66a6d175befe674a489d47de40ed00d0b507c3ef55829f88f19a8da56094300b

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Size

168KB
MD5

3fd2bc82efcd249c1374527fb549a37c
SHA1

f52782c4098b4a24603f754e47c4ebb5a3c3ee7b
SHA256

66a6d175befe674a489d47de40ed00d0b507c3ef55829f88f19a8da56094300b
SHA512

006fee66cabb4d6dfb6325005c67e6c7ec634790b4426d48aa00d1533e181403bac0acccf0986d1dbeae2ec3c67922aede70b88844c0247415835e977f063250
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060DC70D-DB1F-43b3-8AB4-025903E7E906}	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}\stubpath = "C:\\Windows\\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe"	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}\stubpath = "C:\\Windows\\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe"	{1F97E474-3030-46d3-8666-29B60D926C11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}\stubpath = "C:\\Windows\\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe"	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060DC70D-DB1F-43b3-8AB4-025903E7E906}\stubpath = "C:\\Windows\\{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe"	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1798430-6B4E-4734-8E0E-8E37AB588B12}	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}	{1F97E474-3030-46d3-8666-29B60D926C11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E95AB1-BE91-402f-9A04-406F6D9521B5}	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10E95AB1-BE91-402f-9A04-406F6D9521B5}\stubpath = "C:\\Windows\\{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe"	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}\stubpath = "C:\\Windows\\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe"	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F97E474-3030-46d3-8666-29B60D926C11}	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F97E474-3030-46d3-8666-29B60D926C11}\stubpath = "C:\\Windows\\{1F97E474-3030-46d3-8666-29B60D926C11}.exe"	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}\stubpath = "C:\\Windows\\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe"	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}\stubpath = "C:\\Windows\\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe"	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}\stubpath = "C:\\Windows\\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe"	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1798430-6B4E-4734-8E0E-8E37AB588B12}\stubpath = "C:\\Windows\\{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe"	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}\stubpath = "C:\\Windows\\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe"	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe
444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
4644	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
1880	{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
File created	C:\Windows\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
File created	C:\Windows\{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
File created	C:\Windows\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
File created	C:\Windows\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
File created	C:\Windows\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
File created	C:\Windows\{1F97E474-3030-46d3-8666-29B60D926C11}.exe	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
File created	C:\Windows\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	{1F97E474-3030-46d3-8666-29B60D926C11}.exe
File created	C:\Windows\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
File created	C:\Windows\{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
File created	C:\Windows\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
File created	C:\Windows\{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F97E474-3030-46d3-8666-29B60D926C11}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
Token: SeIncBasePriorityPrivilege	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
Token: SeIncBasePriorityPrivilege	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
Token: SeIncBasePriorityPrivilege	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
Token: SeIncBasePriorityPrivilege	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe
Token: SeIncBasePriorityPrivilege	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
Token: SeIncBasePriorityPrivilege	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
Token: SeIncBasePriorityPrivilege	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
Token: SeIncBasePriorityPrivilege	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
Token: SeIncBasePriorityPrivilege	3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
Token: SeIncBasePriorityPrivilege	4644	{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 3008	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	94
PID 3312 wrote to memory of 3008	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	94
PID 3312 wrote to memory of 3008	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	94
PID 3312 wrote to memory of 3228	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	95
PID 3312 wrote to memory of 3228	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	95
PID 3312 wrote to memory of 3228	3312	2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe	95
PID 3008 wrote to memory of 1544	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	96
PID 3008 wrote to memory of 1544	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	96
PID 3008 wrote to memory of 1544	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	96
PID 3008 wrote to memory of 3740	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	97
PID 3008 wrote to memory of 3740	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	97
PID 3008 wrote to memory of 3740	3008	{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe	97
PID 1544 wrote to memory of 1256	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	100
PID 1544 wrote to memory of 1256	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	100
PID 1544 wrote to memory of 1256	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	100
PID 1544 wrote to memory of 4996	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	101
PID 1544 wrote to memory of 4996	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	101
PID 1544 wrote to memory of 4996	1544	{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe	101
PID 1256 wrote to memory of 3684	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	102
PID 1256 wrote to memory of 3684	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	102
PID 1256 wrote to memory of 3684	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	102
PID 1256 wrote to memory of 1584	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	103
PID 1256 wrote to memory of 1584	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	103
PID 1256 wrote to memory of 1584	1256	{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe	103
PID 3684 wrote to memory of 2968	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	104
PID 3684 wrote to memory of 2968	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	104
PID 3684 wrote to memory of 2968	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	104
PID 3684 wrote to memory of 4340	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	105
PID 3684 wrote to memory of 4340	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	105
PID 3684 wrote to memory of 4340	3684	{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe	105
PID 2968 wrote to memory of 444	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	106
PID 2968 wrote to memory of 444	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	106
PID 2968 wrote to memory of 444	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	106
PID 2968 wrote to memory of 3480	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	107
PID 2968 wrote to memory of 3480	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	107
PID 2968 wrote to memory of 3480	2968	{1F97E474-3030-46d3-8666-29B60D926C11}.exe	107
PID 444 wrote to memory of 2112	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	108
PID 444 wrote to memory of 2112	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	108
PID 444 wrote to memory of 2112	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	108
PID 444 wrote to memory of 3592	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	109
PID 444 wrote to memory of 3592	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	109
PID 444 wrote to memory of 3592	444	{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe	109
PID 2112 wrote to memory of 1292	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	110
PID 2112 wrote to memory of 1292	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	110
PID 2112 wrote to memory of 1292	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	110
PID 2112 wrote to memory of 3380	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	111
PID 2112 wrote to memory of 3380	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	111
PID 2112 wrote to memory of 3380	2112	{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe	111
PID 1292 wrote to memory of 2760	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	112
PID 1292 wrote to memory of 2760	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	112
PID 1292 wrote to memory of 2760	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	112
PID 1292 wrote to memory of 4488	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	113
PID 1292 wrote to memory of 4488	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	113
PID 1292 wrote to memory of 4488	1292	{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe	113
PID 2760 wrote to memory of 3908	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	114
PID 2760 wrote to memory of 3908	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	114
PID 2760 wrote to memory of 3908	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	114
PID 2760 wrote to memory of 3600	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	115
PID 2760 wrote to memory of 3600	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	115
PID 2760 wrote to memory of 3600	2760	{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe	115
PID 3908 wrote to memory of 4644	3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe	116
PID 3908 wrote to memory of 4644	3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe	116
PID 3908 wrote to memory of 4644	3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe	116
PID 3908 wrote to memory of 4280	3908	{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_3fd2bc82efcd249c1374527fb549a37c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
  C:\Windows\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
    C:\Windows\{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
      C:\Windows\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
        
        C:\Windows\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\{1F97E474-3030-46d3-8666-29B60D926C11}.exe
        
        C:\Windows\{1F97E474-3030-46d3-8666-29B60D926C11}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
        
        C:\Windows\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
        
        C:\Windows\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
        
        C:\Windows\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
        
        C:\Windows\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
        
        C:\Windows\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
        
        C:\Windows\{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe
        
        C:\Windows\{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{060DC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0332~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A70ED~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B33EA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71D9E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96319~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F97E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD09A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F66~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{10E95~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{623B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{060DC70D-DB1F-43b3-8AB4-025903E7E906}.exe

Filesize
168KB

MD5
5f17bf37accc48737aaa8fe282ad8c58

SHA1
48b81b450cf6605372bf114d37b3f314551fdbba

SHA256
0e2e2ffff27dff7da6c3626144c066f13ed8de3f28b97db795887f6cb6af1dce

SHA512
69815565795cffd7499ce8c2d9489254ba915eb1546adcc86a9b99ee1029e72c72f8a8c7b8a04a514f3c44abff969b51f471a4d9a9161d0bab93a913d17163eb

Download Submit
C:\Windows\{10E95AB1-BE91-402f-9A04-406F6D9521B5}.exe

Filesize
168KB

MD5
98b6b9a3c8605fddfda58dfeb06e3a26

SHA1
0df90152da47aa5852201b259bc32a0d24eb6180

SHA256
19debdd542aaa817b8babfd9aa8ca9817905ff16335f8405f1fe50dcc42f0daf

SHA512
3e10955df317bb6faba356e00b08eac14ecdb298a97ea0de4b0b7151f8c7940dbde16181d3a5278682cb7300a0180f6b86fca47cdaf819bac4cfdbd9e716bebb

Download Submit
C:\Windows\{1F97E474-3030-46d3-8666-29B60D926C11}.exe

Filesize
168KB

MD5
10ebc8dd920f71c0162e67c33ebe4b8b

SHA1
2a0327d0f189a49ccdb376578891adb921c202e9

SHA256
efeb65ac7c466396235dcdc8e1e8398c2bab51355bc55fd427ce95896ad7e299

SHA512
ce70a3d3e3dfeb954bfd1383f4318b5695ca52fb7958f7f44c970c2d5bfaccb4bcadceaf4a21f84b7b2e61cbb341dc7a1bb7f254f0614e5098f16551e04a189b

Download Submit
C:\Windows\{29F662DF-3B64-4339-B8D4-CF3C98A94F52}.exe

Filesize
168KB

MD5
f74a75b10c3a0267ef479393c6bac477

SHA1
9df8ebec1d6468a8ed6d6e5c2352cf46fcdbaf81

SHA256
6627a00f5e7f046cf8cab6e1b45385c59414909eae438c3afc8af2e06dee5556

SHA512
f5144aa23f07d6c18425aecd9f183d645e9b6911ec6a9b3206ced0e51466c2627371d3aae6a66ccf4493ac9359c49b857669bf064e346faffc4269f8994c7bbd

Download Submit
C:\Windows\{623B5CE0-6759-486e-A8F3-42A3794AB9A2}.exe

Filesize
168KB

MD5
c5406a67aaa500a7342f602e608b390c

SHA1
066bf82e4dbddb4aed06b1a2d4326acece0c8b61

SHA256
244284f6ae16358c21775daa9cd28260729e0fc42ac633541d7cf8d5dd6037af

SHA512
6f03749f499ff38a02e65f5023927be052401586b03602fd3748b2d5afdac3158b0e697a95448d8918e127cecb2ddc404360ec5cb37b1992cb42464f5e835f14

Download Submit
C:\Windows\{71D9EFE7-30BB-46fc-8440-DAAC0FE2D1BC}.exe

Filesize
168KB

MD5
44649f49b000452fb8a94fcb96e73947

SHA1
5603a362f2dd717069fdbd00f665bd7def576c7c

SHA256
f368727fcbcfabdcfc80f34907a7c1cefe95f3719583c05194fc3fc741a955e8

SHA512
f4fea05f991b81f1de36abe51512d93040d9731c8e780baa25e91eb55eaa181b0bbc2d5965401e04ebc2ba19403034e42e9689340308bc4c437e8bb31ebc41a9

Download Submit
C:\Windows\{96319FA6-0610-4fbf-A15F-0AF7E4C05BC7}.exe

Filesize
168KB

MD5
e1bb1e6393ce041557ba32840572781a

SHA1
274ff9be3e9c4278e1ab404bb0063bce811eee2f

SHA256
0cd1f2a6fbb74d6017972e46703316baea5f4ed931f59c6ff12c3183d72845da

SHA512
06e1284aff7088a52218da805afb34ca85ec8b8e9e8f62968084cc63c03aec9e0bc3167b81bb3e2c5225cb81bae9a80596f8e4769fa7e0ddb71ee461f1966f17

Download Submit
C:\Windows\{A70EDF26-2AF1-4c3f-B6F0-657F71D1EA6F}.exe

Filesize
168KB

MD5
b55844a3087a2fd671d98107445a6601

SHA1
ebfd15cfbebb3b6bd800120ec0f561f0a51c7559

SHA256
e19e6f76c11ffe1f60616a5a87237a6d0da8bcca23f0db6caf3e196963a64806

SHA512
89f4370d69dec511dc2865f12e450db48584aad81fe7b2cab9ee6b4d546566259cb86e4e252714d356cf3a679d1a8ec22b847a3da80baa77795cd7eec2cc6760

Download Submit
C:\Windows\{B33EA564-24E8-4ed5-A7C7-1BAA9DDEA919}.exe

Filesize
168KB

MD5
b396811119516f780be4b4913400de56

SHA1
1a0a4455215666b99f22728509ce7ef1027a880a

SHA256
1ca966f9c922ec45490033597cc6424a9b35a27412ed0c0167fd0cd22fe4b1bc

SHA512
f51a446f83c10059a85d9555efc19d9bffb4fb950cb4cfc64d2a8124dd835b2d9b6123cf8e3d99323f0e1ea15e64646c811f1f03b910d9f8c5058e294f3dce77

Download Submit
C:\Windows\{BD09AA01-6CA4-466e-BA53-5C44C133F3FB}.exe

Filesize
168KB

MD5
6e5a768675e837c3469197c50a88f31e

SHA1
48ef8bf4ccdcc6070d3acfa6127c0598d25800e1

SHA256
14809606f546cf2b257957605f22bf746b29d5542896c6f0bdfc2541c8db7767

SHA512
243d255a505a909d228e38722d93fcd607e6bb616f7f9a5b8e25b3ed15c438c45060de24d6aca6a9ec5f7ffc093bffa74c5731da05f6f988c5e791609558c416

Download Submit
C:\Windows\{E1798430-6B4E-4734-8E0E-8E37AB588B12}.exe

Filesize
168KB

MD5
3fa0ad0eb2983f2fcc53dfa7b12cdd3f

SHA1
c756ad93b88616968b8cbd4acdf0b4ea881dbee8

SHA256
2a9496cb7e04e08314d087dce92fe6b85c52f4c3d0fa83fc79c755056bad030e

SHA512
bdbe0e790d60b4806c2f116b4dc49d744a593a38e09c1dec69b3854f284e433c0f55a4da01b83db047edeb3f1d83b500208f7892abf1b39dae35b88683f2eefd

Download Submit
C:\Windows\{F03329D4-AFEA-4cc2-B440-A6A9B223795F}.exe

Filesize
168KB

MD5
9f2d1e550c2517bdd57a52437431e688

SHA1
87e2eb54ca50cdb2bfe1ef296b513aab6eda2604

SHA256
9f90209738ce4c096d590e379a013f0c786797d9c36c62b8844565aa26d86c33

SHA512
1b98faa87cdc58e265eff8a724f73344f93be8cebd399ee1c9dbe83e7b3b43007a97f8448bed66eb8f050a6c1998830701e6ef7d5dc956ad6d2ed97e06fe48ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads