2e99893c3c832c1a0d26726d00684b5951562e9f3adda62410adf660653a361b

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
Size

216KB
MD5

82b50d461054b2ef1e2aab41c509c3d6
SHA1

f3497466a2f949e82712d2d10a791403dfaa0b9c
SHA256

2e99893c3c832c1a0d26726d00684b5951562e9f3adda62410adf660653a361b
SHA512

5d34caf74e103f5c5b0be71e77c7b1b33e48073a9192ee55334e6f636edc4d981d1b908a6e0e31289d58168cee10722efcfd46dde0b51b792c904e32922e0b83
SSDEEP

3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGvlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82982919-783C-4811-9F58-5FC303F5CBAE}	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A6F428-E486-438f-A72D-6DC9940ECB1E}\stubpath = "C:\\Windows\\{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe"	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48092562-E9E7-4f04-8AC8-1B038E1A6978}\stubpath = "C:\\Windows\\{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe"	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}\stubpath = "C:\\Windows\\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe"	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}\stubpath = "C:\\Windows\\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe"	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71433BA8-631C-4555-8250-96CBD02E44D1}\stubpath = "C:\\Windows\\{71433BA8-631C-4555-8250-96CBD02E44D1}.exe"	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20DAA686-3187-43eb-91FF-03D757F79686}\stubpath = "C:\\Windows\\{20DAA686-3187-43eb-91FF-03D757F79686}.exe"	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}\stubpath = "C:\\Windows\\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe"	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}\stubpath = "C:\\Windows\\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe"	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71433BA8-631C-4555-8250-96CBD02E44D1}	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20DAA686-3187-43eb-91FF-03D757F79686}	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82982919-783C-4811-9F58-5FC303F5CBAE}\stubpath = "C:\\Windows\\{82982919-783C-4811-9F58-5FC303F5CBAE}.exe"	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}\stubpath = "C:\\Windows\\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe"	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48092562-E9E7-4f04-8AC8-1B038E1A6978}	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3283C4-089D-4e91-A405-7180FF645099}	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3283C4-089D-4e91-A405-7180FF645099}\stubpath = "C:\\Windows\\{0A3283C4-089D-4e91-A405-7180FF645099}.exe"	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A6F428-E486-438f-A72D-6DC9940ECB1E}	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}\stubpath = "C:\\Windows\\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe"	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
3000	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
2008	{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
File created	C:\Windows\{0A3283C4-089D-4e91-A405-7180FF645099}.exe	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
File created	C:\Windows\{82982919-783C-4811-9F58-5FC303F5CBAE}.exe	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
File created	C:\Windows\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
File created	C:\Windows\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
File created	C:\Windows\{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
File created	C:\Windows\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
File created	C:\Windows\{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
File created	C:\Windows\{20DAA686-3187-43eb-91FF-03D757F79686}.exe	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
File created	C:\Windows\{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
File created	C:\Windows\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
File created	C:\Windows\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
Token: SeIncBasePriorityPrivilege	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
Token: SeIncBasePriorityPrivilege	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
Token: SeIncBasePriorityPrivilege	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
Token: SeIncBasePriorityPrivilege	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
Token: SeIncBasePriorityPrivilege	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
Token: SeIncBasePriorityPrivilege	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe
Token: SeIncBasePriorityPrivilege	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
Token: SeIncBasePriorityPrivilege	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe
Token: SeIncBasePriorityPrivilege	3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
Token: SeIncBasePriorityPrivilege	3000	{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4812	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	92
PID 4392 wrote to memory of 4812	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	92
PID 4392 wrote to memory of 4812	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	92
PID 4392 wrote to memory of 4008	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	93
PID 4392 wrote to memory of 4008	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	93
PID 4392 wrote to memory of 4008	4392	2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe	93
PID 4812 wrote to memory of 1724	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	96
PID 4812 wrote to memory of 1724	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	96
PID 4812 wrote to memory of 1724	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	96
PID 4812 wrote to memory of 2636	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	97
PID 4812 wrote to memory of 2636	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	97
PID 4812 wrote to memory of 2636	4812	{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe	97
PID 1724 wrote to memory of 4764	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	100
PID 1724 wrote to memory of 4764	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	100
PID 1724 wrote to memory of 4764	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	100
PID 1724 wrote to memory of 4460	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	101
PID 1724 wrote to memory of 4460	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	101
PID 1724 wrote to memory of 4460	1724	{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe	101
PID 4764 wrote to memory of 1836	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	102
PID 4764 wrote to memory of 1836	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	102
PID 4764 wrote to memory of 1836	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	102
PID 4764 wrote to memory of 4916	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	103
PID 4764 wrote to memory of 4916	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	103
PID 4764 wrote to memory of 4916	4764	{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe	103
PID 1836 wrote to memory of 4316	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	104
PID 1836 wrote to memory of 4316	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	104
PID 1836 wrote to memory of 4316	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	104
PID 1836 wrote to memory of 4168	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	105
PID 1836 wrote to memory of 4168	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	105
PID 1836 wrote to memory of 4168	1836	{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe	105
PID 4316 wrote to memory of 1424	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	106
PID 4316 wrote to memory of 1424	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	106
PID 4316 wrote to memory of 1424	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	106
PID 4316 wrote to memory of 4924	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	107
PID 4316 wrote to memory of 4924	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	107
PID 4316 wrote to memory of 4924	4316	{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe	107
PID 1424 wrote to memory of 1420	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	108
PID 1424 wrote to memory of 1420	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	108
PID 1424 wrote to memory of 1420	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	108
PID 1424 wrote to memory of 3424	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	109
PID 1424 wrote to memory of 3424	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	109
PID 1424 wrote to memory of 3424	1424	{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe	109
PID 1420 wrote to memory of 2612	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	110
PID 1420 wrote to memory of 2612	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	110
PID 1420 wrote to memory of 2612	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	110
PID 1420 wrote to memory of 2200	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	111
PID 1420 wrote to memory of 2200	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	111
PID 1420 wrote to memory of 2200	1420	{0A3283C4-089D-4e91-A405-7180FF645099}.exe	111
PID 2612 wrote to memory of 1664	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	112
PID 2612 wrote to memory of 1664	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	112
PID 2612 wrote to memory of 1664	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	112
PID 2612 wrote to memory of 4768	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	113
PID 2612 wrote to memory of 4768	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	113
PID 2612 wrote to memory of 4768	2612	{71433BA8-631C-4555-8250-96CBD02E44D1}.exe	113
PID 1664 wrote to memory of 3732	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	114
PID 1664 wrote to memory of 3732	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	114
PID 1664 wrote to memory of 3732	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	114
PID 1664 wrote to memory of 4752	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	115
PID 1664 wrote to memory of 4752	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	115
PID 1664 wrote to memory of 4752	1664	{20DAA686-3187-43eb-91FF-03D757F79686}.exe	115
PID 3732 wrote to memory of 3000	3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe	116
PID 3732 wrote to memory of 3000	3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe	116
PID 3732 wrote to memory of 3000	3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe	116
PID 3732 wrote to memory of 5068	3732	{82982919-783C-4811-9F58-5FC303F5CBAE}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_82b50d461054b2ef1e2aab41c509c3d6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
  C:\Windows\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
    C:\Windows\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
      C:\Windows\{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
        
        C:\Windows\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
        
        C:\Windows\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
        
        C:\Windows\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{0A3283C4-089D-4e91-A405-7180FF645099}.exe
        
        C:\Windows\{0A3283C4-089D-4e91-A405-7180FF645099}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
        
        C:\Windows\{71433BA8-631C-4555-8250-96CBD02E44D1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{20DAA686-3187-43eb-91FF-03D757F79686}.exe
        
        C:\Windows\{20DAA686-3187-43eb-91FF-03D757F79686}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
        
        C:\Windows\{82982919-783C-4811-9F58-5FC303F5CBAE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
        
        C:\Windows\{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe
        
        C:\Windows\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A6F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82982~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20DAA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71433~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A328~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3096~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA29F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{723CA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48092~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{802FF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{969DD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A3283C4-089D-4e91-A405-7180FF645099}.exe

Filesize
216KB

MD5
d785b774dce49f9c92123d73745fca0f

SHA1
f34ae1126a576d1927ba90c84690622f4375f0b0

SHA256
8bc0d99ce2cdaee2f96bacecfe5187a8323490eb6e0410fd06cda810d2bc502a

SHA512
96f9be40e02304a1350f91b842425b39feaf28de878fa70ae0bd4af2bc38b3acfd476b58b5de48dd0fb5a1f14e7399f8266ad155b2d10c0380056776127f8289

Download Submit
C:\Windows\{20DAA686-3187-43eb-91FF-03D757F79686}.exe

Filesize
216KB

MD5
0b8767c7970500cc91389e7536a167e9

SHA1
d84d1a40d5da2ab86fa783e444852eaeb4ebc104

SHA256
0b0f64c0a5870b76f9200dd77f61c174904949aacfc21b2bc395a6b3cd92034f

SHA512
ebbb98cf196d53d7c8d7e8a4cdfc54a80aababa2b384f10b65ba4667f43b77a5a8568bb2529a2aa9d54295397455c0ec8d861dee2b1e865edafee0d807780b87

Download Submit
C:\Windows\{48092562-E9E7-4f04-8AC8-1B038E1A6978}.exe

Filesize
216KB

MD5
b875a98e9db81759622235ad95aba1b2

SHA1
77e19ff04f93b9dd8e9f53c4af3f297ff5e4f24b

SHA256
c07832e38a8660cd28455fc1815bcbf47dea763f140412e54b03348bde96d6d6

SHA512
498fec5856ec3369a507064c5e74d1657280c9e76361428f2302c70e85d2d57b8b317a1edcb6419ca199f0bda2b46e36fa4961ab5bd11bb46b584215be393592

Download Submit
C:\Windows\{71433BA8-631C-4555-8250-96CBD02E44D1}.exe

Filesize
216KB

MD5
aee484eb01d44206aae2ab57efddc8e8

SHA1
613e23a7fb38193e80e1bb84ae6b6422a0edb77e

SHA256
c40de816db79c3ccbe078d5bf5bf8c2b3f27948bbf0861f9cc50b2835fe56b85

SHA512
c874316844c0449ed7e5c6f6380f3dbd6d3b8966c77335492896b64f6f0860e65d1eef2fc4fb2948e43e470f8053f1a10fa3d3f689a91134a0d2200315ca07fd

Download Submit
C:\Windows\{723CAF87-E241-4cbc-BD0A-D5AF9D709CE0}.exe

Filesize
216KB

MD5
68af533fd16c45cb657cc69b82962472

SHA1
c2c2b978059f95c85dd30a44a8b6da0ad49ed1e0

SHA256
0416dbd70d1f638184070b1662d595e7597916908b3c78e7e0660a609a6f1131

SHA512
248a52c31fd939d76cd0526df672cf5f271fb2dcc462f584ee6187f7d5833ab7ee0d4c192bc4aff6f10987853cea7c759d49205c6db585d305871e15cf72ce43

Download Submit
C:\Windows\{7FFF2284-F85C-44f9-8A19-86EBB4ECCE88}.exe

Filesize
216KB

MD5
d0878c2bff2effa57e33952a67026508

SHA1
b0fb5fcd07879630e00e5a614adb4b37cd3d1ee8

SHA256
176f9da557e222590daaa50c430bdccfa0b67b8ad92d016e5489bbbf1a12ba3b

SHA512
9ac7b32804a4780bbc564ab4d8df3847ec682e1cda19c9af39bc3ab81f8df4067dd24e2ae326481f5821c238b9b1dc1eb7c49fb9f338e067eab34775e8bc88a1

Download Submit
C:\Windows\{802FFCF0-E2F5-4f33-A226-1BAC304A300E}.exe

Filesize
216KB

MD5
98be678c95b0b23099f07da1ee17e71a

SHA1
0fa25e797b4eade8fc6b82b8eacece9bb913e882

SHA256
972ec27aa17d872976d8e013d00c5d21c707d0a1b546c6009ac4f606b8b9638a

SHA512
375cf8c81290f0c3c403e7cc25e2d53b43da34e87cdd03f11e85ab69f25effbb6e227d94ce2d16e541447ad7c590daa8670ee5cce8f3f7df43728c17dd44a8c4

Download Submit
C:\Windows\{82982919-783C-4811-9F58-5FC303F5CBAE}.exe

Filesize
216KB

MD5
419b2c68562c8bec5d77a3cf077803f2

SHA1
a62444b5175c12938b2a3e7c5bdf4e9455be2b83

SHA256
441e79db4f08c4d307db876c7c76eb22c1ad630b096fc2955ca054ba8d6325a5

SHA512
3bf9046e2608f126ae9a85a7cc76a9ca61c5240de3cad4803508bdb0469bc648717f4413ff33ed6f0542d53205df229a5a17f7c7da60200c8d117b1f35ab4930

Download Submit
C:\Windows\{969DDD17-2303-4d82-B0DE-76DDCC6AE468}.exe

Filesize
216KB

MD5
c6b02c8e80672fea358030a50d7ec358

SHA1
bdbd5cfcd76842acdf54e9cf79bab548782fda7c

SHA256
d9ac4a9198d8d36de7d380349d921935ff173f2fb754dc08dee06c978d339e9b

SHA512
e9215aa460f46f87ea873c0f775dfcaf77d29d8f0f8ef191c0196400cd70214e3cb6e15eb22952c1b4d0860b47be292ca47f48f12f24f12287b34306dfe6a045

Download Submit
C:\Windows\{97A6F428-E486-438f-A72D-6DC9940ECB1E}.exe

Filesize
216KB

MD5
955ec1ec4b02b0648ab59c7a2e9ae632

SHA1
0247f17a38e1424de0a6816b16b86f0808961e9e

SHA256
995ad529e3a1f7a602369e5b2613e950bad1de511c43974c545abed25d4ba16f

SHA512
a2bbc9268991c1af598a721d305a8cc2f4238f9e518982814f6b303790d701a34537056573636e1271f5ce9490135882ebfc4a856b35fe730f3b2654625f27ba

Download Submit
C:\Windows\{B3096449-E7B3-4b4c-B2BE-BFCE2EEE6762}.exe

Filesize
216KB

MD5
494a081179f5588c05428cb0f45e9b8b

SHA1
aad6e35fc47b0607a7b141b8b24dcd8355bce823

SHA256
a06e089a88fda3ac368aac711fd6ba053a5e4c95539a58be348068ed3c931932

SHA512
38c852b7ef0a91a63885541e3fe233c0ef2ee73b3ed83a8cc748ebb1170f074517205aac851d5251ffa57e6e9264401f3b7e50d51922eea83cb2d6de0fc172c0

Download Submit
C:\Windows\{CA29F925-8DF7-4923-8E69-5AFB61AE993B}.exe

Filesize
216KB

MD5
7d05fff399b771d9134ad7a81d7941ab

SHA1
359d1d6acba709063a87da0c32c777005412a694

SHA256
023f8e4087b53440b8eddbcc3e06a3b35687153a1c585661b365d059b94a5c1a

SHA512
bde6686bef458ec338960fed811ca18cec2e64a450082912b137313a294af0b7a985cc060261f6008d0ae7221057b176ffcdc9314bf2702709cea0935c90f208

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads