2a9d544fe84445f3fa192e494c0e6246a8b37e254483d63753db865b58be0ebb

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
Size

168KB
MD5

430bcaeeac9b82fd285aff150b12c846
SHA1

40df45355f9da6dd9fede7bb0b43a6ae6a50e31b
SHA256

2a9d544fe84445f3fa192e494c0e6246a8b37e254483d63753db865b58be0ebb
SHA512

e16078d4ade4ecc03482b09565c6b39d71f3b447416bf750065e184d7653606b2d00795c84c7823983dfee15f4c1bb3d994310138e0b10246be80e7aaaf82b51
SSDEEP

1536:1EGh0oMlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oMlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC220153-3EB2-4a71-8C32-3A118B5681AC}	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}\stubpath = "C:\\Windows\\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe"	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0DA9476-0443-4061-989C-A8B9099E40D8}\stubpath = "C:\\Windows\\{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe"	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}\stubpath = "C:\\Windows\\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe"	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}\stubpath = "C:\\Windows\\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe"	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0DA9476-0443-4061-989C-A8B9099E40D8}	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7BC677-FC88-4994-895A-1D88C794ECFA}\stubpath = "C:\\Windows\\{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe"	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}\stubpath = "C:\\Windows\\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe"	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A691F-130E-4bf1-BD89-1A3E61936A95}\stubpath = "C:\\Windows\\{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe"	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC220153-3EB2-4a71-8C32-3A118B5681AC}\stubpath = "C:\\Windows\\{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe"	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B17A691F-130E-4bf1-BD89-1A3E61936A95}	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}\stubpath = "C:\\Windows\\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe"	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7BC677-FC88-4994-895A-1D88C794ECFA}	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}\stubpath = "C:\\Windows\\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe"	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}\stubpath = "C:\\Windows\\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe"	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}\stubpath = "C:\\Windows\\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe"	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe

Executes dropped EXE 12 IoCs

pid	Process
872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
2204	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
2852	{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
File created	C:\Windows\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
File created	C:\Windows\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
File created	C:\Windows\{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
File created	C:\Windows\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
File created	C:\Windows\{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
File created	C:\Windows\{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
File created	C:\Windows\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
File created	C:\Windows\{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
File created	C:\Windows\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
File created	C:\Windows\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
File created	C:\Windows\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
Token: SeIncBasePriorityPrivilege	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
Token: SeIncBasePriorityPrivilege	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
Token: SeIncBasePriorityPrivilege	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
Token: SeIncBasePriorityPrivilege	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
Token: SeIncBasePriorityPrivilege	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
Token: SeIncBasePriorityPrivilege	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
Token: SeIncBasePriorityPrivilege	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
Token: SeIncBasePriorityPrivilege	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
Token: SeIncBasePriorityPrivilege	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
Token: SeIncBasePriorityPrivilege	2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
Token: SeIncBasePriorityPrivilege	2204	{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 872	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	94
PID 4372 wrote to memory of 872	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	94
PID 4372 wrote to memory of 872	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	94
PID 4372 wrote to memory of 4028	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	95
PID 4372 wrote to memory of 4028	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	95
PID 4372 wrote to memory of 4028	4372	2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe	95
PID 872 wrote to memory of 228	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	96
PID 872 wrote to memory of 228	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	96
PID 872 wrote to memory of 228	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	96
PID 872 wrote to memory of 4884	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	97
PID 872 wrote to memory of 4884	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	97
PID 872 wrote to memory of 4884	872	{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe	97
PID 228 wrote to memory of 2992	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	100
PID 228 wrote to memory of 2992	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	100
PID 228 wrote to memory of 2992	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	100
PID 228 wrote to memory of 3960	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	101
PID 228 wrote to memory of 3960	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	101
PID 228 wrote to memory of 3960	228	{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe	101
PID 2992 wrote to memory of 4544	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	102
PID 2992 wrote to memory of 4544	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	102
PID 2992 wrote to memory of 4544	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	102
PID 2992 wrote to memory of 4652	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	103
PID 2992 wrote to memory of 4652	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	103
PID 2992 wrote to memory of 4652	2992	{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe	103
PID 4544 wrote to memory of 1640	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	104
PID 4544 wrote to memory of 1640	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	104
PID 4544 wrote to memory of 1640	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	104
PID 4544 wrote to memory of 4484	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	105
PID 4544 wrote to memory of 4484	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	105
PID 4544 wrote to memory of 4484	4544	{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe	105
PID 1640 wrote to memory of 220	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	106
PID 1640 wrote to memory of 220	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	106
PID 1640 wrote to memory of 220	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	106
PID 1640 wrote to memory of 2300	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	107
PID 1640 wrote to memory of 2300	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	107
PID 1640 wrote to memory of 2300	1640	{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe	107
PID 220 wrote to memory of 4552	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	108
PID 220 wrote to memory of 4552	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	108
PID 220 wrote to memory of 4552	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	108
PID 220 wrote to memory of 3040	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	109
PID 220 wrote to memory of 3040	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	109
PID 220 wrote to memory of 3040	220	{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe	109
PID 4552 wrote to memory of 5036	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	110
PID 4552 wrote to memory of 5036	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	110
PID 4552 wrote to memory of 5036	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	110
PID 4552 wrote to memory of 4752	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	111
PID 4552 wrote to memory of 4752	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	111
PID 4552 wrote to memory of 4752	4552	{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe	111
PID 5036 wrote to memory of 4764	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	112
PID 5036 wrote to memory of 4764	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	112
PID 5036 wrote to memory of 4764	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	112
PID 5036 wrote to memory of 3232	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	113
PID 5036 wrote to memory of 3232	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	113
PID 5036 wrote to memory of 3232	5036	{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe	113
PID 4764 wrote to memory of 2228	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	114
PID 4764 wrote to memory of 2228	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	114
PID 4764 wrote to memory of 2228	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	114
PID 4764 wrote to memory of 4592	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	115
PID 4764 wrote to memory of 4592	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	115
PID 4764 wrote to memory of 4592	4764	{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe	115
PID 2228 wrote to memory of 2204	2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe	116
PID 2228 wrote to memory of 2204	2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe	116
PID 2228 wrote to memory of 2204	2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe	116
PID 2228 wrote to memory of 3416	2228	{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_430bcaeeac9b82fd285aff150b12c846_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
  C:\Windows\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
    C:\Windows\{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
      C:\Windows\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
        
        C:\Windows\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
        
        C:\Windows\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
        
        C:\Windows\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
        
        C:\Windows\{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
        
        C:\Windows\{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
        
        C:\Windows\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
        
        C:\Windows\{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
        
        C:\Windows\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe
        
        C:\Windows\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A291A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7BC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42781~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B17A6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC220~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9CAB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E11D9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD772~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34325~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0DA9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{868AE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3432516E-9463-44cb-BF7E-7D9F64E3ED85}.exe

Filesize
168KB

MD5
7b81349823ca187907d81041b823cdf0

SHA1
75c49546375ea2f372befb9e8487cdbda011150a

SHA256
af964ed72e29396766194971fdd961e6ad1a0887f503c20d7d1df58a84bfb643

SHA512
f9a9183ca18509a5bc88f406101164b43b0c1380521600ea16b83507cf7df6d81fcfa881ac2066440ec8cf9ceef0d3d57a4d340c777f9de9fbeb3770a7255251

Download Submit
C:\Windows\{42781F62-A786-4ac4-9FD0-CA21C0645CB5}.exe

Filesize
168KB

MD5
6098a1a2bcf618ac94567a022113c78f

SHA1
97ecf77fe5ba9f034fa085cab4cdb82902c6f3c4

SHA256
b8e89563673ae4f1e20c844e9d14776f9deeb2c045ed257552ac5074bd0c90d3

SHA512
0efdf4c7131e79687b8c7e1a78d454645fbbe6751de26be4c5b54df8b078bea9e3788ee6da7c4c37b3510d054b60a281165eb81e342d2f202fe99ea1acb1c1f5

Download Submit
C:\Windows\{868AEA0E-2C8B-4e70-ABBB-C132EECFA673}.exe

Filesize
168KB

MD5
82ecd36c26d06146e53b598806fca10d

SHA1
d16aa895105ce9003e13bfc2780b6fb81e916d36

SHA256
6068d2d6b3660e05571f855d0512f76dcae05ff54cd4fabdb0503cd33db85625

SHA512
a5c95d4232f0e111e774614b073367a9d49962b206fd8766827981e0d6845435b180005e5b8cad2303e19a82c1daeb090cadd6bcd51fdbef172b0e2773af4a2f

Download Submit
C:\Windows\{8A7BC677-FC88-4994-895A-1D88C794ECFA}.exe

Filesize
168KB

MD5
6c9c34b57f09ac79a50a1d6ca1172d38

SHA1
b2cfdb13b14b6a6df7a66c78ecac688b39ef72b3

SHA256
2310784fb9e7af84e65e10392b8884fd6373763711d03d31b6ee01b3eff18ff4

SHA512
b4a5aa4a081d7db0d100047e4e8ab472c007daad1f831880e3c6989c4bef6e8bbd004cdb16230ccd410113453abc6f6eea0c4344778a34587eac0c842bad7241

Download Submit
C:\Windows\{A291ABA3-AFD0-4ba9-9ECB-C0EEAE800337}.exe

Filesize
168KB

MD5
d657091f99fd75f5934bea36a3ea6926

SHA1
9552029480cf2a0c3cdc578d10ca0d61811d5ef8

SHA256
2a0ea6f1e41b16238bffe4f98266414ae4d6dbd4e91b96fe92d6c39d667e9fb0

SHA512
f17a2c359793216dd4ead21ec4a9435b7e1cbe53fd12a20080d719c5cc2aa0225dbc10a5d4960dbf427d83e251daad05b38c591bd2f0a1596dbf50bd801d4ada

Download Submit
C:\Windows\{B17A691F-130E-4bf1-BD89-1A3E61936A95}.exe

Filesize
168KB

MD5
b0e68c37745171ca08339abd58044591

SHA1
ef477a495235d611d078bd690d4983d50f615677

SHA256
c6a8c5ac28ba645d4a19a4c1e26c71b5fb0c21ada1691cdd9f5f21dec3bf86ba

SHA512
b0a59b122a54a8581fef3e9554dcb55cbc7dda59359278c8b88c3863bf075e668a2e92818315feeb6f772bdde80fda371772d9cd4e6cea78acd7fd2b1337f962

Download Submit
C:\Windows\{CD772142-4BA8-48df-86C0-1DCBF9AE62E3}.exe

Filesize
168KB

MD5
1ce0d267674dd8377cc9fea3e014d4d8

SHA1
9fb11961cf3b9bcde3fa528a1c6d18877ab3fcd1

SHA256
96bf9c7c4447b8800cabe07ed2ffb6a9f7c00ac49a7c1da6c21bcab6e4c27a8a

SHA512
36b6d506cb226a60b8dd6b2df7286decc3c29ad50651c859737055756f1ce4a870287527f4e863b313f94f1edac99611031c2c28288b1ab9b362f8da6960af64

Download Submit
C:\Windows\{DB899939-9FED-4cfd-84CB-BFFA9690B57B}.exe

Filesize
168KB

MD5
ff5ff8dd05f21342855ff2eb8323ce9d

SHA1
b2bce55a814181defccbb11799b1fe8a99853e01

SHA256
4709b36a86ac525aa73deaf026a0376755c9cb94fed1ac66952e51cd0e6fc27a

SHA512
5715053efc9ed4e173c4b170b68731981fa2cd4e1960023d31b2d0e3e1b5017047da90750ea9a2a93f4e986945e8a726a0e073e1f45c63c015e9f343806e8f18

Download Submit
C:\Windows\{E0DA9476-0443-4061-989C-A8B9099E40D8}.exe

Filesize
168KB

MD5
9d97907657118796f2f1ccd276fb0fb9

SHA1
2d22366fca051c04714eaf352e50dc65dcfb41d8

SHA256
3b9609edacfc3ef27a27dccba2284f0f489def869fb85901bfe50c3a9fbccbe7

SHA512
4ff1a1230448acc4ac7c7605bd3b7634139a4f76d7f91972c7c06fe0fe888d09261ddd9ee29aef7254d48f2438349bf73831b009efd7657dfd3caa218daa9e39

Download Submit
C:\Windows\{E11D9DF6-92BE-4aca-A1B1-AAFEFEA41D00}.exe

Filesize
168KB

MD5
44b3a0057d85ede9fdee5a7e217cb6b8

SHA1
55fb77203b7347b13d8851d167519544aabb4d6c

SHA256
8095a02d6da1c4660a5f2ad17e59eb6dbda7c5e49fd21fd8da40d49825d839c8

SHA512
37b07060ba63c4ed11e7911f420a612856556349ae00487fe3d6bdb65880a4770eaab442c8c7addde0809ffcb5eaabba594ccd129816c0a5dec3630fae93adea

Download Submit
C:\Windows\{F9CAB9A0-217B-4fcc-ADD2-B0B98A373C08}.exe

Filesize
168KB

MD5
ed991e233c999958332aa43276c14320

SHA1
321249ae927745bcca9bc7f89fcb8f583d58395a

SHA256
28d60fcb8bd7f60bbb7106a87b8d22aeca0341a8ff07e65d77c6d0f2b89726de

SHA512
d9a7d4492a43828a48f3fd63b04c4fd18cd3a336284926111141470c6e8ea042f179c74390234c66a6b9e591a45097e95b2ddc067c338961896b500713ff2a63

Download Submit
C:\Windows\{FC220153-3EB2-4a71-8C32-3A118B5681AC}.exe

Filesize
168KB

MD5
90754afc3511bdd9eca0d830ba05ea30

SHA1
67a9421129085a78b37f2cbb3785d04a24bacdd9

SHA256
1f29bb04c0b7334b807e6dc52ea62c3f9f693a1809e17da54489f762e00a17d5

SHA512
118638c5c05ada7b641af86bb3598a3009f9b2aad444e74154cc46f9c8d31bcd591e7e5f28039eb16d85537cd97a71c9f7fddd7c727b85775fecacec17e00c3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads