99c871a97771fc8fd32ef992daabf1196b32ff4cf858e3810cb5f8c7c03d9b68

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
Size

344KB
MD5

0ad4df4fc60c40557469a213b08ba0f4
SHA1

96f810963d366e518c804f809ecebb63c0ea84e7
SHA256

99c871a97771fc8fd32ef992daabf1196b32ff4cf858e3810cb5f8c7c03d9b68
SHA512

1423ee3c224f998072265fed5afc21f893fe8df08710e4fd6dd92cf0f70bb520236f6279fbf1b5f300b4bc5eeca66219df1ccfd0f5b787e8971a77ea82adb348
SSDEEP

3072:mEGh0oRqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEc:mEGXqlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}\stubpath = "C:\\Windows\\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe"	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC196AC9-1776-41ad-AFA1-1731E5453D25}\stubpath = "C:\\Windows\\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe"	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B9AF13-0510-473d-89F2-1A767F9563BA}	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361780B5-917F-4935-B713-AC2AA2BD7530}\stubpath = "C:\\Windows\\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe"	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}\stubpath = "C:\\Windows\\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe"	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC196AC9-1776-41ad-AFA1-1731E5453D25}	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}\stubpath = "C:\\Windows\\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe"	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361780B5-917F-4935-B713-AC2AA2BD7530}	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6B9AF13-0510-473d-89F2-1A767F9563BA}\stubpath = "C:\\Windows\\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe"	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}\stubpath = "C:\\Windows\\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe"	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}\stubpath = "C:\\Windows\\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe"	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}\stubpath = "C:\\Windows\\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe"	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}\stubpath = "C:\\Windows\\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe"	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}\stubpath = "C:\\Windows\\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe"	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}\stubpath = "C:\\Windows\\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe"	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe

Executes dropped EXE 12 IoCs

pid	Process
916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
1896	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
4304	{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
File created	C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
File created	C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
File created	C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
File created	C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
File created	C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
File created	C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
File created	C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
File created	C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
File created	C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
File created	C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
File created	C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
Token: SeIncBasePriorityPrivilege	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
Token: SeIncBasePriorityPrivilege	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
Token: SeIncBasePriorityPrivilege	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
Token: SeIncBasePriorityPrivilege	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
Token: SeIncBasePriorityPrivilege	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
Token: SeIncBasePriorityPrivilege	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
Token: SeIncBasePriorityPrivilege	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
Token: SeIncBasePriorityPrivilege	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
Token: SeIncBasePriorityPrivilege	232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
Token: SeIncBasePriorityPrivilege	1896	{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 916	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	94
PID 228 wrote to memory of 916	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	94
PID 228 wrote to memory of 916	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	94
PID 228 wrote to memory of 2532	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	95
PID 228 wrote to memory of 2532	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	95
PID 228 wrote to memory of 2532	228	2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe	95
PID 916 wrote to memory of 4496	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	96
PID 916 wrote to memory of 4496	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	96
PID 916 wrote to memory of 4496	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	96
PID 916 wrote to memory of 2460	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	97
PID 916 wrote to memory of 2460	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	97
PID 916 wrote to memory of 2460	916	{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe	97
PID 4496 wrote to memory of 1484	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	100
PID 4496 wrote to memory of 1484	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	100
PID 4496 wrote to memory of 1484	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	100
PID 4496 wrote to memory of 4860	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	101
PID 4496 wrote to memory of 4860	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	101
PID 4496 wrote to memory of 4860	4496	{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe	101
PID 1484 wrote to memory of 3204	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	102
PID 1484 wrote to memory of 3204	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	102
PID 1484 wrote to memory of 3204	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	102
PID 1484 wrote to memory of 3264	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	103
PID 1484 wrote to memory of 3264	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	103
PID 1484 wrote to memory of 3264	1484	{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe	103
PID 3204 wrote to memory of 2132	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	104
PID 3204 wrote to memory of 2132	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	104
PID 3204 wrote to memory of 2132	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	104
PID 3204 wrote to memory of 4776	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	105
PID 3204 wrote to memory of 4776	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	105
PID 3204 wrote to memory of 4776	3204	{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe	105
PID 2132 wrote to memory of 4336	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	106
PID 2132 wrote to memory of 4336	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	106
PID 2132 wrote to memory of 4336	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	106
PID 2132 wrote to memory of 4340	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	107
PID 2132 wrote to memory of 4340	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	107
PID 2132 wrote to memory of 4340	2132	{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe	107
PID 4336 wrote to memory of 3756	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	108
PID 4336 wrote to memory of 3756	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	108
PID 4336 wrote to memory of 3756	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	108
PID 4336 wrote to memory of 2464	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	109
PID 4336 wrote to memory of 2464	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	109
PID 4336 wrote to memory of 2464	4336	{361780B5-917F-4935-B713-AC2AA2BD7530}.exe	109
PID 3756 wrote to memory of 1052	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	110
PID 3756 wrote to memory of 1052	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	110
PID 3756 wrote to memory of 1052	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	110
PID 3756 wrote to memory of 4292	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	111
PID 3756 wrote to memory of 4292	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	111
PID 3756 wrote to memory of 4292	3756	{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe	111
PID 1052 wrote to memory of 1800	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	112
PID 1052 wrote to memory of 1800	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	112
PID 1052 wrote to memory of 1800	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	112
PID 1052 wrote to memory of 2764	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	113
PID 1052 wrote to memory of 2764	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	113
PID 1052 wrote to memory of 2764	1052	{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe	113
PID 1800 wrote to memory of 232	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	114
PID 1800 wrote to memory of 232	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	114
PID 1800 wrote to memory of 232	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	114
PID 1800 wrote to memory of 2208	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	115
PID 1800 wrote to memory of 2208	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	115
PID 1800 wrote to memory of 2208	1800	{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe	115
PID 232 wrote to memory of 1896	232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe	116
PID 232 wrote to memory of 1896	232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe	116
PID 232 wrote to memory of 1896	232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe	116
PID 232 wrote to memory of 3672	232	{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_0ad4df4fc60c40557469a213b08ba0f4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
  C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
    C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
      C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
        
        C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
        
        C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
        
        C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
        
        C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
        
        C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
        
        C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
        
        C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
        
        C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe
        
        C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B885A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6B9A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC196~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B76D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7FE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36178~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B4B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A972~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A946~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{30D4E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{408D5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A9460E3-8AC8-4f79-9C87-150E40B64D5B}.exe

Filesize
344KB

MD5
404b14d25276c5c09eb1cb63a20b37a7

SHA1
4b0600bcb470dbb394a51bd646a92e7ceb2b9aec

SHA256
ff400d0b61370cb5998d07150189d46e2a7807fa6214dc8d94d951cba0ae59ed

SHA512
e813bc61524cb66fa2d8516315b8a07355b9cb96b5972ba12d4eb5512321ea958693920813a2ccc95c558b97dd72febab73a969748992d6c5e8fea353ca33e30

Download Submit
C:\Windows\{2A972A0E-CF47-411f-B66B-90EDB077DE4A}.exe

Filesize
344KB

MD5
45604f4aefcb0bcd873566460c065e86

SHA1
d85984e1bade9e7185d96f5bdb8e9693b5df0d35

SHA256
70f2d42caf23d38e9145743292d0e1ded2ecb534036d15aebab9e8864f2f8b2c

SHA512
a3779a58969248f317d4f3d5f4bc5959af89963988d51841ac7a1afcb5bee4c7c17bfa5225ae29ca864b3a06b0a060ad6a654139f5a1a62f476b4dc5d7d06365

Download Submit
C:\Windows\{30D4ECBD-E98A-4b6d-AB2D-EAFF68F63CA9}.exe

Filesize
344KB

MD5
3b37fd96a74ab02e48c727a09de5e051

SHA1
42e53efee6f1bfa33d225b729796fb0aa3aae38a

SHA256
c4c19a9c5e246f6784ba67853fb50f98ec543134be9cbfb50a462d5162344e8c

SHA512
17bbf099d8fab97ecf0836c3e7901d6cbc19997714227bbc2da805a73e7561460863363807c7619f1179fe92997968747042b22ed81f5c1e7463eb1860019f5a

Download Submit
C:\Windows\{361780B5-917F-4935-B713-AC2AA2BD7530}.exe

Filesize
344KB

MD5
e493dc72d7b9c6b6b800144b94e54fb9

SHA1
0fb103d0a53d50c6fedee15e5dccc0ef788fa7f5

SHA256
c58fb84aedda82033ec6b94a6e6058a8c7c29541f8b63d6afccd5c1cef626ef0

SHA512
0a27f8cf4ab38fe681c10bd6445aac0a1e5f5d1377feaa7df806726dedfdbcf5f873b8c21030635ff154579f95422954e06a2f148457d0c6b6ecd04bcb1a6062

Download Submit
C:\Windows\{408D5F3B-D849-4e8a-A398-33FD78F7F40C}.exe

Filesize
344KB

MD5
21774ee544c7ec7fbf56f0f6bb6ceadd

SHA1
dcad7d1f1c5b3bded416777a80471ee94da79e2a

SHA256
149f130872ab82d915eaec530f9794d649e509ee7c8474d5482ca309f241e349

SHA512
ae6531ae46c15e75ea4e1c646cc5f58101210bdea2536bbfcc06f4ee1c355042e339c2e5d33bb4977713994d5c4631df33bdcb2e1cc49a6d658eb802980ce4ce

Download Submit
C:\Windows\{8B76D626-3C08-43f9-BACF-7B8BD6565A0B}.exe

Filesize
344KB

MD5
a43a896bef5e346c31711de82aa77c7c

SHA1
01029eb8e63b3d9fa5495141e35d651e8e54db37

SHA256
23ef48387f52c6287b4f079feb94969f8bd40c8de3ade12a962c101f2a0878d1

SHA512
75b40b031e8029469afde5dfad2467f602d141ba477e03edf141cdb00edd129dd2b893ab28e2c360d266a41f6fe6ee2b2b400c688bf640ebed971ac1887fd9b8

Download Submit
C:\Windows\{B885AE3A-8DA9-4bc4-B66B-2C2F126F7853}.exe

Filesize
344KB

MD5
2fac068cf34d0220e45382c900809a0e

SHA1
f786cd7fd0c7945eba3bcf8a5b611f0289500839

SHA256
a266f350ccc3761e0eb522c9071c75ab4cf0d9aca1e5f89d75595c9a4b6c6465

SHA512
75f7e43b05b67c147af05dd466fed28a991a7f4f9d6371f3b5e3cff901b06d73c969d79f5736497b659932b75b1cb310d3e39efb4cc1fdcd332f9042f6f0fca3

Download Submit
C:\Windows\{CA7FE5B7-8E5E-45d5-91B9-BEF066670DA0}.exe

Filesize
344KB

MD5
6017aebabc2f21e586047e203d22b5bd

SHA1
4d6d711e32966cd31ccc1b101df5d75bb29b256b

SHA256
9d3d1d588770fc28ec72d3812536a2618ebac17352624bb8b96f3ca009fd76bf

SHA512
1a25557004c137c4321c95c03c985a508d0a1797d8d6e0e12d0c7965eb38f2a8a80a989f468bd08ad059fe78c2e77724dc50cde7b750abaf8911557cebbe7081

Download Submit
C:\Windows\{D6B9AF13-0510-473d-89F2-1A767F9563BA}.exe

Filesize
344KB

MD5
f4ef922e86b59107ea77c689e5cb5df7

SHA1
6efb67ee105639951c844df8b2f221494a2a7a55

SHA256
693640bc07023c4d71b381c6ee71997ccb2479e3bcbfaf88ea5272b91fa020dd

SHA512
4e3d85bf3eb5c0c66ef298628be53889440d0bebba6372d60bf78daaf9cd9a65331aaf604ecafd2271c1b197b5f4e82747f38e15e2be30289e9067850e7b844f

Download Submit
C:\Windows\{DC196AC9-1776-41ad-AFA1-1731E5453D25}.exe

Filesize
344KB

MD5
f93a7a55a9f8a3ba572d5b4080fc3c1a

SHA1
32999d5ed35b735cd046b268bea0974790b88170

SHA256
156ffd4a23bd108bfad675cc30180db91c9b0a5c47661ec4d7a0add28275a4fe

SHA512
d0b4bed7deb2720fc82f2046c6ffc33d22a704a7ca16e0b58d0a394bf4f47c8bc3c41fc852eb7dc1e05293d5006b2ba7a9f567e4d44e67e7f11c1822b5266ab3

Download Submit
C:\Windows\{DC4D6E9A-F8B2-4554-8822-0217AD863BC8}.exe

Filesize
344KB

MD5
36f1dae4c1f835ac4aba12b44808eddf

SHA1
e78b17cd24f17cef3355d6fff4bc627175a5950e

SHA256
13c23e065377e729c4a0ee1edfcf97f54569d0f0eabbe5837955d4200013e919

SHA512
96d340f6c5954851dcaac4e3fe9b689dc4bd3a507b73ecb3caee1dcc99d85422149075982b1a3d2c86fb82b4ff9f25de03704a41ad7f19f5d159315d30de2a41

Download Submit
C:\Windows\{F7B4B974-7B90-4f09-BEAF-23E737A0C0E0}.exe

Filesize
344KB

MD5
6d8eb3e2b619676572f88306831145d6

SHA1
410e975753e1ef3d81a8caf8a6cb23da2bea706b

SHA256
a74573d55d824aaf47042c157dd7c03eaafbbebfe2583b796a2b78e5cd07c1ab

SHA512
2cf549087eb7f2a5f55e5520a3b099af172cdd07796cbb2acc0c2c989d131d6f7419b8392ea0183e3f15e3a44581a392e03c4837f9810a6eb98ca3a76afe7a95

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads