373ab475e1f0754f412f6454704be63ab90713823b40c17373c36886b789dc0f

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Size

197KB
MD5

d6db1960a12e825d74675e71f9fcff5e
SHA1

756bb2e04cbfb3cdb7b52595361800f17d631583
SHA256

373ab475e1f0754f412f6454704be63ab90713823b40c17373c36886b789dc0f
SHA512

ae2847330ad3163e4a648b1252d69bce845bd4426fccb0d7b7795f22622a2faabe20883393df5d21de6010f96939aa7c7587c028fc28335f120db8f0aa28e6a5
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGvlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0904BA5-C903-4bee-A7EC-C685F04A8151}\stubpath = "C:\\Windows\\{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe"	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}\stubpath = "C:\\Windows\\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe"	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD09711F-5251-48e4-97DD-6464291EA68F}	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51975ED-945B-4622-B4EA-77A3720DEA6D}\stubpath = "C:\\Windows\\{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe"	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}\stubpath = "C:\\Windows\\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe"	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6598ACC-7502-4373-8D2F-FD3346148BE5}\stubpath = "C:\\Windows\\{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe"	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}\stubpath = "C:\\Windows\\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe"	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2C28C3-C577-4307-A101-1E7E59A3C446}	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6598ACC-7502-4373-8D2F-FD3346148BE5}	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}\stubpath = "C:\\Windows\\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe"	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0904BA5-C903-4bee-A7EC-C685F04A8151}	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}\stubpath = "C:\\Windows\\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe"	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}\stubpath = "C:\\Windows\\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe"	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A2C28C3-C577-4307-A101-1E7E59A3C446}\stubpath = "C:\\Windows\\{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe"	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}\stubpath = "C:\\Windows\\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe"	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD09711F-5251-48e4-97DD-6464291EA68F}\stubpath = "C:\\Windows\\{AD09711F-5251-48e4-97DD-6464291EA68F}.exe"	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51975ED-945B-4622-B4EA-77A3720DEA6D}	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
2644	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
1652	{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
File created	C:\Windows\{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
File created	C:\Windows\{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
File created	C:\Windows\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
File created	C:\Windows\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
File created	C:\Windows\{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
File created	C:\Windows\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
File created	C:\Windows\{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
File created	C:\Windows\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
File created	C:\Windows\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
File created	C:\Windows\{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
File created	C:\Windows\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
Token: SeIncBasePriorityPrivilege	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
Token: SeIncBasePriorityPrivilege	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
Token: SeIncBasePriorityPrivilege	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
Token: SeIncBasePriorityPrivilege	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
Token: SeIncBasePriorityPrivilege	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
Token: SeIncBasePriorityPrivilege	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
Token: SeIncBasePriorityPrivilege	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
Token: SeIncBasePriorityPrivilege	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
Token: SeIncBasePriorityPrivilege	3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
Token: SeIncBasePriorityPrivilege	2644	{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 3000	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	89
PID 4180 wrote to memory of 3000	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	89
PID 4180 wrote to memory of 3000	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	89
PID 4180 wrote to memory of 4388	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	90
PID 4180 wrote to memory of 4388	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	90
PID 4180 wrote to memory of 4388	4180	2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe	90
PID 3000 wrote to memory of 3480	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	91
PID 3000 wrote to memory of 3480	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	91
PID 3000 wrote to memory of 3480	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	91
PID 3000 wrote to memory of 2544	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	92
PID 3000 wrote to memory of 2544	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	92
PID 3000 wrote to memory of 2544	3000	{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe	92
PID 3480 wrote to memory of 2648	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	95
PID 3480 wrote to memory of 2648	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	95
PID 3480 wrote to memory of 2648	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	95
PID 3480 wrote to memory of 1448	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	96
PID 3480 wrote to memory of 1448	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	96
PID 3480 wrote to memory of 1448	3480	{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe	96
PID 2648 wrote to memory of 3996	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	97
PID 2648 wrote to memory of 3996	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	97
PID 2648 wrote to memory of 3996	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	97
PID 2648 wrote to memory of 3448	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	98
PID 2648 wrote to memory of 3448	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	98
PID 2648 wrote to memory of 3448	2648	{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe	98
PID 3996 wrote to memory of 3160	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	99
PID 3996 wrote to memory of 3160	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	99
PID 3996 wrote to memory of 3160	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	99
PID 3996 wrote to memory of 1836	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	100
PID 3996 wrote to memory of 1836	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	100
PID 3996 wrote to memory of 1836	3996	{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe	100
PID 3160 wrote to memory of 2936	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	101
PID 3160 wrote to memory of 2936	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	101
PID 3160 wrote to memory of 2936	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	101
PID 3160 wrote to memory of 928	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	102
PID 3160 wrote to memory of 928	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	102
PID 3160 wrote to memory of 928	3160	{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe	102
PID 2936 wrote to memory of 228	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	103
PID 2936 wrote to memory of 228	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	103
PID 2936 wrote to memory of 228	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	103
PID 2936 wrote to memory of 4588	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	104
PID 2936 wrote to memory of 4588	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	104
PID 2936 wrote to memory of 4588	2936	{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe	104
PID 228 wrote to memory of 4288	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	105
PID 228 wrote to memory of 4288	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	105
PID 228 wrote to memory of 4288	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	105
PID 228 wrote to memory of 3476	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	106
PID 228 wrote to memory of 3476	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	106
PID 228 wrote to memory of 3476	228	{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe	106
PID 4288 wrote to memory of 1636	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	107
PID 4288 wrote to memory of 1636	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	107
PID 4288 wrote to memory of 1636	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	107
PID 4288 wrote to memory of 4420	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	108
PID 4288 wrote to memory of 4420	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	108
PID 4288 wrote to memory of 4420	4288	{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe	108
PID 1636 wrote to memory of 3952	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	109
PID 1636 wrote to memory of 3952	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	109
PID 1636 wrote to memory of 3952	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	109
PID 1636 wrote to memory of 4192	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	110
PID 1636 wrote to memory of 4192	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	110
PID 1636 wrote to memory of 4192	1636	{AD09711F-5251-48e4-97DD-6464291EA68F}.exe	110
PID 3952 wrote to memory of 2644	3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe	111
PID 3952 wrote to memory of 2644	3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe	111
PID 3952 wrote to memory of 2644	3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe	111
PID 3952 wrote to memory of 3140	3952	{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_d6db1960a12e825d74675e71f9fcff5e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
  C:\Windows\{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
    C:\Windows\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
      C:\Windows\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
        
        C:\Windows\{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Windows\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
        
        C:\Windows\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
        
        C:\Windows\{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
        
        C:\Windows\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
        
        C:\Windows\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
        
        C:\Windows\{AD09711F-5251-48e4-97DD-6464291EA68F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
        
        C:\Windows\{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
        
        C:\Windows\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe
        
        C:\Windows\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E007C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5197~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD097~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CECE8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72B78~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A2C2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C345~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0904~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03247~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC4E6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6598~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03247A48-53BE-4f9d-B3F4-DFD3DBD5B81D}.exe

Filesize
197KB

MD5
192fc1ee0cbf8e17b5193f36787f70be

SHA1
288908ebeb14fdb299817ce03afad471652ad9e1

SHA256
6ddbc1f5df526885f3a8b56942489bd0cfd7f90e37debc706db0b45e3585686c

SHA512
8263a64cbc654dd48295f28fc0234e6588d8be4f977352d8e37eadd3f58f821e1a71fb5ae7638981be6a002baea40dbd5ec70152d88d976bf66b0f0e9514c18a

Download Submit
C:\Windows\{0A2C28C3-C577-4307-A101-1E7E59A3C446}.exe

Filesize
197KB

MD5
6a13cf85dd4c18e2c2db12130a1cb30a

SHA1
e669047ea95c901ce375439c0698d0738c8fc621

SHA256
ad63ce1115b31b23afb050e67e43f4d5223e39a628f815db12b81300edd77e83

SHA512
fbf587111e60998b09a4d41ed12a15ff2c81b029a2041e6828e67f9d2f3653b078751c4b3adbf9bc0c1872e872b21b8e8429f6dde360593e7c409dc1f97a5142

Download Submit
C:\Windows\{4C3452E6-D5B9-4f80-A4FB-6FEA14084CA3}.exe

Filesize
197KB

MD5
96eddbc6d2f47c0aa82dbb5e6671aea2

SHA1
5445b94206fca69df0e02d3d193b652d4fbfad10

SHA256
b6c5eba441602c777ba794c1387abd2a60c2205f5f5c87d6c86be7537463aaf3

SHA512
27b4c3d11dd4f1f3c765455e25fab21ab212283434df3a79033da451274ed722daee829b531c6c0cf959044bf4c14888b438a9ec49a837686673fa56d593bc11

Download Submit
C:\Windows\{59D78DFC-D33F-45c5-9AD2-434D91A200EF}.exe

Filesize
197KB

MD5
555b64e0af759b0697108c2255bd1fc6

SHA1
49de145637677bc8df65add144e98b524606427c

SHA256
1b6bd35ff0300b00c0e5ca815b55aeb4f2d997bd1cfcdd82c3971a87e43f7664

SHA512
545ae68e0c063daa61f09c1070ee0eb506b3d6fed805de7da2493f9bd898b69d364cf8b859c2ad5bb29abe9e88d8c5b3acbbe2f846201f97063459662211e60c

Download Submit
C:\Windows\{72B7811B-C95D-4295-B6CE-7049DCB89CF6}.exe

Filesize
197KB

MD5
00daadb17b6ec9ecda468965367373f1

SHA1
cacc19c8739d067006de8c719fb9b8c07ffe97c5

SHA256
b6aec6ccdc4672730d010cd0a308767642bb0f6732422d8d780bf6353cd5dc8c

SHA512
a3a46b17b2f48da034631794360ed28872d8b69de01b17c116168a549b734a461f6a18ffa350eb75af47405925f8357ca118de8525421d7936934afb6b6d5e61

Download Submit
C:\Windows\{A6598ACC-7502-4373-8D2F-FD3346148BE5}.exe

Filesize
197KB

MD5
e6b111c933d0330895737f7b6b6d36ba

SHA1
87b03c3afb0b51dd6c24e29ca7d7c3866b9ec785

SHA256
a5ef1cf307e4a3382b663bdbc1fbd20abde408ca3bbe829f477c47a5e4b0b1f3

SHA512
dd4d587aab9261ced8f53904cd776087ee7189d310d94737b43a6a242ba7d5a4ec4b92fbb755ffd50065079580d6c552f0d09a333bef87b49a48dec798997911

Download Submit
C:\Windows\{AD09711F-5251-48e4-97DD-6464291EA68F}.exe

Filesize
197KB

MD5
b3f3f4de260a032bedce597ce83ce3e9

SHA1
d73a78ff49b0d1901926f68c86d28623f2c4c7fc

SHA256
15e3dd6eed1cc2125e38a5e06698a101bcd1e7cdd976cff042b440e85ba92e1e

SHA512
01ad00180d8d7ee77f83ba44fe21000c30f05c5bf29ebbe68eaf161ef3e558fdcd4f12fd9b5093b5f6935fcc70bfc3e08b28c63844b61f45453598beb91290ba

Download Submit
C:\Windows\{C0904BA5-C903-4bee-A7EC-C685F04A8151}.exe

Filesize
197KB

MD5
7d30db3634e677eaf2c20c50222881cc

SHA1
25d26011b280ba97cf6165558cb764a7f355b8d6

SHA256
113c22ce3f84650a30c06b7640dc044da4314705a3a05b79a44c3166535dac9e

SHA512
d62f0227dd9e2bec73498df4dc7b79ee2aa55e7aea5e88b37f490dfccc091321cf6d5fe40f63757d2c63b0293356a4eb78646c401c8e3fb0f945657471c10d64

Download Submit
C:\Windows\{CC4E6608-4BC2-4fac-9281-8B868DE2D304}.exe

Filesize
197KB

MD5
940f8b9c2aba59c4d348664d5074af70

SHA1
13c054c3e4be3ba602a21b9aa2e89a9208313035

SHA256
4e6de7daf2bfea96fe98aa155c1b8ecb0f5dccd44a2c4be70004c1e26f71e382

SHA512
4f73feb590313db53230bd7d7cfb4bc28e7ece9438fb187ab0061fc702fdd4ddd69d2e018ea7be21073c1261f4343a8fb40b8baba68edc122755ec1fa11c1c11

Download Submit
C:\Windows\{CECE8C6D-2B75-449e-B7C6-FE12F0F5D359}.exe

Filesize
197KB

MD5
10bf3f9bc5632c70fc33ac532696c5d5

SHA1
97e5080bd799a7f38ab6cee6bda259812199f2ed

SHA256
c113122b21f29a4ec1f143e4ed2a2c68471c448c4896a7eb62e9d897924b811e

SHA512
0c5f5cb7e6367fadf50eed94fe9bf8e397c84e9525c1d68e93318b4420e4ba2391d5edb151071eb4b6c21473aac4414996726c383f94fd72af1188ac111532a9

Download Submit
C:\Windows\{D51975ED-945B-4622-B4EA-77A3720DEA6D}.exe

Filesize
197KB

MD5
9839a7efd4b0701cbc3bd4893aa909a9

SHA1
fe26fdd512c6eee22054d3f3f3b394b26227a23d

SHA256
b96d12ce39c6689a72891771b522545ade3c2bcd11ee38a53efc87d7ec0fc9f9

SHA512
dc164055915987b2fb2c24e35813f0882783c97ccd1ccc2af61675f27dbd9ddf94c035ec8fcfeedd3cc19220dd4ef0b49d12bd9779a188a0ba6247c1ed460476

Download Submit
C:\Windows\{E007C71D-FF6E-41ca-8ED4-8C41FD2D2B08}.exe

Filesize
197KB

MD5
d5481f977af6d5dc716c782a478726a1

SHA1
753ea286f3f97a0a235ad8e43300b3c68d1848ee

SHA256
39a2888725e8c6b5f3bafaa991f5ba7b9c36c89f271dd8eaaebb3940955a4d1b

SHA512
2b2f0d57167624dce899f277b653b431e10b86dfb85e4e3713b4d8579f2cededd122ae8ee8d40585152c7d3f3dd681e952a1507d4614a11397d143a84c19ad94

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads