04f152514eda254f71090871ab39a88904c7c0d78ab0c8390c65e59bc67a0759

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
Size

408KB
MD5

594209aa6d5f6370f0d4da8af523a387
SHA1

c7999bd1a8a5a7d964cfa8faa8c149c77697ce70
SHA256

04f152514eda254f71090871ab39a88904c7c0d78ab0c8390c65e59bc67a0759
SHA512

19ae704274be324edb02fbc6d4c1cb1aa63974d5bdd778e621ae3234ba002170f2d6e8bedb492ba5943c0aa65dff0a859f3cd7848e50b024eca1e3724890f960
SSDEEP

3072:CEGh0orl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGVldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272A654E-E434-444f-A8ED-AA1F12343CA3}\stubpath = "C:\\Windows\\{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe"	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B0014D-5094-46f1-A7EC-128B261489E9}	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17B0014D-5094-46f1-A7EC-128B261489E9}\stubpath = "C:\\Windows\\{17B0014D-5094-46f1-A7EC-128B261489E9}.exe"	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8089EB84-F212-4eee-8AE2-57D598F203E7}	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}\stubpath = "C:\\Windows\\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe"	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D81421-4873-4d2b-965B-41463A71C30D}	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}\stubpath = "C:\\Windows\\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe"	{06D81421-4873-4d2b-965B-41463A71C30D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021B28CE-E31B-4a85-A7C8-04E816A25993}\stubpath = "C:\\Windows\\{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe"	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}\stubpath = "C:\\Windows\\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe"	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1CC9180-96C2-48b8-8954-9758610FB5FA}	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8089EB84-F212-4eee-8AE2-57D598F203E7}\stubpath = "C:\\Windows\\{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe"	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}\stubpath = "C:\\Windows\\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe"	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272A654E-E434-444f-A8ED-AA1F12343CA3}	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D81421-4873-4d2b-965B-41463A71C30D}\stubpath = "C:\\Windows\\{06D81421-4873-4d2b-965B-41463A71C30D}.exe"	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}	{06D81421-4873-4d2b-965B-41463A71C30D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1CC9180-96C2-48b8-8954-9758610FB5FA}\stubpath = "C:\\Windows\\{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe"	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{021B28CE-E31B-4a85-A7C8-04E816A25993}	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}\stubpath = "C:\\Windows\\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe"	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}\stubpath = "C:\\Windows\\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe"	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe
4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
1164	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
5072	{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
File created	C:\Windows\{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
File created	C:\Windows\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
File created	C:\Windows\{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
File created	C:\Windows\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	{06D81421-4873-4d2b-965B-41463A71C30D}.exe
File created	C:\Windows\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
File created	C:\Windows\{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
File created	C:\Windows\{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
File created	C:\Windows\{06D81421-4873-4d2b-965B-41463A71C30D}.exe	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
File created	C:\Windows\{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
File created	C:\Windows\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
File created	C:\Windows\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06D81421-4873-4d2b-965B-41463A71C30D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
Token: SeIncBasePriorityPrivilege	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe
Token: SeIncBasePriorityPrivilege	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
Token: SeIncBasePriorityPrivilege	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
Token: SeIncBasePriorityPrivilege	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
Token: SeIncBasePriorityPrivilege	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
Token: SeIncBasePriorityPrivilege	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
Token: SeIncBasePriorityPrivilege	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
Token: SeIncBasePriorityPrivilege	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
Token: SeIncBasePriorityPrivilege	348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
Token: SeIncBasePriorityPrivilege	1164	{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1244	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	95
PID 5044 wrote to memory of 1244	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	95
PID 5044 wrote to memory of 1244	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	95
PID 5044 wrote to memory of 2148	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	96
PID 5044 wrote to memory of 2148	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	96
PID 5044 wrote to memory of 2148	5044	2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe	96
PID 1244 wrote to memory of 1604	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	97
PID 1244 wrote to memory of 1604	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	97
PID 1244 wrote to memory of 1604	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	97
PID 1244 wrote to memory of 688	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	98
PID 1244 wrote to memory of 688	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	98
PID 1244 wrote to memory of 688	1244	{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe	98
PID 1604 wrote to memory of 4176	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	101
PID 1604 wrote to memory of 4176	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	101
PID 1604 wrote to memory of 4176	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	101
PID 1604 wrote to memory of 1336	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	102
PID 1604 wrote to memory of 1336	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	102
PID 1604 wrote to memory of 1336	1604	{06D81421-4873-4d2b-965B-41463A71C30D}.exe	102
PID 4176 wrote to memory of 1144	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	103
PID 4176 wrote to memory of 1144	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	103
PID 4176 wrote to memory of 1144	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	103
PID 4176 wrote to memory of 4652	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	104
PID 4176 wrote to memory of 4652	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	104
PID 4176 wrote to memory of 4652	4176	{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe	104
PID 1144 wrote to memory of 448	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	105
PID 1144 wrote to memory of 448	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	105
PID 1144 wrote to memory of 448	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	105
PID 1144 wrote to memory of 2276	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	106
PID 1144 wrote to memory of 2276	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	106
PID 1144 wrote to memory of 2276	1144	{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe	106
PID 448 wrote to memory of 3652	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	107
PID 448 wrote to memory of 3652	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	107
PID 448 wrote to memory of 3652	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	107
PID 448 wrote to memory of 3472	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	108
PID 448 wrote to memory of 3472	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	108
PID 448 wrote to memory of 3472	448	{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe	108
PID 3652 wrote to memory of 4404	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	109
PID 3652 wrote to memory of 4404	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	109
PID 3652 wrote to memory of 4404	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	109
PID 3652 wrote to memory of 5096	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	110
PID 3652 wrote to memory of 5096	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	110
PID 3652 wrote to memory of 5096	3652	{17B0014D-5094-46f1-A7EC-128B261489E9}.exe	110
PID 4404 wrote to memory of 3296	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	111
PID 4404 wrote to memory of 3296	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	111
PID 4404 wrote to memory of 3296	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	111
PID 4404 wrote to memory of 728	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	112
PID 4404 wrote to memory of 728	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	112
PID 4404 wrote to memory of 728	4404	{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe	112
PID 3296 wrote to memory of 768	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	113
PID 3296 wrote to memory of 768	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	113
PID 3296 wrote to memory of 768	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	113
PID 3296 wrote to memory of 2992	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	114
PID 3296 wrote to memory of 2992	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	114
PID 3296 wrote to memory of 2992	3296	{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe	114
PID 768 wrote to memory of 348	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	115
PID 768 wrote to memory of 348	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	115
PID 768 wrote to memory of 348	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	115
PID 768 wrote to memory of 4732	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	116
PID 768 wrote to memory of 4732	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	116
PID 768 wrote to memory of 4732	768	{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe	116
PID 348 wrote to memory of 1164	348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe	117
PID 348 wrote to memory of 1164	348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe	117
PID 348 wrote to memory of 1164	348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe	117
PID 348 wrote to memory of 2928	348	{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_594209aa6d5f6370f0d4da8af523a387_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
  C:\Windows\{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\{06D81421-4873-4d2b-965B-41463A71C30D}.exe
    C:\Windows\{06D81421-4873-4d2b-965B-41463A71C30D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
      C:\Windows\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
        
        C:\Windows\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
        
        C:\Windows\{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
        
        C:\Windows\{17B0014D-5094-46f1-A7EC-128B261489E9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
        
        C:\Windows\{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
        
        C:\Windows\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
        
        C:\Windows\{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
        
        C:\Windows\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
        
        C:\Windows\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe
        
        C:\Windows\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EA62~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7B6~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8089E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{825DE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{021B2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B00~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1CC9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BA3D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25647~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06D81~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{272A6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{021B28CE-E31B-4a85-A7C8-04E816A25993}.exe

Filesize
408KB

MD5
ee27953227dc67cfdca16a71d99d4782

SHA1
68f3db561c96717b59c534a877885cf63d95b758

SHA256
3c6b435d53e4b2b0dd4b953de4f31948e3f84f8ae9e16a0881b40357a605182b

SHA512
9ad7cf2b2ca0f6953581a4265ba40764687d8cea68c9cd97ba68bf34df9b9293de3acf697a62b6777dbf037532269f317a5bb566e8416ab64f295491dae79217

Download Submit
C:\Windows\{06D81421-4873-4d2b-965B-41463A71C30D}.exe

Filesize
408KB

MD5
f950f417a1dd12d3066cca06261b19ea

SHA1
587dc23424575d5acd59f021d0cce7e991e1b11a

SHA256
710829a1ea6f4caeb046584515e6b7be4fcc3e0d0677f429df32bbac805efb23

SHA512
fcd24dde19f55e6ed280540424cef2eeec0c2c03c00b9cccb86a55e5baed2933bfd2bd2f34d09a25d3ee535b9de565207fbfaa8c12c111171cc2153d59a6a245

Download Submit
C:\Windows\{17B0014D-5094-46f1-A7EC-128B261489E9}.exe

Filesize
408KB

MD5
9633c5b4900f27f33a9c0a77220bbca0

SHA1
0b4a1b23e92a07d1430385dc89788db842d26108

SHA256
60f138bc9fd1139da9c74919bfaa7b675d6b7fc2c802acccd18064e12c078c34

SHA512
3f11486398ee432eb8de92d9a36bbe0a0f959f7f570827fa5d53bcb4785f3afb2322e05ffb0a8d1c5b0c995aa04c49b6a0e31351564af00ac8496ee471e1184e

Download Submit
C:\Windows\{25647AC1-6D71-4794-AC73-56BDE9B26ACC}.exe

Filesize
408KB

MD5
0750161e2d38faf29f1e012cb776701e

SHA1
0fe4b493b7d4e42221d49682b68178c10d09922c

SHA256
d4610a6391a1f5cae9ccd24623819a67841d7746fbd18f6f00759607b3cf09cf

SHA512
dc10d8ce9da148b060f116da77c196a7b06090ab38fe0e9e440f76594f6428d2bf3ad4627333f6f2d46a84618079016d18636810506c801bc9c73603698c6a9c

Download Submit
C:\Windows\{272A654E-E434-444f-A8ED-AA1F12343CA3}.exe

Filesize
408KB

MD5
35d66866fe5324c856d91a94ea8b6fba

SHA1
7ac6082852460483347189cbf0de84106d070b33

SHA256
655e4589879845fde30f2fc231e87b3ac5681539a8003cdebfeaa3351db6fb4c

SHA512
8d5c85c8be62f379f76c81c83dd0c5ea2bb3b9f0965f69ec6ce910584777fd5bfce0c6b2409af9b0b5b39314ac250f98d692d45ec3b595a0610e55f88baea6bd

Download Submit
C:\Windows\{6BA3DE34-6857-4033-8C3D-DF51D11FC4A6}.exe

Filesize
408KB

MD5
c275730de1cba42a3dbfe671f0774441

SHA1
c25c05aa1390497d671d3b188b7379718db21b5e

SHA256
efe2d35398b245b2596f3b26be2eed9aab7aa3514a7f8cebbe58a68326d11bae

SHA512
3882a9b40b1c3d19f4ad52704000d625a7d8cfb8a94d0499949ef5f6741ba7dfe6571efd5e282e0e2ad8a0919b9ffec4c1651dd690575de6a127c3bc26c5c361

Download Submit
C:\Windows\{7EA62E4E-0450-4300-BCE9-8356FD7120F5}.exe

Filesize
408KB

MD5
fe9303a334f595e135418532d8776cb2

SHA1
b38924496ad1160aa986097684c0d69096569c60

SHA256
8e617f20efb778be7a8b71b34ce31f10a760394665ca554723b12805cf8656bc

SHA512
55edc259663784294cd3336694d840015ffdd389285d372f9d0c43a19c3f987e6225622ae06901f0e69c7a44385f33368b546fb9d0c2a4e8ab76043991f7ebfa

Download Submit
C:\Windows\{8089EB84-F212-4eee-8AE2-57D598F203E7}.exe

Filesize
408KB

MD5
b9e167a9c9f4479b00a89602ef4c7a79

SHA1
ce28f8df5d342ca4cf711c71bbd5d74a08347aa4

SHA256
739e52203ddfec3b60f703dfe87443a572e53f855c4a11fe7e33292d9bc85131

SHA512
4f0d84ffaf4cf9073d3ee39e8adb39291af60394b0002169e9d977e5112629c52b438a9bed3ae3ae664e1d8f65c82212fca593ceca2db09d3b0665203d00ec4e

Download Submit
C:\Windows\{825DEBBB-A23A-4bf3-8ACF-4C3900F424A0}.exe

Filesize
408KB

MD5
4964ebdfbc3ce3af801c164c52d7b533

SHA1
7d6a06d0361460943d7baadc9ad1e776502f72de

SHA256
079866d4362629893c3f299b8f40c513ce211df908b32d62155e15cf30c1143f

SHA512
0bf3c9e4d049f6d215c650e472d84190bcf28bb785680d64322d25b745da2d37992bd050ce7a6f9e871f1b3483441974b80c4516ee15b841f3a5ddf4bf5b4175

Download Submit
C:\Windows\{87E5D642-FDE2-4eb7-BBAF-8CFCE5B63612}.exe

Filesize
408KB

MD5
8b75b14c7dd4e79f3eca56dcaf71ad02

SHA1
7e1051e6c1252deb5bf85c5e32940f9bfc9d2734

SHA256
87dd283f6bce044cdd4f1595c5af3a31ba628d3f3de986d61e5d0894dc35b761

SHA512
df2e197177f2c2cc85a3b235ee8bb030fed1d5ee12dd00b6de4e70c9b97927a03ff35527112117e9e3e63fc681340a92e695b548187d38a6426b4f6c7a90079d

Download Submit
C:\Windows\{B1CC9180-96C2-48b8-8954-9758610FB5FA}.exe

Filesize
408KB

MD5
aa5f72a394ddd324a463b4b58e0ec2f4

SHA1
40db4aa4948b7aa95f17c82346e83043f069730c

SHA256
96f93b4cbf43cce108d2ef7a4da9fbe6f38f61a9f0de1f7f1f897d4e1457b6c4

SHA512
d0ecda72561c658865355c23b8c2ab21bfa03422201883b1f08687e7aec4da6a1bdd7d40d813bb286926e46ace50ef0786f49d08b1f373a8c5186ff5e623d1d9

Download Submit
C:\Windows\{FD7B6775-2CC2-4d26-BD7F-82D137AA56DC}.exe

Filesize
408KB

MD5
9993e7a7d29aee81dff3352aab613eb1

SHA1
eabfd0bbd34067e4f9d0f345c87dd91e846d9a95

SHA256
ed7334c6b59e872424ddf2e8dac140eb733279a4983c13db091ed032d8cf72df

SHA512
b95c8cc94a598fbfe33b178daed294b6d6e468d141b2c5074a105fd184b223a7ec257344f7f3d3b2b18123d67ac311aa02718a083353e7675f01a9462f57e060

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads