f27b732e5dfdb3b6d642fe1b44306321a95a1eb
SSDEEP

3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGvldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}\stubpath = "C:\\Windows\\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe"	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}\stubpath = "C:\\Windows\\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe"	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}\stubpath = "C:\\Windows\\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe"	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}\stubpath = "C:\\Windows\\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe"	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}\stubpath = "C:\\Windows\\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe"	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976116D1-5C10-4ba2-A046-1EF563698C7D}	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}\stubpath = "C:\\Windows\\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe"	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}\stubpath = "C:\\Windows\\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe"	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}\stubpath = "C:\\Windows\\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe"	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}\stubpath = "C:\\Windows\\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe"	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C48EABB5-C879-4f9b-991A-10A380B582C7}	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C48EABB5-C879-4f9b-991A-10A380B582C7}\stubpath = "C:\\Windows\\{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe"	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}\stubpath = "C:\\Windows\\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe"	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976116D1-5C10-4ba2-A046-1EF563698C7D}\stubpath = "C:\\Windows\\{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe"	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe

Executes dropped EXE 12 IoCs

pid	Process
448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
4352	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
2692	{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
File created	C:\Windows\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
File created	C:\Windows\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
File created	C:\Windows\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
File created	C:\Windows\{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
File created	C:\Windows\{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
File created	C:\Windows\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
File created	C:\Windows\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
File created	C:\Windows\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
File created	C:\Windows\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
File created	C:\Windows\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
File created	C:\Windows\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
Token: SeIncBasePriorityPrivilege	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
Token: SeIncBasePriorityPrivilege	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
Token: SeIncBasePriorityPrivilege	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
Token: SeIncBasePriorityPrivilege	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
Token: SeIncBasePriorityPrivilege	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
Token: SeIncBasePriorityPrivilege	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
Token: SeIncBasePriorityPrivilege	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
Token: SeIncBasePriorityPrivilege	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
Token: SeIncBasePriorityPrivilege	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
Token: SeIncBasePriorityPrivilege	856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
Token: SeIncBasePriorityPrivilege	4352	{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 448	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	94
PID 2672 wrote to memory of 448	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	94
PID 2672 wrote to memory of 448	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	94
PID 2672 wrote to memory of 4996	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	95
PID 2672 wrote to memory of 4996	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	95
PID 2672 wrote to memory of 4996	2672	2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe	95
PID 448 wrote to memory of 1484	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	96
PID 448 wrote to memory of 1484	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	96
PID 448 wrote to memory of 1484	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	96
PID 448 wrote to memory of 4736	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	97
PID 448 wrote to memory of 4736	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	97
PID 448 wrote to memory of 4736	448	{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe	97
PID 1484 wrote to memory of 1696	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	100
PID 1484 wrote to memory of 1696	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	100
PID 1484 wrote to memory of 1696	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	100
PID 1484 wrote to memory of 3176	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	101
PID 1484 wrote to memory of 3176	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	101
PID 1484 wrote to memory of 3176	1484	{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe	101
PID 1696 wrote to memory of 4360	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	102
PID 1696 wrote to memory of 4360	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	102
PID 1696 wrote to memory of 4360	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	102
PID 1696 wrote to memory of 2280	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	103
PID 1696 wrote to memory of 2280	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	103
PID 1696 wrote to memory of 2280	1696	{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe	103
PID 4360 wrote to memory of 4604	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	104
PID 4360 wrote to memory of 4604	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	104
PID 4360 wrote to memory of 4604	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	104
PID 4360 wrote to memory of 1684	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	105
PID 4360 wrote to memory of 1684	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	105
PID 4360 wrote to memory of 1684	4360	{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe	105
PID 4604 wrote to memory of 2612	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	106
PID 4604 wrote to memory of 2612	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	106
PID 4604 wrote to memory of 2612	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	106
PID 4604 wrote to memory of 876	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	107
PID 4604 wrote to memory of 876	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	107
PID 4604 wrote to memory of 876	4604	{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe	107
PID 2612 wrote to memory of 4164	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	108
PID 2612 wrote to memory of 4164	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	108
PID 2612 wrote to memory of 4164	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	108
PID 2612 wrote to memory of 1844	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	109
PID 2612 wrote to memory of 1844	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	109
PID 2612 wrote to memory of 1844	2612	{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe	109
PID 4164 wrote to memory of 4168	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	110
PID 4164 wrote to memory of 4168	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	110
PID 4164 wrote to memory of 4168	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	110
PID 4164 wrote to memory of 3568	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	111
PID 4164 wrote to memory of 3568	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	111
PID 4164 wrote to memory of 3568	4164	{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe	111
PID 4168 wrote to memory of 2228	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	112
PID 4168 wrote to memory of 2228	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	112
PID 4168 wrote to memory of 2228	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	112
PID 4168 wrote to memory of 216	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	113
PID 4168 wrote to memory of 216	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	113
PID 4168 wrote to memory of 216	4168	{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe	113
PID 2228 wrote to memory of 856	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	114
PID 2228 wrote to memory of 856	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	114
PID 2228 wrote to memory of 856	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	114
PID 2228 wrote to memory of 5076	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	115
PID 2228 wrote to memory of 5076	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	115
PID 2228 wrote to memory of 5076	2228	{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe	115
PID 856 wrote to memory of 4352	856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe	116
PID 856 wrote to memory of 4352	856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe	116
PID 856 wrote to memory of 4352	856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe	116
PID 856 wrote to memory of 4776	856	{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_a09993a37abf9c5698be4966c7651399_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
  C:\Windows\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
    C:\Windows\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
      C:\Windows\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
        
        C:\Windows\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
        
        C:\Windows\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
        
        C:\Windows\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
        
        C:\Windows\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
        
        C:\Windows\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
        
        C:\Windows\{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
        
        C:\Windows\{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
        
        C:\Windows\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe
        
        C:\Windows\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D6F0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C48EA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97611~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF650~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B05F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC47~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{842A4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E1C5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CFDD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BECD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{191E2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CFDDF2B-242B-40e4-A3F4-F650E9D331EF}.exe

Filesize
408KB

MD5
75e7166f580641c0eba9c53de7b54a7b

SHA1
e4a237328ad26a45676b0013ee40ba6e161a40c1

SHA256
ad07f750e7883948308087ff8c2cd283f6cf8fc12a74c2b26474d8c3e68f9724

SHA512
34ff8c29111ba8c669d58196b0610a9908567df6a265490aa6014e1f98b675b7d2d596d249be93a7c6402b2ed4bf2f1a1cdaadeacff202522d42e8130d4cdd8e

Download Submit
C:\Windows\{191E2392-D0ED-4d57-A5BC-E935ED13A8CF}.exe

Filesize
408KB

MD5
d9e5066186c116aeda31fdd3bd43ece3

SHA1
87715c106396bc460373b47d00594418711b38c8

SHA256
74d82897c7b2410789be3a5c6a382160d2115b450e3cb9d7aead80ab1c9c4110

SHA512
dbcc1e474e032bad44fae469db6f163167782ca1d330d7da516e3be74355f58b1fb7c493fa787f533f91e4330395a3f64f98a6a24171d6ce91f99bf8e91dc7f2

Download Submit
C:\Windows\{1BECD97E-3A4F-41f5-8DDD-522700B03FC6}.exe

Filesize
408KB

MD5
e0eead0855a26c18315855b38bdb7bcd

SHA1
39dbefee3a78eff5aed67b92e3c37bc9f4abc7d2

SHA256
86f868102ce97d875a39a23400ed9e60f304e9443894e21debf482a22b72844c

SHA512
cab9b2c6bd4f3917d5c18f92e20229f68d031c4c9e3746c744a6c831204a6cb651b32a41a610ab2681f589f63741c3727984f08743b43d7dbc935d012bf8e594

Download Submit
C:\Windows\{3B05FEA4-441B-498a-88B3-E59E9E1F0189}.exe

Filesize
408KB

MD5
bc97ee99ca44409c9f920738402eafd9

SHA1
bb10b0d43c3332e98bee198808fc2157b7791250

SHA256
18dc0b39a6da760eba376e59f97c2898ea42b2fbbabbbeed03161fc481bf97c4

SHA512
1e9723e48edc4f0846781b3d32d7e0a12db3f88a0af7073fe778604c2cc4d5f5b45635b31cd5da1ba0011eea06c277066a3113d7b31a445f37c2b06cecb0a0a0

Download Submit
C:\Windows\{4A7C4A2B-75C0-4c11-834E-E5AD2B60B757}.exe

Filesize
408KB

MD5
35600345955f5351d700a5800e580aa7

SHA1
fae0df5ea48c3305b02a9c6e54e06327ba295fca

SHA256
4159e828e8aed5e694d18b1f1806f2f9ab215ba057e4f0671f50ea6dfe248718

SHA512
217e1e3e302c4839a053e10bc42044d2dd940f7eef311f9e11f9a9ab829aec5d85aa27033335812fea85a1aec4ee3e897b5c95fc769d719d6c799d9e5ead68e7

Download Submit
C:\Windows\{4E1C5254-7B21-4b41-BFF1-0019106CCD1A}.exe

Filesize
408KB

MD5
293eada54122634879e8e7bc6492bcaf

SHA1
1cb984d67fa9d56e8d23925b9cb0a2a654df61d6

SHA256
cdae88bac6858a19343f471d8f393471a4dcb48c797a1f42e479c0420aaf9850

SHA512
37d13cefd65466750a9b959da1a19d8a57bb218d72735d0678d876504ce9409e478c0b6a7155016f26365769052bb8f3f7a867298833fa92e7a80a1ac6de6c9f

Download Submit
C:\Windows\{842A4F02-C30A-4fa1-A36E-D0282FDB5E1D}.exe

Filesize
408KB

MD5
45703954f58ce416d3b14a509c9a9d36

SHA1
7c5b48a1a7acb90ed202b4b418631965c358c49e

SHA256
72de205e1a4b771b954dcb57c7419b13c0f51259c5547f8f7ed196961c5aca11

SHA512
93fbf62507ab71a0561d47e7cbf87dca2f92e1e2dc6bdf5348eb304d161fd599b26fcb4958380282de679ad4c09befdacce98065e5a03db7b162ea9c3ba3ff31

Download Submit
C:\Windows\{8D6F0624-4FD9-45fd-A1AF-11D27BB0E433}.exe

Filesize
408KB

MD5
bbc979b85a198e08dc9186ae93a24e72

SHA1
deda441b7fe93915554dc70be25f12491d74c580

SHA256
ec13d7bd86658d5e9083c9d40658956c4a0d5673c9d0b20ee3aba07246521672

SHA512
4ebdbd15da9aff8a04f078abe156d2fdafad479cf6655ad2c70cca4427e317a693779103fdf8502c7f117ca21325e48ed9195db8e63ee2e2d551a22716d3e777

Download Submit
C:\Windows\{976116D1-5C10-4ba2-A046-1EF563698C7D}.exe

Filesize
408KB

MD5
0ed920b369a6af5788be758534e98f32

SHA1
fe425b1f2d1616e310dd49c1f68d1972623ae679

SHA256
5e5bc991ea3e8923d1ac59149cf1a29a7cd9306d87cc1628704905375b3f4e90

SHA512
da9f631e0a48f2c4804fa96806ba9dfd5f8785a513d0e91bc679382b540f47e1a083b7482983375177ce13358ea66a96266503f5e14d4eb9e5272f9551fd6022

Download Submit
C:\Windows\{C48EABB5-C879-4f9b-991A-10A380B582C7}.exe

Filesize
408KB

MD5
b04c523dae1bb87018fb86def90f11e3

SHA1
5f7a7f8e1a035918b175e892dd28efc33cb3f224

SHA256
17b676ebc36c7e1261ab8a91c09b91080c01d2fde86f02e25ae7ddf1f58c6d7c

SHA512
cbd861cf4b5fc7d3c9f8f1faef1d5a100aeeb8988639e2e2d1dabe970e6efabacad3a41db426817ab95f7517a175e1d03195089f332bd89046df1bfec20e864f

Download Submit
C:\Windows\{FAC473CD-F807-4001-AE8F-4D78B9D01B15}.exe

Filesize
408KB

MD5
b058b8206d786267c1daa2da6d048915

SHA1
d58e5c2995aa48312a981efd4f1e64263720d3d7

SHA256
0a3b7b50906f8ad63bde8282dbfc8b51a1bdf7101c1311ef57ccbd9b807f8895

SHA512
264dbb5d6880d8fb141d9a9b4e566e74a5bc0cc4e9f91a26f7f56d36760c39c7c85234581c78b9f87391a4ab251ea615168ca36a6da275ed34e44930786214d2

Download Submit
C:\Windows\{FF6506A7-4C76-4ac2-8B39-1ACDEDB1EB39}.exe

Filesize
408KB

MD5
18d36a5ce3e53c32f535630f9d519731

SHA1
3d7413f89bc7fc3ed55ea22f021fec0a4e2f8761

SHA256
d4184647dbfb1b6bcf7441a93f48384c1721d000ae00b555d212f7e304338c54

SHA512
c67a110ff883514c236c7ab2ee3b508cd9c67ba3182fe80bc413e8a441884121cb60145c2de3e651bdbf924281af61fdc83d31ee11cad5a68aaba8286d462c6c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads