0546acd9318c73f19c333da447064d42dfd9a00900ff373e1dca0c30b692dca7

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
Size

192KB
MD5

ae7306d02832cbd5653c97d6af790e01
SHA1

80c6b488315f8c700fe921dd280aace126f28a2b
SHA256

0546acd9318c73f19c333da447064d42dfd9a00900ff373e1dca0c30b692dca7
SHA512

63494661d622970b3b9986571c24dce5227faa087d3961370b60fa8a884911a71b01b4c74b3524c851ac616df47ab068791f37135b6c72ca32babf559bb189fd
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ovl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7676C5-1213-455e-87CA-67E45631CC37}\stubpath = "C:\\Windows\\{3C7676C5-1213-455e-87CA-67E45631CC37}.exe"	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4A9172-2454-4a1b-82B3-32B8069A5019}\stubpath = "C:\\Windows\\{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe"	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}\stubpath = "C:\\Windows\\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe"	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8FEA4C-F693-4707-AEE6-2791823365CA}	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7676C5-1213-455e-87CA-67E45631CC37}	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF92D38C-793C-496d-88A4-7090954ECEE1}	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA67304-52CF-4bd0-A376-257F8C75C641}	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1BC867-E946-481c-888B-4619CBE5CE53}	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D8FEA4C-F693-4707-AEE6-2791823365CA}\stubpath = "C:\\Windows\\{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe"	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}\stubpath = "C:\\Windows\\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe"	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}\stubpath = "C:\\Windows\\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe"	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4A9172-2454-4a1b-82B3-32B8069A5019}	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA67304-52CF-4bd0-A376-257F8C75C641}\stubpath = "C:\\Windows\\{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe"	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1BC867-E946-481c-888B-4619CBE5CE53}\stubpath = "C:\\Windows\\{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe"	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}\stubpath = "C:\\Windows\\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe"	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF92D38C-793C-496d-88A4-7090954ECEE1}\stubpath = "C:\\Windows\\{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe"	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}\stubpath = "C:\\Windows\\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe"	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}\stubpath = "C:\\Windows\\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe"	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe

Executes dropped EXE 12 IoCs

pid	Process
2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
4324	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
2140	{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
File created	C:\Windows\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
File created	C:\Windows\{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
File created	C:\Windows\{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
File created	C:\Windows\{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
File created	C:\Windows\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
File created	C:\Windows\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
File created	C:\Windows\{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
File created	C:\Windows\{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
File created	C:\Windows\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
File created	C:\Windows\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
File created	C:\Windows\{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
Token: SeIncBasePriorityPrivilege	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
Token: SeIncBasePriorityPrivilege	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
Token: SeIncBasePriorityPrivilege	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
Token: SeIncBasePriorityPrivilege	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
Token: SeIncBasePriorityPrivilege	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
Token: SeIncBasePriorityPrivilege	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
Token: SeIncBasePriorityPrivilege	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
Token: SeIncBasePriorityPrivilege	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
Token: SeIncBasePriorityPrivilege	3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
Token: SeIncBasePriorityPrivilege	4324	{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2692	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	94
PID 3540 wrote to memory of 2692	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	94
PID 3540 wrote to memory of 2692	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	94
PID 3540 wrote to memory of 1240	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	95
PID 3540 wrote to memory of 1240	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	95
PID 3540 wrote to memory of 1240	3540	2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe	95
PID 2692 wrote to memory of 2652	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	96
PID 2692 wrote to memory of 2652	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	96
PID 2692 wrote to memory of 2652	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	96
PID 2692 wrote to memory of 3480	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	97
PID 2692 wrote to memory of 3480	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	97
PID 2692 wrote to memory of 3480	2692	{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe	97
PID 2652 wrote to memory of 1604	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	100
PID 2652 wrote to memory of 1604	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	100
PID 2652 wrote to memory of 1604	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	100
PID 2652 wrote to memory of 1712	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	101
PID 2652 wrote to memory of 1712	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	101
PID 2652 wrote to memory of 1712	2652	{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe	101
PID 1604 wrote to memory of 744	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	102
PID 1604 wrote to memory of 744	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	102
PID 1604 wrote to memory of 744	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	102
PID 1604 wrote to memory of 3188	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	103
PID 1604 wrote to memory of 3188	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	103
PID 1604 wrote to memory of 3188	1604	{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe	103
PID 744 wrote to memory of 2324	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	104
PID 744 wrote to memory of 2324	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	104
PID 744 wrote to memory of 2324	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	104
PID 744 wrote to memory of 452	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	105
PID 744 wrote to memory of 452	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	105
PID 744 wrote to memory of 452	744	{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe	105
PID 2324 wrote to memory of 1556	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	106
PID 2324 wrote to memory of 1556	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	106
PID 2324 wrote to memory of 1556	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	106
PID 2324 wrote to memory of 3068	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	107
PID 2324 wrote to memory of 3068	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	107
PID 2324 wrote to memory of 3068	2324	{3C7676C5-1213-455e-87CA-67E45631CC37}.exe	107
PID 1556 wrote to memory of 4408	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	108
PID 1556 wrote to memory of 4408	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	108
PID 1556 wrote to memory of 4408	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	108
PID 1556 wrote to memory of 4264	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	109
PID 1556 wrote to memory of 4264	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	109
PID 1556 wrote to memory of 4264	1556	{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe	109
PID 4408 wrote to memory of 1600	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	110
PID 4408 wrote to memory of 1600	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	110
PID 4408 wrote to memory of 1600	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	110
PID 4408 wrote to memory of 636	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	111
PID 4408 wrote to memory of 636	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	111
PID 4408 wrote to memory of 636	4408	{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe	111
PID 1600 wrote to memory of 4452	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	112
PID 1600 wrote to memory of 4452	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	112
PID 1600 wrote to memory of 4452	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	112
PID 1600 wrote to memory of 2664	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	113
PID 1600 wrote to memory of 2664	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	113
PID 1600 wrote to memory of 2664	1600	{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe	113
PID 4452 wrote to memory of 3708	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	114
PID 4452 wrote to memory of 3708	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	114
PID 4452 wrote to memory of 3708	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	114
PID 4452 wrote to memory of 2024	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	115
PID 4452 wrote to memory of 2024	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	115
PID 4452 wrote to memory of 2024	4452	{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe	115
PID 3708 wrote to memory of 4324	3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe	116
PID 3708 wrote to memory of 4324	3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe	116
PID 3708 wrote to memory of 4324	3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe	116
PID 3708 wrote to memory of 4224	3708	{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_ae7306d02832cbd5653c97d6af790e01_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
  C:\Windows\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
    C:\Windows\{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
      C:\Windows\{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
        
        C:\Windows\{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Windows\{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
        
        C:\Windows\{3C7676C5-1213-455e-87CA-67E45631CC37}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
        
        C:\Windows\{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
        
        C:\Windows\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
        
        C:\Windows\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
        
        C:\Windows\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
        
        C:\Windows\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
        
        C:\Windows\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe
        
        C:\Windows\{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BA37~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F709~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2B8F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396DF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB93~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF92D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C767~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D8FE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1BC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA67~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE51~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F1BC867-E946-481c-888B-4619CBE5CE53}.exe

Filesize
192KB

MD5
819416dbe1ae0b3160269a48a848f2a4

SHA1
4b078518736d60c881485052a171cc6cebccb2f4

SHA256
3c1d1134441bed04f761d980547718347b531cc8f031a2cbef82f2e422f2f451

SHA512
6c16b04681c43c80cdc4189de5b9502e2495f5c571435d4e17d1937d9a3972028391f38d688be9a39acac07350bca606d3457dcc6ad7368ced34d7f34ee5ab1b

Download Submit
C:\Windows\{0F709E53-A95E-4aa1-BD4D-FF2AC5F04A9A}.exe

Filesize
192KB

MD5
1c8f065879eb09ce26417aaf481c0edb

SHA1
dae7231840d5cfd04bfc611cfa45ffc883648456

SHA256
4275a1cd6b514c6c5e5eb7958ea6af56c55cca5b6ced24cc7ebd3c6a04816a4e

SHA512
cb2d0c94845b33c9351f7b003fb7c4e4c437a79c2b346911b4aea03fc561960b89e6af88ba202ff28bb99fd8f65eaac38ff6bd44a3454eeacdcbf9e9dbb9fcc6

Download Submit
C:\Windows\{396DFEB8-CBE0-472b-AEBA-A1597A35C079}.exe

Filesize
192KB

MD5
864a13311139fd47417ef66e6cdec572

SHA1
326d73fd7e03c76339badfdfed54585d8993e7c1

SHA256
4f4cada0854656601d04d340954bef0c553089acb93ea635eac79955ca300e09

SHA512
6cdac547a76e67a4b3056723848d35546d91d41c1e194bb322df6d5e4f8f8acdcd3c04680aaf06c0bb97fb8d331e084fd5e9effc76a19bf885dc3aeeb3f9b966

Download Submit
C:\Windows\{3BA376B0-2A23-4d7c-84DE-28E6C86A5E33}.exe

Filesize
192KB

MD5
da577b11c8ca105e5cc6175bf15a2b88

SHA1
58052c3840ef8c516b674ba93bf5b484a75c7bd3

SHA256
32da55a86b62ffe47f179065eba955ee505da408bef4c11ed29e10e7e41651c5

SHA512
7a34fb313ae57be6fa2b7fb7494da4f112520e7c953c1cbe08bc43bd8a4153194d17a8efa0d9f3457e945d26afbd20680109d940f148af10a3a27efdc6442dbf

Download Submit
C:\Windows\{3C7676C5-1213-455e-87CA-67E45631CC37}.exe

Filesize
192KB

MD5
09499f30ce2ebbd947e73f1e806d9756

SHA1
2f27fe1909c7cfaf216eaf9cfb29a389435c764c

SHA256
1bdca1ab6f0c5925a68fe02c5c86cee8f36901e5e8d496740a43674f1f506278

SHA512
315b41b78f0e22d60c2d1e094d4da0636fecf83952d6693a4970bcfccbbd23df2e3695555c756e363a368c9cceae20f5cd604ac333a2c57e4997db6ef84f4f62

Download Submit
C:\Windows\{5D8FEA4C-F693-4707-AEE6-2791823365CA}.exe

Filesize
192KB

MD5
0a77747d47879609fe51b958f436a443

SHA1
fd0327823dff6ba16a07805eccb74b1814d72f14

SHA256
fd5e32e4102a82545c3405ac686fcaec5572a7eb3f0c03973feaed000568a9b5

SHA512
dab031341e95819a91c22bb5790c82e8e1e0ae13ed41289de7651e8117ffef6f51d474a573845fe2337bcac44d2f308b55054dd56eaff5cbea469c685df6376b

Download Submit
C:\Windows\{7FB93BDF-A9AD-4658-9155-A038EC816BF5}.exe

Filesize
192KB

MD5
f084025024d81ebd0d7559835b4f22c2

SHA1
d726cd8b7a0d23f7c816f6b331cda49495ef661a

SHA256
77dfcf798541b88da244fb9290358864fdd7d1609f00d7b4bd4fd618e500e4d9

SHA512
ec8a648d34940c4ef3eb9010b487c9e9e31f8da495de9e2481ce47100dd759ad5e583d42a5b004aec47814b6bf6fd160ff604a2e099b7c76e1da01cb8fe3d871

Download Submit
C:\Windows\{9CA67304-52CF-4bd0-A376-257F8C75C641}.exe

Filesize
192KB

MD5
2f128c9272866cd8d762eb38c87133f2

SHA1
a0fc02725407c32dbcc103ac49e6c792b2b35371

SHA256
2af4d7352eacdcb64709d6a896c67388c13a236dafe5ff9b3b5bf7deb72c15e9

SHA512
dfe5a0ea0e775d145df911eb27c71a66353d5fdcef55254eee33743ca1a5cc2b97252e73475862b6ce50d3ba41dbd05c0356af6a846a52de30b531b94acc34c6

Download Submit
C:\Windows\{A2B8F47C-3C82-40e7-B1B4-6D8BE5C23E26}.exe

Filesize
192KB

MD5
7363ad4bae06371e4b29683df05f87c8

SHA1
7ddfbb88f6f8fb76897b3faf078b688071456c9b

SHA256
b714dfaae8511a5db27e72c230a829d596be7f8269837515517b118252b581f5

SHA512
1d9cdd4c9e71875d0302d57ceb8bb540bc0891216372d32ea86605e7bdc5837c2d132c789151ebc2eb99c4ca88e84f657ecf9ba651755bb29165f0e16fa995c6

Download Submit
C:\Windows\{ACE5158B-1DE3-4e59-9363-23F0768B85DB}.exe

Filesize
192KB

MD5
a7bac51ef0eb2328941aaf1188814dd9

SHA1
dd58064728d5462e5fe982034834b72009e51006

SHA256
3545700bbfe3dc730786b2f82b4ce2fece57127b495f25905cfaad920a906fbe

SHA512
a3e052b4ba2e43c6fe2eda7933d38cf4a10c9a2b840cbf10ed178a05ba8fef2564b82e788f7d6ef224c926a326e5e7d7184bbc88280838a8740de9202bdfd62b

Download Submit
C:\Windows\{AF92D38C-793C-496d-88A4-7090954ECEE1}.exe

Filesize
192KB

MD5
9cfa7b379fa99afa90a5c8b8e47e3764

SHA1
a76fbfdbc9f954734f628dcc33f25ffcf3fe8128

SHA256
c2a97d8dadd21b103ee3cc3c823a464c08b0eca04fcccdf7dd6ecf420b20be06

SHA512
41cf0cc51d318961b8b1b3ad8ded660740ccf5088766034635525c9982a50eb8cf56c6a1f185404b99fd175166d02275af2551ac6a5ba5c3d9a156789590ca11

Download Submit
C:\Windows\{EE4A9172-2454-4a1b-82B3-32B8069A5019}.exe

Filesize
192KB

MD5
9afefb75ef6f197cc9f9f34ae6d51298

SHA1
b910478c204920dd66f69aa76a74a6a45d509f52

SHA256
c6df2e9eb3bc4ed7c78d20e65f92b766dcbd1f0bf37c455eb54e39ab018e369c

SHA512
8051105de7d717f13a6ae4292d7db6b670b81357f2ae34c95f3b7e95a484973ee9f37584064e73eeec99309aa09ced2e4c7362c0cb38b116bd4c9dbc9d05fd0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads