037f16a08772fd8ddc8178abcef40fb27e6082356ab8859dec17af4a5e816721

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
Size

216KB
MD5

f142d2bee57c37de55c69e8558f89e78
SHA1

a9534315143d1550ec9d1ed7f07b5808244af99e
SHA256

037f16a08772fd8ddc8178abcef40fb27e6082356ab8859dec17af4a5e816721
SHA512

4438f0116a12f5a20f69bdee3e38058c4ec46fb2f7f66515c042a55eea6b5341d14f04c1699f7d9d0b71163da12a9d27d50b935a18cef6375bfec49b5e7560c2
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGSlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}\stubpath = "C:\\Windows\\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe"	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}\stubpath = "C:\\Windows\\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe"	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}\stubpath = "C:\\Windows\\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe"	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}\stubpath = "C:\\Windows\\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe"	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}\stubpath = "C:\\Windows\\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe"	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{857C9352-1188-4411-B02F-FB4CE8C07E3C}	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98C880B5-07F5-48a3-B749-6122C4260883}	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}\stubpath = "C:\\Windows\\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe"	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8397ABDA-B9E6-43b9-831B-A665E4226F54}	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8397ABDA-B9E6-43b9-831B-A665E4226F54}\stubpath = "C:\\Windows\\{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe"	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98C880B5-07F5-48a3-B749-6122C4260883}\stubpath = "C:\\Windows\\{98C880B5-07F5-48a3-B749-6122C4260883}.exe"	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}	{98C880B5-07F5-48a3-B749-6122C4260883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}\stubpath = "C:\\Windows\\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe"	{98C880B5-07F5-48a3-B749-6122C4260883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}\stubpath = "C:\\Windows\\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe"	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}\stubpath = "C:\\Windows\\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe"	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{857C9352-1188-4411-B02F-FB4CE8C07E3C}\stubpath = "C:\\Windows\\{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe"	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe
1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
2924	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
5076	{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
File created	C:\Windows\{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
File created	C:\Windows\{98C880B5-07F5-48a3-B749-6122C4260883}.exe	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
File created	C:\Windows\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
File created	C:\Windows\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
File created	C:\Windows\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
File created	C:\Windows\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
File created	C:\Windows\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
File created	C:\Windows\{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
File created	C:\Windows\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
File created	C:\Windows\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
File created	C:\Windows\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	{98C880B5-07F5-48a3-B749-6122C4260883}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98C880B5-07F5-48a3-B749-6122C4260883}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
Token: SeIncBasePriorityPrivilege	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
Token: SeIncBasePriorityPrivilege	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
Token: SeIncBasePriorityPrivilege	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
Token: SeIncBasePriorityPrivilege	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
Token: SeIncBasePriorityPrivilege	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
Token: SeIncBasePriorityPrivilege	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
Token: SeIncBasePriorityPrivilege	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe
Token: SeIncBasePriorityPrivilege	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
Token: SeIncBasePriorityPrivilege	4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
Token: SeIncBasePriorityPrivilege	2924	{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3584	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	94
PID 1180 wrote to memory of 3584	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	94
PID 1180 wrote to memory of 3584	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	94
PID 1180 wrote to memory of 3428	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	95
PID 1180 wrote to memory of 3428	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	95
PID 1180 wrote to memory of 3428	1180	2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe	95
PID 3584 wrote to memory of 976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	96
PID 3584 wrote to memory of 976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	96
PID 3584 wrote to memory of 976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	96
PID 3584 wrote to memory of 1976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	97
PID 3584 wrote to memory of 1976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	97
PID 3584 wrote to memory of 1976	3584	{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe	97
PID 976 wrote to memory of 936	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	100
PID 976 wrote to memory of 936	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	100
PID 976 wrote to memory of 936	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	100
PID 976 wrote to memory of 1360	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	101
PID 976 wrote to memory of 1360	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	101
PID 976 wrote to memory of 1360	976	{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe	101
PID 936 wrote to memory of 1036	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	102
PID 936 wrote to memory of 1036	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	102
PID 936 wrote to memory of 1036	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	102
PID 936 wrote to memory of 3688	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	103
PID 936 wrote to memory of 3688	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	103
PID 936 wrote to memory of 3688	936	{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe	103
PID 1036 wrote to memory of 4644	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	104
PID 1036 wrote to memory of 4644	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	104
PID 1036 wrote to memory of 4644	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	104
PID 1036 wrote to memory of 2592	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	105
PID 1036 wrote to memory of 2592	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	105
PID 1036 wrote to memory of 2592	1036	{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe	105
PID 4644 wrote to memory of 228	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	106
PID 4644 wrote to memory of 228	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	106
PID 4644 wrote to memory of 228	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	106
PID 4644 wrote to memory of 4996	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	107
PID 4644 wrote to memory of 4996	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	107
PID 4644 wrote to memory of 4996	4644	{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe	107
PID 228 wrote to memory of 2392	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	108
PID 228 wrote to memory of 2392	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	108
PID 228 wrote to memory of 2392	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	108
PID 228 wrote to memory of 4852	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	109
PID 228 wrote to memory of 4852	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	109
PID 228 wrote to memory of 4852	228	{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe	109
PID 2392 wrote to memory of 556	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	110
PID 2392 wrote to memory of 556	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	110
PID 2392 wrote to memory of 556	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	110
PID 2392 wrote to memory of 2152	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	111
PID 2392 wrote to memory of 2152	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	111
PID 2392 wrote to memory of 2152	2392	{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe	111
PID 556 wrote to memory of 1248	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	112
PID 556 wrote to memory of 1248	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	112
PID 556 wrote to memory of 1248	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	112
PID 556 wrote to memory of 3744	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	113
PID 556 wrote to memory of 3744	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	113
PID 556 wrote to memory of 3744	556	{98C880B5-07F5-48a3-B749-6122C4260883}.exe	113
PID 1248 wrote to memory of 4840	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	114
PID 1248 wrote to memory of 4840	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	114
PID 1248 wrote to memory of 4840	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	114
PID 1248 wrote to memory of 3484	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	115
PID 1248 wrote to memory of 3484	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	115
PID 1248 wrote to memory of 3484	1248	{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe	115
PID 4840 wrote to memory of 2924	4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe	116
PID 4840 wrote to memory of 2924	4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe	116
PID 4840 wrote to memory of 2924	4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe	116
PID 4840 wrote to memory of 1504	4840	{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_f142d2bee57c37de55c69e8558f89e78_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
  C:\Windows\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
    C:\Windows\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
      C:\Windows\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
        
        C:\Windows\{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
        
        C:\Windows\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
        
        C:\Windows\{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
        
        C:\Windows\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\{98C880B5-07F5-48a3-B749-6122C4260883}.exe
        
        C:\Windows\{98C880B5-07F5-48a3-B749-6122C4260883}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
        
        C:\Windows\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
        
        C:\Windows\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
        
        C:\Windows\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe
        
        C:\Windows\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF8FA~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9C75~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68FC6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C88~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EAAA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{857C9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E215~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8397A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4449F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{155D5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B401~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EAAA83F-CB43-4dab-9DA7-B1628396E4F0}.exe

Filesize
216KB

MD5
f4e7e71e2a8ae623e581d1775f162883

SHA1
37f6cdbb72c70e5a2064706f250fd262b50a6621

SHA256
76b5a680b62b7218851eb13976938988597ce820aebf5e7b4bca1e8402f4596a

SHA512
08f085f30380fb20016818b2fd64d089a6b40bd1edb9da8255682f6c9fa06b38d14998f387c9ff125b7ddb1fa1bebb224b24416a6353c44ab23d0181ae29dfd9

Download Submit
C:\Windows\{155D591F-EBF0-4dea-A5BB-2B07513BB0A9}.exe

Filesize
216KB

MD5
4471716f2dbf50c37f1534b3cf7d4340

SHA1
5faab44664497fb6d30b648312a12550609ff07e

SHA256
139440ceb04b14c5baa343f875712ed9deac02266e344a7154e8e2e51bd4440f

SHA512
91cbb9758f485bc45a5022d23cd2183bb80ee49b05cae072e017ba860e4f79d57d3e6b318fd55275fe9b53a7e228421d9415f5c0df84c77c2125d03bbbecfaa9

Download Submit
C:\Windows\{1B4018D9-42A5-4e83-BEEA-62EBF860E860}.exe

Filesize
216KB

MD5
a56f2a4fede4d2220196598dd9e32d0e

SHA1
3eeb4bd0b373c60f385dddc9a77b0bedf63dd5ee

SHA256
e3b6d25013ac143edf874901ba1e2fbc20a5672b0980350c1758645a5e1019d8

SHA512
5c42061f284463012901e52249ffe4f8459e496601c441fccf0cd1cb2e50ab5f2382a17dba8f59d5c57b7b310c606d6f119bdfd4fc54721aa5fbd77cdbd4befa

Download Submit
C:\Windows\{4449F9FD-8844-4d6d-BDA3-B2ACB8DBCAB9}.exe

Filesize
216KB

MD5
c844266b3dce1b398d026bf9915c840c

SHA1
c9877cc23cbfee6a8ba58d7d8228ed73f7556519

SHA256
c1fdb875c3a1b092e40481868d427a7c3bc2e955ab2ab881b8cb4efc4fbee6cb

SHA512
99143fa06cd7675ddd677e6f08b201ee8b9a6b2d893dcfac798fcd52639bf028cf64eb28100c7963cf9b37bca7ed349310bdb7e30bb9d06a71241799853425a1

Download Submit
C:\Windows\{68FC655F-967A-4b12-BB5C-91073CFDFB3B}.exe

Filesize
216KB

MD5
3cd9773f1a96b14246fbfae264a4dfaf

SHA1
6863dd709b07ca76b4d36b017550266d741bca3b

SHA256
99959b33b99180177e560b9240cbd51386cd64cec16a062d8f9374f98c0b2973

SHA512
75cc519e8f1996455a651d6fe18ae82d4f90828ecee2bf007865e703bff26aab66fd2c2290e433e5339cd5c73bfa0a6a112b22849652157a5430acccc123a061

Download Submit
C:\Windows\{7E2155DB-28EF-464c-B2F7-1FC50481CE70}.exe

Filesize
216KB

MD5
71b97dcd923693e2aeea95edab3ad112

SHA1
9f1db216e87c8a93ec679c491c0680012936e569

SHA256
4985cd874fc8807b0aa4b06c046d25699e7cd402c5b07a9d69bd4edfca0bf251

SHA512
f632f6d0cfb192d5402b1032392bd0491d1fa93b9fa0581c08b887798a1370034417ad79ce3f96ad7d2ef4664a5206d4ebde30d35c58b5b18bbc268bd28ad20d

Download Submit
C:\Windows\{8397ABDA-B9E6-43b9-831B-A665E4226F54}.exe

Filesize
216KB

MD5
31d1138f7f817e0be410d45ea70adf8a

SHA1
bf0cc5b1e43553cad5fa65e1081e16ea82f84805

SHA256
78d2bfcd83a3f8746c090e8b432c2b4af750b05bb108366e0d55ab33a06bd7d3

SHA512
1c774017e2b653e7d27069303f9530f309d95ea047b4d496dd83e08450a81cd0f57c7329593804ef9492fc833f9a58cc04020b0596a1c65c66b638668b2adfaf

Download Submit
C:\Windows\{857C9352-1188-4411-B02F-FB4CE8C07E3C}.exe

Filesize
216KB

MD5
101b5c943817c7e56e17c921889498b5

SHA1
e978b243f32b64eeabfdfa44fd172a207c1fb163

SHA256
b475c3bae059e3695a9f795d5bf0113e3a9aa06b28672b1558bcd8f47ec6bcb9

SHA512
9d497d9eb83ec8354d3eb8674088caed01eb6c9706c2314add3c1dceaafffe7bb1ef81dc39dc4638187e8f5ab03fa013f6a1d74071797204d10481f18d92dd5f

Download Submit
C:\Windows\{98C880B5-07F5-48a3-B749-6122C4260883}.exe

Filesize
216KB

MD5
063bb30b8324865ad6af0bee8c2f910d

SHA1
183052ead8c30c8d4f5e59e3be166d91903293a4

SHA256
1f2b891756afd17700eb24fcc4893fb4d3e33b7e2aa65f827a89c5e20f524b36

SHA512
1b3e69aa067bc3f507250dda7be0fdbeb1820ef454baa968ac6c12ad621c41bfcb9f0a1c1ebb60a43bb40285a26de8bcd1408ba6aa9f46ff2c094d4836170840

Download Submit
C:\Windows\{A9C75D81-DB27-47cf-8FE4-6825FC80D4DC}.exe

Filesize
216KB

MD5
1d1fa44a22f089c64e71c1fa8f6b3246

SHA1
6d18bff91d9a2cfaa1004e015604da6c001dd82a

SHA256
f9ad11382a9ebb67724a309de6773be856dd15eb452e534e423c08fa655d3dcf

SHA512
b6f4cbfe14603a7c3ef91c56bb7034c640c8d901c84edf98075bdd6cdf8983a91e5d2b66d1bd51e9a2dffeddb02daa4d616392416067867fe633606a4a98025a

Download Submit
C:\Windows\{BF8FACD4-3AA6-4024-B3DF-D44DB053A361}.exe

Filesize
216KB

MD5
5e8915e3c82a56b607a26e8ce2f65f89

SHA1
ef7af6f40e0fd4fbfedc4d90483db61f2772173f

SHA256
5e6d303f2cf0b939ec33fda5adf2905137e51f2caf7cb133b93ecca4f61b787c

SHA512
7d2c6e9a122e74d68f80af6dba2925d76f8b65204fa9c100cf6657217a22f7954ade4198bb0a2c551b3beb0fffb470a3a38519043c3339f9610412b95a7b6b95

Download Submit
C:\Windows\{C9AB5DF3-EC32-4b0c-ACDD-AB83EEE6E9A3}.exe

Filesize
216KB

MD5
880f90f767b88592f54b2f9c10f75738

SHA1
c264c2c89570027b12aa5b253445f6a140aafe02

SHA256
21984d10f3db8d3d88c06cb91f6d2806b11f07fb04ff6feb7033ecb3a0cb7d10

SHA512
727b91ae608984b736939e8e127f62cc3e6036530bf679ba95c58bd1667478088402aab86453707fb9db7cd03aff6d820936ba06da0c17214a5efcdaa2d072aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads