54ad90f99ca7977f86d1610a98f8550c0a4ccd77c4434e45a25cd76aafb4a507

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Size

380KB
MD5

401a30d11ab6c7b7bfafd3479ae1ecaa
SHA1

6a509eb833950b6a796238afa1e605d91811f41f
SHA256

54ad90f99ca7977f86d1610a98f8550c0a4ccd77c4434e45a25cd76aafb4a507
SHA512

1ab57f078a873a1048a8f4a58a34ed6b7d10b35191cba77b2ac71c38a9404f6d6f0b7ff342fdf158fdde6aa8d48c825edf4307f1c0417bb69de0de33f272e726
SSDEEP

3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGal7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{443D8FBF-373B-4c64-AA0D-0874D4364793}	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507E989D-D9F1-4719-A473-AA89BD79CCC9}	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}\stubpath = "C:\\Windows\\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe"	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74329EE8-3663-46ce-A47F-7A848E3D1730}\stubpath = "C:\\Windows\\{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe"	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5920558-E208-4998-BCC5-271EBB704C95}\stubpath = "C:\\Windows\\{C5920558-E208-4998-BCC5-271EBB704C95}.exe"	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507E989D-D9F1-4719-A473-AA89BD79CCC9}\stubpath = "C:\\Windows\\{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe"	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5920558-E208-4998-BCC5-271EBB704C95}	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}\stubpath = "C:\\Windows\\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe"	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}\stubpath = "C:\\Windows\\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe"	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74329EE8-3663-46ce-A47F-7A848E3D1730}	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{443D8FBF-373B-4c64-AA0D-0874D4364793}\stubpath = "C:\\Windows\\{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe"	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}\stubpath = "C:\\Windows\\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe"	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}\stubpath = "C:\\Windows\\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe"	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}\stubpath = "C:\\Windows\\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe"	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}\stubpath = "C:\\Windows\\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe"	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}\stubpath = "C:\\Windows\\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe"	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
4560	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
5024	{C5920558-E208-4998-BCC5-271EBB704C95}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
File created	C:\Windows\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
File created	C:\Windows\{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
File created	C:\Windows\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
File created	C:\Windows\{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
File created	C:\Windows\{C5920558-E208-4998-BCC5-271EBB704C95}.exe	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
File created	C:\Windows\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
File created	C:\Windows\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
File created	C:\Windows\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
File created	C:\Windows\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
File created	C:\Windows\{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
File created	C:\Windows\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5920558-E208-4998-BCC5-271EBB704C95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
Token: SeIncBasePriorityPrivilege	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
Token: SeIncBasePriorityPrivilege	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
Token: SeIncBasePriorityPrivilege	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
Token: SeIncBasePriorityPrivilege	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
Token: SeIncBasePriorityPrivilege	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
Token: SeIncBasePriorityPrivilege	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
Token: SeIncBasePriorityPrivilege	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
Token: SeIncBasePriorityPrivilege	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
Token: SeIncBasePriorityPrivilege	1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
Token: SeIncBasePriorityPrivilege	4560	{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1412	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	89
PID 2924 wrote to memory of 1412	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	89
PID 2924 wrote to memory of 1412	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	89
PID 2924 wrote to memory of 1252	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	90
PID 2924 wrote to memory of 1252	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	90
PID 2924 wrote to memory of 1252	2924	2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe	90
PID 1412 wrote to memory of 2548	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	91
PID 1412 wrote to memory of 2548	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	91
PID 1412 wrote to memory of 2548	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	91
PID 1412 wrote to memory of 4244	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	92
PID 1412 wrote to memory of 4244	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	92
PID 1412 wrote to memory of 4244	1412	{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe	92
PID 2548 wrote to memory of 2164	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	95
PID 2548 wrote to memory of 2164	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	95
PID 2548 wrote to memory of 2164	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	95
PID 2548 wrote to memory of 4192	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	96
PID 2548 wrote to memory of 4192	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	96
PID 2548 wrote to memory of 4192	2548	{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe	96
PID 2164 wrote to memory of 1528	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	97
PID 2164 wrote to memory of 1528	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	97
PID 2164 wrote to memory of 1528	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	97
PID 2164 wrote to memory of 2076	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	98
PID 2164 wrote to memory of 2076	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	98
PID 2164 wrote to memory of 2076	2164	{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe	98
PID 1528 wrote to memory of 4292	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	99
PID 1528 wrote to memory of 4292	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	99
PID 1528 wrote to memory of 4292	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	99
PID 1528 wrote to memory of 3480	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	100
PID 1528 wrote to memory of 3480	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	100
PID 1528 wrote to memory of 3480	1528	{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe	100
PID 4292 wrote to memory of 4552	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	101
PID 4292 wrote to memory of 4552	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	101
PID 4292 wrote to memory of 4552	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	101
PID 4292 wrote to memory of 740	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	102
PID 4292 wrote to memory of 740	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	102
PID 4292 wrote to memory of 740	4292	{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe	102
PID 4552 wrote to memory of 4524	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	103
PID 4552 wrote to memory of 4524	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	103
PID 4552 wrote to memory of 4524	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	103
PID 4552 wrote to memory of 1508	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	104
PID 4552 wrote to memory of 1508	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	104
PID 4552 wrote to memory of 1508	4552	{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe	104
PID 4524 wrote to memory of 3716	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	105
PID 4524 wrote to memory of 3716	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	105
PID 4524 wrote to memory of 3716	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	105
PID 4524 wrote to memory of 1064	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	106
PID 4524 wrote to memory of 1064	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	106
PID 4524 wrote to memory of 1064	4524	{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe	106
PID 3716 wrote to memory of 3908	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	107
PID 3716 wrote to memory of 3908	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	107
PID 3716 wrote to memory of 3908	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	107
PID 3716 wrote to memory of 224	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	108
PID 3716 wrote to memory of 224	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	108
PID 3716 wrote to memory of 224	3716	{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe	108
PID 3908 wrote to memory of 1092	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	109
PID 3908 wrote to memory of 1092	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	109
PID 3908 wrote to memory of 1092	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	109
PID 3908 wrote to memory of 1684	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	110
PID 3908 wrote to memory of 1684	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	110
PID 3908 wrote to memory of 1684	3908	{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe	110
PID 1092 wrote to memory of 4560	1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe	111
PID 1092 wrote to memory of 4560	1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe	111
PID 1092 wrote to memory of 4560	1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe	111
PID 1092 wrote to memory of 3516	1092	{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_401a30d11ab6c7b7bfafd3479ae1ecaa_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
  C:\Windows\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
    C:\Windows\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
      C:\Windows\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
        
        C:\Windows\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
        
        C:\Windows\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
        
        C:\Windows\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
        
        C:\Windows\{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
        
        C:\Windows\{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
        
        C:\Windows\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
        
        C:\Windows\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
        
        C:\Windows\{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\{C5920558-E208-4998-BCC5-271EBB704C95}.exe
        
        C:\Windows\{C5920558-E208-4998-BCC5-271EBB704C95}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{507E9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94782~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C314~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{443D8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74329~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC4D5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF99C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8963E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C5C7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4B1A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DFEA2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{443D8FBF-373B-4c64-AA0D-0874D4364793}.exe

Filesize
380KB

MD5
0b13c959c8b439bfa322193e1eeb27bf

SHA1
44817c8f1853c36558d9e83b0a9895844a7e3de3

SHA256
1e66b754afb90cc122debb76b5edb7e57a957c869888a447306c9f15fb7a7cec

SHA512
3bf11d29b6ca1e613775db5115718547d9d38d1164b1b91f347f22d01c303ab68237b98e60aab16c7ee465b498a4b90715b5bd0136ad89ad118106ea88d9668c

Download Submit
C:\Windows\{4C5C71CE-350B-4017-BCDA-7F583E5A06F0}.exe

Filesize
380KB

MD5
243a4a1c065befd9f761430c5551b7bc

SHA1
41c7559680b8090ce58e77e6622bd323d8abf980

SHA256
2fee90aa89d30daf3c1632125cd5cf89da525d2ed2527b14ead7332ddeb34449

SHA512
303c3a2ac5a21019d393bfd8fb10244ae8d0ae10c5a0bd0f9ad0496203c93bf624625cb693d3320d13c45c5790b1410458234360d8eeaece647a4acdf80a7068

Download Submit
C:\Windows\{507E989D-D9F1-4719-A473-AA89BD79CCC9}.exe

Filesize
380KB

MD5
4aeb72392ca7f5da08068cd44fed9af5

SHA1
11e422f90ee070b9f971d4db5992b799c3fcb667

SHA256
2714d557256b7b7ccc54a7fdafab185b9ae973fc4dc180d1cf76ea0bd6f6b3ef

SHA512
a33c335bbb4c9db82526f8e9546ed2f47e61c99562dc7ade7a827336a2fe6da1bba70a716afddfaaf4c73f1c8965fb88e526376365f1ca58e51150e9ec245746

Download Submit
C:\Windows\{74329EE8-3663-46ce-A47F-7A848E3D1730}.exe

Filesize
380KB

MD5
c3ea896fd49b3c4f4ffcf2a375c93a03

SHA1
67feb6117d4ff99ce7f6d88d8d4e9dce4c8d3f9f

SHA256
504594d8c7d2a5b7f77cb7e2068b2710b5ca41a45ccb4915b084dc1c4197a304

SHA512
723e851195f6aa385cc04beb36c3c8dcd3f8e430508155a0e9cc8b41233fc52dc77f643d735ca3aade619f69eaa365f57ec2f90d386291b66adde1c30ca10235

Download Submit
C:\Windows\{8963E4F7-84C1-4172-9451-6636E4ABE1EA}.exe

Filesize
380KB

MD5
1be2b4efc70b14d01b00e3960efa53c3

SHA1
8d699af176377094a0d2378cb746fa89771e5d04

SHA256
a9251094bb54bf2ea3410de3f76a4c4a4031413bc598a27e813dd9e46098cc89

SHA512
1173d3ba79980b3c8e83354720ecf23d76813eda41dcd2524d4dd71de4c99821675f435755d6f13e073079219739317278f4eca5d1b523070ad0391856b50465

Download Submit
C:\Windows\{8C31434A-D0D4-4d33-A4FB-7854C1CBE2BC}.exe

Filesize
380KB

MD5
208c1606e83a44445a9911d2d13e72ad

SHA1
68e95f490262cca6b9f0db98de5bfaaafe617995

SHA256
4ba34010ab0bb33706871a5f66b4888f48455c2994a68ff1df9ff977fe374bc1

SHA512
41df89a02a24abef9150d5a8e4d7ebec9009851cc66a855b18f407fd3eb366dee51d1a912c6e8d9970cc12dad3e0c2b28da294ad89d9b7811c64f11c8b695f29

Download Submit
C:\Windows\{9478233A-B9F6-488b-A0F3-D54227D1EDDA}.exe

Filesize
380KB

MD5
244e300f6c08fc4c94808f7eba822761

SHA1
58c6b61e21e4b3a9a0a990a3254f54339eb8c1a5

SHA256
109bc8465b6a66786f1509fd17b490459df4c7d1b6155c732bc8dab4f06ef0fc

SHA512
a99f8bce931cf9cacb93cd97c3331bdbc360db71e64fb31ecb37f846933c8b4363ff6dabf7148f160df7856672f77df175ccf1522ede9c63cee31f0b13b6ff2b

Download Submit
C:\Windows\{AC4D5E91-03FD-4d31-A997-CAF84DED2C75}.exe

Filesize
380KB

MD5
c40c8b110cf2b550f3ae63598499cc34

SHA1
cafb523761ffbd8edb95de3d0411b0634abbd067

SHA256
cdaa758ca3aea5336ef3385b98fb85fc4ad114f649e52b168d53ba85bf28fe0c

SHA512
e62ffad845a77659b683c9eb80994deb45991b2b75034b8666a807e59967a9051cb698790db3b2bcb70a838e432e82a8120ae0c86020af89cff62ee7f8719170

Download Submit
C:\Windows\{C5920558-E208-4998-BCC5-271EBB704C95}.exe

Filesize
380KB

MD5
2845149c80f189a611f5e193192228f9

SHA1
5a5cc68a1c8678d902615e1a04721b1a4bf61708

SHA256
73ec2706ffb6cf5b61ef32b85e5f2e11c4d5095bd1c32fc884a775e405b88647

SHA512
c8cda8aad237dccf8d07793424f4eda6860e556dc074847bbe4ef5b65c0362e576a721451d1b7e49a03e63c97d2e90a6591f27cfe4b0b83813244be71344532b

Download Submit
C:\Windows\{DF99C50E-71C2-4eb7-AA40-B6975F48A079}.exe

Filesize
380KB

MD5
829ba672327f7eccc0ae1b68272ba69d

SHA1
ac73fcebd8b0cecdf51a7544140f888e7d631884

SHA256
e5177af4fdf9feec877b3ddb16d3d98dec0d7f4087aa02b6814c68005274855a

SHA512
f32ea163141683040847881e829644427d46eee7f2900cecef0583301f80c6fca3b34147a665d072a767a7dfad495f2ec28bd9656bcd1521ce7dcaaac3010e96

Download Submit
C:\Windows\{DFEA2F75-6B41-4bf6-9BB0-03488264568A}.exe

Filesize
380KB

MD5
0a54369b5a6d04f3c5b1b74595f1b972

SHA1
cb1463582fc9a231c6e0830ee6a6dcf1a06141fd

SHA256
070b6003f8724cc18ee5d47b62bbddd7b7cddad75866e16f421f97c1eb9eae95

SHA512
6886a5b3f635474713aa1e8b154e0e4aad353736a6cfbcdab4e20cf2ac7725e78b0d44c8e0269dc2049be7fcb62138e940666b65f8a528adce5a6cfcadcbb4a3

Download Submit
C:\Windows\{E4B1ACCD-01FE-4da1-9513-F25DFF9E9E18}.exe

Filesize
380KB

MD5
df8b07d106752b421640bee7d1662aac

SHA1
9c3d08c8b694a88c0412dd0f091a003f638cef18

SHA256
4fd8d833cc59b788a4753a5a854dbb8f2155388d65b99e468c8515e844e7b6a6

SHA512
593078a87c61d76a02710fb4684ff91f675966d2de40100ecc7811454a50147316bc6e82064def8bbbb703036e8c0465127aa0bf78be17bed994d6ebad778fb9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads