a4658b1438b78a179f8a3de23000048a874801b51d7bec84f0009f2d51149ff6

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Size

192KB
MD5

eac8781453cf8ebbb83913c377f44cb2
SHA1

f3bfac5137ab017fe49d19c79fe4a74bad8c10cf
SHA256

a4658b1438b78a179f8a3de23000048a874801b51d7bec84f0009f2d51149ff6
SHA512

2da77603029dac157fc6080de058f8044bb40c4a343b825426c539c835bb4c22aff96ee636dbbe2dd1c7ca1a6fa15e6cc4a68b41077ec9ab4de0cd2d228709b8
SSDEEP

1536:1EGh0oll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oll1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}\stubpath = "C:\\Windows\\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe"	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B32D7-38E4-4d68-8097-F52983508B8D}\stubpath = "C:\\Windows\\{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe"	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}\stubpath = "C:\\Windows\\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe"	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}\stubpath = "C:\\Windows\\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe"	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}\stubpath = "C:\\Windows\\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe"	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9519E50-AFA2-4521-B24E-E2F266E75511}\stubpath = "C:\\Windows\\{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe"	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}\stubpath = "C:\\Windows\\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe"	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}\stubpath = "C:\\Windows\\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe"	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1473B75-8FF0-422f-8914-8E2B0791CB11}\stubpath = "C:\\Windows\\{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe"	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}\stubpath = "C:\\Windows\\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe"	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1473B75-8FF0-422f-8914-8E2B0791CB11}	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9519E50-AFA2-4521-B24E-E2F266E75511}	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}\stubpath = "C:\\Windows\\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe"	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B32D7-38E4-4d68-8097-F52983508B8D}	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}\stubpath = "C:\\Windows\\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe"	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
692	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
1368	{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
File created	C:\Windows\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
File created	C:\Windows\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
File created	C:\Windows\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
File created	C:\Windows\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
File created	C:\Windows\{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
File created	C:\Windows\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
File created	C:\Windows\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
File created	C:\Windows\{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
File created	C:\Windows\{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
File created	C:\Windows\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
File created	C:\Windows\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
Token: SeIncBasePriorityPrivilege	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
Token: SeIncBasePriorityPrivilege	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
Token: SeIncBasePriorityPrivilege	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
Token: SeIncBasePriorityPrivilege	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
Token: SeIncBasePriorityPrivilege	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
Token: SeIncBasePriorityPrivilege	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
Token: SeIncBasePriorityPrivilege	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
Token: SeIncBasePriorityPrivilege	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
Token: SeIncBasePriorityPrivilege	1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
Token: SeIncBasePriorityPrivilege	692	{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3280	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	89
PID 2440 wrote to memory of 3280	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	89
PID 2440 wrote to memory of 3280	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	89
PID 2440 wrote to memory of 4376	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	90
PID 2440 wrote to memory of 4376	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	90
PID 2440 wrote to memory of 4376	2440	2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe	90
PID 3280 wrote to memory of 3432	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	91
PID 3280 wrote to memory of 3432	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	91
PID 3280 wrote to memory of 3432	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	91
PID 3280 wrote to memory of 3744	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	92
PID 3280 wrote to memory of 3744	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	92
PID 3280 wrote to memory of 3744	3280	{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe	92
PID 3432 wrote to memory of 868	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	95
PID 3432 wrote to memory of 868	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	95
PID 3432 wrote to memory of 868	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	95
PID 3432 wrote to memory of 4168	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	96
PID 3432 wrote to memory of 4168	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	96
PID 3432 wrote to memory of 4168	3432	{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe	96
PID 868 wrote to memory of 940	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	97
PID 868 wrote to memory of 940	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	97
PID 868 wrote to memory of 940	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	97
PID 868 wrote to memory of 1264	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	98
PID 868 wrote to memory of 1264	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	98
PID 868 wrote to memory of 1264	868	{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe	98
PID 940 wrote to memory of 3592	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	99
PID 940 wrote to memory of 3592	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	99
PID 940 wrote to memory of 3592	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	99
PID 940 wrote to memory of 3784	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	100
PID 940 wrote to memory of 3784	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	100
PID 940 wrote to memory of 3784	940	{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe	100
PID 3592 wrote to memory of 4860	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	101
PID 3592 wrote to memory of 4860	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	101
PID 3592 wrote to memory of 4860	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	101
PID 3592 wrote to memory of 3288	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	102
PID 3592 wrote to memory of 3288	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	102
PID 3592 wrote to memory of 3288	3592	{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe	102
PID 4860 wrote to memory of 4064	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	103
PID 4860 wrote to memory of 4064	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	103
PID 4860 wrote to memory of 4064	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	103
PID 4860 wrote to memory of 4360	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	104
PID 4860 wrote to memory of 4360	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	104
PID 4860 wrote to memory of 4360	4860	{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe	104
PID 4064 wrote to memory of 4140	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	105
PID 4064 wrote to memory of 4140	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	105
PID 4064 wrote to memory of 4140	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	105
PID 4064 wrote to memory of 4952	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	106
PID 4064 wrote to memory of 4952	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	106
PID 4064 wrote to memory of 4952	4064	{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe	106
PID 4140 wrote to memory of 1360	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	107
PID 4140 wrote to memory of 1360	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	107
PID 4140 wrote to memory of 1360	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	107
PID 4140 wrote to memory of 3556	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	108
PID 4140 wrote to memory of 3556	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	108
PID 4140 wrote to memory of 3556	4140	{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe	108
PID 1360 wrote to memory of 1876	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	109
PID 1360 wrote to memory of 1876	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	109
PID 1360 wrote to memory of 1876	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	109
PID 1360 wrote to memory of 4092	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	110
PID 1360 wrote to memory of 4092	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	110
PID 1360 wrote to memory of 4092	1360	{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe	110
PID 1876 wrote to memory of 692	1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe	111
PID 1876 wrote to memory of 692	1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe	111
PID 1876 wrote to memory of 692	1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe	111
PID 1876 wrote to memory of 2148	1876	{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_eac8781453cf8ebbb83913c377f44cb2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
  C:\Windows\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
    C:\Windows\{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
      C:\Windows\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
        
        C:\Windows\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
        
        C:\Windows\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
        
        C:\Windows\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
        
        C:\Windows\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
        
        C:\Windows\{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
        
        C:\Windows\{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
        
        C:\Windows\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
        
        C:\Windows\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe
        
        C:\Windows\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB9C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{683B8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1473~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA57~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E643E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC9A7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB25E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE3C4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9519~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B85F6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5F0D1BC1-0E5F-4f4b-8953-FEA307C54815}.exe

Filesize
192KB

MD5
7e5bb73aba9aece6d95d264c2c0c7d13

SHA1
01a12d2f786ce19120b26b7f70deeadf8995160f

SHA256
eb3b6bbc6e35bb923c1ec0713965a981e2900d47e09c14c1d596208c36babb15

SHA512
884476040cd112b31acca840f78b74acdd9370fd2b3c03d1031e8974fdc2a0b4f83f2001efe357a82f4e31febad25c43bbd3bbe98f35da65a06d8db8008c0ee8

Download Submit
C:\Windows\{683B8A1C-9359-4bfd-A0B7-115EB8E000D1}.exe

Filesize
192KB

MD5
52d351e0f5db77ab1d49ea8d387e9617

SHA1
bfab12d4fa285aecd9fbe50bcfbdb1c08b69df3d

SHA256
9832310dca92c14a7987f8badcc65c5496e7b3eda8fe79472be8b46c1c5bbbd8

SHA512
912623366c90c8bf36251a2378085ab72e1907b2775bdd311500779eabc98a5f890d3d647965b7d758aa8f35f9ef9a514df74398d02fa3b0db7963bc590fd31b

Download Submit
C:\Windows\{8AB9C67E-A8BC-4caf-AF34-236CF690FAF1}.exe

Filesize
192KB

MD5
2cda91f362313119fd00df4cb77887c7

SHA1
44e07a39a7b37396546ddd7861dc3c385fb17ff4

SHA256
5e951a27fd59459ff90a3c3663811e5b123c169d444279607e1a499d6cab3024

SHA512
7938cec151d3ea34d3f4c1a0a2f55e57628e2da22bcfc1eaa2c318e8f84a65575d0dc45ad9256ebf40f01d104a27d8dcbd344fbe65b6d01f212dd23c2ea00a26

Download Submit
C:\Windows\{AAA57840-EBA6-4ef3-AF5D-E3C62D4E8A3C}.exe

Filesize
192KB

MD5
e1d16d28c1b786c59ea79dbdda91e78d

SHA1
4abba1c60cc55cc5e3131256d3775819346e9799

SHA256
859dfe73c18faf8c9964b439a6b9dc74def9b48c0f1ca96ca644cfbe4d60edd2

SHA512
f6cca0aa2a5bca43cf31fde027214a472b7622fa14ca0dc792ebef6c8671186b1d56a9cbaf5d6820be7c7369789c1182f7f6aef7a243d183f562aa3794fc2b02

Download Submit
C:\Windows\{B1473B75-8FF0-422f-8914-8E2B0791CB11}.exe

Filesize
192KB

MD5
174428a23c560c9155f17736000809b0

SHA1
5bc0ba611af84f12dafd38efba535501f055cae4

SHA256
3d3e9b399c927bdd0b46b5e0588f158ed2ed81282e4199e69987168d1ef91d21

SHA512
078d2bb8ae6a9d13c0da469b6576a9fd405e2f4568b475eed7e6e0e48521690413a2ee5904b37ebbe9906d4142a1274bc38e87be1eba4594beb124057b58c68a

Download Submit
C:\Windows\{B85F6A4E-B6E8-4f7e-918D-0FA3F4BECA4F}.exe

Filesize
192KB

MD5
2c6be52c7388ddf718ec35f3ae9912e7

SHA1
eedbcaf1eaba3f022a145b091e8a08c387769f83

SHA256
7eb57fd8c075ea64cc69d7dceac1a06e67064d8af52f89a45c7be02fd3d786c4

SHA512
060c44f789faeba475b32a208dfee29188078571b37fc5410e77201ae9968b72f61674ae50c60418d5003983d7eea1eb8de600a7b0b84b9e705c0340c22f3215

Download Submit
C:\Windows\{B9519E50-AFA2-4521-B24E-E2F266E75511}.exe

Filesize
192KB

MD5
52c01976d0a797d13a4643170c4c31ab

SHA1
1d65d2a848d612b730f12b8a3046f0aabf009d59

SHA256
7f87d56eb4c6e41fbfd6b3497fd9ad0370b5937e80cb7bf929926b3fa6402915

SHA512
cab01813a3829c22aed720a2c592a7060bf46415957b27db42508d2b40501d3d54ae434f9939e14429e259bae9335a3ca6551ded47195a01dabcaa0207a76e4d

Download Submit
C:\Windows\{BC9A79C0-CF00-413e-B051-55B8FE1746B3}.exe

Filesize
192KB

MD5
05af3258e602273d09e4d1b551ecf6a0

SHA1
8aaeb08d8e58eb50404f5cc98bfb2a3e421e558c

SHA256
11d7a2b12dc5804191eb2a8217a87a7db2caaafe335eeeacc766da0ff074553d

SHA512
47d9996c652a2055e2258d2450bdc3eab3cdd571856c5555f781251471507bfa63f6a8900cb5219ed7779a30f279c824e740ebd8065b4c9a77439afb24bfb13f

Download Submit
C:\Windows\{C21B32D7-38E4-4d68-8097-F52983508B8D}.exe

Filesize
192KB

MD5
e8e25a4b03846bf3cea91f61a2921706

SHA1
1a38e2f767de246ea309d85b839d8d9466df26e1

SHA256
906fb0124c1a94f1368b15ae3aaacfb63e6287661770bd402a4a9389a263946a

SHA512
e0498d69f578e8e8c8e3989f7cd29b26916292420bb0e3ed5d299c90b1722c845b68dc45b9285212365067bcc65bac121922aec3d6b6469850854c1c46330d9d

Download Submit
C:\Windows\{DE3C4484-E6AA-4542-804B-30E9F3C122E0}.exe

Filesize
192KB

MD5
1913cdee2baf2f18e4e9e27759d42255

SHA1
bfbf89550e13a57d16d4d8aedaa1448d2815076b

SHA256
12cd681ec5c480d9139d86876d8e9d86e153d0cae80cedf8d1df3a4fba3cd27f

SHA512
531d7990dd810d78c85233d65b5f36448b21f9f335173fb4f4c459f1aac3e0cd921c5d5ad7f2fd8dbf7a9df3308ad89381e09818bbb7df6d45a984760b515295

Download Submit
C:\Windows\{E643E2E2-64D7-4e6e-A5F7-B800ADD72E27}.exe

Filesize
192KB

MD5
cd25f4ec43bda44399f53d5750ae1d4b

SHA1
bed31be43dc055d66cdcafebd527d80d87d34d17

SHA256
06a1a8ff9e307f99a44e1fe73f47bb187bc3e4a072b08d8c532d03c6699d0b33

SHA512
7e1b725a0f9f3507b0e761e8baa7f783414b5f516052665ef461da674d337bf8457c2fd482ad2a1e9f418cbd96ed2e2ef5fcbeded4a63bb3e4401fd3f89993b7

Download Submit
C:\Windows\{FB25ECC1-3C69-4ea7-9C37-012C1A4BB314}.exe

Filesize
192KB

MD5
1d29df136590a3adebd4d30968c8f618

SHA1
e21660d076df68262484c30bcfe36da6e9ff1449

SHA256
4171f2bab4aeff2c4847b5fdc9fb493a9ea0197fda8c67941493b946165c9eb3

SHA512
2e96982ffd9ce01c3082875875285a30ecfe66cecb67dc9f2cb10828bd956289fbae8902c7dca490f69d0bd35bc0885e20f103091c05daf1de77c8c36f3d25ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads