dc2a25def4162e32dcc9d0f5ca4786b49831c521e9253190f3ecf20caed9684b

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Size

380KB
MD5

ebc5656e8d678bc599eb0effbe59ad3a
SHA1

63d880f4fe554eece5d88e101324bf4c46222c01
SHA256

dc2a25def4162e32dcc9d0f5ca4786b49831c521e9253190f3ecf20caed9684b
SHA512

242215b1645f50656986ee43bc18f14c9c12e860fa5d92597a5b5e5c444b3bc6913c0d2e4ef649a019ff7a6726f40e653975f950faefe37de9be95b5ca91dff1
SSDEEP

3072:mEGh0orlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG1l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}\stubpath = "C:\\Windows\\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe"	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522A38DC-93E0-429b-AB42-D670777C8044}\stubpath = "C:\\Windows\\{522A38DC-93E0-429b-AB42-D670777C8044}.exe"	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9124E597-B499-40df-B93E-12752DB50B2D}	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}\stubpath = "C:\\Windows\\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe"	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{277B85D7-95D9-4ef9-979F-53977B8553D4}	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}\stubpath = "C:\\Windows\\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe"	{2C96F328-0239-488c-9787-112686185DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}\stubpath = "C:\\Windows\\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe"	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}\stubpath = "C:\\Windows\\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe"	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C409D69-A2FB-4359-BFAE-523CC40A6771}	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{277B85D7-95D9-4ef9-979F-53977B8553D4}\stubpath = "C:\\Windows\\{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe"	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9124E597-B499-40df-B93E-12752DB50B2D}\stubpath = "C:\\Windows\\{9124E597-B499-40df-B93E-12752DB50B2D}.exe"	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C96F328-0239-488c-9787-112686185DB6}	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}	{2C96F328-0239-488c-9787-112686185DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}\stubpath = "C:\\Windows\\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe"	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522A38DC-93E0-429b-AB42-D670777C8044}	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C409D69-A2FB-4359-BFAE-523CC40A6771}\stubpath = "C:\\Windows\\{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe"	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C96F328-0239-488c-9787-112686185DB6}\stubpath = "C:\\Windows\\{2C96F328-0239-488c-9787-112686185DB6}.exe"	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}\stubpath = "C:\\Windows\\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe"	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe

Executes dropped EXE 12 IoCs

pid	Process
552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
3332	{2C96F328-0239-488c-9787-112686185DB6}.exe
2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe
2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
3868	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
1772	{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	{2C96F328-0239-488c-9787-112686185DB6}.exe
File created	C:\Windows\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
File created	C:\Windows\{522A38DC-93E0-429b-AB42-D670777C8044}.exe	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
File created	C:\Windows\{9124E597-B499-40df-B93E-12752DB50B2D}.exe	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
File created	C:\Windows\{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
File created	C:\Windows\{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
File created	C:\Windows\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
File created	C:\Windows\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
File created	C:\Windows\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
File created	C:\Windows\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
File created	C:\Windows\{2C96F328-0239-488c-9787-112686185DB6}.exe	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
File created	C:\Windows\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C96F328-0239-488c-9787-112686185DB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
Token: SeIncBasePriorityPrivilege	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe
Token: SeIncBasePriorityPrivilege	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe
Token: SeIncBasePriorityPrivilege	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
Token: SeIncBasePriorityPrivilege	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
Token: SeIncBasePriorityPrivilege	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
Token: SeIncBasePriorityPrivilege	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe
Token: SeIncBasePriorityPrivilege	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe
Token: SeIncBasePriorityPrivilege	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
Token: SeIncBasePriorityPrivilege	1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
Token: SeIncBasePriorityPrivilege	3868	{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 552	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	97
PID 3212 wrote to memory of 552	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	97
PID 3212 wrote to memory of 552	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	97
PID 3212 wrote to memory of 3880	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	98
PID 3212 wrote to memory of 3880	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	98
PID 3212 wrote to memory of 3880	3212	2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe	98
PID 552 wrote to memory of 2084	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	99
PID 552 wrote to memory of 2084	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	99
PID 552 wrote to memory of 2084	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	99
PID 552 wrote to memory of 1492	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	100
PID 552 wrote to memory of 1492	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	100
PID 552 wrote to memory of 1492	552	{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe	100
PID 2084 wrote to memory of 4344	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	104
PID 2084 wrote to memory of 4344	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	104
PID 2084 wrote to memory of 4344	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	104
PID 2084 wrote to memory of 2688	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	105
PID 2084 wrote to memory of 2688	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	105
PID 2084 wrote to memory of 2688	2084	{522A38DC-93E0-429b-AB42-D670777C8044}.exe	105
PID 4344 wrote to memory of 1936	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	106
PID 4344 wrote to memory of 1936	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	106
PID 4344 wrote to memory of 1936	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	106
PID 4344 wrote to memory of 1196	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	107
PID 4344 wrote to memory of 1196	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	107
PID 4344 wrote to memory of 1196	4344	{9124E597-B499-40df-B93E-12752DB50B2D}.exe	107
PID 1936 wrote to memory of 2616	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	108
PID 1936 wrote to memory of 2616	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	108
PID 1936 wrote to memory of 2616	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	108
PID 1936 wrote to memory of 3932	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	109
PID 1936 wrote to memory of 3932	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	109
PID 1936 wrote to memory of 3932	1936	{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe	109
PID 2616 wrote to memory of 3404	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	110
PID 2616 wrote to memory of 3404	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	110
PID 2616 wrote to memory of 3404	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	110
PID 2616 wrote to memory of 3720	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	111
PID 2616 wrote to memory of 3720	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	111
PID 2616 wrote to memory of 3720	2616	{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe	111
PID 3404 wrote to memory of 3332	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	112
PID 3404 wrote to memory of 3332	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	112
PID 3404 wrote to memory of 3332	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	112
PID 3404 wrote to memory of 4336	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	113
PID 3404 wrote to memory of 4336	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	113
PID 3404 wrote to memory of 4336	3404	{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe	113
PID 3332 wrote to memory of 2204	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	114
PID 3332 wrote to memory of 2204	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	114
PID 3332 wrote to memory of 2204	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	114
PID 3332 wrote to memory of 3820	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	115
PID 3332 wrote to memory of 3820	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	115
PID 3332 wrote to memory of 3820	3332	{2C96F328-0239-488c-9787-112686185DB6}.exe	115
PID 2204 wrote to memory of 2796	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	116
PID 2204 wrote to memory of 2796	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	116
PID 2204 wrote to memory of 2796	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	116
PID 2204 wrote to memory of 3856	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	117
PID 2204 wrote to memory of 3856	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	117
PID 2204 wrote to memory of 3856	2204	{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe	117
PID 2796 wrote to memory of 1636	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	118
PID 2796 wrote to memory of 1636	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	118
PID 2796 wrote to memory of 1636	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	118
PID 2796 wrote to memory of 2484	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	119
PID 2796 wrote to memory of 2484	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	119
PID 2796 wrote to memory of 2484	2796	{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe	119
PID 1636 wrote to memory of 3868	1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe	120
PID 1636 wrote to memory of 3868	1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe	120
PID 1636 wrote to memory of 3868	1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe	120
PID 1636 wrote to memory of 624	1636	{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_ebc5656e8d678bc599eb0effbe59ad3a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
  C:\Windows\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\{522A38DC-93E0-429b-AB42-D670777C8044}.exe
    C:\Windows\{522A38DC-93E0-429b-AB42-D670777C8044}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\{9124E597-B499-40df-B93E-12752DB50B2D}.exe
      C:\Windows\{9124E597-B499-40df-B93E-12752DB50B2D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
        
        C:\Windows\{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
        
        C:\Windows\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
        
        C:\Windows\{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{2C96F328-0239-488c-9787-112686185DB6}.exe
        
        C:\Windows\{2C96F328-0239-488c-9787-112686185DB6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe
        
        C:\Windows\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
        
        C:\Windows\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
        
        C:\Windows\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
        
        C:\Windows\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe
        
        C:\Windows\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C918~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ACFB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F07E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1BB9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C96F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{277B8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9785D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C409~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9124E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{522A3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9A90~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{277B85D7-95D9-4ef9-979F-53977B8553D4}.exe

Filesize
380KB

MD5
ca9f6e6fe3e5614637e824c64bd6f9ac

SHA1
c4fb949fa544cbb3826d803ee96880d15cc5680e

SHA256
5fb309ab73b5c52bb22349a597122fd423a87d32e7bdadfa11cc670aa42de3e1

SHA512
fe04d75fd22bc77f12ccfd82769a395dab674c6f0fd15c1d8a0350a043ea3fe4f186619da0747528092b8916dbe49045a7c3371a88f95081f6407b7498848dd2

Download Submit
C:\Windows\{2C96F328-0239-488c-9787-112686185DB6}.exe

Filesize
380KB

MD5
6514b0275658c5791c736b3661d07f51

SHA1
6d47fc6202028d10250803a499ecbe846c596bf5

SHA256
b7241dba361c046747b5c36fc265c8de945d4d1759233699e61b6412af550323

SHA512
6bf4f8d89881dbec0bb16edde2c3d3b805630852607b93e858af156378f5d3d9f07653bb9e5c28ab00233c9224f4e2f09866dab55cc7b2dce018cb2a4ff04f09

Download Submit
C:\Windows\{3ACFB2C8-0588-4251-8737-9D5A6D902B57}.exe

Filesize
380KB

MD5
f612b8d6faf0b9c37ce13b92f5589b44

SHA1
3a0b5c56ee5dbb4754286948c66c8c6f099e7d76

SHA256
52141fce682f01058f484c04557bbb882b26a3e5d4cc06b68e79071be667325b

SHA512
ec377981cf99144dd8e4c334ebca3177ef9ab4fda76e65b2d1a0f274bb947695cf8eb0d3367d1f1ed77f6a8cbef2cce05b5fa136f5dd27398ac88b0d48e4bf0c

Download Submit
C:\Windows\{3F07EA33-807F-40e1-BF4B-FC8549687F8B}.exe

Filesize
380KB

MD5
bff2a37d954bf13b39dd23cb210abab7

SHA1
9cb32da21045c404195a77bbd78abf843f139293

SHA256
7075961ad447dab5e62e27c30f225d9d5e04a2e1576915f17512d230dab480c9

SHA512
ed3b9332073e82a26f3e539408979b2b38f1bcb872caab307394e01e9d760463b57ea08eb60e1256479f210060afd973ead29dd3a9d61c18cef95ee79dc0d456

Download Submit
C:\Windows\{522A38DC-93E0-429b-AB42-D670777C8044}.exe

Filesize
380KB

MD5
f55618438c63ac7aed483c8eceef46b6

SHA1
420e1293c25d61396ef7280ebda73ddfaa1aae37

SHA256
7a3388ac0155a21f1aadf46780a7bb578a86e4e57537959feb1a58c790988e4a

SHA512
061aac781aa1034938406d9956f86e049a1eb5a41436aa74dd498d130a5bfec2cedc321e8d3ad470a8d7ca1c720425a1ac1ddd1fb31baae09e5e4c86606f8fb0

Download Submit
C:\Windows\{6C918AFB-8574-43a8-87E8-36CFEB7E5DD9}.exe

Filesize
380KB

MD5
1fa7a362cd0bb8ee78303df0921e4512

SHA1
29c914528fd7b81cae9bdc3c1cf6e54084c4c3ba

SHA256
21bd27186a2e4137fe040ac154a1e05bd4b740ba1702acce9bf05c36dc1fdf48

SHA512
0d2d7a53fc24b49b4c6d8645384f33509c53ef557432b7f0086f5ac9d782273bae58f14c4caeb53c19b2b3dc0b06fcabfbd9f0aa2f0627b66f92c2f917f158a5

Download Submit
C:\Windows\{7C409D69-A2FB-4359-BFAE-523CC40A6771}.exe

Filesize
380KB

MD5
094bc042ee671b5668123befd9237fd4

SHA1
a499fda6434af4ce3f58b7ecf9cc9d20e4b357a1

SHA256
137a5dd04882974a95697c4a457b50d59093c846be0995b1d0a9303327771dca

SHA512
b2aa68dc48eb6adb7a02698a7f60dcaf725727daa1c53f70b55044a7d27707ced8782dc55012baf06c12ea1e414533d0ca40b3c19c57f73239f9b29c905c72a5

Download Submit
C:\Windows\{9124E597-B499-40df-B93E-12752DB50B2D}.exe

Filesize
380KB

MD5
47734d6a512c4e398eb7232ee392cea0

SHA1
d1c51fb3bc0783b3c5337ddd2d5207f3509d3ff0

SHA256
7dfad25acffd687a6b6b504c582e4f8276f3a51d596aba3fc7c2ff1538dd5830

SHA512
ef8af94e5c6622e5caf87aef5acf1f7b7ff53fa10094c416a8a4b5a6bde5f5b031d1f8dfe8ed050e9b17f24a1ef7b9a3729cf0a49a71dc617f9af850a9322282

Download Submit
C:\Windows\{9785D57E-AB93-4b33-9FF6-BF3E51D7CC23}.exe

Filesize
380KB

MD5
356e9440b27ec81569c973c37493ba7b

SHA1
f40e5fec2f50ee283d5a7134da947e633e413635

SHA256
e78c182e565c6ff210df888868d6f61b6590ade4ff71e64c256a91449045185d

SHA512
a183f4ccc132c61bb6a9e072d1c34c70b4430b7c61f15d81c9e07d33b89e5d212b45983e4f1f3865185a3a752a1f5efc1118f78c2bb90029c7b9d40abdbebc23

Download Submit
C:\Windows\{AC04A2A4-5111-4c11-8277-FD47C8D4E98D}.exe

Filesize
380KB

MD5
93bb28000d09eac89bc88afc3ecff860

SHA1
15397943ca6aec9e540011935f6655b7544b146e

SHA256
cd0a54cbca16dc56bb2291506aa0b55965c83ae54c82dfafc5fa49718ec251ae

SHA512
b7483aba4f3a65de648176db576973c65c1c3cb8055451fe94a04a56b6bdacef55789b41994eb591fbac88930d9cedeb314189fd9fd129a875f51a0ac0127583

Download Submit
C:\Windows\{C1BB9C40-A200-4f6d-8DE8-EF7381E93A21}.exe

Filesize
380KB

MD5
6e66eb39c51313e0969d8ba78f31816a

SHA1
625cd4a0b42af8214aef093fb68475a578c49543

SHA256
fefe2e8dc1a53620e520a599ad1477cdf7c1e30699362af14012afcc0257ac8a

SHA512
5a70a81b0f90a1f95ce14ac59950c15d228eef1581a4bd00383321cc2b57ad880acff7f802c71dd3234535025a9457163c81322386d72ef6a932e93d111ed1b8

Download Submit
C:\Windows\{D9A90A5D-3C67-4a50-B47E-33CE0322CFB8}.exe

Filesize
380KB

MD5
809b6a8c404a0104f57035e9a4655c6a

SHA1
976fddedb3fd7a0f3fa9255ef9168ee823e76185

SHA256
d93ee079d05ff9afc07c4ec4e8f63c378e1de0dffca7edeb8f1c51a3ff7b12ae

SHA512
7e77bce46bcf668dde4ec3cc00ddd5c49040f5aab7edbb5f578610b621b69f326ead0568184eeb166e05cb9b5d08c8af45f04c4fd55651cb00a54fdc8024acf1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads