1699ca3eaaf3f7fdd177a81a79a2e2a3f8bf6eea762e550ab81119c912d6b07a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
Size

192KB
MD5

2a469dab096d7b8d9b0fea501609bffd
SHA1

0e412c92a4b6fd140731fdd9d0380f5df3616cb3
SHA256

1699ca3eaaf3f7fdd177a81a79a2e2a3f8bf6eea762e550ab81119c912d6b07a
SHA512

c864f41bb66605dade5121dc49c564a0af92ccae6a5832e44c77f2a13b277fba2f2a81258fd5671cef08df75f66a4590e6e3de121e4604c0ce2d532c2178d1d7
SSDEEP

1536:1EGh0oCl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oCl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}\stubpath = "C:\\Windows\\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe"	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6605AB1-CE9F-42a4-9738-73320FE799D1}	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6605AB1-CE9F-42a4-9738-73320FE799D1}\stubpath = "C:\\Windows\\{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe"	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}\stubpath = "C:\\Windows\\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe"	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F43B1BA-BF02-445c-A623-449BDC0D228F}\stubpath = "C:\\Windows\\{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe"	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CFF7671-2F7B-4017-A480-E3BF35B67643}	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CFF7671-2F7B-4017-A480-E3BF35B67643}\stubpath = "C:\\Windows\\{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe"	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}\stubpath = "C:\\Windows\\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe"	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}\stubpath = "C:\\Windows\\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe"	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5816AA08-29DE-40ee-BC8F-54138EA9B669}\stubpath = "C:\\Windows\\{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe"	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}\stubpath = "C:\\Windows\\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe"	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F43B1BA-BF02-445c-A623-449BDC0D228F}	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}\stubpath = "C:\\Windows\\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe"	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}\stubpath = "C:\\Windows\\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe"	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}\stubpath = "C:\\Windows\\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe"	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5816AA08-29DE-40ee-BC8F-54138EA9B669}	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe

Executes dropped EXE 12 IoCs

pid	Process
5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
2100	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
5392	{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
File created	C:\Windows\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
File created	C:\Windows\{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
File created	C:\Windows\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
File created	C:\Windows\{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
File created	C:\Windows\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
File created	C:\Windows\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
File created	C:\Windows\{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
File created	C:\Windows\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
File created	C:\Windows\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
File created	C:\Windows\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
File created	C:\Windows\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
Token: SeIncBasePriorityPrivilege	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
Token: SeIncBasePriorityPrivilege	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
Token: SeIncBasePriorityPrivilege	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
Token: SeIncBasePriorityPrivilege	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
Token: SeIncBasePriorityPrivilege	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
Token: SeIncBasePriorityPrivilege	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
Token: SeIncBasePriorityPrivilege	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
Token: SeIncBasePriorityPrivilege	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
Token: SeIncBasePriorityPrivilege	4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
Token: SeIncBasePriorityPrivilege	2100	{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 5588	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	86
PID 3556 wrote to memory of 5588	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	86
PID 3556 wrote to memory of 5588	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	86
PID 3556 wrote to memory of 3028	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	87
PID 3556 wrote to memory of 3028	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	87
PID 3556 wrote to memory of 3028	3556	2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe	87
PID 5588 wrote to memory of 5184	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	88
PID 5588 wrote to memory of 5184	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	88
PID 5588 wrote to memory of 5184	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	88
PID 5588 wrote to memory of 5988	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	89
PID 5588 wrote to memory of 5988	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	89
PID 5588 wrote to memory of 5988	5588	{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe	89
PID 5184 wrote to memory of 1200	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	96
PID 5184 wrote to memory of 1200	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	96
PID 5184 wrote to memory of 1200	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	96
PID 5184 wrote to memory of 4748	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	97
PID 5184 wrote to memory of 4748	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	97
PID 5184 wrote to memory of 4748	5184	{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe	97
PID 1200 wrote to memory of 3868	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	100
PID 1200 wrote to memory of 3868	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	100
PID 1200 wrote to memory of 3868	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	100
PID 1200 wrote to memory of 1168	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	101
PID 1200 wrote to memory of 1168	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	101
PID 1200 wrote to memory of 1168	1200	{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe	101
PID 3868 wrote to memory of 5220	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	102
PID 3868 wrote to memory of 5220	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	102
PID 3868 wrote to memory of 5220	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	102
PID 3868 wrote to memory of 4456	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	103
PID 3868 wrote to memory of 4456	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	103
PID 3868 wrote to memory of 4456	3868	{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe	103
PID 5220 wrote to memory of 5612	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	104
PID 5220 wrote to memory of 5612	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	104
PID 5220 wrote to memory of 5612	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	104
PID 5220 wrote to memory of 5608	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	105
PID 5220 wrote to memory of 5608	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	105
PID 5220 wrote to memory of 5608	5220	{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe	105
PID 5612 wrote to memory of 3660	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	106
PID 5612 wrote to memory of 3660	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	106
PID 5612 wrote to memory of 3660	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	106
PID 5612 wrote to memory of 5700	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	107
PID 5612 wrote to memory of 5700	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	107
PID 5612 wrote to memory of 5700	5612	{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe	107
PID 3660 wrote to memory of 4524	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	108
PID 3660 wrote to memory of 4524	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	108
PID 3660 wrote to memory of 4524	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	108
PID 3660 wrote to memory of 540	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	109
PID 3660 wrote to memory of 540	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	109
PID 3660 wrote to memory of 540	3660	{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe	109
PID 4524 wrote to memory of 2312	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	110
PID 4524 wrote to memory of 2312	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	110
PID 4524 wrote to memory of 2312	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	110
PID 4524 wrote to memory of 2508	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	111
PID 4524 wrote to memory of 2508	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	111
PID 4524 wrote to memory of 2508	4524	{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe	111
PID 2312 wrote to memory of 4636	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	112
PID 2312 wrote to memory of 4636	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	112
PID 2312 wrote to memory of 4636	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	112
PID 2312 wrote to memory of 5000	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	113
PID 2312 wrote to memory of 5000	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	113
PID 2312 wrote to memory of 5000	2312	{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe	113
PID 4636 wrote to memory of 2100	4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe	114
PID 4636 wrote to memory of 2100	4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe	114
PID 4636 wrote to memory of 2100	4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe	114
PID 4636 wrote to memory of 1048	4636	{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_2a469dab096d7b8d9b0fea501609bffd_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
  C:\Windows\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5588
- - C:\Windows\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
    C:\Windows\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5184
  - - C:\Windows\{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
      C:\Windows\{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
        
        C:\Windows\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Windows\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
        
        C:\Windows\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5220
        
        C:\Windows\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
        
        C:\Windows\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5612
        
        C:\Windows\{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
        
        C:\Windows\{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
        
        C:\Windows\{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
        
        C:\Windows\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
        
        C:\Windows\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
        
        C:\Windows\{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe
        
        C:\Windows\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F43B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0DE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7855~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5816A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFF7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71F8F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83B9F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25B4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6605~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{69DA7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A802B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3CFF7671-2F7B-4017-A480-E3BF35B67643}.exe

Filesize
192KB

MD5
f5570b74f92a056ca76850854d912bc8

SHA1
0767eaa39bfe0201cdcac504500e172794c91b12

SHA256
14cc9442619e874aa81f464899b55c796cc68acf0780fcc160af0a3dd4b9573e

SHA512
9fd455ef27e8a80032c10f36fc101ed2d5535d6ed3dea12e8a03ad1f4603d5830392bbe41f0c5e0bebcd6515e29f7617badcef3aa643c0b361eb659b0b2b5ed1

Download Submit
C:\Windows\{5816AA08-29DE-40ee-BC8F-54138EA9B669}.exe

Filesize
192KB

MD5
fe5ca9eb2ee52dc3b3bea5f0ca90aaae

SHA1
8965887e27d2681e595d562cbee0cf7617fb395a

SHA256
38874e0c85bc5fe5dfcb05d43ef591a6c5239e613fde773f72b75d2b25774411

SHA512
2f9849fd9056c11f409cc00e68b3a3a7bafb96fa0cf2b7bcda4522e66947503096aebc00ec190f34945590c66e4a8977f9e99fe4dab82eb4bdaf45270db95853

Download Submit
C:\Windows\{69DA7D74-6780-4c38-B6B2-B5E2D9C4A3B8}.exe

Filesize
192KB

MD5
10539774ac9b119b36506729f5edd043

SHA1
d025c92133be1902d3ebb3585ccd212a400d5c70

SHA256
8adf4bbb7c0dc7da89e6038772ef18094da2e07ebdc13ae52cef22c66477b63e

SHA512
d06903386baaebc69ecbb1d2082a66d2486913d62eeb190f8c64729504967c0c2435f6fe7e730885e9e6c8626c6f9bfc6c287a8acd969878fc44cb71fc7aa27d

Download Submit
C:\Windows\{6F43B1BA-BF02-445c-A623-449BDC0D228F}.exe

Filesize
192KB

MD5
3f6737256452fe45c79b4d7a31bd3bc8

SHA1
15d56962fba369d1fb135b60b80ce8d53cb7bfb4

SHA256
193cc4c2fd8a260a1c11469135c8565c69dd53c09fd9c9e82f3d1bc3eaad9865

SHA512
a8c4059039988c86be506918f2686d167dad464cda1a00ed221b75ddf9d788e89fd2e165c0deecc15a1bf4b3998670501b9a233f63e275cedde43d401bae7cf3

Download Submit
C:\Windows\{71F8FF7E-4B8E-40c1-ADD0-8F56294E3E88}.exe

Filesize
192KB

MD5
e7055d3ef172d43428548fe1337130f3

SHA1
3b3851252bd49c1c42d4d40ae75f78516645f0b0

SHA256
013470b1056e39e704b554657dcb2005287ea91e67664e4792f775be9144fb8d

SHA512
136b7058c9e84d6132e5c01b9183bbcfe12170e760bc030dc3b7b02f997b3af0f159cca44aeda7b5f496924a708abf4051f6af3bd947843f4501aa3ef322a49d

Download Submit
C:\Windows\{83B9FEA4-D2FB-4906-8B60-72414F6DDD18}.exe

Filesize
192KB

MD5
0d92883609778ceaa215158789306f14

SHA1
a1e507daa81516f0bbba95cda315ea1c92322dd2

SHA256
00aac81ee098fc980c7f18ef7cbfec332f3d057a241d61a61a84f46a98874b8b

SHA512
28d505622ffcd6c5c936d312ccfc2ba97fbb9d5a85ab8ecf87193bfeaad822359e95baaca85371ee651fbbdf180d3f3fa2120b78e048d3eb7978e43888c95621

Download Submit
C:\Windows\{A802BBDE-3C36-4dd8-B124-C6372B2242B6}.exe

Filesize
192KB

MD5
7c66f3205a45fec2370a4cad1dedc480

SHA1
1ce7bc094d00eb5b647524cc30476150efae1550

SHA256
7eda73207b2dd98164815281f7f5f837a83720f5d28ad8e242a0bacd24578aee

SHA512
b80d31cf1a5c6431d29eae8ca7a35d727a922b2e7db2aedfc18d30be3789e54256c29c2b69b4c4a132217dae34d1ac4f2118433f010b0fd29c5f7d8f0a1faf36

Download Submit
C:\Windows\{E25B4FB8-229D-498e-B685-1D4F8290DBBA}.exe

Filesize
192KB

MD5
872e32ebe94b2f043b0905be382c6f58

SHA1
1ec73e1c805f39a26c607aead98c3e0804b18484

SHA256
5a6b41a54381325a23f818dfae40e560f2f70093fe8a3f5ffd4df9a63146b8d8

SHA512
a3aadd2e6f504790ea09c549076ef942cfd2ec49892e665ac12b9fae07bfb2cccd151615a0e1a20e657c073c6422e93e4d7d66eb5776bc79813323be8bbdd8f3

Download Submit
C:\Windows\{E7855FC2-5BB0-4023-965B-55DE2FD961EF}.exe

Filesize
192KB

MD5
a0bd99fdf142fe57075634ba9e73f580

SHA1
1ccc99c18995be2f4cf501267dca42f6a34d6593

SHA256
6d5870bfdfe932c55104aa34811aa76d4d8eb6f244e96ee1cb537c37c716f2d7

SHA512
1631f53161d2f0ad9c767cd7ac1b3ce34d8275c96390180adcd2e31fbec7248cc8bbe10c9b8bc2a9eb84bb2e6e890f9aeca8b0b7cda74529179997b2ef2342b2

Download Submit
C:\Windows\{E92CC2C0-7BCC-471f-9838-093B88B92C2B}.exe

Filesize
192KB

MD5
02690221db9613d0b913e0d9e58da4e7

SHA1
bcf12abd14ab4e63175de6607df2442a5214fd03

SHA256
d4e2852ed00fb645ea2270723a374319daec2dbdaf93cc52c6dfa2ceeb5d6148

SHA512
10bb653dfbc47dc53cddfe100d938f361f937ff977aa62f81a4e0e89b1955c894ee9275da990264e0aff3b4607adc6af4ab40edd82d44ef0346a80f890929ef0

Download Submit
C:\Windows\{F6605AB1-CE9F-42a4-9738-73320FE799D1}.exe

Filesize
192KB

MD5
8db457ff72e6812bd1ed65d7c5829b83

SHA1
d9e70383a19b563f53577287da2811f7e5fc2f03

SHA256
68540bc23dead749b26a0675095acb6e0b96457f248d6e8b269f7f7b1aa175ed

SHA512
e448f9d9cb6004ac2cd085aa797ac3d965eb5b61a4c95f1bfefd4cf92a68b63c89631c99e8b1551f7cbcbe5cedf78ed8d81607d24e6e378819f7f45e5d431092

Download Submit
C:\Windows\{FC0DE911-A9F1-4d28-AF76-211CC8E3A137}.exe

Filesize
192KB

MD5
fedbe0d0c874e239f10610b8e183c24c

SHA1
4642c2345132d1cf6612f34a5ce687e6a63801e1

SHA256
036f1736226bad8c1af1e3cc4c4ad2201eea17edffff6c74aac51db16318e175

SHA512
20eb7d46ec8d0c8d30659014829630876d2e1302ba6ec3e4ce5fd77d4eb79c3448dead6d2f1e755a37ede060229fb114f7d764116f2199c7e6c24565595ce369

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads