1a45944ffe115158fe3ecb700f7ddf8511e32076dfd09a2abe0a1c27a38fb8c8

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Size

192KB
MD5

2bf2ed0a75c7e7e229fadaad83baebae
SHA1

ac921d8cd2608df104d7546bd5d61af45988d290
SHA256

1a45944ffe115158fe3ecb700f7ddf8511e32076dfd09a2abe0a1c27a38fb8c8
SHA512

4d21d1b4bd8f6505fb244e00f22acb26a5ea0b166d649e879f2b35759dd80c926a5d7211a77bd4de45681c356f01ddd55ba5429b52ab66335b41577b05981a70
SSDEEP

1536:1EGh0o7l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o7l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED62EE70-0C21-4926-803B-D753341E5871}\stubpath = "C:\\Windows\\{ED62EE70-0C21-4926-803B-D753341E5871}.exe"	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59549C3-2435-4044-8E80-9DA09EAFA568}	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59549C3-2435-4044-8E80-9DA09EAFA568}\stubpath = "C:\\Windows\\{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe"	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC6BDCE-18F6-4046-8388-A6871968E43F}\stubpath = "C:\\Windows\\{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe"	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}\stubpath = "C:\\Windows\\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe"	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}\stubpath = "C:\\Windows\\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe"	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF78C706-AA70-473a-986C-C7947E791E4D}	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF78C706-AA70-473a-986C-C7947E791E4D}\stubpath = "C:\\Windows\\{EF78C706-AA70-473a-986C-C7947E791E4D}.exe"	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C32080-7F67-42ad-A7BD-339F2117CABF}	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}\stubpath = "C:\\Windows\\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe"	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDC6BDCE-18F6-4046-8388-A6871968E43F}	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3507769-ED5A-437e-B065-9A0C7A43F094}	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3507769-ED5A-437e-B065-9A0C7A43F094}\stubpath = "C:\\Windows\\{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe"	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27281F67-33EB-4836-B477-8ECC3490EFA3}	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27281F67-33EB-4836-B477-8ECC3490EFA3}\stubpath = "C:\\Windows\\{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe"	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C32080-7F67-42ad-A7BD-339F2117CABF}\stubpath = "C:\\Windows\\{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe"	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}\stubpath = "C:\\Windows\\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe"	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED62EE70-0C21-4926-803B-D753341E5871}	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}\stubpath = "C:\\Windows\\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe"	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe

Executes dropped EXE 12 IoCs

pid	Process
512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
4076	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe
2588	{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
File created	C:\Windows\{ED62EE70-0C21-4926-803B-D753341E5871}.exe	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
File created	C:\Windows\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
File created	C:\Windows\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
File created	C:\Windows\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
File created	C:\Windows\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
File created	C:\Windows\{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
File created	C:\Windows\{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
File created	C:\Windows\{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
File created	C:\Windows\{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
File created	C:\Windows\{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
File created	C:\Windows\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
Token: SeIncBasePriorityPrivilege	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
Token: SeIncBasePriorityPrivilege	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
Token: SeIncBasePriorityPrivilege	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
Token: SeIncBasePriorityPrivilege	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
Token: SeIncBasePriorityPrivilege	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
Token: SeIncBasePriorityPrivilege	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
Token: SeIncBasePriorityPrivilege	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
Token: SeIncBasePriorityPrivilege	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe
Token: SeIncBasePriorityPrivilege	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
Token: SeIncBasePriorityPrivilege	1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
Token: SeIncBasePriorityPrivilege	4076	{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 512	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	89
PID 3672 wrote to memory of 512	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	89
PID 3672 wrote to memory of 512	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	89
PID 3672 wrote to memory of 216	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	90
PID 3672 wrote to memory of 216	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	90
PID 3672 wrote to memory of 216	3672	2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe	90
PID 512 wrote to memory of 1988	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	91
PID 512 wrote to memory of 1988	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	91
PID 512 wrote to memory of 1988	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	91
PID 512 wrote to memory of 3740	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	92
PID 512 wrote to memory of 3740	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	92
PID 512 wrote to memory of 3740	512	{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe	92
PID 1988 wrote to memory of 1568	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	95
PID 1988 wrote to memory of 1568	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	95
PID 1988 wrote to memory of 1568	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	95
PID 1988 wrote to memory of 2096	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	96
PID 1988 wrote to memory of 2096	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	96
PID 1988 wrote to memory of 2096	1988	{EF78C706-AA70-473a-986C-C7947E791E4D}.exe	96
PID 1568 wrote to memory of 4400	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	97
PID 1568 wrote to memory of 4400	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	97
PID 1568 wrote to memory of 4400	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	97
PID 1568 wrote to memory of 1260	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	98
PID 1568 wrote to memory of 1260	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	98
PID 1568 wrote to memory of 1260	1568	{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe	98
PID 4400 wrote to memory of 4112	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	99
PID 4400 wrote to memory of 4112	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	99
PID 4400 wrote to memory of 4112	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	99
PID 4400 wrote to memory of 4936	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	100
PID 4400 wrote to memory of 4936	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	100
PID 4400 wrote to memory of 4936	4400	{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe	100
PID 4112 wrote to memory of 4452	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	101
PID 4112 wrote to memory of 4452	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	101
PID 4112 wrote to memory of 4452	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	101
PID 4112 wrote to memory of 2408	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	102
PID 4112 wrote to memory of 2408	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	102
PID 4112 wrote to memory of 2408	4112	{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe	102
PID 4452 wrote to memory of 3136	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	103
PID 4452 wrote to memory of 3136	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	103
PID 4452 wrote to memory of 3136	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	103
PID 4452 wrote to memory of 376	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	104
PID 4452 wrote to memory of 376	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	104
PID 4452 wrote to memory of 376	4452	{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe	104
PID 3136 wrote to memory of 3692	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	105
PID 3136 wrote to memory of 3692	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	105
PID 3136 wrote to memory of 3692	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	105
PID 3136 wrote to memory of 1520	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	106
PID 3136 wrote to memory of 1520	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	106
PID 3136 wrote to memory of 1520	3136	{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe	106
PID 3692 wrote to memory of 3028	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	107
PID 3692 wrote to memory of 3028	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	107
PID 3692 wrote to memory of 3028	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	107
PID 3692 wrote to memory of 2952	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	108
PID 3692 wrote to memory of 2952	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	108
PID 3692 wrote to memory of 2952	3692	{ED62EE70-0C21-4926-803B-D753341E5871}.exe	108
PID 3028 wrote to memory of 1084	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	109
PID 3028 wrote to memory of 1084	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	109
PID 3028 wrote to memory of 1084	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	109
PID 3028 wrote to memory of 968	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	110
PID 3028 wrote to memory of 968	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	110
PID 3028 wrote to memory of 968	3028	{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe	110
PID 1084 wrote to memory of 4076	1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe	111
PID 1084 wrote to memory of 4076	1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe	111
PID 1084 wrote to memory of 4076	1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe	111
PID 1084 wrote to memory of 4604	1084	{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_2bf2ed0a75c7e7e229fadaad83baebae_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
  C:\Windows\{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
    C:\Windows\{EF78C706-AA70-473a-986C-C7947E791E4D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
      C:\Windows\{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
        
        C:\Windows\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
        
        C:\Windows\{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
        
        C:\Windows\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
        
        C:\Windows\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\{ED62EE70-0C21-4926-803B-D753341E5871}.exe
        
        C:\Windows\{ED62EE70-0C21-4926-803B-D753341E5871}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
        
        C:\Windows\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
        
        C:\Windows\{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe
        
        C:\Windows\{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe
        
        C:\Windows\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3507~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5954~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A506~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED62E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{460A2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A2A0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDC6B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{070A0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C32~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF78C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27281~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{070A0E62-7E75-4e7a-B25F-F9F46C2530C8}.exe

Filesize
192KB

MD5
850afa646c3b43b132b2d6774334b996

SHA1
3d313f1f98a7b7a960900acd9c042de2626ac0c9

SHA256
0a51ef913af31b70b1ed67a15d8690872c4f9831923f31483b3eda54bcd01174

SHA512
818860c233781ca060867c61d5f58815511889c8b27ee374c7c0726aad5153d6c0ca6d0510a61663e7bf2da6315588cdee6d06d7f7297a36921adfd9c6f35863

Download Submit
C:\Windows\{1A2A06D0-D19A-4743-9C47-03B1D0C176EC}.exe

Filesize
192KB

MD5
febdae8fd172b55ab5bdc61e57e750c1

SHA1
fd6402cf45d9ff5147768ca3675df28102c303c8

SHA256
77f2823e391ccc8cd017ba88f25925246414a6bd829cffee2af211b6ef407385

SHA512
5beefd769b66181b86df04aac2529e67dabb1ec4f07b7c2f37b321b95f83f1c5307cec01f0ec113faa739c4b39c54113bae7bf5e6fa646036b2c5a119db4804f

Download Submit
C:\Windows\{27281F67-33EB-4836-B477-8ECC3490EFA3}.exe

Filesize
192KB

MD5
6aa6fc0af5e2c812cad758ce91232c83

SHA1
731793049ee8d2a6946bc80e22c6461a6119416b

SHA256
d033cdb755bd83a76196e7698207269d0138efa21654f0d915c1ae70f88e20a0

SHA512
b0c1a9258a2c6eef6159e4f434ee8a40a9e2ac9dd0075e5a4b135ca47e66c8ea6eb570b3139d5cacaae7104c17704a07860d8a5b55eee7e5b2a23c4f1a8ba001

Download Submit
C:\Windows\{460A20A0-8F7C-4ca1-BAAD-387D4A9BA936}.exe

Filesize
192KB

MD5
cca34bc1d05d00f26358981080c706ab

SHA1
98d35e80a68c09dcf62c1ba16a2a6b9de6cd3503

SHA256
03174bcc4200599b95cc9631e60386c91a4a883690dc021a388216c859c0ca6c

SHA512
6b2568fcc6eafeb5600cd35b5c67b3f1f286543dcf5fc713f205bfd7bd2bbdc7250dab826a845c68f786b28023f13e83f52fe8da4aeafac8685bb85bf26072d1

Download Submit
C:\Windows\{53C32080-7F67-42ad-A7BD-339F2117CABF}.exe

Filesize
192KB

MD5
80198c615d149365a521714a20e9ac9a

SHA1
0ce0557eb568963463444d2ab2e7857e95d97a5c

SHA256
b022f01a0f17107f9882b80d20557493357f2e7553dd09003f989085a8eeb813

SHA512
313377a4573c61499120565dea982486a0a721d7603f50485ea011fc3eccf00b5869593fe7128307d70a2b415509836a324603bf29d5ac07aa7436bea17ae88a

Download Submit
C:\Windows\{9A5063CC-DF0C-42d7-8C8D-E877F7244E1C}.exe

Filesize
192KB

MD5
5b53bfdc811f006bfd9cfd36a72de035

SHA1
add80e82b40906c63364f04f337c3a9b437a2e6f

SHA256
abb3fd7c6b6d4d68a137467d99f0b428e787c1c0a23d904b213883646609a130

SHA512
a08dd19734249ac894410f7347bf9cce0623b47a8105deb100b29383a8ad007d91c20e5aef1ac23123a815a5489ac758f35e9cb790861cef7e35e72ebd3c6cc9

Download Submit
C:\Windows\{B3507769-ED5A-437e-B065-9A0C7A43F094}.exe

Filesize
192KB

MD5
5a54bd8c4d9ef47de699d32810994a79

SHA1
69440024804282cafe764f69271eb810d9362069

SHA256
d8f49759b3eff24d172f30b2107cffcaa07543bb594f5943039a3f7f1d0a92fc

SHA512
a2cce517c8c7e0e069925d1f559b5a8469189a6e480b78073eec33130169d4d16f38d24c05097df7a5297201ac6033d2da153d17b35c564cd5a612288641f0f7

Download Submit
C:\Windows\{BDC6BDCE-18F6-4046-8388-A6871968E43F}.exe

Filesize
192KB

MD5
8b8df5c0f7ca088c49a14471a0a3af9a

SHA1
db3980d65847fad93fe172677ca9d93803bf95fb

SHA256
93bb44c6bd6ce786f07c038c571ce9a9ace510c6665b12383d1781f5341d8862

SHA512
037904e77aea82b357040578fc4dc45a90f9fbd86b591f8a47003bd2ad24c86da31e147b6f8983fb116a3d1787fc2700ebeb2a140b4a13a1898035e07dc0b1a1

Download Submit
C:\Windows\{E06EF833-3F7C-41af-B0D8-9EBB230F0E9B}.exe

Filesize
192KB

MD5
f55018aac455c5e75c51c1325b077cae

SHA1
5c076218031ca3dd252cfeba36cbc53035fef252

SHA256
e55938ac01086c1d885c25846b6db86456894c86e323444e663ce94f16699e73

SHA512
7b246cc9af6d7edb9e15712d7bbe624253db96ee0098641b4a667e559d872134bea2d80bcf3f5f3e95c2a37bd054dec635c9934ea4bd4e98076c0fdbb1d6947c

Download Submit
C:\Windows\{E59549C3-2435-4044-8E80-9DA09EAFA568}.exe

Filesize
192KB

MD5
1f1052487c4320fe184c1408193aada7

SHA1
482ced37a246725ace1e496900a27bd4502a93a4

SHA256
b112d27ec5c5b8847097d5fc3801f2a8fdf327b1046ee5bf1f08bf5419735dd3

SHA512
0663f3a3eeba66ac650fe43513303326d26e33b0a1749ab26d568ae1d5825af01f22182d4041b629c34067f061dc458bcd03dc2ac62579f3b0802aca0368edb6

Download Submit
C:\Windows\{ED62EE70-0C21-4926-803B-D753341E5871}.exe

Filesize
192KB

MD5
1c9caf3a66f9272f13fb5094f3c29c59

SHA1
ab648e124685710efb5dc72b34d960a61e4da50f

SHA256
4a66a996f4b1cc24c94eadf1085704601917dd4f933e785d64f1bbcb194f39ac

SHA512
caa723ff3173c01bcfe9e4e14a15ade366559bbeb73311c98599e3dc093d942ac91672725865a66ec126c553f63c9332b94b6fb0dd489b2532ef56576dc6ab5b

Download Submit
C:\Windows\{EF78C706-AA70-473a-986C-C7947E791E4D}.exe

Filesize
192KB

MD5
cc37e37348c083d5b2efcdf74f5d5176

SHA1
ef941e9b0464a01c1afadde4039e946475e5cfca

SHA256
130bbc931875eeb11824ac36dde73cee7924c2aba71c953c3824155c0c9960ff

SHA512
4cc193ea102805069d9775af350de823a6e6a8c7e3678365862f8d43acc33d10b9f10f33d11682de8fdbed6fe7bafe00a5a1da84050df2327ca44521c467b564

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads