f509bfc9181521dee5c86871a9445425393af0b03a5e54628b4af7bc092b6231

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Size

168KB
MD5

39f0f0ac91587a550a4d87f57cdaae63
SHA1

26b701582c1ce0f1718790b799e7973f6bf328c1
SHA256

f509bfc9181521dee5c86871a9445425393af0b03a5e54628b4af7bc092b6231
SHA512

f2e9b027006e3a40911b972c0f95173b7b0f954d48002b4955d097ecf414b5ed165b28d93c26909658bc2e5818300dfdac9472b1012d3aa6f5f626599e43ece4
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A28566-B5D9-4b00-8273-772022DF8831}\stubpath = "C:\\Windows\\{01A28566-B5D9-4b00-8273-772022DF8831}.exe"	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}\stubpath = "C:\\Windows\\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe"	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C681C648-5881-4f86-A089-F3DE1F51DED1}	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}\stubpath = "C:\\Windows\\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe"	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99155991-0459-4ac5-B959-7DD7EAEB8829}	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01A28566-B5D9-4b00-8273-772022DF8831}	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}\stubpath = "C:\\Windows\\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe"	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}\stubpath = "C:\\Windows\\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe"	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}\stubpath = "C:\\Windows\\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe"	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}\stubpath = "C:\\Windows\\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe"	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}\stubpath = "C:\\Windows\\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe"	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C681C648-5881-4f86-A089-F3DE1F51DED1}\stubpath = "C:\\Windows\\{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe"	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BA4D2E-A614-4368-81D0-49555CAC8218}\stubpath = "C:\\Windows\\{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe"	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99155991-0459-4ac5-B959-7DD7EAEB8829}\stubpath = "C:\\Windows\\{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe"	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}\stubpath = "C:\\Windows\\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe"	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1BA4D2E-A614-4368-81D0-49555CAC8218}	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
2212	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
1144	{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
File created	C:\Windows\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
File created	C:\Windows\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
File created	C:\Windows\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
File created	C:\Windows\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
File created	C:\Windows\{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
File created	C:\Windows\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
File created	C:\Windows\{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
File created	C:\Windows\{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
File created	C:\Windows\{01A28566-B5D9-4b00-8273-772022DF8831}.exe	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
File created	C:\Windows\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
File created	C:\Windows\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
Token: SeIncBasePriorityPrivilege	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
Token: SeIncBasePriorityPrivilege	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
Token: SeIncBasePriorityPrivilege	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe
Token: SeIncBasePriorityPrivilege	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
Token: SeIncBasePriorityPrivilege	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
Token: SeIncBasePriorityPrivilege	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
Token: SeIncBasePriorityPrivilege	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
Token: SeIncBasePriorityPrivilege	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
Token: SeIncBasePriorityPrivilege	4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
Token: SeIncBasePriorityPrivilege	2212	{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4684	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	92
PID 1052 wrote to memory of 4684	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	92
PID 1052 wrote to memory of 4684	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	92
PID 1052 wrote to memory of 1144	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	93
PID 1052 wrote to memory of 1144	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	93
PID 1052 wrote to memory of 1144	1052	2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe	93
PID 4684 wrote to memory of 3804	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	94
PID 4684 wrote to memory of 3804	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	94
PID 4684 wrote to memory of 3804	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	94
PID 4684 wrote to memory of 3900	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	95
PID 4684 wrote to memory of 3900	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	95
PID 4684 wrote to memory of 3900	4684	{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe	95
PID 3804 wrote to memory of 4664	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	98
PID 3804 wrote to memory of 4664	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	98
PID 3804 wrote to memory of 4664	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	98
PID 3804 wrote to memory of 2692	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	99
PID 3804 wrote to memory of 2692	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	99
PID 3804 wrote to memory of 2692	3804	{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe	99
PID 4664 wrote to memory of 512	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	100
PID 4664 wrote to memory of 512	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	100
PID 4664 wrote to memory of 512	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	100
PID 4664 wrote to memory of 4312	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	101
PID 4664 wrote to memory of 4312	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	101
PID 4664 wrote to memory of 4312	4664	{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe	101
PID 512 wrote to memory of 4804	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	102
PID 512 wrote to memory of 4804	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	102
PID 512 wrote to memory of 4804	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	102
PID 512 wrote to memory of 4720	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	103
PID 512 wrote to memory of 4720	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	103
PID 512 wrote to memory of 4720	512	{01A28566-B5D9-4b00-8273-772022DF8831}.exe	103
PID 4804 wrote to memory of 2896	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	104
PID 4804 wrote to memory of 2896	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	104
PID 4804 wrote to memory of 2896	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	104
PID 4804 wrote to memory of 2444	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	105
PID 4804 wrote to memory of 2444	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	105
PID 4804 wrote to memory of 2444	4804	{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe	105
PID 2896 wrote to memory of 3832	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	106
PID 2896 wrote to memory of 3832	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	106
PID 2896 wrote to memory of 3832	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	106
PID 2896 wrote to memory of 4292	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	107
PID 2896 wrote to memory of 4292	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	107
PID 2896 wrote to memory of 4292	2896	{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe	107
PID 3832 wrote to memory of 1992	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	108
PID 3832 wrote to memory of 1992	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	108
PID 3832 wrote to memory of 1992	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	108
PID 3832 wrote to memory of 3056	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	109
PID 3832 wrote to memory of 3056	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	109
PID 3832 wrote to memory of 3056	3832	{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe	109
PID 1992 wrote to memory of 1100	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	110
PID 1992 wrote to memory of 1100	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	110
PID 1992 wrote to memory of 1100	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	110
PID 1992 wrote to memory of 3120	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	111
PID 1992 wrote to memory of 3120	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	111
PID 1992 wrote to memory of 3120	1992	{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe	111
PID 1100 wrote to memory of 4436	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	112
PID 1100 wrote to memory of 4436	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	112
PID 1100 wrote to memory of 4436	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	112
PID 1100 wrote to memory of 968	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	113
PID 1100 wrote to memory of 968	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	113
PID 1100 wrote to memory of 968	1100	{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe	113
PID 4436 wrote to memory of 2212	4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe	114
PID 4436 wrote to memory of 2212	4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe	114
PID 4436 wrote to memory of 2212	4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe	114
PID 4436 wrote to memory of 4808	4436	{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_39f0f0ac91587a550a4d87f57cdaae63_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
  C:\Windows\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
    C:\Windows\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
      C:\Windows\{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\{01A28566-B5D9-4b00-8273-772022DF8831}.exe
        
        C:\Windows\{01A28566-B5D9-4b00-8273-772022DF8831}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
      - C:\Windows\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
        
        C:\Windows\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
        
        C:\Windows\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
        
        C:\Windows\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
        
        C:\Windows\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
        
        C:\Windows\{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
        
        C:\Windows\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
        
        C:\Windows\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe
        
        C:\Windows\{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A246~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DEFB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C681C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BF9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54A28~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6CEB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDFB6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01A28~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99155~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DFF3F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{81C9C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01A28566-B5D9-4b00-8273-772022DF8831}.exe

Filesize
168KB

MD5
9a797fb36a3ba11e5ab80a772fee743e

SHA1
13884b3cf6bdc0b671569bde4da233956ad30d24

SHA256
bf2f9071cd1faeadc238ab5387574b987666b6663e52913e44fe1cde1f5b8bf7

SHA512
0857fd4eacf00867fb586e2a804957dc7ce06f82d39a8ca9a132c69ccf2ad72db2b798746c062d0b5f01c49b2243b8922d56c6b5ee4022c621b8d57e365ff372

Download Submit
C:\Windows\{54A2839A-6EEA-447b-A135-0BDD31B15FB8}.exe

Filesize
168KB

MD5
8f2a4ea9680824d79be20f2bad19a364

SHA1
52ac002e60aa652d631c9f383b8e7af7e5f756be

SHA256
00e07c7615a63cae8ef359b10778942c37741e8f86801b19317a667522d45686

SHA512
f2e03b0a47b7a8914eba1f2b62576a21079f12010ae04bd52966502330837a96c5e2de0696b75327c95d50824bb44e7223a5f83366c1b9f0e89a9fa3cbc7429b

Download Submit
C:\Windows\{6A24659D-50CB-4402-BFD6-12C55F74B4E2}.exe

Filesize
168KB

MD5
6fdea4eeea0b3812adb55968e5404d6d

SHA1
6a94677204a85ea0a83899a45b3849dfc5752228

SHA256
f19339289294a31a1c451349d149df90fee0b276fa2056dbfdd8ddd19428f40a

SHA512
95ee4f5b3c3c0fbebc6563efcb944ec393a1323e6cd1df889199ca6afbd835564ca9d015d241bc69b38e930e6300a2381587d7c4c626995bc47fc52ae99746d3

Download Submit
C:\Windows\{81C9CDF2-EC1B-423c-9BE0-2D6C89B1EFB0}.exe

Filesize
168KB

MD5
ddf8963e1d064b2419b818d7b3ad23f4

SHA1
46fb3a0a7bc929813397e976b72f178ceb21755b

SHA256
c1846bd720bb5db47800891e7543093da821dee9e20e3d931054994fd007b025

SHA512
722602c5d1e12c204e7b9e894e8093061dd919274980b9c32ba1fdbe95364235b55c654d57a73bc0232c1c194f046f3109dabd7e47f5cfc477bb21e0758951af

Download Submit
C:\Windows\{99155991-0459-4ac5-B959-7DD7EAEB8829}.exe

Filesize
168KB

MD5
f77434aff8bac7cd9c82e4001c951503

SHA1
8710b551352f93ac3e587469df4a2e0e8e59b589

SHA256
4a05e0cd9a155915fd78b54881f13f4dd4b40fbc1cb58f586dc8656cf7debe40

SHA512
db47a372c27b8a8c908e879737caed2050622c84573b5c22263dd1c3c9227da38b3f6145f527a1234281a92d2627c6270bbc82292c48b03beb98a1969edced08

Download Submit
C:\Windows\{9DEFB6AD-35BB-4a5d-BA47-5C10C9F695C6}.exe

Filesize
168KB

MD5
2fc5382c823bb7272ff6c8620bb7a595

SHA1
857e490d7a2b100e3c469ddfc91ac777240eef9a

SHA256
680f4483d1d7720eb33469a6cbe9038ccbc93633434ddcde2c2a5d1238f63792

SHA512
55c6279649d6d038f16b208b601d2754cb73ecf3f545ca7f493fcc3a65ab639b1496fc92fc570eede2a85df6f43094643991262cc7b9067950a623cadee8495b

Download Submit
C:\Windows\{A6CEBFB9-F754-4585-8A21-6E22107D9E07}.exe

Filesize
168KB

MD5
90e1c7d3b9c051340832afb8f3440025

SHA1
13a5b44c13147fff62e3a1160e9e309f9b4b46bd

SHA256
8417d2ac2e4a875545e61a61e49f7c21370e2fb80dc24858477058105ce32ad2

SHA512
681082e65b17833b04da60b7f990f4cd7eceae68829b9a3eceeedce07b8461d36230d9e42ef6684a6c20870a62f2537e6fbcce39dedf8270554a6022110b2f34

Download Submit
C:\Windows\{C681C648-5881-4f86-A089-F3DE1F51DED1}.exe

Filesize
168KB

MD5
1379843e5cc23b115debdda383103e66

SHA1
643a94deb915bfe6886cc0dc5752b3e6900fbf76

SHA256
be6129989bee6b05a4d1e9d548c3ceb0933216227c7d18ce91a5f68f53cf33bf

SHA512
3f9b405af1f06cdeb0620b20f2015942597c07f57ab0b65797926496d08ac943d01a408f7e42689092ba62b8e8dc11347e607b5e109620b32eac012496e9149c

Download Submit
C:\Windows\{CDFB6637-5345-4f9e-ACAB-7C5A70CEF8C9}.exe

Filesize
168KB

MD5
4bd1b650322499923eab895131967417

SHA1
9e8386509e36d07a1b8fcad2a71173bdc1dd1576

SHA256
7613a62d4b8067404167380716ed79fdf26d780f6b240fb2412ebed2921da6ac

SHA512
ae6f4698449e5e53850f40e12e1107799c1e9f8618493e26fc539e27216d6d9b8710618dcfcc7b05513e3d9182e3e7ef6f57fabceb73cde2e1bd437778f2d48f

Download Submit
C:\Windows\{D6BF97AD-92EC-4733-92E3-E6D6DC9BACAB}.exe

Filesize
168KB

MD5
950acbbdcf36358940ab90f24cab8944

SHA1
fa31510adf99ba41c2c0ed7fc326364a01c6b214

SHA256
d82db163eec8c0813c4d56f863378b334f402d73a0b50d57412e25e8c7c682aa

SHA512
67b3b59d046fbee6381379cccff54e4ab6d0a4079ea31b94ee1874a5adb76a364a96be6e4d7255226c0e573a4b24b20b5531e2f6c855eefc20665886daac7214

Download Submit
C:\Windows\{DFF3FCD9-1DCA-4064-A75A-CB25A1A900ED}.exe

Filesize
168KB

MD5
2e18404c7018bb96bdf987d5ff81cd5c

SHA1
31defc38710ff91fece9a273607d8011bfef8f96

SHA256
6e036f4a349d77cd90b595ab05fdedbe9d7cc56493c67eec865b671000a76b0f

SHA512
c53b3d3a201611006697042ab93d6b5057612ba5f1fd58cbecb84dcff94b7001ac9b83b2cd5fb7acef11c69067ebc65bec0c087d9f7aec69045ea039a1b8ad6d

Download Submit
C:\Windows\{F1BA4D2E-A614-4368-81D0-49555CAC8218}.exe

Filesize
168KB

MD5
34ab88a78c21701c9603c4d1c1f64a6c

SHA1
260ef35659890905772250f79771a7a5a4b20b44

SHA256
e4fe9fb94e83b4b61734b0a26a95c07cfd5f2c4352303b4db958dc2e91e31d9d

SHA512
d2dc2633b614ea2ee15d8f7268c649721186fd94bebfd9fdc1138bc05e4b13291a8467ff381dc26792d1cfdae80565dd945ddce8ef673adf71170e26378f0cb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads