c99dc5efdcdf7bf29b9f883e71ee392252fa7c431056c81a602ce4dd19d7f83a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
Size

197KB
MD5

9206b0dcae78734c7ccca68e6104babc
SHA1

8f913d7abcbbbfe748f50d9bdcb163cc9a92f68b
SHA256

c99dc5efdcdf7bf29b9f883e71ee392252fa7c431056c81a602ce4dd19d7f83a
SHA512

624b8c85733792e92915d459d2049df66798f10821032b05723e1567cfa85522b7dff81c92016c06d116a8c4ad89177a89d8a81dfce4cf4c6e539d03816b9738
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGJlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3201FE5C-516D-4bfd-B715-2C124CE739E2}\stubpath = "C:\\Windows\\{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe"	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}\stubpath = "C:\\Windows\\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe"	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}\stubpath = "C:\\Windows\\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe"	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E6F455-165C-420d-862B-2123F508533A}	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BD8CC8-B1BB-4571-A8DE-819659251B99}	{F3E6F455-165C-420d-862B-2123F508533A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}\stubpath = "C:\\Windows\\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe"	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3201FE5C-516D-4bfd-B715-2C124CE739E2}	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}\stubpath = "C:\\Windows\\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe"	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB83E948-7C81-4ea4-9D25-862B6B393C94}\stubpath = "C:\\Windows\\{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe"	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB83E948-7C81-4ea4-9D25-862B6B393C94}	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}\stubpath = "C:\\Windows\\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe"	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}\stubpath = "C:\\Windows\\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe"	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E6F455-165C-420d-862B-2123F508533A}\stubpath = "C:\\Windows\\{F3E6F455-165C-420d-862B-2123F508533A}.exe"	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF46896-94ED-4128-9549-C365830FD56D}\stubpath = "C:\\Windows\\{1FF46896-94ED-4128-9549-C365830FD56D}.exe"	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03BD8CC8-B1BB-4571-A8DE-819659251B99}\stubpath = "C:\\Windows\\{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe"	{F3E6F455-165C-420d-862B-2123F508533A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}\stubpath = "C:\\Windows\\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe"	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF46896-94ED-4128-9549-C365830FD56D}	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe

Executes dropped EXE 12 IoCs

pid	Process
1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe
3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
4004	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
4968	{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
File created	C:\Windows\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
File created	C:\Windows\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
File created	C:\Windows\{1FF46896-94ED-4128-9549-C365830FD56D}.exe	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
File created	C:\Windows\{F3E6F455-165C-420d-862B-2123F508533A}.exe	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
File created	C:\Windows\{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	{F3E6F455-165C-420d-862B-2123F508533A}.exe
File created	C:\Windows\{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
File created	C:\Windows\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
File created	C:\Windows\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
File created	C:\Windows\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
File created	C:\Windows\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
File created	C:\Windows\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3E6F455-165C-420d-862B-2123F508533A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
Token: SeIncBasePriorityPrivilege	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
Token: SeIncBasePriorityPrivilege	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
Token: SeIncBasePriorityPrivilege	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
Token: SeIncBasePriorityPrivilege	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
Token: SeIncBasePriorityPrivilege	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe
Token: SeIncBasePriorityPrivilege	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe
Token: SeIncBasePriorityPrivilege	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
Token: SeIncBasePriorityPrivilege	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
Token: SeIncBasePriorityPrivilege	2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
Token: SeIncBasePriorityPrivilege	4004	{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1020	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	89
PID 4104 wrote to memory of 1020	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	89
PID 4104 wrote to memory of 1020	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	89
PID 4104 wrote to memory of 3936	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	90
PID 4104 wrote to memory of 3936	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	90
PID 4104 wrote to memory of 3936	4104	2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe	90
PID 1020 wrote to memory of 1292	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	91
PID 1020 wrote to memory of 1292	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	91
PID 1020 wrote to memory of 1292	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	91
PID 1020 wrote to memory of 2508	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	92
PID 1020 wrote to memory of 2508	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	92
PID 1020 wrote to memory of 2508	1020	{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe	92
PID 1292 wrote to memory of 3412	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	95
PID 1292 wrote to memory of 3412	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	95
PID 1292 wrote to memory of 3412	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	95
PID 1292 wrote to memory of 4368	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	96
PID 1292 wrote to memory of 4368	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	96
PID 1292 wrote to memory of 4368	1292	{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe	96
PID 3412 wrote to memory of 416	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	97
PID 3412 wrote to memory of 416	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	97
PID 3412 wrote to memory of 416	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	97
PID 3412 wrote to memory of 2532	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	98
PID 3412 wrote to memory of 2532	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	98
PID 3412 wrote to memory of 2532	3412	{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe	98
PID 416 wrote to memory of 2192	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	99
PID 416 wrote to memory of 2192	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	99
PID 416 wrote to memory of 2192	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	99
PID 416 wrote to memory of 1500	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	100
PID 416 wrote to memory of 1500	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	100
PID 416 wrote to memory of 1500	416	{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe	100
PID 2192 wrote to memory of 3168	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	101
PID 2192 wrote to memory of 3168	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	101
PID 2192 wrote to memory of 3168	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	101
PID 2192 wrote to memory of 1860	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	102
PID 2192 wrote to memory of 1860	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	102
PID 2192 wrote to memory of 1860	2192	{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe	102
PID 3168 wrote to memory of 5048	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	103
PID 3168 wrote to memory of 5048	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	103
PID 3168 wrote to memory of 5048	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	103
PID 3168 wrote to memory of 2996	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	104
PID 3168 wrote to memory of 2996	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	104
PID 3168 wrote to memory of 2996	3168	{1FF46896-94ED-4128-9549-C365830FD56D}.exe	104
PID 5048 wrote to memory of 3628	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	105
PID 5048 wrote to memory of 3628	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	105
PID 5048 wrote to memory of 3628	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	105
PID 5048 wrote to memory of 1276	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	106
PID 5048 wrote to memory of 1276	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	106
PID 5048 wrote to memory of 1276	5048	{F3E6F455-165C-420d-862B-2123F508533A}.exe	106
PID 3628 wrote to memory of 4372	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	107
PID 3628 wrote to memory of 4372	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	107
PID 3628 wrote to memory of 4372	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	107
PID 3628 wrote to memory of 1304	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	108
PID 3628 wrote to memory of 1304	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	108
PID 3628 wrote to memory of 1304	3628	{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe	108
PID 4372 wrote to memory of 2344	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	109
PID 4372 wrote to memory of 2344	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	109
PID 4372 wrote to memory of 2344	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	109
PID 4372 wrote to memory of 3608	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	110
PID 4372 wrote to memory of 3608	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	110
PID 4372 wrote to memory of 3608	4372	{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe	110
PID 2344 wrote to memory of 4004	2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe	111
PID 2344 wrote to memory of 4004	2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe	111
PID 2344 wrote to memory of 4004	2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe	111
PID 2344 wrote to memory of 2496	2344	{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_9206b0dcae78734c7ccca68e6104babc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
  C:\Windows\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
    C:\Windows\{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
      C:\Windows\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
        
        C:\Windows\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:416
      - C:\Windows\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
        
        C:\Windows\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{1FF46896-94ED-4128-9549-C365830FD56D}.exe
        
        C:\Windows\{1FF46896-94ED-4128-9549-C365830FD56D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\{F3E6F455-165C-420d-862B-2123F508533A}.exe
        
        C:\Windows\{F3E6F455-165C-420d-862B-2123F508533A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
        
        C:\Windows\{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
        
        C:\Windows\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
        
        C:\Windows\{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
        
        C:\Windows\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe
        
        C:\Windows\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53DBB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB83E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B65FD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03BD8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E6F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FF46~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{607D7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AE27~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9642~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3201F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{888BA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03BD8CC8-B1BB-4571-A8DE-819659251B99}.exe

Filesize
197KB

MD5
cda14428e992ee2c11754298d11d2552

SHA1
ff2f15f3ba58c98634e7497282d9f78d2a628caf

SHA256
1acff5bf68a3cd943e50f5af9d739116fd67b29322942b13679bb7713b5c5d47

SHA512
8eddd62df347e4aea01d92d9d339a461cc16cf1ebe688045777fd8d7e26511ebf0eb076412fae78ef0f72c520b93230c5692c6d5dea1136750eb2e41bd646eeb

Download Submit
C:\Windows\{1FF46896-94ED-4128-9549-C365830FD56D}.exe

Filesize
197KB

MD5
21cbcb135058b83652cc62c1131f85c6

SHA1
ecc8c54feb750d788c3fced1da0d2438a835ff92

SHA256
69f90e73acc4591ff481d48498899d32de8dc481c764961f5c51d8dbc5c465a9

SHA512
ba298ba976960f660f7e794f12c27daa3c7990ac809c469a8ba7439a7ff8a681a0c1318230ef0331d2df11cb5bce6eef5e6f6982bbd207621717b36294d85ab5

Download Submit
C:\Windows\{3201FE5C-516D-4bfd-B715-2C124CE739E2}.exe

Filesize
197KB

MD5
e03ca98d4de5497870c4accca069a035

SHA1
05bb91b9086ac3deecfc08184629f7ad5f04e3eb

SHA256
c3510070504737d044d74af386d588ce0d509a6f3578fd338c182c5a709da430

SHA512
0cc2d6dfda39c9d29af815c8eab2cc70e45e7c93d2bd06ddf6dbaffdb498aa0651e56a593c91460e3a272b12a58b2bdbdb64ab8d4af0612b7a1c5c874893f55b

Download Submit
C:\Windows\{53DBB7CA-1CF8-49eb-89FA-8A62A10507D1}.exe

Filesize
197KB

MD5
3fde31611d1c77ce637653799488377a

SHA1
c101cdc52fdd58adde1d00acf30b7f3fec8d8b4c

SHA256
ce32355c4d98e9046b93aea0126664a9d249e230c983e338cdaaa4f2505fc2ca

SHA512
6df111356204f69dc37c5a8a0034a791de076baaf73f230c9445d09ec632984933f3d5c8d9ecf9409d04b8828854fd1d922b2bb46a71784fa7c8e8ce134df0e2

Download Submit
C:\Windows\{607D7B16-48FF-4b2e-8F5A-09A709B4F5F8}.exe

Filesize
197KB

MD5
ee3af76e4e3e6579c6b1a4b89a1bffcc

SHA1
5856abd7fe00f73f5e9e61146367b9a493211756

SHA256
41aa71e467dfa390f925b4fb6bb2230e547aec657bf216f2c86070c476dba12f

SHA512
52d6391dd413088974acc5f6becc5f859525e58426ede77a59ee13c33ed140937a354d3956d895358a52e4453ae493a51931095ffbeab3aa496d26bb51681ca4

Download Submit
C:\Windows\{67CF9B44-40D1-4051-93B5-062AB0E8A4FC}.exe

Filesize
197KB

MD5
33ca19604f365c5f4582bfded4e39df9

SHA1
fb74b0d5469b7bff7e2c27665d19bf9c70bc9e61

SHA256
9233e5c075c2a9225ab9f4ec9323dc82cce74a0f77adf1da6b8dfdb5c53b4952

SHA512
799b057faa1c6416e273df9139a431310cb5454a4c2143e714ef8d8b137839b5848a0b1233e9b196944c1f4616b2b9114b28bd0eafddd518e24fa4283e762fb2

Download Submit
C:\Windows\{888BA6F3-01FD-4eee-BB84-11CDA3BCA566}.exe

Filesize
197KB

MD5
a55fd9f219997e0f9c0fb140b9a8aecc

SHA1
9a97afb30e8eab69647315236f37d778ec6b0ae9

SHA256
a5e3a5cb3760b68e5b4281db2e5ebfadee1e3a18fe41fc72f4fab327015fc879

SHA512
cb8efbf076e71edc5b00bc913bd5314579d4ae441f303ae226345924ebd6dae55595c37844ecfd683709402de0816dcc463f25fa30855f00e6a42ea38424c578

Download Submit
C:\Windows\{9AE27228-2BF4-4ca4-92CA-A904424DD2F6}.exe

Filesize
197KB

MD5
89092952598f0cf4bd6e0b408ba015ea

SHA1
3444eb059f9b140ab9862c1fdbdb20790a9edf69

SHA256
25e91d2c984e1e8662b7257bbdd995503fdd98972f02ea6549a231c55b899fd6

SHA512
fc025404bbff6dfe58cde112d40d1024f76109826cc44baa6d76fa08e2128b8f70651dd6e9a12f663a652024edeca3c1d61191d7f2e0647dd99aa464e8da837e

Download Submit
C:\Windows\{A9642C53-C2DF-4f26-A2C5-10CC12E04485}.exe

Filesize
197KB

MD5
4afc94c8725c8d0fd42b0a368e677344

SHA1
f110b6ce8e8970694818550f10229d4db4cad5aa

SHA256
aea1a3652fb695da600a61608667db52a2973f091ab03965abfd229f2562d8b0

SHA512
fae9dcde3863fc0052ccdb581cb696e7466c19e2f0c0217b9440fe3f47acf43fd0bf8567128acce82b87ac868f4b5c847eab9b12de78d67265a91651d768a264

Download Submit
C:\Windows\{B65FD3E9-EEB4-438b-91B4-AAD34D6D91AE}.exe

Filesize
197KB

MD5
c2671fc5849211c8452cfadbaed146fa

SHA1
28b11d71f16e4692e0e3b2f8cd6fe6b79e0d1c47

SHA256
8b97860d313e33b3237f1c983e41e913b1d885f6e05d488a5c17a7ea306a8395

SHA512
9b82203b29ba8feba8f60aea3d82164423a92da1ec424b1d07fc523ef0126f139a01a233fa25bc41bc3e841b795e810b5aeb6375b6c6c39502ceca8872aeb988

Download Submit
C:\Windows\{F3E6F455-165C-420d-862B-2123F508533A}.exe

Filesize
197KB

MD5
48f8a74b09fc16e30af20ffe06cbe969

SHA1
d6353b95878c947e48cbc4e615f0ba0e4c54d5e2

SHA256
aace6b9684f01adaa621c149ce96630fb4cd27f2a1ea84bf026e7f7e2397e941

SHA512
5fb3b4cd8f83a5325c51de6e430313d13bdf0d4211b608eec6483c7b5eb9a44b391e939858d0379cad1f058a0497cc34354e3a1c1ced4742077e1fb7938ca298

Download Submit
C:\Windows\{FB83E948-7C81-4ea4-9D25-862B6B393C94}.exe

Filesize
197KB

MD5
66c596e39c48e5c8d4214bbf3f1b8972

SHA1
fdb0afdcdb5d715ae0c491e133c71277febfdff6

SHA256
defaf92e652f7cadaf8604921f14558670ff1f61422430847c3c637a70708459

SHA512
5be6a29c806f3b351507de1fdd24684bcdef0a6c1b36ea8909d01e4c7c5de352d05a8ec8231d1ea0cbc07db7ab063f89a4ffc3b5a02f5d6aac95794af3a1568a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads