29bf32dca63dd2cda1a7c682714c5a89e71ba32e088f6353c8f170f1b22701e2

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
Size

344KB
MD5

c0db2e3360c456376bd99685fb559069
SHA1

1d1bc3824d30e263815e79513c9c8440535d0bd8
SHA256

29bf32dca63dd2cda1a7c682714c5a89e71ba32e088f6353c8f170f1b22701e2
SHA512

6c0f50c7f07dd6a0b6c61434cf0cd2fde3816743f9cc9a4357643da1f7d4ee29b9b859fc2da30246ea12ca2193038b23335adbb7217e0b2a8ed7e91cf6e5ffa9
SSDEEP

3072:mEGh0orlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}\stubpath = "C:\\Windows\\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe"	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}\stubpath = "C:\\Windows\\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe"	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41F01625-62CC-4ea9-B500-31273A851D6E}\stubpath = "C:\\Windows\\{41F01625-62CC-4ea9-B500-31273A851D6E}.exe"	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}\stubpath = "C:\\Windows\\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe"	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}\stubpath = "C:\\Windows\\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe"	{ACF46468-100C-4546-B317-690B3158FBDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}\stubpath = "C:\\Windows\\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe"	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}\stubpath = "C:\\Windows\\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe"	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}\stubpath = "C:\\Windows\\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe"	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF46468-100C-4546-B317-690B3158FBDB}\stubpath = "C:\\Windows\\{ACF46468-100C-4546-B317-690B3158FBDB}.exe"	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41F01625-62CC-4ea9-B500-31273A851D6E}	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF46468-100C-4546-B317-690B3158FBDB}	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022A806B-E19A-47cf-B582-22E223A94927}	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022A806B-E19A-47cf-B582-22E223A94927}\stubpath = "C:\\Windows\\{022A806B-E19A-47cf-B582-22E223A94927}.exe"	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}	{022A806B-E19A-47cf-B582-22E223A94927}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CB25601-4763-4c10-8282-8B0DA61F7394}	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CB25601-4763-4c10-8282-8B0DA61F7394}\stubpath = "C:\\Windows\\{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe"	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}\stubpath = "C:\\Windows\\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe"	{022A806B-E19A-47cf-B582-22E223A94927}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}	{ACF46468-100C-4546-B317-690B3158FBDB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe
2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe
4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
3476	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
4692	{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	{022A806B-E19A-47cf-B582-22E223A94927}.exe
File created	C:\Windows\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
File created	C:\Windows\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
File created	C:\Windows\{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
File created	C:\Windows\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
File created	C:\Windows\{ACF46468-100C-4546-B317-690B3158FBDB}.exe	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
File created	C:\Windows\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	{ACF46468-100C-4546-B317-690B3158FBDB}.exe
File created	C:\Windows\{022A806B-E19A-47cf-B582-22E223A94927}.exe	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
File created	C:\Windows\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
File created	C:\Windows\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
File created	C:\Windows\{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
File created	C:\Windows\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACF46468-100C-4546-B317-690B3158FBDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{022A806B-E19A-47cf-B582-22E223A94927}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
Token: SeIncBasePriorityPrivilege	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
Token: SeIncBasePriorityPrivilege	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
Token: SeIncBasePriorityPrivilege	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
Token: SeIncBasePriorityPrivilege	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
Token: SeIncBasePriorityPrivilege	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe
Token: SeIncBasePriorityPrivilege	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
Token: SeIncBasePriorityPrivilege	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe
Token: SeIncBasePriorityPrivilege	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
Token: SeIncBasePriorityPrivilege	4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
Token: SeIncBasePriorityPrivilege	3476	{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2000	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	92
PID 2584 wrote to memory of 2000	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	92
PID 2584 wrote to memory of 2000	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	92
PID 2584 wrote to memory of 2948	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	93
PID 2584 wrote to memory of 2948	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	93
PID 2584 wrote to memory of 2948	2584	2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe	93
PID 2000 wrote to memory of 4328	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	96
PID 2000 wrote to memory of 4328	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	96
PID 2000 wrote to memory of 4328	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	96
PID 2000 wrote to memory of 3636	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	97
PID 2000 wrote to memory of 3636	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	97
PID 2000 wrote to memory of 3636	2000	{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe	97
PID 4328 wrote to memory of 3920	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	99
PID 4328 wrote to memory of 3920	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	99
PID 4328 wrote to memory of 3920	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	99
PID 4328 wrote to memory of 2540	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	100
PID 4328 wrote to memory of 2540	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	100
PID 4328 wrote to memory of 2540	4328	{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe	100
PID 3920 wrote to memory of 4752	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	102
PID 3920 wrote to memory of 4752	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	102
PID 3920 wrote to memory of 4752	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	102
PID 3920 wrote to memory of 4244	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	103
PID 3920 wrote to memory of 4244	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	103
PID 3920 wrote to memory of 4244	3920	{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe	103
PID 4752 wrote to memory of 4896	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	104
PID 4752 wrote to memory of 4896	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	104
PID 4752 wrote to memory of 4896	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	104
PID 4752 wrote to memory of 5052	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	105
PID 4752 wrote to memory of 5052	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	105
PID 4752 wrote to memory of 5052	4752	{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe	105
PID 4896 wrote to memory of 3928	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	106
PID 4896 wrote to memory of 3928	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	106
PID 4896 wrote to memory of 3928	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	106
PID 4896 wrote to memory of 3016	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	107
PID 4896 wrote to memory of 3016	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	107
PID 4896 wrote to memory of 3016	4896	{41F01625-62CC-4ea9-B500-31273A851D6E}.exe	107
PID 3928 wrote to memory of 2148	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	108
PID 3928 wrote to memory of 2148	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	108
PID 3928 wrote to memory of 2148	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	108
PID 3928 wrote to memory of 2408	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	109
PID 3928 wrote to memory of 2408	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	109
PID 3928 wrote to memory of 2408	3928	{ACF46468-100C-4546-B317-690B3158FBDB}.exe	109
PID 2148 wrote to memory of 4608	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	110
PID 2148 wrote to memory of 4608	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	110
PID 2148 wrote to memory of 4608	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	110
PID 2148 wrote to memory of 2352	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	111
PID 2148 wrote to memory of 2352	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	111
PID 2148 wrote to memory of 2352	2148	{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe	111
PID 4608 wrote to memory of 4208	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	112
PID 4608 wrote to memory of 4208	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	112
PID 4608 wrote to memory of 4208	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	112
PID 4608 wrote to memory of 2304	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	113
PID 4608 wrote to memory of 2304	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	113
PID 4608 wrote to memory of 2304	4608	{022A806B-E19A-47cf-B582-22E223A94927}.exe	113
PID 4208 wrote to memory of 4716	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	114
PID 4208 wrote to memory of 4716	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	114
PID 4208 wrote to memory of 4716	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	114
PID 4208 wrote to memory of 2988	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	115
PID 4208 wrote to memory of 2988	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	115
PID 4208 wrote to memory of 2988	4208	{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe	115
PID 4716 wrote to memory of 3476	4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe	116
PID 4716 wrote to memory of 3476	4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe	116
PID 4716 wrote to memory of 3476	4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe	116
PID 4716 wrote to memory of 2340	4716	{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_c0db2e3360c456376bd99685fb559069_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
  C:\Windows\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
    C:\Windows\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
      C:\Windows\{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
        
        C:\Windows\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
        
        C:\Windows\{41F01625-62CC-4ea9-B500-31273A851D6E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{ACF46468-100C-4546-B317-690B3158FBDB}.exe
        
        C:\Windows\{ACF46468-100C-4546-B317-690B3158FBDB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
        
        C:\Windows\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{022A806B-E19A-47cf-B582-22E223A94927}.exe
        
        C:\Windows\{022A806B-E19A-47cf-B582-22E223A94927}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
        
        C:\Windows\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
        
        C:\Windows\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
        
        C:\Windows\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe
        
        C:\Windows\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62D5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A156~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{489EC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022A8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEFA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF46~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F01~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7EF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CB25~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{54D07~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A26A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022A806B-E19A-47cf-B582-22E223A94927}.exe

Filesize
344KB

MD5
40f7b7f81ad75d22e19ab0adf581881d

SHA1
3cc7acc9e769a5615a4e3f01b44cc58fae4ce55e

SHA256
92a69928c40fbc69335cb1708b394aac42dc2f3f7ea7eda91ebc7158c6accf8c

SHA512
79911d93e91d18e84085ee1c0391a23f6a89b0180771d8297884e524fe922116a4379c2d96e07ad676ea7af9c2b5074a81e45baafd75c1c86b5f9f24cece0c9e

Download Submit
C:\Windows\{098907A5-84E1-4b5a-9967-6EFB0A81AF47}.exe

Filesize
344KB

MD5
453defc6bd6e3990be8fd6e89ece20eb

SHA1
feef6454ff4dd9c39f335b615da0e72c4625696c

SHA256
b1755d2400d1e9163280a138649f0b47998fbd9b0cbfd8583b9685aa82927591

SHA512
9ee5990bca824aa7f05623d3e7fbefa641b4f9aaff918baa553a66b8ee7e8846c5ad501141f30c9eff196f2c48f6cb977c51dc77f7ff39e17f59473f991c0b8e

Download Submit
C:\Windows\{41F01625-62CC-4ea9-B500-31273A851D6E}.exe

Filesize
344KB

MD5
8fd776d8f06c631dfcd6cf76174abed7

SHA1
eccfaef7da936d7fe75b8dbeba7c4c025245bfe5

SHA256
5b31fd2e1bb0f61041b7e7c1878f762e605dc478b905306430885a511956f11e

SHA512
7d27efab84bace5d1a8b42158c8fff1173b5a639890d2abe910cc61fad83d0b0f4a571e1bb7e5b034584315c6274022c1c89ac7828441b26e0da62e59455a754

Download Submit
C:\Windows\{489EC64A-1E2A-4427-B8F2-9EC5D610D3A9}.exe

Filesize
344KB

MD5
1dffb2b38a7a1ead800839b1320fb192

SHA1
0ffccf92e2826310d76fcc40dab58dddf9373fcc

SHA256
c1c8e6fabfee7f244f8d2699932ac5f2282cf4a1161df9c854e178c1e9688604

SHA512
c03687900d1eeed7ae4e856da1dc8c8e2d9466d5f32f2aaad6be2e18671870f35854c7cc500a4cd6eff3ec42b976581a6dfbe37d4100311d9bba994629011446

Download Submit
C:\Windows\{54D075D6-0035-4fee-A8DB-C3D2852A5A5F}.exe

Filesize
344KB

MD5
cbaa1fad58550aef6ad4db338e4a20a8

SHA1
94acb3c1097fabe748b46c2a756de89d9689380e

SHA256
674df6dc85e3f895299a052c080070b66286f796954323fa27570e2172ca229b

SHA512
1235e90f722e04ba9141a886f641d07887bd46fdac1eb63521807201abd501492a9d777d61c8ffaf7cc7f79d03814f38c8c5c1af5abca05ea1f3bcb724cc59b5

Download Submit
C:\Windows\{6A26AE77-BC54-4ceb-A18C-7D1FA25CC038}.exe

Filesize
344KB

MD5
c0fbce085a7b7b0d3500f5f0761cb6ca

SHA1
c7e7cd75781886cf400b8f2a31d06ab81a284a72

SHA256
82ec04706d1198eef51fa444e220d709af7b399940f1f0c994162e96b61ee73d

SHA512
edfd18ced602ecb3a2039ecb48e173ecd661aa1787435959f6fb5bfcc8753b5f326732fd19ff057e2d18d1860b8760ef6fc803fe44bbddba2ab4276af9750ebc

Download Submit
C:\Windows\{7A156A85-AC36-4019-BEB1-693F8DDFAB79}.exe

Filesize
344KB

MD5
0f056276129e54e5095adc10a1bf8e38

SHA1
22d77bca231fc9569fe1c6b6883cd4e330a9b980

SHA256
9069f6dfed8e2b68dd06afd85041a24d9a2edad0f4816abef31c214ac500c60f

SHA512
632e4680f2dbe787775731227d0313b5c107e2b4aa64bd5a3fddad4b03aac0f6498fb959cce369919456fb3ae0c6f3dd5bf0791e8bcd40a25c56d8d2ce653e08

Download Submit
C:\Windows\{7CB25601-4763-4c10-8282-8B0DA61F7394}.exe

Filesize
344KB

MD5
11bc120bcd1e7e79110897a1f153e1f5

SHA1
2741c086d9e17b2ac20a51f55cec7942308d7a55

SHA256
d042eb845648fd1396140db782d01df48020ec769b77811070e5d80ebce81369

SHA512
df1df28bc4da1d1ba719c04a18d78c381ae76440a8bcb1505d09baf788230cd7800987c0d209cd99a4047f9965ed5b263dda1cb92343277c2a57f33020fa9bb8

Download Submit
C:\Windows\{8B7EF871-F094-4e40-9D93-8DF196DA9D5A}.exe

Filesize
344KB

MD5
c6e14f73f2ad4713414554d98733980f

SHA1
3b7437ba7d8d712ab38cba2aad1204d01da223e2

SHA256
5736bfcdc5f87e751cf60b71261b8ac04de5242b614c62ae4f40a953afd64e70

SHA512
f30a3330ca42c465f16a2acaf74a670a83573d45d178debca73f2fb523231a65baeeb966581dcda2d83ef2b07177b079bdb453533786c9ccda1a9f15f58aefb2

Download Submit
C:\Windows\{ACEFAA18-E4BA-4558-ABB3-5BA5183EE521}.exe

Filesize
344KB

MD5
e824bd5f395602ae8f13e508d6440c7f

SHA1
a0759c720592b2f76120699ef8d9587c735d13bd

SHA256
f5400d30dbf98532e52d8781d1967baa1d25dffa460e64b76e292a0006e52378

SHA512
0b38859a0108c968a5e1cb7d46c692b7c353515916254ef2c012dd4976cea25cbd13415bda5fc458912f690dc5e1d6e0c5afd4bbc5062833c24e798d2f8d3234

Download Submit
C:\Windows\{ACF46468-100C-4546-B317-690B3158FBDB}.exe

Filesize
344KB

MD5
5601f7e3065a536e16a40a9c14adc93b

SHA1
ac110e44443bff3ff0078d0371eefaff9284914c

SHA256
5f1d2aa27503ed805671714b15d16c3a4ca604be885f6b6b5bdf9256b8a31019

SHA512
70e3f779ef4bfd582dbc1c622969fa051f117658a30475f5730b65ca1515b69d73b377869df452a774f306d525e3bb2ba2ce6837a9f4443c4edf1704e3470d09

Download Submit
C:\Windows\{B62D596E-1F4B-4518-B9D0-104CA302C1D8}.exe

Filesize
344KB

MD5
116d25a94132691ae061db53981fdf43

SHA1
97a36a23bbca6c4f5873d65559239135f7c31a2c

SHA256
1bb4d9a5e4a30cdf04ed07ac06a7105cb603d994a9cdcb255ce6525e775c1558

SHA512
2cd04d5752f984b0ddfea029f453421dfa496275647e086bd4bb36913ace89d2f7b122f5325b60442ec3c2868de0019ac8f4c37e2523dfe1c7b95fbd96983f46

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads