a39d8d0d783faa49096904ec31549c68725406fb8710f2fd97224c37dee69b27

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
Size

380KB
MD5

ebbd0d34e6a9031e245a8c8f753f39ec
SHA1

9c65151242e44f93bbf4aeab1d3354861cdfda23
SHA256

a39d8d0d783faa49096904ec31549c68725406fb8710f2fd97224c37dee69b27
SHA512

97e5b8c006b07c8a5d1fac00c2a845586d8c0465b04cc2670885892f8abebb02c06cf2fc16b353cf77b870078715266e9b3bd72ef2213d919995c67e3608f93b
SSDEEP

3072:mEGh0oulPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{674F43F4-84AC-4de1-BD08-644D84C550ED}	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{674F43F4-84AC-4de1-BD08-644D84C550ED}\stubpath = "C:\\Windows\\{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe"	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567D3C41-48BB-4b81-B861-02F70570E889}	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567D3C41-48BB-4b81-B861-02F70570E889}\stubpath = "C:\\Windows\\{567D3C41-48BB-4b81-B861-02F70570E889}.exe"	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}\stubpath = "C:\\Windows\\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe"	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}\stubpath = "C:\\Windows\\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe"	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}\stubpath = "C:\\Windows\\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe"	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}\stubpath = "C:\\Windows\\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe"	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}\stubpath = "C:\\Windows\\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe"	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}\stubpath = "C:\\Windows\\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe"	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}\stubpath = "C:\\Windows\\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe"	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}\stubpath = "C:\\Windows\\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe"	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}\stubpath = "C:\\Windows\\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe"	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}\stubpath = "C:\\Windows\\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe"	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe

Executes dropped EXE 12 IoCs

pid	Process
4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
2952	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
2704	{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
File created	C:\Windows\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
File created	C:\Windows\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
File created	C:\Windows\{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
File created	C:\Windows\{567D3C41-48BB-4b81-B861-02F70570E889}.exe	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
File created	C:\Windows\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
File created	C:\Windows\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
File created	C:\Windows\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
File created	C:\Windows\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
File created	C:\Windows\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
File created	C:\Windows\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
File created	C:\Windows\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
Token: SeIncBasePriorityPrivilege	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
Token: SeIncBasePriorityPrivilege	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
Token: SeIncBasePriorityPrivilege	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
Token: SeIncBasePriorityPrivilege	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
Token: SeIncBasePriorityPrivilege	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
Token: SeIncBasePriorityPrivilege	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe
Token: SeIncBasePriorityPrivilege	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
Token: SeIncBasePriorityPrivilege	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
Token: SeIncBasePriorityPrivilege	3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
Token: SeIncBasePriorityPrivilege	2952	{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4584	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	97
PID 4912 wrote to memory of 4584	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	97
PID 4912 wrote to memory of 4584	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	97
PID 4912 wrote to memory of 3756	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	98
PID 4912 wrote to memory of 3756	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	98
PID 4912 wrote to memory of 3756	4912	2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe	98
PID 4584 wrote to memory of 4388	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	99
PID 4584 wrote to memory of 4388	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	99
PID 4584 wrote to memory of 4388	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	99
PID 4584 wrote to memory of 1200	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	100
PID 4584 wrote to memory of 1200	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	100
PID 4584 wrote to memory of 1200	4584	{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe	100
PID 4388 wrote to memory of 2052	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	103
PID 4388 wrote to memory of 2052	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	103
PID 4388 wrote to memory of 2052	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	103
PID 4388 wrote to memory of 4500	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	104
PID 4388 wrote to memory of 4500	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	104
PID 4388 wrote to memory of 4500	4388	{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe	104
PID 2052 wrote to memory of 3612	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	105
PID 2052 wrote to memory of 3612	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	105
PID 2052 wrote to memory of 3612	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	105
PID 2052 wrote to memory of 452	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	106
PID 2052 wrote to memory of 452	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	106
PID 2052 wrote to memory of 452	2052	{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe	106
PID 3612 wrote to memory of 4724	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	107
PID 3612 wrote to memory of 4724	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	107
PID 3612 wrote to memory of 4724	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	107
PID 3612 wrote to memory of 2356	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	108
PID 3612 wrote to memory of 2356	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	108
PID 3612 wrote to memory of 2356	3612	{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe	108
PID 4724 wrote to memory of 4980	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	109
PID 4724 wrote to memory of 4980	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	109
PID 4724 wrote to memory of 4980	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	109
PID 4724 wrote to memory of 1384	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	110
PID 4724 wrote to memory of 1384	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	110
PID 4724 wrote to memory of 1384	4724	{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe	110
PID 4980 wrote to memory of 3628	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	111
PID 4980 wrote to memory of 3628	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	111
PID 4980 wrote to memory of 3628	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	111
PID 4980 wrote to memory of 1732	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	112
PID 4980 wrote to memory of 1732	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	112
PID 4980 wrote to memory of 1732	4980	{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe	112
PID 3628 wrote to memory of 3196	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	113
PID 3628 wrote to memory of 3196	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	113
PID 3628 wrote to memory of 3196	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	113
PID 3628 wrote to memory of 3716	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	114
PID 3628 wrote to memory of 3716	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	114
PID 3628 wrote to memory of 3716	3628	{567D3C41-48BB-4b81-B861-02F70570E889}.exe	114
PID 3196 wrote to memory of 3732	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	115
PID 3196 wrote to memory of 3732	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	115
PID 3196 wrote to memory of 3732	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	115
PID 3196 wrote to memory of 3596	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	116
PID 3196 wrote to memory of 3596	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	116
PID 3196 wrote to memory of 3596	3196	{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe	116
PID 3732 wrote to memory of 3956	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	117
PID 3732 wrote to memory of 3956	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	117
PID 3732 wrote to memory of 3956	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	117
PID 3732 wrote to memory of 2076	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	118
PID 3732 wrote to memory of 2076	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	118
PID 3732 wrote to memory of 2076	3732	{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe	118
PID 3956 wrote to memory of 2952	3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe	119
PID 3956 wrote to memory of 2952	3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe	119
PID 3956 wrote to memory of 2952	3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe	119
PID 3956 wrote to memory of 1836	3956	{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_ebbd0d34e6a9031e245a8c8f753f39ec_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
  C:\Windows\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
    C:\Windows\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
      C:\Windows\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
        
        C:\Windows\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Windows\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
        
        C:\Windows\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
        
        C:\Windows\{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{567D3C41-48BB-4b81-B861-02F70570E889}.exe
        
        C:\Windows\{567D3C41-48BB-4b81-B861-02F70570E889}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
        
        C:\Windows\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
        
        C:\Windows\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
        
        C:\Windows\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
        
        C:\Windows\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe
        
        C:\Windows\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E4F9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5016D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBDD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C03A1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{567D3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{674F4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE10~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACC98~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46B1B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{566E4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B9E9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3B9E9AEF-E0F7-4dc8-9088-C2C44ED320E2}.exe

Filesize
380KB

MD5
54d788cc6152e7650826c12a39e5ce75

SHA1
228067ebdb4444dd6f8c9408eab1ca2fdf1bd903

SHA256
3568689dc7896f0a01dd3bc3d53702468495225ebf608f3cc1f7af59732a2bdf

SHA512
8fa1ae759b6d50526400be2bc92fe302ba765db70d54627a48997e12bd4f54b7d14e838262730db5eed8121fea46fad7c75f185b11871bf2070a8b6ed2019451

Download Submit
C:\Windows\{46B1B8A5-5F67-4cee-BD97-C67E451DFAC3}.exe

Filesize
380KB

MD5
f7ebe3b8266e3c9e0caec25b63eb9b96

SHA1
9b60b36ff8a27eadb43cf6294efe9d387d7add06

SHA256
c79ad11de6e52c6f78ea644dcee08ef2673de92c04c242cf61eeaf8c18ea9f33

SHA512
f1540357dea2351e3dcec376f791ed037292aad05ad319923c469bea1edae2bb6d3a0cab6944827055c5451d378997d1cdfe58776612b62286ca3623b64d8076

Download Submit
C:\Windows\{5016D1DE-25FC-41d9-97D9-1C4B55980BE4}.exe

Filesize
380KB

MD5
2b5ed19a53461e75380f65ee7a30d4c9

SHA1
2d4f4e0186a3b31c9c600a3598cf7af546e2ff41

SHA256
b3070f32a49e9dfadb25465bf8c5bba67e9507c6de668301d19e472d47cafbb6

SHA512
5fbfa84a8f1d1ceb91b8647a2fc464180a89216cc7b67c89ca1ee50ce454493fd2ea959ef4381305c144525c3a3ba28d3e106541d56f54de1d060fdd71b5a79e

Download Submit
C:\Windows\{566E48B1-1A49-4a33-8134-B1BEBD5C9714}.exe

Filesize
380KB

MD5
328c4a6040726724eefa990df892a8c1

SHA1
c0c3dead4186cce902facbfabe9c7d2be9ed1d71

SHA256
32c24103d3f863673b1e81b11429eb57117c49c56ca6f1a9dc86642795eba622

SHA512
7324edcd766645b8c2d0367e3aa1c65fcae8e9ae4b5e554301c08b0520f74d7f76925209240e7562a8065457b04853977680f44d94b3d30291663a79b73df03d

Download Submit
C:\Windows\{567D3C41-48BB-4b81-B861-02F70570E889}.exe

Filesize
380KB

MD5
1eac44206e932dbe6302d159e778220c

SHA1
c30ef805b638d1ab0ce01ce2a09a8205df9604f6

SHA256
089f3a4f1e55d5a9508f646d266938c48f51ecd88b2bf668fe7307ce5c87cbc4

SHA512
224366a50b2c8726e22cef301b93e43857679b8e4ee71d72ec6d3c3756476445d08aabadd5439aa8966111930881f2a73276f98fba39367ac21fbdf8939baa1d

Download Submit
C:\Windows\{674F43F4-84AC-4de1-BD08-644D84C550ED}.exe

Filesize
380KB

MD5
2fea3b3ae725bb9944b570552b8c1c66

SHA1
448e9f004e90fe13e44893099ecef5f7fa432777

SHA256
660656688ad0e7769c80fc346c75dddd9281cb4f31182a69622605bb5c523a46

SHA512
b3f72247efa587269ff62b2d833c1b2d93c52e9c5bbcab7b5c7625ba5a13052e0b6e9c45829191c20053bcd89db7ec92bff273a85d11d20fbef464df4225672f

Download Submit
C:\Windows\{7E4F9507-5863-4aba-8D22-D0916BEBECD6}.exe

Filesize
380KB

MD5
490117747651c36960998618cac6e203

SHA1
2b2921646123d5bb951a2d2aa8e5f418b77a9b87

SHA256
2b242fec93a007e534b10531439a72b82b307d4c1ae6ff058363c518783adcd3

SHA512
289c13d36fc0ee879d5c15d4a43b71c5ad87f310109f368c603942e331309f6465e9bfbcb4f6fd3e4df4f9d17d0fc17b1a32ec971a60b80fd16f0218c01bb6f4

Download Submit
C:\Windows\{9DE1034E-B33B-4cb2-ACF6-37EEB3A2A40B}.exe

Filesize
380KB

MD5
cba72b261c9122ba0a09b1b04b090e67

SHA1
eea8216cd547c5036557b99652375fffcf2dc02a

SHA256
814f60fe4092d682ab2605a117a24c76629b039549a28b828e556d7a65fe401b

SHA512
dbcdff9ffe87920a84276e6105ac0cede3ac3c172e4330c983225d7581b916fcf0f369644e20cdf27fe28662913cb2426277d7c0ff32222141eb5f84b35237a6

Download Submit
C:\Windows\{ACC984EE-0600-4f76-AB07-C5F408FCE51B}.exe

Filesize
380KB

MD5
a5ab877763367352f62d9be843166273

SHA1
886ba5fdc8ab3858072a9858f6f3f947795a9a9a

SHA256
0b179618bb983ea045d683afd1da445ac6031483fe3fe3e8b3264aea020335da

SHA512
f1412a73fc426f32d6855de7e4a0a578a140b3ae1929e52c7514fd4cfdc8b7d500c2830a9958aba2a0615b73412ded4794bfa77aeae85389065301c114395a79

Download Submit
C:\Windows\{BCBDDB91-976C-4e90-B6C4-11B8BED8049B}.exe

Filesize
380KB

MD5
5eb0210c8b08f6df23bc9aab472122c0

SHA1
598b59d176dc03ba8fc191ec34a09ec4e52416d0

SHA256
2098fbcd31e630be98d6d55ecfcfcf503ae61e4167aa15c8a23ee740bb0f1630

SHA512
7ed9ddcde905d0173996164fb5fd0384d8e46e63ed4eb843d412d576e9b8c87f7d073930a743c54767b94886224284588c51b767062bc3dfcc9246c8f2043e67

Download Submit
C:\Windows\{C03A15C6-6C12-494e-A418-AE80E1D5FC08}.exe

Filesize
380KB

MD5
f9fcde5474cbfc43195233a0a9d969ac

SHA1
a91e108cabb88c8ed03529b33c6965613006ee9e

SHA256
1103a8a683f03e90db9d29f087bd469479318c6e8081d6f8be7e528bf8d7cdb0

SHA512
982512b79507cb58605abb48805b73efae9477260fe2213556b4737c3fee96db41d29795fc38d0da5b268f067520fc194c68e5d4dc1f051bdcd8c19b65f1fe44

Download Submit
C:\Windows\{F1921CD0-5EEE-4076-A90E-6C1EC440AD5D}.exe

Filesize
380KB

MD5
0ca3653d536dd1ac0d86d58131e7daad

SHA1
bdd259cd13a04b099131056ba4885883333b7ada

SHA256
8fc8ab7a7c6c83dc3778b003cb01b394eeb3d8a47087ac867a75bc1858be2ee6

SHA512
914f29dca55020893b4358eaf29bdcf4177108f20ff12236152d261fe95b6a113273fbbd873fa43638421c06e23b9b31262782ddf6e68085615e4b29ef887252

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads