061c80dd028f5e0e2e48898236d0951f3f336a90e70cc8dfdc69ebc74565069d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
Size

180KB
MD5

d63afda7dbfcaf0c309171dd648b8ec5
SHA1

1f0dcea04787560021c93affb4d8b78b78896451
SHA256

061c80dd028f5e0e2e48898236d0951f3f336a90e70cc8dfdc69ebc74565069d
SHA512

4b6d97583b68dae31223f915f5f70471c64c2ffc6901a1d443639777abdc63abb59a8f41ee9cd197e237119863f6cfd87807376a5f5676a674559d18b811cb7a
SSDEEP

3072:jEGh0osklfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGbl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}\stubpath = "C:\\Windows\\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe"	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}\stubpath = "C:\\Windows\\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe"	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26159FF0-DE0E-4911-970F-099F9F1B4935}\stubpath = "C:\\Windows\\{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe"	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D92E5B-90E6-4740-9867-59CED3FB364A}	{719282E8-C783-4335-867E-42ECC0490883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11000B19-9A26-4efe-957D-E1E163B6ACA6}\stubpath = "C:\\Windows\\{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe"	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719282E8-C783-4335-867E-42ECC0490883}\stubpath = "C:\\Windows\\{719282E8-C783-4335-867E-42ECC0490883}.exe"	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11000B19-9A26-4efe-957D-E1E163B6ACA6}	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}\stubpath = "C:\\Windows\\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe"	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}\stubpath = "C:\\Windows\\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe"	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}\stubpath = "C:\\Windows\\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe"	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{719282E8-C783-4335-867E-42ECC0490883}	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69D92E5B-90E6-4740-9867-59CED3FB364A}\stubpath = "C:\\Windows\\{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe"	{719282E8-C783-4335-867E-42ECC0490883}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E819C441-F55C-4026-8309-5B3E7143A659}	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}\stubpath = "C:\\Windows\\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe"	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}\stubpath = "C:\\Windows\\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe"	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E819C441-F55C-4026-8309-5B3E7143A659}\stubpath = "C:\\Windows\\{E819C441-F55C-4026-8309-5B3E7143A659}.exe"	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26159FF0-DE0E-4911-970F-099F9F1B4935}	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
4304	{719282E8-C783-4335-867E-42ECC0490883}.exe
5016	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
920	{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe	{719282E8-C783-4335-867E-42ECC0490883}.exe
File created	C:\Windows\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
File created	C:\Windows\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
File created	C:\Windows\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
File created	C:\Windows\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
File created	C:\Windows\{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
File created	C:\Windows\{719282E8-C783-4335-867E-42ECC0490883}.exe	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
File created	C:\Windows\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
File created	C:\Windows\{E819C441-F55C-4026-8309-5B3E7143A659}.exe	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
File created	C:\Windows\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
File created	C:\Windows\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
File created	C:\Windows\{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{719282E8-C783-4335-867E-42ECC0490883}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
Token: SeIncBasePriorityPrivilege	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe
Token: SeIncBasePriorityPrivilege	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
Token: SeIncBasePriorityPrivilege	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
Token: SeIncBasePriorityPrivilege	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
Token: SeIncBasePriorityPrivilege	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
Token: SeIncBasePriorityPrivilege	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
Token: SeIncBasePriorityPrivilege	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
Token: SeIncBasePriorityPrivilege	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
Token: SeIncBasePriorityPrivilege	4304	{719282E8-C783-4335-867E-42ECC0490883}.exe
Token: SeIncBasePriorityPrivilege	5016	{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2752	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	91
PID 2652 wrote to memory of 2752	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	91
PID 2652 wrote to memory of 2752	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	91
PID 2652 wrote to memory of 4468	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	92
PID 2652 wrote to memory of 4468	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	92
PID 2652 wrote to memory of 4468	2652	2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe	92
PID 2752 wrote to memory of 2892	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	96
PID 2752 wrote to memory of 2892	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	96
PID 2752 wrote to memory of 2892	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	96
PID 2752 wrote to memory of 1188	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	97
PID 2752 wrote to memory of 1188	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	97
PID 2752 wrote to memory of 1188	2752	{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe	97
PID 2892 wrote to memory of 4432	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	100
PID 2892 wrote to memory of 4432	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	100
PID 2892 wrote to memory of 4432	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	100
PID 2892 wrote to memory of 4588	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	101
PID 2892 wrote to memory of 4588	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	101
PID 2892 wrote to memory of 4588	2892	{E819C441-F55C-4026-8309-5B3E7143A659}.exe	101
PID 4432 wrote to memory of 3096	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	102
PID 4432 wrote to memory of 3096	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	102
PID 4432 wrote to memory of 3096	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	102
PID 4432 wrote to memory of 2152	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	103
PID 4432 wrote to memory of 2152	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	103
PID 4432 wrote to memory of 2152	4432	{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe	103
PID 3096 wrote to memory of 2184	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	104
PID 3096 wrote to memory of 2184	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	104
PID 3096 wrote to memory of 2184	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	104
PID 3096 wrote to memory of 1092	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	105
PID 3096 wrote to memory of 1092	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	105
PID 3096 wrote to memory of 1092	3096	{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe	105
PID 2184 wrote to memory of 1856	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	106
PID 2184 wrote to memory of 1856	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	106
PID 2184 wrote to memory of 1856	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	106
PID 2184 wrote to memory of 4084	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	107
PID 2184 wrote to memory of 4084	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	107
PID 2184 wrote to memory of 4084	2184	{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe	107
PID 1856 wrote to memory of 2156	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	108
PID 1856 wrote to memory of 2156	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	108
PID 1856 wrote to memory of 2156	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	108
PID 1856 wrote to memory of 4188	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	109
PID 1856 wrote to memory of 4188	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	109
PID 1856 wrote to memory of 4188	1856	{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe	109
PID 2156 wrote to memory of 5116	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	110
PID 2156 wrote to memory of 5116	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	110
PID 2156 wrote to memory of 5116	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	110
PID 2156 wrote to memory of 4616	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	111
PID 2156 wrote to memory of 4616	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	111
PID 2156 wrote to memory of 4616	2156	{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe	111
PID 5116 wrote to memory of 3328	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	112
PID 5116 wrote to memory of 3328	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	112
PID 5116 wrote to memory of 3328	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	112
PID 5116 wrote to memory of 224	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	113
PID 5116 wrote to memory of 224	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	113
PID 5116 wrote to memory of 224	5116	{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe	113
PID 3328 wrote to memory of 4304	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	114
PID 3328 wrote to memory of 4304	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	114
PID 3328 wrote to memory of 4304	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	114
PID 3328 wrote to memory of 1376	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	115
PID 3328 wrote to memory of 1376	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	115
PID 3328 wrote to memory of 1376	3328	{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe	115
PID 4304 wrote to memory of 5016	4304	{719282E8-C783-4335-867E-42ECC0490883}.exe	116
PID 4304 wrote to memory of 5016	4304	{719282E8-C783-4335-867E-42ECC0490883}.exe	116
PID 4304 wrote to memory of 5016	4304	{719282E8-C783-4335-867E-42ECC0490883}.exe	116
PID 4304 wrote to memory of 1340	4304	{719282E8-C783-4335-867E-42ECC0490883}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_d63afda7dbfcaf0c309171dd648b8ec5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
  C:\Windows\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\{E819C441-F55C-4026-8309-5B3E7143A659}.exe
    C:\Windows\{E819C441-F55C-4026-8309-5B3E7143A659}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
      C:\Windows\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
        
        C:\Windows\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
        
        C:\Windows\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
        
        C:\Windows\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
        
        C:\Windows\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
        
        C:\Windows\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
        
        C:\Windows\{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\{719282E8-C783-4335-867E-42ECC0490883}.exe
        
        C:\Windows\{719282E8-C783-4335-867E-42ECC0490883}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
        
        C:\Windows\{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe
        
        C:\Windows\{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69D92~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71928~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26159~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56AD0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEA1C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{357D0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FCC9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87DFB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2E5A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E819C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4D96C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11000B19-9A26-4efe-957D-E1E163B6ACA6}.exe

Filesize
180KB

MD5
53656bcb4bf0d1f4305f95e75edcad40

SHA1
9eaa53add0f929a3120bf37bbadc28a3a9bf603e

SHA256
dda4e0295c8e73a180f317f16702410414ae31ae073770cbbdf12fa6ccc64984

SHA512
a2565750f317065ce9f52f9ceaa2d132f3b9e447d2b23f1a2c0ce2a26e36dc8540a229af9c505b716198e2d47ff01c00ecb8c262f11fb824933e0a8d209e8f24

Download Submit
C:\Windows\{26159FF0-DE0E-4911-970F-099F9F1B4935}.exe

Filesize
180KB

MD5
8b7052c398cf299c2d2ffae69873ac51

SHA1
f2710bedbeebf5cfb15179e84dda540013db15bb

SHA256
9d92c9c9df0a188781177b6bd9adca4ec8d3452bfb7837d508aed35de14c4de8

SHA512
cb67d9ec3dc6b88553f78fdbb90b3c1a086b39105cb1af2cd2f63f7fd17e049f7a373a28ffbe717efb0870cedb2fc78b9448cac97e5817f89991c2a267d6277f

Download Submit
C:\Windows\{357D06E1-D293-4a10-82D1-CED9A8DFA9D4}.exe

Filesize
180KB

MD5
d90c9d43d1bb49b28cb36222db2cca2c

SHA1
52fdcd76e9022e35a685e32fc6f97a5228fa6152

SHA256
1a5dba8eb70ef230051e98e3a420fc89894fcd169684c24132621ed7ed4211d2

SHA512
b1bbcc89ce4b593154602d5e3f1f28e18abfdc6c8ceb8c5755ef8f1f350f137b3b0144e66701aedcfc6f8ad723179a55daa9730fe0c10834999eb114f13df45b

Download Submit
C:\Windows\{3FCC9CB0-2D9E-4bf0-9C6E-3035CE8BA2E6}.exe

Filesize
180KB

MD5
c960ae67f39b4192293a82fd6effd374

SHA1
721f2cf2f2f1960c1b5a27e6c78d3756a64be019

SHA256
ac4fb30bb8c936670d67b107ece89e1461fa129af9ad8000986836dea92d70d8

SHA512
a836c01daf817b0a5304e2129819a74882be14f2e890a6eea0d0bc7004d09115d18b48e9dd52023353bc92c3ccbceab3386eff8917d08f45b946244435318fc3

Download Submit
C:\Windows\{4D96C62F-0342-4e32-9E16-EEEE60BA1A6C}.exe

Filesize
180KB

MD5
0f39dcfb0a28a81d062b704d2528902b

SHA1
34744711bd8440b487004c6be70d66a5cc81769d

SHA256
ba7a0215f1ac186c31ef2df39a2d7d329f5c48ff43ad59359997457090374186

SHA512
88389ff9f81b992c6423a9999a0f93ca89f13b6932c2a1200aa9820343e01808f9cf3edd17afe11e10557ece8b498064e16fa423c5ae3e1d132485875c4bf3ab

Download Submit
C:\Windows\{56AD022F-D8AB-4b7d-A35A-B529AACDCF76}.exe

Filesize
180KB

MD5
b83bff4fc4a2a99778ef3dc64d0d3662

SHA1
c68dd3ef36f97c365a0d9a756ff4f2c28942f6dd

SHA256
8ae97464e1622bd4d56d4959252ba21ee5cb82d909c956cb3bad712dd5c25ed9

SHA512
b43f0ef90ae422ee2534d3e25168a41ae8bd52a65cc10cecda64453f99d74201839ce591f4b6216a2fc253da5c0778c47ae6fcc81394eb284a4d3b30f156f722

Download Submit
C:\Windows\{69D92E5B-90E6-4740-9867-59CED3FB364A}.exe

Filesize
180KB

MD5
bcd13c6535814bec5005aafa18c33c72

SHA1
1c34ad01d36259d27892ac1bd68864cb9c4a1155

SHA256
256ce96847f5d252a7bd1d4bf56d118cb9df98886255d8a80b4ea9ad28f95a4b

SHA512
d977e4e97cc42165299b2dedc11cf03f70af53d25b27245faea8f97738e4b83ec32e113d1da73d8e3d1d63d13bb3dbbda8985ebd145e48a1a4a32332925e58e2

Download Submit
C:\Windows\{719282E8-C783-4335-867E-42ECC0490883}.exe

Filesize
180KB

MD5
19d7616fba7984c3988d2522d5a9c3f0

SHA1
d4ff44439b417d01bfef897733ef40a53e2ca3c4

SHA256
68b3a2db4b60b5b6eca96a20f0047fc5fc8b467d0cf94b2f2e1579f25463b2c7

SHA512
baf1744b07a4d0a784cd02c2460870f12d71ed65dc5937e7e17fdf56c256661ed3030dff2fbfc806646e9130eed263b6978064b24cb447b229d97b915ddaaeee

Download Submit
C:\Windows\{87DFBC4A-0F10-4e66-A1F0-E751683BDD4E}.exe

Filesize
180KB

MD5
5fcf50d0ef0d1b1d0e6f199675a617df

SHA1
98b977e9be0de752bc6dc67d04ce0206e3c8bfbe

SHA256
1ac33e7c57b9de91b7c7e9e71beb23f5f730259f15ed4d051eee7c626d497c0c

SHA512
f44bc1668e325378b5fc7965c7c318493e10c9c8f32bf8986dfbaf06b650456eb333e93d7d705cdfa88fef7b2446b2f370c960486220fbc4c547020651fa3347

Download Submit
C:\Windows\{C2E5AEB2-7BFA-488a-99B9-65387A246A0D}.exe

Filesize
180KB

MD5
12fded1a7a0827604f81b2f7d8205135

SHA1
6877cb747436b3bed3a95bf8ae6d2053ab324b1b

SHA256
32a4a8422addff5a10d58a978a5e8532e8c6ad8b7533ddf4df510ad3fd7ae435

SHA512
b2d4372b99a0ee552507e94a9c247b2c9cc1855694bc1d1619a06812bd360171a8dbfaeacf88c271df66e66aa0ee99bf6b0ec7b0d2693e73326608fefcfc4a5f

Download Submit
C:\Windows\{E819C441-F55C-4026-8309-5B3E7143A659}.exe

Filesize
180KB

MD5
2fc8f23b57884b8f10ff87372b6bf13a

SHA1
e828824759d5309f518ccf5447ce6ca5a9dd947b

SHA256
007717556aa0e4e7401a960a2c7268001c6a1a90291ce116058c2528052ab647

SHA512
5639674eb9e9b618c1743284ab145595750f8af0e22d1bc6e1cb8ce2f2e368fcb49fcf2a282fdd7c7a8be641b4e0323a9bf6c55b49b95c1efb8445acd166bafb

Download Submit
C:\Windows\{FEA1C3E6-83AB-47c2-B7CB-BB3B433F6BD4}.exe

Filesize
180KB

MD5
c3c0e5b4cd623cec610301df25902396

SHA1
4bd35b6fb3a458905a197407b54dfff8a953d95d

SHA256
995c104b51f0ee61e3339c72bdbb00dd7e9518af3bcd641ec40ea5f8dc466e6f

SHA512
8e6e661150caebd11d711cc81385541c27d0483666c0d12defe81f73b29197de5777d4a9aa9af57051a1e79d2aedf81d7bf098035ab3409cd890cf74e27e71ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads