fd040d35c4137f03046a3276ff56b4ef48685b76c5e22552ac868c24b8c1356c

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Size

197KB
MD5

9717c8f38a407aec955081e8949c66f8
SHA1

4a748fcb6103bad1d43078d4ecde5815dea1cb34
SHA256

fd040d35c4137f03046a3276ff56b4ef48685b76c5e22552ac868c24b8c1356c
SHA512

b54960cf41ab972e96a98da1fc1ad2e19d8438a74a053ff459d5f2d29e3b2f1eeb8bc0166961887215f48fa45d96eef6ce31aab92380c4cca59cf402a0eacfdf
SSDEEP

3072:jEGh0owl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGKlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD0988D3-E5D3-4899-B8BA-499353E647F1}\stubpath = "C:\\Windows\\{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe"	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54BA406-258F-474a-98C7-A045E3ADF748}	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}\stubpath = "C:\\Windows\\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe"	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD0988D3-E5D3-4899-B8BA-499353E647F1}	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{487D71EC-25C1-41db-8728-8A4DFBC2798F}	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{487D71EC-25C1-41db-8728-8A4DFBC2798F}\stubpath = "C:\\Windows\\{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe"	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}\stubpath = "C:\\Windows\\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe"	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CE439E-251E-48e8-8805-4BEE9896DD38}	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{319A2A13-2B67-43f1-905D-F797C8408F00}\stubpath = "C:\\Windows\\{319A2A13-2B67-43f1-905D-F797C8408F00}.exe"	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}\stubpath = "C:\\Windows\\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe"	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}\stubpath = "C:\\Windows\\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe"	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37E8DB4D-3C5A-44c3-968B-907B5B718170}	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}\stubpath = "C:\\Windows\\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe"	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37E8DB4D-3C5A-44c3-968B-907B5B718170}\stubpath = "C:\\Windows\\{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe"	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{319A2A13-2B67-43f1-905D-F797C8408F00}	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BC6640-B955-4ee3-83A2-40A897E9D443}	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BC6640-B955-4ee3-83A2-40A897E9D443}\stubpath = "C:\\Windows\\{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe"	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CE439E-251E-48e8-8805-4BEE9896DD38}\stubpath = "C:\\Windows\\{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe"	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54BA406-258F-474a-98C7-A045E3ADF748}\stubpath = "C:\\Windows\\{F54BA406-258F-474a-98C7-A045E3ADF748}.exe"	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe

Executes dropped EXE 12 IoCs

pid	Process
536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
3016	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
5108	{F54BA406-258F-474a-98C7-A045E3ADF748}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
File created	C:\Windows\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
File created	C:\Windows\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
File created	C:\Windows\{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
File created	C:\Windows\{F54BA406-258F-474a-98C7-A045E3ADF748}.exe	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
File created	C:\Windows\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
File created	C:\Windows\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
File created	C:\Windows\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
File created	C:\Windows\{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
File created	C:\Windows\{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
File created	C:\Windows\{319A2A13-2B67-43f1-905D-F797C8408F00}.exe	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
File created	C:\Windows\{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F54BA406-258F-474a-98C7-A045E3ADF748}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
Token: SeIncBasePriorityPrivilege	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
Token: SeIncBasePriorityPrivilege	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
Token: SeIncBasePriorityPrivilege	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
Token: SeIncBasePriorityPrivilege	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
Token: SeIncBasePriorityPrivilege	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
Token: SeIncBasePriorityPrivilege	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
Token: SeIncBasePriorityPrivilege	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
Token: SeIncBasePriorityPrivilege	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
Token: SeIncBasePriorityPrivilege	4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
Token: SeIncBasePriorityPrivilege	3016	{319A2A13-2B67-43f1-905D-F797C8408F00}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 536	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	91
PID 3208 wrote to memory of 536	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	91
PID 3208 wrote to memory of 536	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	91
PID 3208 wrote to memory of 4912	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	92
PID 3208 wrote to memory of 4912	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	92
PID 3208 wrote to memory of 4912	3208	2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe	92
PID 536 wrote to memory of 2180	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	93
PID 536 wrote to memory of 2180	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	93
PID 536 wrote to memory of 2180	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	93
PID 536 wrote to memory of 1964	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	94
PID 536 wrote to memory of 1964	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	94
PID 536 wrote to memory of 1964	536	{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe	94
PID 2180 wrote to memory of 1756	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	97
PID 2180 wrote to memory of 1756	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	97
PID 2180 wrote to memory of 1756	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	97
PID 2180 wrote to memory of 4856	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	98
PID 2180 wrote to memory of 4856	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	98
PID 2180 wrote to memory of 4856	2180	{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe	98
PID 1756 wrote to memory of 3272	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	99
PID 1756 wrote to memory of 3272	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	99
PID 1756 wrote to memory of 3272	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	99
PID 1756 wrote to memory of 3460	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	100
PID 1756 wrote to memory of 3460	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	100
PID 1756 wrote to memory of 3460	1756	{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe	100
PID 3272 wrote to memory of 3344	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	101
PID 3272 wrote to memory of 3344	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	101
PID 3272 wrote to memory of 3344	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	101
PID 3272 wrote to memory of 2608	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	102
PID 3272 wrote to memory of 2608	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	102
PID 3272 wrote to memory of 2608	3272	{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe	102
PID 3344 wrote to memory of 2300	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	103
PID 3344 wrote to memory of 2300	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	103
PID 3344 wrote to memory of 2300	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	103
PID 3344 wrote to memory of 4004	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	104
PID 3344 wrote to memory of 4004	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	104
PID 3344 wrote to memory of 4004	3344	{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe	104
PID 2300 wrote to memory of 740	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	105
PID 2300 wrote to memory of 740	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	105
PID 2300 wrote to memory of 740	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	105
PID 2300 wrote to memory of 3268	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	106
PID 2300 wrote to memory of 3268	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	106
PID 2300 wrote to memory of 3268	2300	{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe	106
PID 740 wrote to memory of 1956	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	107
PID 740 wrote to memory of 1956	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	107
PID 740 wrote to memory of 1956	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	107
PID 740 wrote to memory of 3964	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	108
PID 740 wrote to memory of 3964	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	108
PID 740 wrote to memory of 3964	740	{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe	108
PID 1956 wrote to memory of 3548	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	109
PID 1956 wrote to memory of 3548	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	109
PID 1956 wrote to memory of 3548	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	109
PID 1956 wrote to memory of 4072	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	110
PID 1956 wrote to memory of 4072	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	110
PID 1956 wrote to memory of 4072	1956	{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe	110
PID 3548 wrote to memory of 4368	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	111
PID 3548 wrote to memory of 4368	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	111
PID 3548 wrote to memory of 4368	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	111
PID 3548 wrote to memory of 1504	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	112
PID 3548 wrote to memory of 1504	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	112
PID 3548 wrote to memory of 1504	3548	{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe	112
PID 4368 wrote to memory of 3016	4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe	113
PID 4368 wrote to memory of 3016	4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe	113
PID 4368 wrote to memory of 3016	4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe	113
PID 4368 wrote to memory of 3672	4368	{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_9717c8f38a407aec955081e8949c66f8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
  C:\Windows\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
    C:\Windows\{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
      C:\Windows\{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
        
        C:\Windows\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
        
        C:\Windows\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
        
        C:\Windows\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
        
        C:\Windows\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
        
        C:\Windows\{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
        
        C:\Windows\{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
        
        C:\Windows\{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
        
        C:\Windows\{319A2A13-2B67-43f1-905D-F797C8408F00}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{F54BA406-258F-474a-98C7-A045E3ADF748}.exe
        
        C:\Windows\{F54BA406-258F-474a-98C7-A045E3ADF748}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{319A2~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37E8D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD098~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{487D7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D8A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7083~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06FFC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B3F1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9CE4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BC6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2CC7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06FFC29B-8BDD-4e22-9640-56741AFF0BC1}.exe

Filesize
197KB

MD5
d4e636df65f4949ab436149a46a647e4

SHA1
8de10ff1ce0b653e3fce1ca05b21506edc886341

SHA256
fb49b2dbbff161d880fb6f17ec894c75e642c59f19c0328085bb01428b7eddf2

SHA512
e003de3d56b8fa2e3574cbf13a58cd0ef8fdec5aa681d89f1e11ec45df07f20436293a95efe480b7ebdfbc5cc270ede68836fb6b88a84c8f986a5267436f605a

Download Submit
C:\Windows\{26D8A430-A8B0-4ae8-A319-D9FAA3574B30}.exe

Filesize
197KB

MD5
7275612e7d99503e08ddf30822bad1f4

SHA1
90796339f4492311f4a22cb1ab5bd230d319ea1e

SHA256
8d8e7edd864f341a0d8f1edbb7752acbcc7c6e17e44ecc816d54db379c254526

SHA512
34e6b903cc26591843e0c322a64267d06072f18fa5d9fa284a7ae5cb6a70a8b45dce2043077d3a8ea92a84ccec1be6890d0408baee438a2d47e7c1b8548c9146

Download Submit
C:\Windows\{319A2A13-2B67-43f1-905D-F797C8408F00}.exe

Filesize
197KB

MD5
3b58bf5c5b8c3141b15c3b73fd65e091

SHA1
713cd8ef92ac692bda4b57b3f28f1fb30f48145f

SHA256
953ea2a4664c8280d3128b51a06000ad59409f3cf2c7be9a039f95043709708a

SHA512
b867639dcaa5cbde4eb044df20d79c83adb90964a5d19df05969e05094d0878c826e750ef99aca956bbd198ea7ba8bed8b3bc2ef80473c075cc1d9dea2951875

Download Submit
C:\Windows\{37E8DB4D-3C5A-44c3-968B-907B5B718170}.exe

Filesize
197KB

MD5
d38278ed12c4781c5d658205be607a08

SHA1
fd2e5192ebb17754edd72722b865279a44d85e88

SHA256
7e4d6cb2832e288c7358182899a3a05309d6f9d7ad7201576c42e1b31e7c2014

SHA512
d10479275a653d3da97fb5ba1188e7e7b27ad1fa1fcc380652cda3f55a44c4cdb748771b7b6c45a1e4e392e32550b51a2ae22a9c3980880d6f58199ffd35edeb

Download Submit
C:\Windows\{3B3F145A-F20C-4d03-B00D-B727A0AF6D33}.exe

Filesize
197KB

MD5
b886316306a03ecec6feafbf9fdfd84c

SHA1
a0c792c3f3232b9f4692e1a1f04fcd962eb81575

SHA256
6c950f71da38aa97cc190949caf3b3d7546c9ead7bb80772699295c41c3d6271

SHA512
988bad5e3e301da83afb41dad06a8a186f59797ceb51e5558ddba11cf2494b311b96b0f42da8a7b0cf81ab92c998dfe37b1b69d3c67d1fd9fee85e9ca9bb4b17

Download Submit
C:\Windows\{487D71EC-25C1-41db-8728-8A4DFBC2798F}.exe

Filesize
197KB

MD5
53111d4e5a1b434e697c35533a81315c

SHA1
32c8ca92df76f6d0c10a2737929d6460639b362d

SHA256
67518a62947466ee3d8fe35cc5befc477f933f8a9b27ca4248ff02bfb939d852

SHA512
57d9e501daa51af7f5cc72fd81f20111aa7fad5aaa400141f3cea174b0568fcc2502c681270deef4639092ea0dfe18e87dab26ca090ca9e52a500706d32ff199

Download Submit
C:\Windows\{A2CC7896-2274-4fcb-9B07-3CB2F76D22A9}.exe

Filesize
197KB

MD5
0a5446b2974de021b54eda0fd980ea68

SHA1
28de25f3bc2a697cf23e12afba5293f8589f7268

SHA256
a201a62cca30e0e2bfd2d7596ba26ab49d97e3164cb3cfd30f538a5391493770

SHA512
6779d452a00f4fccf1776b28e7dce640e76772ae7dcd6bce62ddb6b14f6a0194d9fd7a5e2b00f21cd75346543658eaf61a0ddb700a569fce93961b3732150bef

Download Submit
C:\Windows\{C9CE439E-251E-48e8-8805-4BEE9896DD38}.exe

Filesize
197KB

MD5
5481b471197aba2f258b55543e01d300

SHA1
c153ab9b5ff95c60667df9f5e50e7be3a585f8df

SHA256
3f82129fb33053ec477912ab4d4768c98f2edbe9f0749474138e6c5c965e116e

SHA512
b1779f6ae2feb4d126105cd50fb0f0fadc835e8d3377a661cdca7b3c3a9f9089decf0a0654f6efa750b37462a253d3d3e51b3c423c9a9bef096863cb64a5c2a5

Download Submit
C:\Windows\{E7083AB6-4F00-4450-9AAB-ED62E0DC925B}.exe

Filesize
197KB

MD5
b1047f5dc46b59dc27bc936b3e8c6260

SHA1
2e6699ffaa5b92120a85d46f2ad9dadf11fd501f

SHA256
ee6ae4cdcdd4aa3f81f2d8eefd57bf42df0468b8df0663f7a465cd8b23002ef5

SHA512
4fcab5239277d21f2bdd2439e2c4d4e8c1d18bde453ee27ccb0bf23b0b7c2ac9165808d8c50c6cb4c035c95ecfddbc583309ee7f11dcfc960c4e726bcefd9c1f

Download Submit
C:\Windows\{F54BA406-258F-474a-98C7-A045E3ADF748}.exe

Filesize
197KB

MD5
d9410f66b7931126e7b957cb036c6c22

SHA1
f2cb8516159fb552274fa8969fa909721a645cab

SHA256
ff58beccd6b47fc835cb9c2bd06cd48e753e174ae4b974facbed06ee4bf181c5

SHA512
340fcce518358154ce14f6405ea86ff1a7f91e56160359f098d23136d9210c1de29c0aeee0cd9769ba661d9cc3707f7f89b62aa10149d987e98146e0e98dc7f6

Download Submit
C:\Windows\{F8BC6640-B955-4ee3-83A2-40A897E9D443}.exe

Filesize
197KB

MD5
eab60ab8f37ed0032dd9528fc6c36b76

SHA1
eb7c8a3ec5b3a1d13292abc440341e8a782d05e6

SHA256
e94349cdb7955c4756cac5454cfe5024ed58cf53f4255e0095415ef19daf4df1

SHA512
804a312fbc5bb9af00c082a8167372769be0d0ed665b54dcd3d3c15272eda373b3e8162312e092a827639fa0ac9eec1807cc353589dbf7ebdde2a2340eb8f5f8

Download Submit
C:\Windows\{FD0988D3-E5D3-4899-B8BA-499353E647F1}.exe

Filesize
197KB

MD5
5b88455352c3a469c988649146c72deb

SHA1
36c384cfcc6e5be24e35d83dd0632aae82a5833e

SHA256
0a3a5b77193c06e947b43dc3a9de24193284e73328655dcb4fb2b4902d631237

SHA512
33f7c6144cb72cc69b76259fe8ee277a27910d2fb32bb050a82655dc37480172fac4a271f0d39fd200a835dd584ae9ffce40b00718ca358b84924d8bff972273

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads