14e031b1a4b7fd8510480e46bede6bbfe28a2ddc1282785cc93b6b64a6810e24

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Size

197KB
MD5

bbd5d45c77fd78e13c3074a7b77110a6
SHA1

750dd497fd97824c34327b493b44e4e9092e2316
SHA256

14e031b1a4b7fd8510480e46bede6bbfe28a2ddc1282785cc93b6b64a6810e24
SHA512

5486393646c2ae5d13fb78679a4d3e343bb34b0861077e0b324ea8d99749f32fa557c90f81cbee7eb124733f9f0a838b51a87b9898676e0bf36945a09aeae913
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGMlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0509E077-5C1C-4c14-9C48-B54B73BB5262}	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}\stubpath = "C:\\Windows\\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe"	{E2282648-98D0-4855-A33C-64932E968D69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}\stubpath = "C:\\Windows\\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe"	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C602F0-B986-4ade-B84B-13305835809E}	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79C602F0-B986-4ade-B84B-13305835809E}\stubpath = "C:\\Windows\\{79C602F0-B986-4ade-B84B-13305835809E}.exe"	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}	{E2282648-98D0-4855-A33C-64932E968D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}\stubpath = "C:\\Windows\\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe"	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69F17FE-1E19-4057-B444-0671A7514A3C}	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}\stubpath = "C:\\Windows\\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe"	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2282648-98D0-4855-A33C-64932E968D69}	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2282648-98D0-4855-A33C-64932E968D69}\stubpath = "C:\\Windows\\{E2282648-98D0-4855-A33C-64932E968D69}.exe"	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A33CE77-C038-408f-B069-E61E819DCED2}	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A33CE77-C038-408f-B069-E61E819DCED2}\stubpath = "C:\\Windows\\{1A33CE77-C038-408f-B069-E61E819DCED2}.exe"	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07362C8-488A-4086-A504-DC8CBC9A8363}	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D07362C8-488A-4086-A504-DC8CBC9A8363}\stubpath = "C:\\Windows\\{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe"	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}\stubpath = "C:\\Windows\\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe"	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE662397-BF37-4fcd-AA46-725A02EB506C}	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E69F17FE-1E19-4057-B444-0671A7514A3C}\stubpath = "C:\\Windows\\{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe"	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0509E077-5C1C-4c14-9C48-B54B73BB5262}\stubpath = "C:\\Windows\\{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe"	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE662397-BF37-4fcd-AA46-725A02EB506C}\stubpath = "C:\\Windows\\{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe"	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe
2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
1888	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
2548	{79C602F0-B986-4ade-B84B-13305835809E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E2282648-98D0-4855-A33C-64932E968D69}.exe	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
File created	C:\Windows\{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
File created	C:\Windows\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
File created	C:\Windows\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
File created	C:\Windows\{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
File created	C:\Windows\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	{E2282648-98D0-4855-A33C-64932E968D69}.exe
File created	C:\Windows\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
File created	C:\Windows\{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
File created	C:\Windows\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
File created	C:\Windows\{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
File created	C:\Windows\{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
File created	C:\Windows\{79C602F0-B986-4ade-B84B-13305835809E}.exe	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2282648-98D0-4855-A33C-64932E968D69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79C602F0-B986-4ade-B84B-13305835809E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
Token: SeIncBasePriorityPrivilege	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe
Token: SeIncBasePriorityPrivilege	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
Token: SeIncBasePriorityPrivilege	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
Token: SeIncBasePriorityPrivilege	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
Token: SeIncBasePriorityPrivilege	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
Token: SeIncBasePriorityPrivilege	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
Token: SeIncBasePriorityPrivilege	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
Token: SeIncBasePriorityPrivilege	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
Token: SeIncBasePriorityPrivilege	3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
Token: SeIncBasePriorityPrivilege	1888	{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1344	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	89
PID 2292 wrote to memory of 1344	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	89
PID 2292 wrote to memory of 1344	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	89
PID 2292 wrote to memory of 5064	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	90
PID 2292 wrote to memory of 5064	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	90
PID 2292 wrote to memory of 5064	2292	2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe	90
PID 1344 wrote to memory of 1396	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	91
PID 1344 wrote to memory of 1396	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	91
PID 1344 wrote to memory of 1396	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	91
PID 1344 wrote to memory of 4540	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	92
PID 1344 wrote to memory of 4540	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	92
PID 1344 wrote to memory of 4540	1344	{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe	92
PID 1396 wrote to memory of 2044	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	95
PID 1396 wrote to memory of 2044	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	95
PID 1396 wrote to memory of 2044	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	95
PID 1396 wrote to memory of 404	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	96
PID 1396 wrote to memory of 404	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	96
PID 1396 wrote to memory of 404	1396	{E2282648-98D0-4855-A33C-64932E968D69}.exe	96
PID 2044 wrote to memory of 4880	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	97
PID 2044 wrote to memory of 4880	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	97
PID 2044 wrote to memory of 4880	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	97
PID 2044 wrote to memory of 4520	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	98
PID 2044 wrote to memory of 4520	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	98
PID 2044 wrote to memory of 4520	2044	{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe	98
PID 4880 wrote to memory of 1056	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	99
PID 4880 wrote to memory of 1056	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	99
PID 4880 wrote to memory of 1056	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	99
PID 4880 wrote to memory of 408	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	100
PID 4880 wrote to memory of 408	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	100
PID 4880 wrote to memory of 408	4880	{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe	100
PID 1056 wrote to memory of 2464	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	101
PID 1056 wrote to memory of 2464	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	101
PID 1056 wrote to memory of 2464	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	101
PID 1056 wrote to memory of 3140	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	102
PID 1056 wrote to memory of 3140	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	102
PID 1056 wrote to memory of 3140	1056	{1A33CE77-C038-408f-B069-E61E819DCED2}.exe	102
PID 2464 wrote to memory of 1356	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	103
PID 2464 wrote to memory of 1356	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	103
PID 2464 wrote to memory of 1356	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	103
PID 2464 wrote to memory of 2996	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	104
PID 2464 wrote to memory of 2996	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	104
PID 2464 wrote to memory of 2996	2464	{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe	104
PID 1356 wrote to memory of 2736	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	105
PID 1356 wrote to memory of 2736	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	105
PID 1356 wrote to memory of 2736	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	105
PID 1356 wrote to memory of 1940	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	106
PID 1356 wrote to memory of 1940	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	106
PID 1356 wrote to memory of 1940	1356	{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe	106
PID 2736 wrote to memory of 4592	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	107
PID 2736 wrote to memory of 4592	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	107
PID 2736 wrote to memory of 4592	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	107
PID 2736 wrote to memory of 5084	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	108
PID 2736 wrote to memory of 5084	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	108
PID 2736 wrote to memory of 5084	2736	{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe	108
PID 4592 wrote to memory of 3640	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	109
PID 4592 wrote to memory of 3640	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	109
PID 4592 wrote to memory of 3640	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	109
PID 4592 wrote to memory of 4272	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	110
PID 4592 wrote to memory of 4272	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	110
PID 4592 wrote to memory of 4272	4592	{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe	110
PID 3640 wrote to memory of 1888	3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe	111
PID 3640 wrote to memory of 1888	3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe	111
PID 3640 wrote to memory of 1888	3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe	111
PID 3640 wrote to memory of 4836	3640	{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_bbd5d45c77fd78e13c3074a7b77110a6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
  C:\Windows\{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\{E2282648-98D0-4855-A33C-64932E968D69}.exe
    C:\Windows\{E2282648-98D0-4855-A33C-64932E968D69}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
      C:\Windows\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
        
        C:\Windows\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
        
        C:\Windows\{1A33CE77-C038-408f-B069-E61E819DCED2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
        
        C:\Windows\{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
        
        C:\Windows\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
        
        C:\Windows\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
        
        C:\Windows\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
        
        C:\Windows\{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
        
        C:\Windows\{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\{79C602F0-B986-4ade-B84B-13305835809E}.exe
        
        C:\Windows\{79C602F0-B986-4ade-B84B-13305835809E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E69F1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE662~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D283~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB63~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C4B1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0736~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A33C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07D2D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{853A5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E2282~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0509E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0509E077-5C1C-4c14-9C48-B54B73BB5262}.exe

Filesize
197KB

MD5
08a1e768122c32e2f887171c0f9c7856

SHA1
654276cc7f3a3f08bf064af83accf610dc194604

SHA256
a81c7f4db2a7143dd46012aab4d155f39f5b5dc248feed161bdf09ff5727d751

SHA512
db5b987e833a5ce18188a881321c3e456b0a187cd1c7009f3e83a4c2bef56cc8e1b58dbd568ebc376c831338151b3f15d45a5c8be0b80ad5b43576a5b69eb846

Download Submit
C:\Windows\{07D2D4E7-D08D-49fd-88D6-06EC61499E81}.exe

Filesize
197KB

MD5
e7830a389263ac1b39b639a90ab156ed

SHA1
6b5d14597946163da06d864754df6c108c400041

SHA256
eb0f3ca853c19dd0ca4975255f736a3b784563a9830f45c02aef9ac3391ecee2

SHA512
2e0c69269d43c619c54ede3de819f4f3860387f9f4a5c5a1a1623a6d4cb1babeaf79cd1ef56415ad550a1d5a209d97d9df127dad23be8081910c0ae3392310de

Download Submit
C:\Windows\{0AB63DFA-C5BF-4a12-9DC0-2768CBBCB0B3}.exe

Filesize
197KB

MD5
d93589cd0523f861246b375a73ac79a7

SHA1
d44c45cfaf071eb7e8c37e3a3c4dad21dcaaefb2

SHA256
03e189ae93863928b2ae334bdb29369de4649eb25a13050febbb0ec07f6384ef

SHA512
d4ab2a5cb6ebbabc441abf888f8597eabba6177894b7df7f8b2df0b566522e5b12367d4afad50808129c8bb75185151203480f266f725bed61b0c98c5d77383d

Download Submit
C:\Windows\{1A33CE77-C038-408f-B069-E61E819DCED2}.exe

Filesize
197KB

MD5
1660e9de545df5f5af8abd76705db453

SHA1
8ac29967ef583c42bf508da989006d80d81dce48

SHA256
a6ae2be10ed93218179a7ee6f9168d3b2e10187d7fb67afb4bace0a8a3ab3838

SHA512
a8795837f4a010e3b367d851cd644cbcef4c384ec9fd3a8d49769540358a864056d56fcba814993fbb7a4394e0b7ad6db548563e8e69e552895d57d3427985a8

Download Submit
C:\Windows\{4D2839DC-72F6-48ed-BE0C-8569BE8D26D5}.exe

Filesize
197KB

MD5
ea76e7045eedb34e75ef423b47e33b70

SHA1
b0d86fb41ff48686012da72cb51ab6344024ea48

SHA256
f8bbb2968825547b5b7b7b5d1ac24df6a01815e14105ae8576164e0a81894c76

SHA512
fe01f0d06b5ec87579f4c16944b3b5a9254a5ce26f07477d4eee5188db369f2db32623592e113c5772dc0f2e4e598197f33ce93d9665b1a642b4fbc1855ac8ac

Download Submit
C:\Windows\{79C602F0-B986-4ade-B84B-13305835809E}.exe

Filesize
197KB

MD5
8b4bc99d7fdd6cfb30bc5e452e714579

SHA1
32fa2686e33ef44b025afa5df15c562e4d88ab57

SHA256
1612de69391fb1a68acd926c58a2946c9d05285990518cf9755a995cfe933f87

SHA512
0b906efc1d14a577f74d97ba568957f0e2516766f063e87bcac6cf36232f261cb2784d6c7dd409dd3b1de255bd863f464cd473939191e5efb322112c26579794

Download Submit
C:\Windows\{853A55D2-F643-412f-B6CC-175D4E4B3BF1}.exe

Filesize
197KB

MD5
534fa5f9688bb0c039f8cbe18b766e56

SHA1
2f4aae416179a0f39c9b9890d217231fb172bff8

SHA256
994ce9d7e9f857635489ac7b2b2132c969da35a179939a3df7410d71ee7afd13

SHA512
649a96d321201a6927e9788b242574b287bb46c0b5876ede11c154f96f6d80d403dfc54a2b4c8020f258422a3dfa44bfdde417578e51c61434825a0279e28322

Download Submit
C:\Windows\{8C4B1D6E-CCC6-4739-9B2D-AD4CD4EFCF6D}.exe

Filesize
197KB

MD5
546e68d21b011093c9a96f1e629043a2

SHA1
1a49069c747700260edadfe0e11c5c869806bde7

SHA256
2ca032cd256371cd96c537f14dd994cc15bb27ef789e190f1afdbcd972d7e03a

SHA512
ba947b131456e68d3327597e47a791e929ee80c4a76dc6dc20d1618e379cfcc0c98733e6c4cbe563b5e87ab2d1f8f46ec48a3507cd89bcf4f0d4427c96e7601d

Download Submit
C:\Windows\{CE662397-BF37-4fcd-AA46-725A02EB506C}.exe

Filesize
197KB

MD5
71fc1379bad4dd954cb3e09a3b8f067b

SHA1
a305351d91f268364b40e067689ca36880a62594

SHA256
f53021330c68fc4aebf0b253ac6f28ae64a1e6e07ec67c748fc427a50688bd43

SHA512
8410d1fd6310d321683ac82141740f724c4f14b8f4194fae7c99d52ff7197c40c3bc0fece1c6c6ab2348f4ca781d7fd434c82f3e5bae0c32df35b456402d2399

Download Submit
C:\Windows\{D07362C8-488A-4086-A504-DC8CBC9A8363}.exe

Filesize
197KB

MD5
cd5245910d574a6210d58988e136b72d

SHA1
60034978b9aff9767502b63c79afbd22086eee92

SHA256
3b269466377754bbf0968b63ba142887270589888270f08d2c6e5c62bc3e342c

SHA512
e49380155917907db66eb8b56e7f7bbc99e6a21535cbf87f9add3b751f6cbb2d3360d177c36ba9ef26b8d1651697c36089138b57f66ee76b2073dce189adb08c

Download Submit
C:\Windows\{E2282648-98D0-4855-A33C-64932E968D69}.exe

Filesize
197KB

MD5
b9463500d7410c8683ecfedb645e2bda

SHA1
8d5ab2574ae232611fc7f2240eb14b0031b12308

SHA256
b8ae4190512de51d2e6e9fefb1c53eba7acf3904f4248636e6ed9ff8c9e457a9

SHA512
e354779951a669b600c1362885e922930929e7b817b97e2c6c368430bee89e987a2ff02e7a6fad2b0977ce9d57a31e261cc1abd66b51809836728ca6a201e252

Download Submit
C:\Windows\{E69F17FE-1E19-4057-B444-0671A7514A3C}.exe

Filesize
197KB

MD5
79feb8b3156d9d1d59d3d50d40af990a

SHA1
86472c384d90195ac12302d7bad38241f8bac9c1

SHA256
5b3be77bb24c6662ff8de1de139c0d9942acdd5e77218c420f4512bf882e865b

SHA512
3f5ca34ccb51674e236ea27529b942b6ea7003fd2fc785f92ab1304fcfed16e5afd86eb1c75fe77306b46aa411bac0971c107b2463e9a6659ae1dc4390a815d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads