7087eed83d72b0d678831314675f5bc7cd72f1874929df4accd4e29cbf1a1f29

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
Size

344KB
MD5

16d8ca4f32204d91776cdd32187d67f4
SHA1

870ce37947988dab2320815a7d7bad024980ab3f
SHA256

7087eed83d72b0d678831314675f5bc7cd72f1874929df4accd4e29cbf1a1f29
SHA512

24802eafed6f4df0e4301c8fe681b4d649f25fd77aca1372501f841bc3d5eb7a715c9457b57cc89439fecf884d2300be781094974d248eb4efd83b47e05e8ae1
SSDEEP

3072:mEGh0ollEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGvlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7F209F-E065-4a78-99DA-48F7648135D7}\stubpath = "C:\\Windows\\{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe"	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906C3792-DA2C-44ea-84A3-F91467F272CD}\stubpath = "C:\\Windows\\{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe"	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}\stubpath = "C:\\Windows\\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe"	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75AB31B-80D3-420b-AFB0-750FE7D47382}	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABA6859-9790-4b66-B971-3281F8ED05C0}\stubpath = "C:\\Windows\\{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe"	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA8306F5-7D7F-48c0-9461-31496A063035}	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75AB31B-80D3-420b-AFB0-750FE7D47382}\stubpath = "C:\\Windows\\{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe"	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}\stubpath = "C:\\Windows\\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe"	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA8306F5-7D7F-48c0-9461-31496A063035}\stubpath = "C:\\Windows\\{DA8306F5-7D7F-48c0-9461-31496A063035}.exe"	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906C3792-DA2C-44ea-84A3-F91467F272CD}	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}\stubpath = "C:\\Windows\\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe"	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}\stubpath = "C:\\Windows\\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe"	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}\stubpath = "C:\\Windows\\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe"	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABA6859-9790-4b66-B971-3281F8ED05C0}	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7F209F-E065-4a78-99DA-48F7648135D7}	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}\stubpath = "C:\\Windows\\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe"	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}\stubpath = "C:\\Windows\\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe"	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
1500	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe
808	{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
File created	C:\Windows\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
File created	C:\Windows\{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
File created	C:\Windows\{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
File created	C:\Windows\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
File created	C:\Windows\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
File created	C:\Windows\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
File created	C:\Windows\{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
File created	C:\Windows\{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
File created	C:\Windows\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
File created	C:\Windows\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
File created	C:\Windows\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
Token: SeIncBasePriorityPrivilege	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
Token: SeIncBasePriorityPrivilege	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
Token: SeIncBasePriorityPrivilege	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
Token: SeIncBasePriorityPrivilege	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
Token: SeIncBasePriorityPrivilege	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
Token: SeIncBasePriorityPrivilege	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
Token: SeIncBasePriorityPrivilege	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
Token: SeIncBasePriorityPrivilege	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
Token: SeIncBasePriorityPrivilege	2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
Token: SeIncBasePriorityPrivilege	1500	{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4964	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	88
PID 2352 wrote to memory of 4964	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	88
PID 2352 wrote to memory of 4964	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	88
PID 2352 wrote to memory of 4980	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	89
PID 2352 wrote to memory of 4980	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	89
PID 2352 wrote to memory of 4980	2352	2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe	89
PID 4964 wrote to memory of 672	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	90
PID 4964 wrote to memory of 672	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	90
PID 4964 wrote to memory of 672	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	90
PID 4964 wrote to memory of 4160	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	91
PID 4964 wrote to memory of 4160	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	91
PID 4964 wrote to memory of 4160	4964	{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe	91
PID 672 wrote to memory of 4900	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	95
PID 672 wrote to memory of 4900	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	95
PID 672 wrote to memory of 4900	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	95
PID 672 wrote to memory of 3116	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	96
PID 672 wrote to memory of 3116	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	96
PID 672 wrote to memory of 3116	672	{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe	96
PID 4900 wrote to memory of 2512	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	97
PID 4900 wrote to memory of 2512	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	97
PID 4900 wrote to memory of 2512	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	97
PID 4900 wrote to memory of 3748	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	98
PID 4900 wrote to memory of 3748	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	98
PID 4900 wrote to memory of 3748	4900	{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe	98
PID 2512 wrote to memory of 2488	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	99
PID 2512 wrote to memory of 2488	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	99
PID 2512 wrote to memory of 2488	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	99
PID 2512 wrote to memory of 1328	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	100
PID 2512 wrote to memory of 1328	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	100
PID 2512 wrote to memory of 1328	2512	{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe	100
PID 2488 wrote to memory of 4212	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	101
PID 2488 wrote to memory of 4212	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	101
PID 2488 wrote to memory of 4212	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	101
PID 2488 wrote to memory of 4100	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	102
PID 2488 wrote to memory of 4100	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	102
PID 2488 wrote to memory of 4100	2488	{DA8306F5-7D7F-48c0-9461-31496A063035}.exe	102
PID 4212 wrote to memory of 3384	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	103
PID 4212 wrote to memory of 3384	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	103
PID 4212 wrote to memory of 3384	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	103
PID 4212 wrote to memory of 1140	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	104
PID 4212 wrote to memory of 1140	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	104
PID 4212 wrote to memory of 1140	4212	{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe	104
PID 3384 wrote to memory of 1744	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	105
PID 3384 wrote to memory of 1744	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	105
PID 3384 wrote to memory of 1744	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	105
PID 3384 wrote to memory of 1216	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	106
PID 3384 wrote to memory of 1216	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	106
PID 3384 wrote to memory of 1216	3384	{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe	106
PID 1744 wrote to memory of 3276	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	107
PID 1744 wrote to memory of 3276	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	107
PID 1744 wrote to memory of 3276	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	107
PID 1744 wrote to memory of 4440	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	108
PID 1744 wrote to memory of 4440	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	108
PID 1744 wrote to memory of 4440	1744	{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe	108
PID 3276 wrote to memory of 2300	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	109
PID 3276 wrote to memory of 2300	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	109
PID 3276 wrote to memory of 2300	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	109
PID 3276 wrote to memory of 3088	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	110
PID 3276 wrote to memory of 3088	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	110
PID 3276 wrote to memory of 3088	3276	{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe	110
PID 2300 wrote to memory of 1500	2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe	111
PID 2300 wrote to memory of 1500	2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe	111
PID 2300 wrote to memory of 1500	2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe	111
PID 2300 wrote to memory of 4064	2300	{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_16d8ca4f32204d91776cdd32187d67f4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
  C:\Windows\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
    C:\Windows\{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
      C:\Windows\{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
        
        C:\Windows\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
        
        C:\Windows\{DA8306F5-7D7F-48c0-9461-31496A063035}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
        
        C:\Windows\{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
        
        C:\Windows\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
        
        C:\Windows\{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
        
        C:\Windows\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
        
        C:\Windows\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe
        
        C:\Windows\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe
        
        C:\Windows\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5671~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3AD1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0D9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C75AB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B308~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{906C3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA830~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F585B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A7F2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABA6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F32F3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B308D0B-C867-4cce-9094-CBD8AB53EA15}.exe

Filesize
344KB

MD5
478053c3caa14a455bd441c85dd7f182

SHA1
991bde34edc10b0efb25f43782c8a1dbda24d576

SHA256
2d2919a35d6246fe14fc30004e9f01bd66070ac4ea7898a632eacf01907600f8

SHA512
24dd879240a4acab92c555a2baa88d290c314b6c2061187c7270cf46c440425df5a62100bf4b33eb8d7e6a7fb12ca43b1bfde4371012e9ecb7b76dc9e59fb8b8

Download Submit
C:\Windows\{3A7F209F-E065-4a78-99DA-48F7648135D7}.exe

Filesize
344KB

MD5
5178be2a224b7cec5efba03ff07838ec

SHA1
49df77fe3226f4e2fd3fc9b2830189f128458fc2

SHA256
448964d4b1e0ed58cb4ad1d5dc94601d569419ca3e004ec3d5b0c8a3841bb8be

SHA512
2a5ff96ab7e88d1ed558e943f9f93c1f5c121521b5eb98e5e115d6007825586ca0f792dac07add781b11f8c211b2b4777b7b73aaf1547847836d54ca246b554d

Download Submit
C:\Windows\{6ABA6859-9790-4b66-B971-3281F8ED05C0}.exe

Filesize
344KB

MD5
4a3eb7d5b54403ed6251e958842904cd

SHA1
e476fd96db07b20bcecd548ac21e5beda91ae8cc

SHA256
584634ecda3ba4ef25f46699e8f1fcfe2dd63d4b0522a2cf35855ed7d251ca80

SHA512
c09af1544d862ab95547acbbbe029927459324aaa08735c9aeae67167e6673697a12db9faddf5db917d5850d75839bf70c8ec27e730fef3f43ba9a04c9dc7909

Download Submit
C:\Windows\{6D0D9230-8C5D-47ac-B1AF-921CCFB96F01}.exe

Filesize
344KB

MD5
ff66db8a9113ea3bc965af1fd645e1a3

SHA1
d724930ad81e5152e1fbaab31b21f10c050fc705

SHA256
780b5332b7e7b6b6bd4b2ead682e18a4e093f1185a3e29e458ac8125a6a1e1a1

SHA512
604c4e9b549d06534de222c2ea06e7f4d625b7f2e94588c506c24f23b70b31d95e8b8afd4c62e8093c30c3b9d80d435187236287d8824df53aaf63595e73fd07

Download Submit
C:\Windows\{906C3792-DA2C-44ea-84A3-F91467F272CD}.exe

Filesize
344KB

MD5
db9adacd0f8e108470fa73541cc661c3

SHA1
b25f662e90bcf161a2ace92e48263db09e892ca0

SHA256
80eafe87c81d57a7cb9a4a143499ccd916f1b65043377992e2b63fc74a00e311

SHA512
b27744e59c5b19e24eda3fc8e705f751e6628c7089b2fee2af918fdef404fffb8fc59f03ab57f34af2059186f9e412957547f5de6d20fd92352630fdb2276689

Download Submit
C:\Windows\{B3AD1042-1A14-4ebf-96F8-4F0722F95C3D}.exe

Filesize
344KB

MD5
bff54e7979ad56c619453f3341f62d37

SHA1
542d28f93a25b335b8cd1ca5ce51e76d7b42b5ce

SHA256
b213a42d86c94340440fcc88122199ee7b081f1bd54fe55d28d3994a666ba6fe

SHA512
63c94b32b0ab52ab8601953c362c0962a9ba5236e9f5dae3267e2276cec81d0aa51b8e33f97fc3ea5353083f95d2ed608fd855e5a9bde75bfda99d9ac953de12

Download Submit
C:\Windows\{B56710C3-5BC5-4f69-A1D2-2D8D67680D0B}.exe

Filesize
344KB

MD5
1848858c8a785dbf344ed39ed7e0b9cf

SHA1
4cbd7b6e144fca1afe8b2823ee19513f68be196e

SHA256
5e3911eff30f09668ede9549a1e6fccb2e75edece9ef21550216647ec1a4865f

SHA512
ae0e4f0acca2ae905cd9a3df882a62bf8862cb4a190b53d37f85859b9b13087bdbeac8670b12201e5b5f38df143e16a07a3ad64af1f40582a481456194e7b488

Download Submit
C:\Windows\{C24207E8-3CA4-47c2-A387-F4EAC64C9ACB}.exe

Filesize
344KB

MD5
5dad8b23a5460ce1dc41448dfa47454c

SHA1
6a25469c6940789fbb06177e04b622f6e68eca86

SHA256
f5330928ebe09ce0e3dd7c26e33423e38d25ca19a078b625ba4e2d2b3ca39470

SHA512
0537859f39a8e18e59a49b1e3aa6afbd739bf1661b89862353d161ec6246c4f633d2877ab92cefe2ff7cbe7c405d15361464eb0b8f178d8ed36ab29d5bdabf75

Download Submit
C:\Windows\{C75AB31B-80D3-420b-AFB0-750FE7D47382}.exe

Filesize
344KB

MD5
7213d4851579f0e31802d5c5966af38f

SHA1
744f4842df5302af275f7f26ee2b424e2e60c660

SHA256
bf560d15d8e8b42aedfef8cfc1e62477da18b4dffe191fca85289d530b323eb5

SHA512
91dd40c0f68fdafe72b2b49ca72b190da73038adbf9e1c21f516f822c220ef159a7a74648b5e6ce145decf9bde474089494e8fd5dab8a94525241f4da480fcc9

Download Submit
C:\Windows\{DA8306F5-7D7F-48c0-9461-31496A063035}.exe

Filesize
344KB

MD5
9cd0f95817b8387c1a9f67c086fd236e

SHA1
7eb9117886a97ca014c869a19c8987a4057445fb

SHA256
09d83ea344e12f16ce8e81049ef6807eefe8a7d92ed5c0fafd46e4d3190c078c

SHA512
eacca2cbcffa025eb7c361db3876fdd460b9a27bc633b6518e1f12b33f0d55f4f114c140747f7a52924a432988d058b00c31ebc3d67230e25ef9ace28e63072b

Download Submit
C:\Windows\{F32F34F3-0B30-492a-B6CE-DC71A1A7B93A}.exe

Filesize
344KB

MD5
425ec86436a69b98140c485f8dfd9b67

SHA1
3673f850e4ea5dafe8aa8f5b80285bb1e6f84bcb

SHA256
0870ac82847aa03c2f44ba3a86de3b6620fd8b80612796c4258bc4e0fb0e7d10

SHA512
394a6cb800ecaf8e3713ff2128517eb1817f642951fb2031a9d584474103bd4db544f75195180ed16d7d3fa03665152471b96c0b5ce1e473361c44234d3b2064

Download Submit
C:\Windows\{F585B4FD-5CDC-42ce-984C-C6EB7ECCCCFA}.exe

Filesize
344KB

MD5
89fdc2d4bde8703a0941f5ba92c9d9f9

SHA1
b405ab223a7c7351921293a5bfb90aea27620489

SHA256
f667dcc598f5999e3cd78be0ba028007b2b7a809eac0fe1aa9a79995b121741b

SHA512
fbf42f832e1a9bf3c85d74fa0bd377718e4713f39cc62ccdac5b6f2b2ba54c4c48faad9dd26809ef91a6e2e772aa75f4538bf8498764e58f0026bef74bb953bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads