685cfcd1f3ac9cf56c8e3b0e4d895c6d68313d9e7ed3f86c5c0a054f33173b2c

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Size

168KB
MD5

76a54df5d37821938d15f40306de56ab
SHA1

19ad559a2a12ec1e21abc9d2529d42d18312f277
SHA256

685cfcd1f3ac9cf56c8e3b0e4d895c6d68313d9e7ed3f86c5c0a054f33173b2c
SHA512

a41fe8779936c789e1849ce0fb47868a26fdf37fc7b9cfc638a969a4361cd22b6e3d6f9a72c76ef32c5385bfe446eaf264af3567ffa646991a6eb2301d2ff1d8
SSDEEP

1536:1EGh0oTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oTlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}\stubpath = "C:\\Windows\\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe"	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82099E09-A4B1-42b1-8CAD-14ECE252264F}	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}\stubpath = "C:\\Windows\\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe"	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}\stubpath = "C:\\Windows\\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe"	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}\stubpath = "C:\\Windows\\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe"	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}\stubpath = "C:\\Windows\\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe"	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47631D40-AAF1-4da1-93B0-8F108840383A}\stubpath = "C:\\Windows\\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe"	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716792A5-A0F9-44a5-A854-004553FCE0B6}	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716792A5-A0F9-44a5-A854-004553FCE0B6}\stubpath = "C:\\Windows\\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe"	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}\stubpath = "C:\\Windows\\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe"	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}\stubpath = "C:\\Windows\\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe"	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}\stubpath = "C:\\Windows\\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe"	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47631D40-AAF1-4da1-93B0-8F108840383A}	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}\stubpath = "C:\\Windows\\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe"	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82099E09-A4B1-42b1-8CAD-14ECE252264F}\stubpath = "C:\\Windows\\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe"	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
832	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
2352	{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
File created	C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
File created	C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
File created	C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
File created	C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
File created	C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
File created	C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
File created	C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
File created	C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
File created	C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
File created	C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
File created	C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
Token: SeIncBasePriorityPrivilege	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
Token: SeIncBasePriorityPrivilege	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
Token: SeIncBasePriorityPrivilege	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
Token: SeIncBasePriorityPrivilege	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
Token: SeIncBasePriorityPrivilege	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
Token: SeIncBasePriorityPrivilege	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
Token: SeIncBasePriorityPrivilege	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
Token: SeIncBasePriorityPrivilege	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
Token: SeIncBasePriorityPrivilege	612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
Token: SeIncBasePriorityPrivilege	832	{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4072	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	94
PID 4092 wrote to memory of 4072	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	94
PID 4092 wrote to memory of 4072	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	94
PID 4092 wrote to memory of 4760	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	95
PID 4092 wrote to memory of 4760	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	95
PID 4092 wrote to memory of 4760	4092	2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe	95
PID 4072 wrote to memory of 3080	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	96
PID 4072 wrote to memory of 3080	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	96
PID 4072 wrote to memory of 3080	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	96
PID 4072 wrote to memory of 3972	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	97
PID 4072 wrote to memory of 3972	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	97
PID 4072 wrote to memory of 3972	4072	{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe	97
PID 3080 wrote to memory of 2268	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	100
PID 3080 wrote to memory of 2268	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	100
PID 3080 wrote to memory of 2268	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	100
PID 3080 wrote to memory of 932	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	101
PID 3080 wrote to memory of 932	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	101
PID 3080 wrote to memory of 932	3080	{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe	101
PID 2268 wrote to memory of 1684	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	102
PID 2268 wrote to memory of 1684	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	102
PID 2268 wrote to memory of 1684	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	102
PID 2268 wrote to memory of 4932	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	103
PID 2268 wrote to memory of 4932	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	103
PID 2268 wrote to memory of 4932	2268	{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe	103
PID 1684 wrote to memory of 964	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	104
PID 1684 wrote to memory of 964	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	104
PID 1684 wrote to memory of 964	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	104
PID 1684 wrote to memory of 3500	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	105
PID 1684 wrote to memory of 3500	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	105
PID 1684 wrote to memory of 3500	1684	{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe	105
PID 964 wrote to memory of 1504	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	106
PID 964 wrote to memory of 1504	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	106
PID 964 wrote to memory of 1504	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	106
PID 964 wrote to memory of 2328	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	107
PID 964 wrote to memory of 2328	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	107
PID 964 wrote to memory of 2328	964	{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe	107
PID 1504 wrote to memory of 3592	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	108
PID 1504 wrote to memory of 3592	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	108
PID 1504 wrote to memory of 3592	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	108
PID 1504 wrote to memory of 4868	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	109
PID 1504 wrote to memory of 4868	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	109
PID 1504 wrote to memory of 4868	1504	{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe	109
PID 3592 wrote to memory of 2340	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	110
PID 3592 wrote to memory of 2340	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	110
PID 3592 wrote to memory of 2340	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	110
PID 3592 wrote to memory of 4380	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	111
PID 3592 wrote to memory of 4380	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	111
PID 3592 wrote to memory of 4380	3592	{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe	111
PID 2340 wrote to memory of 760	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	112
PID 2340 wrote to memory of 760	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	112
PID 2340 wrote to memory of 760	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	112
PID 2340 wrote to memory of 916	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	113
PID 2340 wrote to memory of 916	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	113
PID 2340 wrote to memory of 916	2340	{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe	113
PID 760 wrote to memory of 612	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	114
PID 760 wrote to memory of 612	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	114
PID 760 wrote to memory of 612	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	114
PID 760 wrote to memory of 3372	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	115
PID 760 wrote to memory of 3372	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	115
PID 760 wrote to memory of 3372	760	{47631D40-AAF1-4da1-93B0-8F108840383A}.exe	115
PID 612 wrote to memory of 832	612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe	116
PID 612 wrote to memory of 832	612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe	116
PID 612 wrote to memory of 832	612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe	116
PID 612 wrote to memory of 3888	612	{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_76a54df5d37821938d15f40306de56ab_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
  C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
    C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
      C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
        
        C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
        
        C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
        
        C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
        
        C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
        
        C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
        
        C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
        
        C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
        
        C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe
        
        C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82099~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA315~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47631~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA70A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C63F9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B50F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97D41~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0BB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68C91~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1E4A3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7D7FD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A0BB1EE-B251-4859-8610-EFBF2CA172DF}.exe

Filesize
168KB

MD5
0862bc8a0af012122002434940dbd794

SHA1
dba02ff7d2777cb23c66baac53a99ae973b3f298

SHA256
ddb0cce5fa03119eb27aebba1b67e963ca588d1027b0e5c068d7693053c9fb65

SHA512
aa1b51becd8f9db1560352baf692bf924b16f5ee0d36a586b3b45f56e90fbb192b40408cc50074a71baae1ca336e5510b4336c90366ab60fb01f9c5c9465fb32

Download Submit
C:\Windows\{1E4A326B-F1BB-4781-99D2-C584DB13A71B}.exe

Filesize
168KB

MD5
d005e83170469cc3d7433a39bcb737a9

SHA1
d56c8f9ca312534096e466ca846b624cab807ea1

SHA256
0d6a08ff8383c69f3c36c433829e191651b249c37284c2d744d39df9a0a7eabb

SHA512
8c5bc6b9c0693b79473a246e86d5d5e1113189a218d4987bf0891f2bd6ee7ce6c0db77ad3c5183a401b5146e84407d5f12ddb13f3b5cffaafd2ed1606b728fda

Download Submit
C:\Windows\{3B50FB69-BEBC-4e9b-9F16-BF22C0440C2E}.exe

Filesize
168KB

MD5
a58a4b4fe2fa9fbec0a336e2348dd4b0

SHA1
a40b80900b1c9d40f0fdbb2e6cd62c1bb2697c8a

SHA256
32049d8bf25abf3b42eea9cd6f4aec2d0586d9dea6e35a26b2eccd07f54ce1e6

SHA512
2d1cf475faab9b36c182b8c313bf3e51e84114e1ea86796daa3c33d2d4d7af7e235bf9ef419a5a25dbd0cf9c14dbe1df6c5e2c93cc2e43dc0e95a8af3241088d

Download Submit
C:\Windows\{47631D40-AAF1-4da1-93B0-8F108840383A}.exe

Filesize
168KB

MD5
2c9017469ac3f7b977f36a2c51d96c48

SHA1
3fd95d9b30c423ec0cf43d67dfe88bb2ac6abb5e

SHA256
41edf7c4d0e4e525a2ab3ed025b4972f02e5236493c066ced0fde8e2da1abcb1

SHA512
b67893b78bca56afc6942eb4c8b74ba9e5023209ed95dd121505fc47a61adc2126ebe6229f70fa51de405552461797e6608b87435dc6b4e0bff95fbaeeff82f0

Download Submit
C:\Windows\{68C91F57-BB2B-4905-B512-6AFA1DC72F00}.exe

Filesize
168KB

MD5
89a7ca1681c50ffa36b61f745dc559e4

SHA1
7c463eb5b7e76bd126a8970d064ff03759e84f87

SHA256
f76d3e756b0922b40dab4cb7be422d7b3715f98f8a4b603fdc53919a7974666c

SHA512
bfe30842e94f8ec99d31e58ff7442ff36631db13ecfc28ac949f116a29d0a05f057a1d99c72cbec6a016aa1611ed11307790c7578ac3b78b983242203a26fd31

Download Submit
C:\Windows\{716792A5-A0F9-44a5-A854-004553FCE0B6}.exe

Filesize
168KB

MD5
8a177541b36d01bb0ee18c2f5af7e541

SHA1
1d3f5b2a26f96c8dcb278120d5b36dd810f81490

SHA256
99b1c1a066b1412dfde824a05608324cc9cc2381e045cfccbe0d33f575a26d9b

SHA512
17daf684ed676d5791886058a605fea3d060aba9a2b3a8ba3336fd1af318c322fb061dab5f6f7f1a9649fb581f758ab5aac081efb55fe4ec6a5e587e2d10f381

Download Submit
C:\Windows\{7D7FD993-FD28-4c0a-AA4B-D1F6B02316F2}.exe

Filesize
168KB

MD5
03ea24fe26140b630c015bc71d05cdd1

SHA1
a316a67a35bf20665973e0bb6a3361fec3599578

SHA256
db932fcd86501584a7decad624afd7d86471e5948baa89ff88ed18eb848fd44c

SHA512
9330ee7990598589b4105b9df57a1104ab3c331a0ba49ac0bccbcbb39ba8f5d8aecef551b4c5caba39cb6791193ecd3e29ce60d782822cca49afa451cfc84f84

Download Submit
C:\Windows\{82099E09-A4B1-42b1-8CAD-14ECE252264F}.exe

Filesize
168KB

MD5
bd39d085902b5d6a67dfd67fd637948e

SHA1
8a09051a8d63fbadf4be4b77ac240d6eebdb7273

SHA256
2cb354b084301e3d99d065a5817c7ad372f6e5d444c1e7af9e3a3221a294d097

SHA512
85b34725599776358848cfa30a6d67cb7307b70e58af2a128e34d2d1663a6277bfaee6fc1184b0082428a492efbc9ebfa72c636ebe9cad3e360d3a492f66f8c1

Download Submit
C:\Windows\{97D41C18-DED4-4cee-80AE-6DFCA2B3A79A}.exe

Filesize
168KB

MD5
aa22d8e7034e438eef481d8da26732d6

SHA1
f3cd91c92644bbfebf38e20b648067e8d614e11c

SHA256
e59d1ef9f6a3bfd88773646eb04626b12fa3fe560cfc3dfbed36f94e4024e21f

SHA512
901facb83aa9eb1eec6a2695f53d2fcb3438274e7d174338f83dc25ea90df07664acc8d142a9969245bb4735793fad9e004bf51ccd2a70e9847236e9764cf3d0

Download Submit
C:\Windows\{BA70AE7D-54EC-4b50-95C6-0F60AE21A2ED}.exe

Filesize
168KB

MD5
cd82777601ca0cec65ac1efff5ba4f4c

SHA1
e796eef9fd285ff9f6020384356d31779d44d1d6

SHA256
65ff4bb73807b6254252e6e10df12581126550ddcf4317f100e2eed11328ede7

SHA512
0e43456615e63a5e222b3f7e479aec62b4ff5fd93a9c6d80b7a09726d622737017e64e177ac3883c579322a89a1dddc08a72a7c24f20692e33166c3a297f24ff

Download Submit
C:\Windows\{C63F92CB-A627-4780-80CF-BD7FFD58ADB2}.exe

Filesize
168KB

MD5
c741d3b5bbb5eadcc83d8290f8da81a9

SHA1
2d6a13b8ae1e55ba08f1013d49f58c89d682b831

SHA256
30e69e278f3d32c6fe6412764d2b99fb4da9e4cd8797a7304a5a944a9d1bad16

SHA512
92f55f7293c09e00da0262a278e2d7f18fb39d7e19c13d107733a79d610459a717b76d64f501cab666025fa340701716a6d49b6574ec70b0faf11725165b69a4

Download Submit
C:\Windows\{FA3153CB-E2CE-4ac9-BF5E-2411EC077FA2}.exe

Filesize
168KB

MD5
5d7a3e67e90a9f2e5efd7b37ce2f61d0

SHA1
4dfb2668d68caeb6aa59ad85e461ac096d8c7c7d

SHA256
846144dd75097d874f76108e259d8d21258351ba34348a5d87a9af4c3e67aae1

SHA512
90cc8ac7a4b48bc702a9e4c1751da53babb1469cc9fa3586934bbff84bf4dd3bf4ad52371cb8a4d7d4c99ecbb18ec096e5ca972f2a2fa74569fdae0348d1bad3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads