361e219b849142c6495b61d56ddd5c1ec57c6d4e93c3e44ea06492fe350429cf

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Size

168KB
MD5

ecac19819c9c0ba74f0f0a7ecb43dde5
SHA1

0971906ec216eff8fcc2d0e0e57df3e9951f16d6
SHA256

361e219b849142c6495b61d56ddd5c1ec57c6d4e93c3e44ea06492fe350429cf
SHA512

46c30621e0f2eff88682cf55b46a015b0d908bf66c64470aca79705b37be09760846e6a88bb75fc0e6dcbd0fded102ef71bc559a1635bf7d2ea5b277ad73c21c
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}\stubpath = "C:\\Windows\\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe"	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D8F777-5584-43b2-94BA-D5557BAF0760}\stubpath = "C:\\Windows\\{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe"	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}\stubpath = "C:\\Windows\\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe"	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613A5403-0E22-4210-986D-C363A1C38F82}\stubpath = "C:\\Windows\\{613A5403-0E22-4210-986D-C363A1C38F82}.exe"	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6874E25E-A889-44fb-A373-E121F6BF8940}	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32B0979F-306B-4f39-AF84-AFE67FC751F9}\stubpath = "C:\\Windows\\{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe"	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45D05DB-9BF2-4411-8CBB-C627ED030489}	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F45D05DB-9BF2-4411-8CBB-C627ED030489}\stubpath = "C:\\Windows\\{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe"	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3896C938-F0BC-4593-AD0E-67C4BD23B098}	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95D8F777-5584-43b2-94BA-D5557BAF0760}	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613A5403-0E22-4210-986D-C363A1C38F82}	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32B0979F-306B-4f39-AF84-AFE67FC751F9}	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}\stubpath = "C:\\Windows\\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe"	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5355FA9-0239-4a11-9781-50003EF9BA00}\stubpath = "C:\\Windows\\{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe"	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3896C938-F0BC-4593-AD0E-67C4BD23B098}\stubpath = "C:\\Windows\\{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe"	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6874E25E-A889-44fb-A373-E121F6BF8940}\stubpath = "C:\\Windows\\{6874E25E-A889-44fb-A373-E121F6BF8940}.exe"	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}\stubpath = "C:\\Windows\\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe"	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5355FA9-0239-4a11-9781-50003EF9BA00}	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}	{613A5403-0E22-4210-986D-C363A1C38F82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}\stubpath = "C:\\Windows\\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe"	{613A5403-0E22-4210-986D-C363A1C38F82}.exe

Executes dropped EXE 12 IoCs

pid	Process
3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
2016	{613A5403-0E22-4210-986D-C363A1C38F82}.exe
2908	{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
File created	C:\Windows\{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
File created	C:\Windows\{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
File created	C:\Windows\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
File created	C:\Windows\{613A5403-0E22-4210-986D-C363A1C38F82}.exe	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
File created	C:\Windows\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe	{613A5403-0E22-4210-986D-C363A1C38F82}.exe
File created	C:\Windows\{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
File created	C:\Windows\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
File created	C:\Windows\{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
File created	C:\Windows\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
File created	C:\Windows\{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
File created	C:\Windows\{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{613A5403-0E22-4210-986D-C363A1C38F82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
Token: SeIncBasePriorityPrivilege	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
Token: SeIncBasePriorityPrivilege	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
Token: SeIncBasePriorityPrivilege	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
Token: SeIncBasePriorityPrivilege	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
Token: SeIncBasePriorityPrivilege	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
Token: SeIncBasePriorityPrivilege	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
Token: SeIncBasePriorityPrivilege	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
Token: SeIncBasePriorityPrivilege	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
Token: SeIncBasePriorityPrivilege	1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
Token: SeIncBasePriorityPrivilege	2016	{613A5403-0E22-4210-986D-C363A1C38F82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3764	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	91
PID 4576 wrote to memory of 3764	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	91
PID 4576 wrote to memory of 3764	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	91
PID 4576 wrote to memory of 2020	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	92
PID 4576 wrote to memory of 2020	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	92
PID 4576 wrote to memory of 2020	4576	2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe	92
PID 3764 wrote to memory of 4076	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	93
PID 3764 wrote to memory of 4076	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	93
PID 3764 wrote to memory of 4076	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	93
PID 3764 wrote to memory of 4476	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	94
PID 3764 wrote to memory of 4476	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	94
PID 3764 wrote to memory of 4476	3764	{6874E25E-A889-44fb-A373-E121F6BF8940}.exe	94
PID 4076 wrote to memory of 5076	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	97
PID 4076 wrote to memory of 5076	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	97
PID 4076 wrote to memory of 5076	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	97
PID 4076 wrote to memory of 368	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	98
PID 4076 wrote to memory of 368	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	98
PID 4076 wrote to memory of 368	4076	{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe	98
PID 5076 wrote to memory of 884	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	99
PID 5076 wrote to memory of 884	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	99
PID 5076 wrote to memory of 884	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	99
PID 5076 wrote to memory of 5112	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	100
PID 5076 wrote to memory of 5112	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	100
PID 5076 wrote to memory of 5112	5076	{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe	100
PID 884 wrote to memory of 4744	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	101
PID 884 wrote to memory of 4744	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	101
PID 884 wrote to memory of 4744	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	101
PID 884 wrote to memory of 3344	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	102
PID 884 wrote to memory of 3344	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	102
PID 884 wrote to memory of 3344	884	{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe	102
PID 4744 wrote to memory of 3068	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	103
PID 4744 wrote to memory of 3068	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	103
PID 4744 wrote to memory of 3068	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	103
PID 4744 wrote to memory of 2420	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	104
PID 4744 wrote to memory of 2420	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	104
PID 4744 wrote to memory of 2420	4744	{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe	104
PID 3068 wrote to memory of 740	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	105
PID 3068 wrote to memory of 740	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	105
PID 3068 wrote to memory of 740	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	105
PID 3068 wrote to memory of 3268	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	106
PID 3068 wrote to memory of 3268	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	106
PID 3068 wrote to memory of 3268	3068	{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe	106
PID 740 wrote to memory of 5060	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	107
PID 740 wrote to memory of 5060	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	107
PID 740 wrote to memory of 5060	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	107
PID 740 wrote to memory of 4936	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	108
PID 740 wrote to memory of 4936	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	108
PID 740 wrote to memory of 4936	740	{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe	108
PID 5060 wrote to memory of 1396	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	109
PID 5060 wrote to memory of 1396	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	109
PID 5060 wrote to memory of 1396	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	109
PID 5060 wrote to memory of 3528	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	110
PID 5060 wrote to memory of 3528	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	110
PID 5060 wrote to memory of 3528	5060	{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe	110
PID 1396 wrote to memory of 1008	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	111
PID 1396 wrote to memory of 1008	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	111
PID 1396 wrote to memory of 1008	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	111
PID 1396 wrote to memory of 1724	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	112
PID 1396 wrote to memory of 1724	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	112
PID 1396 wrote to memory of 1724	1396	{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe	112
PID 1008 wrote to memory of 2016	1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe	113
PID 1008 wrote to memory of 2016	1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe	113
PID 1008 wrote to memory of 2016	1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe	113
PID 1008 wrote to memory of 4464	1008	{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_ecac19819c9c0ba74f0f0a7ecb43dde5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
  C:\Windows\{6874E25E-A889-44fb-A373-E121F6BF8940}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
    C:\Windows\{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
      C:\Windows\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
        
        C:\Windows\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
        
        C:\Windows\{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
        
        C:\Windows\{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
        
        C:\Windows\{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
        
        C:\Windows\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
        
        C:\Windows\{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
        
        C:\Windows\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{613A5403-0E22-4210-986D-C363A1C38F82}.exe
        
        C:\Windows\{613A5403-0E22-4210-986D-C363A1C38F82}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe
        
        C:\Windows\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613A5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AB4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95D8F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{881EC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3896C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F45D0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5355~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECF1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99954~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{32B09~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6874E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32B0979F-306B-4f39-AF84-AFE67FC751F9}.exe

Filesize
168KB

MD5
887db08e0da186ea186ddf1b82553c5c

SHA1
7e75aa27d1ef1471f9dd5e7a0c7c9b9998bdf7a0

SHA256
5a4654dfa4ec2a3e75cf533dca37691d7e762ae107e72028a1a32ed82a37db37

SHA512
64a4d97f2cf80f21366ceb575948c2f2f93b3b1202a78341bb9e00c876bc7d6d221c95b530396f8270988d487b3ff11b9de05ea2a06a214f852909373ec7f3a2

Download Submit
C:\Windows\{3896C938-F0BC-4593-AD0E-67C4BD23B098}.exe

Filesize
168KB

MD5
55bbe2dc061badce4df667ed78a833a6

SHA1
362453b6c2df105f32a01024aa9aa901b054c010

SHA256
e29bd062c25cea5013329e91cb3790d15dc278f8f273ac75ece2b58b3f0f6c6d

SHA512
b1521c098265017cb6821462333a5873e0d50c6da494b521a2e233f6f5aadc6682b8a4d2ebb25cbd40ca723e617d4fe0ed4802f64aaedf5c346a626a2b9505d4

Download Submit
C:\Windows\{613A5403-0E22-4210-986D-C363A1C38F82}.exe

Filesize
168KB

MD5
32c3f7d19c1b3bd8188fe1339610fbe3

SHA1
fae79529a9b58157027da6710d32d6a391feab55

SHA256
2232fa4a9a7676af96838a7a1b371255016724662b905a94d7a4f2da7bf84a23

SHA512
74fcab87fd7bdb1b0d1c1bf67ab168632e2f05189e56ec2bc55dde0a2c2835e349079547b50de55d5f984e496e9fb95331a99285cb294b3470e9b552d37eb736

Download Submit
C:\Windows\{6874E25E-A889-44fb-A373-E121F6BF8940}.exe

Filesize
168KB

MD5
dbf85bd67536108a8b053fcb894dbd57

SHA1
99cc4596c99b8ac43a3fec236212f60fd38baa30

SHA256
0df13af4c9ba67f51aa01523e5ad6292a2500fe828f96fe479854308ae9bb512

SHA512
77eb6e7e5e5e75c87430362858783dc66c4ec7e90cffc26a20202063cd851e65f680b76d38de889a9771e8ecb9e9eb3801ed0af40de8a34fb56dd2386e71ff30

Download Submit
C:\Windows\{7ECF1D89-AA65-4eb9-B464-C408CB63FC0F}.exe

Filesize
168KB

MD5
7b843efb9ecd49dad4d2253bc51ee975

SHA1
2bc2a4180f2a1aa8e7eb594eaddb3e274ebfffcc

SHA256
f66ea79e6a9e4f850fa7f337a90a2882dcb13bf73968279c17f8d332150eb986

SHA512
132930f74741decf5d3e03c443463c569af9496b43987755ac1e48ee67a524fef12d3ddbffbd556707bf19197eb68bdd2bda06bb74db5b80bf7ea4741e1be28b

Download Submit
C:\Windows\{881EC3F5-0FD2-4a37-A630-2FAA46BF04C5}.exe

Filesize
168KB

MD5
58883a4671433a27e9e0242edca9ab8c

SHA1
059d335fa5bb48b46e7ac90f7b5b7af856067863

SHA256
817f5f5ba089755e7acae3cd8eb083e00055f474efe1c5969317a6165e379281

SHA512
371cad91a05c53dfc2fef20b02e9ddfd18182fbfc3a4d7aacb5ad2a53f9734f57fc13f7103a44071a13f14990aeb60949b288ce0fceb18fb0c6f4591e25abb6a

Download Submit
C:\Windows\{95D8F777-5584-43b2-94BA-D5557BAF0760}.exe

Filesize
168KB

MD5
31e81a1f51d7815317e421645d5e92c4

SHA1
78f6292d13859e3c8e484177f10390af43297712

SHA256
56680793d9b08ed78828e2d0db8156110ffb241e8378825fa791e8dee21f3e11

SHA512
50e834b9d9a29ed808ee9969dc30a4e367c08fb1f9c7637667d1799fa8d049a450acf86dd77097fc5ceb7f29f17bbc1fe48ea5c87bb3a82f4bd9b05913ca2c6e

Download Submit
C:\Windows\{99954FE7-65D3-4062-BBBB-549BE7C18FE0}.exe

Filesize
168KB

MD5
81f987ce2a47a3582f9c429b15e61bf5

SHA1
f4bc8fe9237560da944f528d64012a74539ebaa7

SHA256
add4fd26673ad795277e800032c859d79066cb3afff174b19a0fab9769ea4db2

SHA512
f7202d03d5ca39171a382a6f984daa0dcbdd1354ca6cc2b8d40a338e327400ef272f71667cd2406a4332e2eff598589f8869751591f79b90faf94f61d34da03c

Download Submit
C:\Windows\{C5355FA9-0239-4a11-9781-50003EF9BA00}.exe

Filesize
168KB

MD5
172d2b8f98461b375f18807b7bd00b5f

SHA1
117e1d298d2890205244bbff54d2b42bce782051

SHA256
851631a87921ec60b2914ac7eb5723bc955315f6b7cf7e535970888c46bc1763

SHA512
3ee1c4387574ca7e1f80fed3b860157e02906b3c8d193914a720050733befe8bf85786a5e6dc887f65e70e0729ac704a2d926da325534b105234172e47e87d55

Download Submit
C:\Windows\{C5E5D89F-018C-47f7-9BEF-7258DF6E56D0}.exe

Filesize
168KB

MD5
e0b7dc421d2e33e1c3099718108d1b16

SHA1
a23ef9202b85b158bba50f0897a08a96caea058b

SHA256
afffe299ba61e1c76bbdfa2e3ee9af8e4272306356143f41ec749712a34dfb97

SHA512
9e3a88fe32ce34af1b8338144ef55695f52b9241e48d70dfab18a31bfb094c19332c30e7fa0bd1eb1369128f8fb7145df7f13aabf3880a15057b5ead4f68cdf2

Download Submit
C:\Windows\{C8AB459D-08D8-4cc3-A780-4AC153B7A0E5}.exe

Filesize
168KB

MD5
4cabba0de2a3042d70a4b4f0d671b31e

SHA1
73b333e87136fe16fea2bd342434bf81a3fb89bc

SHA256
374877974ec8f7bf1e272d1ce7c7e85f29431eea6f77ab1a77aae61d6c0586d1

SHA512
488e1becfa90b35e6cb07bfeb9d335071af4a619d7ff9dde9398c008b5ec5cd2f985908213db208d31ab3352ae397198ebea7a6d88aa0cd7637d395c5d6cc452

Download Submit
C:\Windows\{F45D05DB-9BF2-4411-8CBB-C627ED030489}.exe

Filesize
168KB

MD5
15ab3ad1a658ec20c84bb8f6a09288ee

SHA1
c8664f48984ee49bce1c99542600bc51a6c08261

SHA256
3b8fe02ab026602b2d8b33f4ab66d997487597ac631667031c0968c08d42c572

SHA512
ec6a6ade40cce09242cd871e55971b268d34485bda5268af144ded37db2595dda5c23a36cbcede0a387756e649b27a6a01d3a98f07c8ecac58beba1f1e7876c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads