d9ea53acf53b7a52df1a5f602b4442f6bcb37eb3e893743906b26cf7d9ea2d8c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Size

197KB
MD5

f35c140cfca4f56c6b1ff77178900bad
SHA1

d7ca4b2b4bcd28fa10751a130182adee71acaebc
SHA256

d9ea53acf53b7a52df1a5f602b4442f6bcb37eb3e893743906b26cf7d9ea2d8c
SHA512

b3f7c9b503a31d0dae8b45ca9b6636a6c8f2db276aa0858cada72a5567459ce24b9d996a26ba721cb66dfd797fe06c122c87e6331fb178b635eb80520ee7b711
SSDEEP

3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}\stubpath = "C:\\Windows\\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe"	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}\stubpath = "C:\\Windows\\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe"	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}\stubpath = "C:\\Windows\\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe"	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}\stubpath = "C:\\Windows\\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe"	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3190EC31-AFDA-4283-848E-16DF4382FAD2}	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141641F4-451A-4254-B7F6-98A17DAA6493}\stubpath = "C:\\Windows\\{141641F4-451A-4254-B7F6-98A17DAA6493}.exe"	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}\stubpath = "C:\\Windows\\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe"	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}\stubpath = "C:\\Windows\\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe"	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}\stubpath = "C:\\Windows\\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe"	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3190EC31-AFDA-4283-848E-16DF4382FAD2}\stubpath = "C:\\Windows\\{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe"	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141641F4-451A-4254-B7F6-98A17DAA6493}	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}\stubpath = "C:\\Windows\\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe"	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}\stubpath = "C:\\Windows\\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe"	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11D8594F-EBC5-4688-9C55-58934389CD2D}	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11D8594F-EBC5-4688-9C55-58934389CD2D}\stubpath = "C:\\Windows\\{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe"	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe

Executes dropped EXE 12 IoCs

pid	Process
4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
4432	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
2612	{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
File created	C:\Windows\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
File created	C:\Windows\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
File created	C:\Windows\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
File created	C:\Windows\{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
File created	C:\Windows\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
File created	C:\Windows\{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
File created	C:\Windows\{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
File created	C:\Windows\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
File created	C:\Windows\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
File created	C:\Windows\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
File created	C:\Windows\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
Token: SeIncBasePriorityPrivilege	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
Token: SeIncBasePriorityPrivilege	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
Token: SeIncBasePriorityPrivilege	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
Token: SeIncBasePriorityPrivilege	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
Token: SeIncBasePriorityPrivilege	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
Token: SeIncBasePriorityPrivilege	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
Token: SeIncBasePriorityPrivilege	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
Token: SeIncBasePriorityPrivilege	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
Token: SeIncBasePriorityPrivilege	3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
Token: SeIncBasePriorityPrivilege	4432	{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4496	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	94
PID 3088 wrote to memory of 4496	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	94
PID 3088 wrote to memory of 4496	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	94
PID 3088 wrote to memory of 4432	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	95
PID 3088 wrote to memory of 4432	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	95
PID 3088 wrote to memory of 4432	3088	2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe	95
PID 4496 wrote to memory of 4480	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	96
PID 4496 wrote to memory of 4480	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	96
PID 4496 wrote to memory of 4480	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	96
PID 4496 wrote to memory of 4044	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	97
PID 4496 wrote to memory of 4044	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	97
PID 4496 wrote to memory of 4044	4496	{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe	97
PID 4480 wrote to memory of 4084	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	100
PID 4480 wrote to memory of 4084	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	100
PID 4480 wrote to memory of 4084	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	100
PID 4480 wrote to memory of 1436	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	101
PID 4480 wrote to memory of 1436	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	101
PID 4480 wrote to memory of 1436	4480	{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe	101
PID 4084 wrote to memory of 4816	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	102
PID 4084 wrote to memory of 4816	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	102
PID 4084 wrote to memory of 4816	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	102
PID 4084 wrote to memory of 3284	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	103
PID 4084 wrote to memory of 3284	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	103
PID 4084 wrote to memory of 3284	4084	{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe	103
PID 4816 wrote to memory of 2900	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	104
PID 4816 wrote to memory of 2900	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	104
PID 4816 wrote to memory of 2900	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	104
PID 4816 wrote to memory of 3164	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	105
PID 4816 wrote to memory of 3164	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	105
PID 4816 wrote to memory of 3164	4816	{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe	105
PID 2900 wrote to memory of 1624	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	106
PID 2900 wrote to memory of 1624	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	106
PID 2900 wrote to memory of 1624	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	106
PID 2900 wrote to memory of 1480	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	107
PID 2900 wrote to memory of 1480	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	107
PID 2900 wrote to memory of 1480	2900	{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe	107
PID 1624 wrote to memory of 4360	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	108
PID 1624 wrote to memory of 4360	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	108
PID 1624 wrote to memory of 4360	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	108
PID 1624 wrote to memory of 4004	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	109
PID 1624 wrote to memory of 4004	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	109
PID 1624 wrote to memory of 4004	1624	{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe	109
PID 4360 wrote to memory of 4584	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	110
PID 4360 wrote to memory of 4584	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	110
PID 4360 wrote to memory of 4584	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	110
PID 4360 wrote to memory of 3768	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	111
PID 4360 wrote to memory of 3768	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	111
PID 4360 wrote to memory of 3768	4360	{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe	111
PID 4584 wrote to memory of 4716	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	112
PID 4584 wrote to memory of 4716	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	112
PID 4584 wrote to memory of 4716	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	112
PID 4584 wrote to memory of 3600	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	113
PID 4584 wrote to memory of 3600	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	113
PID 4584 wrote to memory of 3600	4584	{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe	113
PID 4716 wrote to memory of 3520	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	114
PID 4716 wrote to memory of 3520	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	114
PID 4716 wrote to memory of 3520	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	114
PID 4716 wrote to memory of 3968	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	115
PID 4716 wrote to memory of 3968	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	115
PID 4716 wrote to memory of 3968	4716	{141641F4-451A-4254-B7F6-98A17DAA6493}.exe	115
PID 3520 wrote to memory of 4432	3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe	116
PID 3520 wrote to memory of 4432	3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe	116
PID 3520 wrote to memory of 4432	3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe	116
PID 3520 wrote to memory of 3880	3520	{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_f35c140cfca4f56c6b1ff77178900bad_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
  C:\Windows\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
    C:\Windows\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
      C:\Windows\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
        
        C:\Windows\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
        
        C:\Windows\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
        
        C:\Windows\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
        
        C:\Windows\{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
        
        C:\Windows\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
        
        C:\Windows\{141641F4-451A-4254-B7F6-98A17DAA6493}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
        
        C:\Windows\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
        
        C:\Windows\{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe
        
        C:\Windows\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11D85~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DBA4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14164~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AADE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3190E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC7F0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4845~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F25C6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14ED6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{45EF8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C9D6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DBA44D6-9F9F-43e1-8FF6-C83E3B9E8E61}.exe

Filesize
197KB

MD5
85bb28e5a01206aaf4de55528c703ac7

SHA1
a29bf15f0650ce8243509bebdcf1584c78c82df6

SHA256
2b3b181a40d765faf6a2d97e3e6e2f7ffa3112f818653025ac8edf8e365ec313

SHA512
ea5c426db7af231441bc2f6d34e2320445c0d9b5bda241f953dc599bc6b3e85eee2096af6039fd3713b8506fb9fa3308bf1188ac1dcbb4b880db2012ceaee33a

Download Submit
C:\Windows\{11D8594F-EBC5-4688-9C55-58934389CD2D}.exe

Filesize
197KB

MD5
e91e99e238e45efa17321b45db9dbfb0

SHA1
5194ce42a5f527b5847984ddc1a84d450922d14e

SHA256
64b37209d796f0d7210cb061deaee2b41c21df6e973b0af2cbf0548046813f1e

SHA512
a5edfcbbbb9b4fc07bda92a463396ec10ac2e84bf3868d0aeaec0164bfcce00cc3150622d759717d97fb696195f1a9e015feb8fb5dc887a750480afdb626e17f

Download Submit
C:\Windows\{141641F4-451A-4254-B7F6-98A17DAA6493}.exe

Filesize
197KB

MD5
652a0df2b37b86748fbea0dc500f2573

SHA1
19db5d755b928dc8bde05f1104125c5a00b36ed3

SHA256
1338af005f400c7c37cacdcf411c4211740840f4377ae5f2638bbef5c41e9455

SHA512
22a9df0d49404773c678fe1d99b0c115d3f3c0b114288d87a9f58408116cb9a089d894a84e818d1922fef99a924ed89719473e486fdb5dc4e7a774625a491160

Download Submit
C:\Windows\{14ED6F29-B9FE-453e-8762-DEEC4AA31C22}.exe

Filesize
197KB

MD5
e8288801e4be2f6f305389de4f027cbd

SHA1
4095d3039c7e747bf05f5a7bbcb6c24ce7312934

SHA256
c2e441e80b450a2e7d972d0654444dd373b9f149e0b5e0ebb2f2ccf13d7675fe

SHA512
d5c8256c1165ca0c42f86ee302946835a49c2271c993f8f0aa37188f5e8bac2ac1a01d71991c94cb673fa10d72014cd4a70ddb48801d4ef197a8e790e7af7131

Download Submit
C:\Windows\{3190EC31-AFDA-4283-848E-16DF4382FAD2}.exe

Filesize
197KB

MD5
d57d78c0d9f7e04a52b2b16d07ef477a

SHA1
1f96f931a7082071433a6e7572a18dd945311f4d

SHA256
89f3081546add80254d7bbf0e22b1569ecb227671163e2b525fbb1f60c2a9a86

SHA512
5f44bd1b528e131153dd96976014c54f8e3e17ceb4db77c76a160615e2f71e1180511ea75d0ebe476c56044fc7ffaf1765c1daf09feea940fa3672472c7d9ea5

Download Submit
C:\Windows\{45EF830E-D5C0-414a-83A9-BDDD3E6A81D9}.exe

Filesize
197KB

MD5
78d14c536a4208301fdc822e8e912011

SHA1
f4cc2f97decb48a32b43ad2783851831cef46e3d

SHA256
cc4017fb6bcf0f0e8b4ebe064750866823b0d12fa4629c49576c8b99c50dd757

SHA512
45b39022b76cde74c1a19bb8bcb9042090c257bff9323e868c48ae674727bd82ada275e1cdb9b7791ca71a8e0ef407f575c4f90d8b1233e3f5817f8b5fb9e7b8

Download Submit
C:\Windows\{4AADE4DD-C46D-46e1-A1C0-48AFA110BD53}.exe

Filesize
197KB

MD5
93ae2aa682ce0237055a6807a5e8390c

SHA1
8e14d027f0577d79991158667333e14a33c9a589

SHA256
98a52d05e6d618fb5ad0938dc780935df0d69ea697200860d1d606e0f2b37697

SHA512
c5f45b0a40913fe3cb7552021cdaaa1e8fcb14deb9d7dc2ce95ca40de9b9a12735fc8127aaca6ebd7d96cf4c56ca372e1e9df270b758e6bcf4d774a5f8fd423e

Download Submit
C:\Windows\{52041FEE-8B03-48f9-AB80-1A02C5196DD2}.exe

Filesize
197KB

MD5
b6e248a0238656b7875f699f95e826d9

SHA1
7a5e9643682350b3d7c4e740c2f1b4033f14c50d

SHA256
0704b5095479f00103a278299cc08cd672f670f602637723d2895a46c749713c

SHA512
0fe69d0154a8b9a87911f15f3aed5320369fc9b4a2621be3a1e1a826cb26d6e58a3d100816d95a683f821d50629fd8b1e65a45223cb54e8f0b8d4b845732a25e

Download Submit
C:\Windows\{6C9D6BD9-9612-44ce-ACD4-4D6CFA4B3054}.exe

Filesize
197KB

MD5
c849325d0f76e1f3973ac83f3476dd1f

SHA1
dcda38c843ceecf2bfe2fdb2010fd78767704a9e

SHA256
d32481e5f7a046d979e21dbf838afaeacef0768a193a0a705efb463ad964a50d

SHA512
84f66770cabfdf5633e252f577025fdda1a5fe864b6b4edafb97f6d839dac9c747abfdd88f3541e1824cfd866f9f9641c7db8cd5b2f692284834cbf969365ace

Download Submit
C:\Windows\{A4845DA6-7358-4a27-B3AA-FC79CE805EEC}.exe

Filesize
197KB

MD5
71f18cfe8040118f429fd86193d6408a

SHA1
76d6c272f0662ce14312eda2e3b9b2785623d5ab

SHA256
f545115f2a94f6992d228f7aee685d73301bcb9b5a8a5a5bba3931532df298e0

SHA512
fa840669ca065486e63a7bb2cc89505df56c8cdc4ccb844bcf9dfa28c56d69de401f5913f75cb49e01e19dbdcd17afa173e82522dd2e7c4a6ed72e500a8f5284

Download Submit
C:\Windows\{F25C6F19-9F43-4f19-9F3E-33178F3BC4F0}.exe

Filesize
197KB

MD5
a87d8903717a949264013cc8a744cf71

SHA1
1cdc61299e7f801b8a5c6c47a39140e57cdb01bf

SHA256
aadef5665f298a090ee474554bb41fcd1b760bef800c03558a023be30aa4492b

SHA512
2b835d3ce5bf0063d6f84e58d96908d4b868ee1361b4ad12a36bb6fc806755d1a4657e53d45706068f3500c7c0317ee1e7430c83cb7151d0340e51a1d6bcc031

Download Submit
C:\Windows\{FC7F0ABC-B388-49a9-BBC9-B70219601D93}.exe

Filesize
197KB

MD5
509e26f116d751cfc20a0e60f7855945

SHA1
fcc3ab549f2765257665d44fd918aaaa35ca6f8f

SHA256
2e4e6280684b06068cde49efe20e6a186391fca3d12d49359984bff44bd9a53e

SHA512
786834e7930fb39c7df973b207bb46076532b92fb23be28110e9ea5af3b06e0c5e869e2c7a0c6ccbee70cc5b35508955a800e12719dd564b8a1be7c27c58cfcd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads