41a574da9509dcd9c8f081751eef4440ec4b393e7874684e1d5ac6eebd1ec097

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
Size

408KB
MD5

d14ba25a6b9216e29ea7c09897a9033e
SHA1

c129db851911266f41dea28a7e1dc2923869f74b
SHA256

41a574da9509dcd9c8f081751eef4440ec4b393e7874684e1d5ac6eebd1ec097
SHA512

51d4a6e7ddfb76fd12a1d284f333afcfb2c52cc99e9bf5f6c1baeff966560ea5a2ad88046c78d802f2fa42aa5c5a89cf2a20761f049eefb7690cc6445631d2e6
SSDEEP

3072:CEGh0o9l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGrldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}\stubpath = "C:\\Windows\\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe"	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}\stubpath = "C:\\Windows\\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe"	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03376E2-245F-481e-AADE-BADFC4DD54FA}	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}\stubpath = "C:\\Windows\\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe"	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071447CD-E2FC-4f2b-9089-185BFE87597D}	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2662755D-F61F-4c16-B850-38010F5B7CD9}	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2662755D-F61F-4c16-B850-38010F5B7CD9}\stubpath = "C:\\Windows\\{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe"	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}\stubpath = "C:\\Windows\\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe"	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAA12F98-A654-4bb5-AF60-107E58678C06}\stubpath = "C:\\Windows\\{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe"	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35E8E284-EE96-4076-A38A-24289F7F5337}	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{071447CD-E2FC-4f2b-9089-185BFE87597D}\stubpath = "C:\\Windows\\{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe"	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03376E2-245F-481e-AADE-BADFC4DD54FA}\stubpath = "C:\\Windows\\{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe"	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35E8E284-EE96-4076-A38A-24289F7F5337}\stubpath = "C:\\Windows\\{35E8E284-EE96-4076-A38A-24289F7F5337}.exe"	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}\stubpath = "C:\\Windows\\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe"	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAA12F98-A654-4bb5-AF60-107E58678C06}	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}\stubpath = "C:\\Windows\\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe"	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5089EA96-8CB6-434e-B437-0309B70C688C}	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5089EA96-8CB6-434e-B437-0309B70C688C}\stubpath = "C:\\Windows\\{5089EA96-8CB6-434e-B437-0309B70C688C}.exe"	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe

Executes dropped EXE 12 IoCs

pid	Process
232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
4260	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
1576	{5089EA96-8CB6-434e-B437-0309B70C688C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
File created	C:\Windows\{5089EA96-8CB6-434e-B437-0309B70C688C}.exe	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
File created	C:\Windows\{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
File created	C:\Windows\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
File created	C:\Windows\{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
File created	C:\Windows\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
File created	C:\Windows\{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
File created	C:\Windows\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
File created	C:\Windows\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
File created	C:\Windows\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
File created	C:\Windows\{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
File created	C:\Windows\{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5089EA96-8CB6-434e-B437-0309B70C688C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
Token: SeIncBasePriorityPrivilege	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
Token: SeIncBasePriorityPrivilege	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
Token: SeIncBasePriorityPrivilege	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
Token: SeIncBasePriorityPrivilege	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
Token: SeIncBasePriorityPrivilege	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
Token: SeIncBasePriorityPrivilege	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
Token: SeIncBasePriorityPrivilege	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
Token: SeIncBasePriorityPrivilege	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
Token: SeIncBasePriorityPrivilege	4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
Token: SeIncBasePriorityPrivilege	4260	{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 232	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	89
PID 4368 wrote to memory of 232	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	89
PID 4368 wrote to memory of 232	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	89
PID 4368 wrote to memory of 3668	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	90
PID 4368 wrote to memory of 3668	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	90
PID 4368 wrote to memory of 3668	4368	2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe	90
PID 232 wrote to memory of 5068	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	91
PID 232 wrote to memory of 5068	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	91
PID 232 wrote to memory of 5068	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	91
PID 232 wrote to memory of 5060	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	92
PID 232 wrote to memory of 5060	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	92
PID 232 wrote to memory of 5060	232	{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe	92
PID 5068 wrote to memory of 2408	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	95
PID 5068 wrote to memory of 2408	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	95
PID 5068 wrote to memory of 2408	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	95
PID 5068 wrote to memory of 2340	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	96
PID 5068 wrote to memory of 2340	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	96
PID 5068 wrote to memory of 2340	5068	{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe	96
PID 2408 wrote to memory of 2012	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	97
PID 2408 wrote to memory of 2012	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	97
PID 2408 wrote to memory of 2012	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	97
PID 2408 wrote to memory of 3788	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	98
PID 2408 wrote to memory of 3788	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	98
PID 2408 wrote to memory of 3788	2408	{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe	98
PID 2012 wrote to memory of 1280	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	99
PID 2012 wrote to memory of 1280	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	99
PID 2012 wrote to memory of 1280	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	99
PID 2012 wrote to memory of 1748	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	100
PID 2012 wrote to memory of 1748	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	100
PID 2012 wrote to memory of 1748	2012	{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe	100
PID 1280 wrote to memory of 2320	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	101
PID 1280 wrote to memory of 2320	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	101
PID 1280 wrote to memory of 2320	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	101
PID 1280 wrote to memory of 4440	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	102
PID 1280 wrote to memory of 4440	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	102
PID 1280 wrote to memory of 4440	1280	{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe	102
PID 2320 wrote to memory of 3444	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	103
PID 2320 wrote to memory of 3444	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	103
PID 2320 wrote to memory of 3444	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	103
PID 2320 wrote to memory of 1308	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	104
PID 2320 wrote to memory of 1308	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	104
PID 2320 wrote to memory of 1308	2320	{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe	104
PID 3444 wrote to memory of 2856	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	105
PID 3444 wrote to memory of 2856	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	105
PID 3444 wrote to memory of 2856	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	105
PID 3444 wrote to memory of 1892	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	106
PID 3444 wrote to memory of 1892	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	106
PID 3444 wrote to memory of 1892	3444	{35E8E284-EE96-4076-A38A-24289F7F5337}.exe	106
PID 2856 wrote to memory of 4396	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	107
PID 2856 wrote to memory of 4396	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	107
PID 2856 wrote to memory of 4396	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	107
PID 2856 wrote to memory of 1984	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	108
PID 2856 wrote to memory of 1984	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	108
PID 2856 wrote to memory of 1984	2856	{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe	108
PID 4396 wrote to memory of 4116	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	109
PID 4396 wrote to memory of 4116	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	109
PID 4396 wrote to memory of 4116	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	109
PID 4396 wrote to memory of 4536	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	110
PID 4396 wrote to memory of 4536	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	110
PID 4396 wrote to memory of 4536	4396	{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe	110
PID 4116 wrote to memory of 4260	4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe	111
PID 4116 wrote to memory of 4260	4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe	111
PID 4116 wrote to memory of 4260	4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe	111
PID 4116 wrote to memory of 1844	4116	{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_d14ba25a6b9216e29ea7c09897a9033e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
  C:\Windows\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
    C:\Windows\{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
      C:\Windows\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
        
        C:\Windows\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
        
        C:\Windows\{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
        
        C:\Windows\{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
        
        C:\Windows\{35E8E284-EE96-4076-A38A-24289F7F5337}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
        
        C:\Windows\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
        
        C:\Windows\{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
        
        C:\Windows\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
        
        C:\Windows\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\{5089EA96-8CB6-434e-B437-0309B70C688C}.exe
        
        C:\Windows\{5089EA96-8CB6-434e-B437-0309B70C688C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90AB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5C40~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07144~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E5EC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35E8E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAA12~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0337~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC54~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33B2B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26627~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{409F8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071447CD-E2FC-4f2b-9089-185BFE87597D}.exe

Filesize
408KB

MD5
4b3e5d177b1a741d5ea26082ddbbad84

SHA1
4dc26d40de50aadf9505664235e2211ee76102a7

SHA256
471d636997b2bd20901c8b6f264fe9dc67e5309ed152c3777834317d4b9dd410

SHA512
e6b7cf46dd9a557ee7a721909978798be246f038cfb9b3638d2c79f52e865cc45e1dfa9acf624b4846b6b9915c0a7ff0f9f9be47f3b522a41f6a8159de78ebe9

Download Submit
C:\Windows\{2662755D-F61F-4c16-B850-38010F5B7CD9}.exe

Filesize
408KB

MD5
c6cd2fbaa27273f02e54e4c6f1d16362

SHA1
fd086f4a40c3b70dbe3d8e2932d634fc644f8fa1

SHA256
573a7d762cd139b78da52c5b8a2596526f78adf4e29b78ea4ab03c74cadd2778

SHA512
22e16011f21a224242acb737369379fde7b77f2ca7f0a806f1795c3729d9c20388e35de74d31673ed1b8963a246684e2058cdb44c23a4d4a631ef26768635be1

Download Submit
C:\Windows\{33B2BBA7-4B1B-4461-BF69-45E225844F4F}.exe

Filesize
408KB

MD5
5edf1c0733c14be086c9ae7ee92a8175

SHA1
bfa4bf9e8de6b87caa38fc9d5f8a3dd9f6d713a0

SHA256
f54659b86fee1fde587e6ed1acb82b8799c8565180a4369f6c7f6381d74baa9c

SHA512
2061f2da5bcfdf45494aa19162b0e0c1a35e564ce28a19ace9b2d731f467fa618da3dfbd5037007d194f74bdcece6dfb91d7b99aacaeb1b96e5b493c3912a9b3

Download Submit
C:\Windows\{35E8E284-EE96-4076-A38A-24289F7F5337}.exe

Filesize
408KB

MD5
99c403ae5a66bb778051ca017dcef5c3

SHA1
09c34ed8734dc2a609afa8c339249ec8c24bff40

SHA256
986485d100232f1fd2d1045d27bed767d53abc4b2acbec89d711a22759461c27

SHA512
139d9590da59bd1de299d5d4bab8221f3825796e93eb2534dcf938a119f1a200b19a5bd384407c42609e7569486e7d1ced6ab94a86279215fce8838594803fed

Download Submit
C:\Windows\{3EC54812-E3D7-46b4-8CFA-B5197A38A1AF}.exe

Filesize
408KB

MD5
0d255c012f42e87a63cc6f7cfb3ef631

SHA1
9f167aa345a71024be295a9a581abb39f025da76

SHA256
6f03a1b93ba5a4d529ec23cbc1db95c383da1921ec3428a652343076855f156e

SHA512
bdb3c41de933e4be3adec3ff21f551535cf60c3c667672fe5d69e0c6a1a5d4828e8959882984bf7e95dc80f59cb9f5894127515c47c3990a5841e12c8d83ffc1

Download Submit
C:\Windows\{409F8BDF-4059-456b-A95E-1CD3384BBDEC}.exe

Filesize
408KB

MD5
ff7620da4fbc837212c19007097e372f

SHA1
a45ab5bd217fa22df8596d75e2ea6626dd36c587

SHA256
8748cf39d7d5becfbc3e4f7a0d20711cdb436976576709a8bca248e78d56ca82

SHA512
b31dab7fa870bdd4f6204c1861bce6e9151a2ce3da81ad441b41bcb019fc70216f2a423e5cef1c99494bd870e2c7815806ec097762731120275bf7850d5a014e

Download Submit
C:\Windows\{5089EA96-8CB6-434e-B437-0309B70C688C}.exe

Filesize
408KB

MD5
b06cf2f632d712981b92ed3b6d9e67eb

SHA1
fa2f47f48722edca6edd6d0f1a6e2b8f1fea2e04

SHA256
70cbff0931e2cb86400009a1b53956ebb03b02fa1596572cc28355d55b7f72d7

SHA512
96f6bfc1a4761e85778cd3ed8c91375b7b919c458b0dae5e05d9e390e73695c657b4397a29b96bbbeee1facca2857755f68872039778776542572b25470de625

Download Submit
C:\Windows\{7E5EC175-2853-46da-8F9A-4AC0E4A0D08C}.exe

Filesize
408KB

MD5
d21398d6d6aebc0ba79b4ebe8b5ea260

SHA1
78f25c682200862e2de1760fad4e584c630e70b3

SHA256
018c366d26d702cb1dc34655851ecb6c160a16702a5765eaf0c6df2d84e9c5ab

SHA512
26b7e40e9c37584e0e712abdcf36b5e78de9d5037f9ca310a50033efef6cdaa5dbb4452050866cd3c728d09502e6750b2febc59f8ea4a90941f5faf3f2533b80

Download Submit
C:\Windows\{B90ABB41-F1E9-40bf-894E-6DF0516B2130}.exe

Filesize
408KB

MD5
e5fe36cc9664a70547e927a4ec1bc918

SHA1
3c59f558b8cd722ee097e6cf936e34bb1ac31f19

SHA256
c28524b358e0fcb5d1af5847a58f78ae417e9c507cedf87c757d272fb0dabfe4

SHA512
7dc453e229621aadf4f44a74b3005573bbdeb66d6e6c7249e237f0148802ac4a4c0b28f7253bc8ade8525712478854fee4434096c5b2a384ddb8f50b3347c048

Download Submit
C:\Windows\{BAA12F98-A654-4bb5-AF60-107E58678C06}.exe

Filesize
408KB

MD5
ce5198204169ccf67cec1264d248d738

SHA1
9c9e539ea64d7ba1776eff887e6b0fb596513fa2

SHA256
1898ee63b91966e76e652263cb2bcbf8d80adaa7a6ef5d22ba1cfe9efc20ab05

SHA512
c76dbc77ea270440f6a1c528bd950e320eeda694c7a1aee3f37c59b43024c141867588799df53a6c7f96af5e6ce39098e673f6a3e6bc70f1f23fe1781a461822

Download Submit
C:\Windows\{C5C40B2A-E7D6-4a5c-99B6-D5D17D29EA4C}.exe

Filesize
408KB

MD5
6d695cb3776087a4b4be78194f2a58c2

SHA1
31a123fb948ab98936b49ed9fe02e11580d70f61

SHA256
53cdd9b9a108bd836dab822f85a628f47c0c87cdce5b7ad77a7fee718c210c21

SHA512
80aac679f2b0f4102c7ee3baa5d1a821049b4c66d43082fc4cabb3a9f5104663498cd7f9d45f2a00da84f1e34a9709a438eebfa5b6882e6817d02137fc90dbb0

Download Submit
C:\Windows\{D03376E2-245F-481e-AADE-BADFC4DD54FA}.exe

Filesize
408KB

MD5
71f0f00d73c23f8ec3d9e68f23e6b248

SHA1
df7fac67acb1d3ab19c6a8abbd49d54c6c7107c5

SHA256
e42e9459a05cf1abaebcafe89dcec5ffed665f6a2bea76243fa71dd60254377b

SHA512
7ac1de885f020d8c5b320b28998edc0db62036ccc9c0a0de80be40b0d0f7403d161243e140f59fe3d39a96d0679eae98df816648eaac885b6966bd102b322c3a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads