b5e9fbca5bdcab701fa432622e34ef8b5c5d8324222fdc97cf981f53f59489e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
Size

344KB
MD5

cb4dbd5c7dde73292365646f690f9805
SHA1

66e64c458f36f6ae3a0e2990dabdcbaa42e181d3
SHA256

b5e9fbca5bdcab701fa432622e34ef8b5c5d8324222fdc97cf981f53f59489e8
SHA512

152dc39650017fee5b6530c0a897ca2d0c4d1807cea09a68b2fe87dd0e9c8aa9139920ff6ac247dc848d0f22050f330567edfc615f46b68435ecf296438a932e
SSDEEP

3072:mEGh0o9lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGzlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0223CD7F-7E34-4351-84C9-598B1BE147C6}\stubpath = "C:\\Windows\\{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe"	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054FB391-0844-4af1-9F8A-D61F90D4A73E}	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054FB391-0844-4af1-9F8A-D61F90D4A73E}\stubpath = "C:\\Windows\\{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe"	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}\stubpath = "C:\\Windows\\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe"	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D57002-245E-466f-89B2-067061BD948A}\stubpath = "C:\\Windows\\{87D57002-245E-466f-89B2-067061BD948A}.exe"	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C45A64FA-778E-4188-B026-FD4A568C9DB6}	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB04F97C-29E2-41ec-8D88-15B181B85A18}	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}\stubpath = "C:\\Windows\\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe"	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0223CD7F-7E34-4351-84C9-598B1BE147C6}	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D385218D-A195-4f45-BE59-832EDF26928B}	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D385218D-A195-4f45-BE59-832EDF26928B}\stubpath = "C:\\Windows\\{D385218D-A195-4f45-BE59-832EDF26928B}.exe"	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C45A64FA-778E-4188-B026-FD4A568C9DB6}\stubpath = "C:\\Windows\\{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe"	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}\stubpath = "C:\\Windows\\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe"	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}\stubpath = "C:\\Windows\\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe"	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9268E76-A40E-41e1-8F5B-22FD774E9686}\stubpath = "C:\\Windows\\{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe"	{87D57002-245E-466f-89B2-067061BD948A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}\stubpath = "C:\\Windows\\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe"	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB04F97C-29E2-41ec-8D88-15B181B85A18}\stubpath = "C:\\Windows\\{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe"	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D57002-245E-466f-89B2-067061BD948A}	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9268E76-A40E-41e1-8F5B-22FD774E9686}	{87D57002-245E-466f-89B2-067061BD948A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
4572	{87D57002-245E-466f-89B2-067061BD948A}.exe
2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
1516	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
2728	{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
File created	C:\Windows\{D385218D-A195-4f45-BE59-832EDF26928B}.exe	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
File created	C:\Windows\{87D57002-245E-466f-89B2-067061BD948A}.exe	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
File created	C:\Windows\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
File created	C:\Windows\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
File created	C:\Windows\{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
File created	C:\Windows\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
File created	C:\Windows\{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
File created	C:\Windows\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
File created	C:\Windows\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
File created	C:\Windows\{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	{87D57002-245E-466f-89B2-067061BD948A}.exe
File created	C:\Windows\{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87D57002-245E-466f-89B2-067061BD948A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe
Token: SeIncBasePriorityPrivilege	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
Token: SeIncBasePriorityPrivilege	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe
Token: SeIncBasePriorityPrivilege	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
Token: SeIncBasePriorityPrivilege	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
Token: SeIncBasePriorityPrivilege	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
Token: SeIncBasePriorityPrivilege	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
Token: SeIncBasePriorityPrivilege	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
Token: SeIncBasePriorityPrivilege	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
Token: SeIncBasePriorityPrivilege	4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
Token: SeIncBasePriorityPrivilege	1516	{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3036	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	91
PID 3004 wrote to memory of 3036	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	91
PID 3004 wrote to memory of 3036	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	91
PID 3004 wrote to memory of 4848	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	92
PID 3004 wrote to memory of 4848	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	92
PID 3004 wrote to memory of 4848	3004	2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe	92
PID 3036 wrote to memory of 5100	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	93
PID 3036 wrote to memory of 5100	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	93
PID 3036 wrote to memory of 5100	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	93
PID 3036 wrote to memory of 1232	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	94
PID 3036 wrote to memory of 1232	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	94
PID 3036 wrote to memory of 1232	3036	{D385218D-A195-4f45-BE59-832EDF26928B}.exe	94
PID 5100 wrote to memory of 4572	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	97
PID 5100 wrote to memory of 4572	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	97
PID 5100 wrote to memory of 4572	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	97
PID 5100 wrote to memory of 1724	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	98
PID 5100 wrote to memory of 1724	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	98
PID 5100 wrote to memory of 1724	5100	{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe	98
PID 4572 wrote to memory of 2960	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	99
PID 4572 wrote to memory of 2960	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	99
PID 4572 wrote to memory of 2960	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	99
PID 4572 wrote to memory of 1628	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	100
PID 4572 wrote to memory of 1628	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	100
PID 4572 wrote to memory of 1628	4572	{87D57002-245E-466f-89B2-067061BD948A}.exe	100
PID 2960 wrote to memory of 1952	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	101
PID 2960 wrote to memory of 1952	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	101
PID 2960 wrote to memory of 1952	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	101
PID 2960 wrote to memory of 4516	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	102
PID 2960 wrote to memory of 4516	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	102
PID 2960 wrote to memory of 4516	2960	{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe	102
PID 1952 wrote to memory of 3624	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	103
PID 1952 wrote to memory of 3624	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	103
PID 1952 wrote to memory of 3624	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	103
PID 1952 wrote to memory of 1372	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	104
PID 1952 wrote to memory of 1372	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	104
PID 1952 wrote to memory of 1372	1952	{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe	104
PID 3624 wrote to memory of 212	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	105
PID 3624 wrote to memory of 212	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	105
PID 3624 wrote to memory of 212	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	105
PID 3624 wrote to memory of 3396	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	106
PID 3624 wrote to memory of 3396	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	106
PID 3624 wrote to memory of 3396	3624	{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe	106
PID 212 wrote to memory of 2500	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	107
PID 212 wrote to memory of 2500	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	107
PID 212 wrote to memory of 2500	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	107
PID 212 wrote to memory of 2092	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	108
PID 212 wrote to memory of 2092	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	108
PID 212 wrote to memory of 2092	212	{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe	108
PID 2500 wrote to memory of 1796	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	109
PID 2500 wrote to memory of 1796	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	109
PID 2500 wrote to memory of 1796	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	109
PID 2500 wrote to memory of 1832	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	110
PID 2500 wrote to memory of 1832	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	110
PID 2500 wrote to memory of 1832	2500	{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe	110
PID 1796 wrote to memory of 4212	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	111
PID 1796 wrote to memory of 4212	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	111
PID 1796 wrote to memory of 4212	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	111
PID 1796 wrote to memory of 3484	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	112
PID 1796 wrote to memory of 3484	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	112
PID 1796 wrote to memory of 3484	1796	{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe	112
PID 4212 wrote to memory of 1516	4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe	113
PID 4212 wrote to memory of 1516	4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe	113
PID 4212 wrote to memory of 1516	4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe	113
PID 4212 wrote to memory of 4428	4212	{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_cb4dbd5c7dde73292365646f690f9805_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\{D385218D-A195-4f45-BE59-832EDF26928B}.exe
  C:\Windows\{D385218D-A195-4f45-BE59-832EDF26928B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
    C:\Windows\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\{87D57002-245E-466f-89B2-067061BD948A}.exe
      C:\Windows\{87D57002-245E-466f-89B2-067061BD948A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
        
        C:\Windows\{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
        
        C:\Windows\{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
        
        C:\Windows\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
        
        C:\Windows\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
        
        C:\Windows\{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
        
        C:\Windows\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
        
        C:\Windows\{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
        
        C:\Windows\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe
        
        C:\Windows\{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2E74~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{054FB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB8DC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0223C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB94~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6DFB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C45A6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9268~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D57~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCDD0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3852~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0223CD7F-7E34-4351-84C9-598B1BE147C6}.exe

Filesize
344KB

MD5
82716f14948ecacb9ba241f2c10871f4

SHA1
645ac454ca7e189c1a60be49b6f8d4493bd59534

SHA256
66b096fb16f676f2a767cf80328f8eaac3d0b7e9c8fc572cc40de1e84046ae57

SHA512
d90859e407ef2fe174cb1872233d8329003406c4ed32ab03e7a40908fd5ad0b8f3ffb7019d9550ae0d85f56980204566ec48151e7aab32b730d14142bbfef719

Download Submit
C:\Windows\{054FB391-0844-4af1-9F8A-D61F90D4A73E}.exe

Filesize
344KB

MD5
80d06854a92b6730525a28c1779d328e

SHA1
e1d7459ec772289f40273b9be071c884f5507a7e

SHA256
3d72cc3f254c06dca41b052092ddb403eab8060dd7a0132e07bc60ca935df233

SHA512
d933e44ab9b9cb9aa1639e1abefb4be41a1a9eee6a7e55d871b92050f95379ccb8e3078c393bd57c428890c88ef0ad8705ea9cff6e2b9f0148b7d292a729a51c

Download Submit
C:\Windows\{87D57002-245E-466f-89B2-067061BD948A}.exe

Filesize
344KB

MD5
7510dba8d4642f699ff5b433af9e82ed

SHA1
e044f7739bf1c43f99362e5691b5d79c65accf58

SHA256
e820cd70441ac427300de74c5c8149bad1fc768e6989f1a72232c635d5872065

SHA512
1531ae58f0c4e62e04af2cafbc4dfaf78459dc3f51e8f24cf2b14c565924b1ca46146ab16ab808538c55b066b434cc45971e7f06aa2d6af167560e7c35f5ab4c

Download Submit
C:\Windows\{A2E74A56-7AC8-439f-8E69-CF37629F77C9}.exe

Filesize
344KB

MD5
a9fbf46954d07824b597abcdfbf17169

SHA1
d13fbff1e8d185e3b09db556e5fc8d7a50a38fe2

SHA256
049df8f15f344faf59a190b9708a3264c37353c6847d79b694b98e68a12f0f98

SHA512
ddd1f9e919c8e75521fc197ce74ed2ea473b306be6494f5c2e724a37fceb0383e65e08f3e97c8072bfc8848aaa5ff10e181e2ff9bb504a5dc6b2d74c541b3c4d

Download Submit
C:\Windows\{BDB94ABA-4DBF-48e8-B7B7-C611B630381A}.exe

Filesize
344KB

MD5
29c4c116e74d82b4d5ded038e92ae6f7

SHA1
cebc87e72160a4994334b08aa9ed89045608452a

SHA256
72ba5d6209406de63961e21ca59594ea0dccc630a61e0340251a99ab6f54a84a

SHA512
81499bc49b49e131b36245bcf6e8d32ab13ec01953d9b2c9ba47758ae6dd1f8e629471b56fbcbc6f107c9eaf893f62f1340247fde4c32ddecfc5616371d3c775

Download Submit
C:\Windows\{C45A64FA-778E-4188-B026-FD4A568C9DB6}.exe

Filesize
344KB

MD5
8cc5f1799e09f8075856adc4f117dda8

SHA1
ac77c5b551a3d43dd46f6e4e8b695f6b46a6dbe7

SHA256
c1ab30d2f12d0c6e8067083fcee61385134da0540e2a01c9ad79afdb3f072fa9

SHA512
868a4637dc1edf7788a8f75a0ac202814e32b77a7f57827ac6d8eaefd98ea75191ff6929c6604998ce9f04ead486d023da651b81b5a208d280a0cfc42deb0333

Download Submit
C:\Windows\{D385218D-A195-4f45-BE59-832EDF26928B}.exe

Filesize
344KB

MD5
57eecdec8c31f3f36ae28531735ca04c

SHA1
436b1ece4bc86ddd9e1777a48c8f8e5d883c0280

SHA256
2e11384ccf3f172344ed015bf2b09770a3e77a4009ad896dd9e9118be17d4563

SHA512
e6d9b83d96d9c8b25bef020098d11bd0484271f1e7f197413bad80a61d46b03c1079e6f9542f1be2c6237bfc23a442e4309b438a3c73ec714ebaf1d5e979b3fd

Download Submit
C:\Windows\{D9268E76-A40E-41e1-8F5B-22FD774E9686}.exe

Filesize
344KB

MD5
4337cae43765e1640217071cf3a39cb9

SHA1
3fdd8685405d6ab575683b2f71307d39938a501e

SHA256
0595b4a69ec4afa24d5e919aacb617ce536da46f40e54ba8001bcf8ba5d969ec

SHA512
175ace2363a690f051f4e2058f807f3cf0890f95ef308555709e3943bdf2073340c4c2d6cf9701b11fe87bb37da92eb0ddb45e8a89e3f93ad6887a857378f2a9

Download Submit
C:\Windows\{DCDD0226-C3ED-43ab-9636-D53A38A4DABD}.exe

Filesize
344KB

MD5
314789fce88c7d5956f45d70e4345f22

SHA1
79b73a8bc80b9f263f3d99d4cc19e20db09391e8

SHA256
0fb11051164a0cd1f2538374ad4ee63060a0cce86892377d2677eed699ffd088

SHA512
7ec3f42720353bd4c07ee0ee57b02b57814ec6c4758f21b0db03cba1d706ad3ebf49bd60d01f32c38a20d89ef1a2a6bc0903bc15a91a2250b55a60940e44b7fd

Download Submit
C:\Windows\{E6DFBB35-9292-431f-96D7-CE52DB94F8B0}.exe

Filesize
344KB

MD5
cf0e8663dc3619813ac1155e1c286dc3

SHA1
5881d4452197a22ad0bd2dfb2d7657a5bff611fc

SHA256
f91ca8489fa25a4a7ce5dc52049f8f98033552c245233969a773ee44acb3d1f0

SHA512
a86fd9384466d26707ac4cd8d264325442e160ec5dfecbca1cf1b0059d9b2caa5025860d2e9911a0ce00f4c531aefbbdfdde9e6864465401934f5720943e19d5

Download Submit
C:\Windows\{FB04F97C-29E2-41ec-8D88-15B181B85A18}.exe

Filesize
344KB

MD5
a7f0f3cfaf89f502a3f677e82eb58849

SHA1
7ba4bbbab4710b9f16ba6111d7651fcf02cdfc7b

SHA256
eae8e61d53bd50ce1c4b6b9b52c69e08b2214d5136efd71335717c937208c419

SHA512
fbd26dfbd4dd4625006db11dd62ca5e816a9e4be4d1f40b5c720394f384ea634a0c23e505ec28189826645839368016f8ccc786cc6a0bf157c8f8e7e8b882048

Download Submit
C:\Windows\{FB8DC77C-0169-4dd6-88E6-0F7ACA7E923C}.exe

Filesize
344KB

MD5
3ebbd3005c89b3583616601a3c4f865d

SHA1
2880bf5c42bfcab52be82fe94a6009fd95311b56

SHA256
dfb70222f75fc206ed5d1cc2beb8001f0795256f106be6efcdfdc7f645ba4693

SHA512
4148760711f1cca71451ef5c51f5e8a9b4546aa45057e8371ef4b9e063c3f610c8830f345338d6c880544f1920c6fbfeb71dfaafd3ec6da7cc00c0c6bcce6812

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads