b3e99e8bd2d66b47b2b4fdfa363cfe389b8777db99b5b65ca0fc6cfcddae25db

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Size

372KB
MD5

c0066adcba3177d1669a40d3bb466b8e
SHA1

40cac1419753c933779664d4388c91c1eaa7911a
SHA256

b3e99e8bd2d66b47b2b4fdfa363cfe389b8777db99b5b65ca0fc6cfcddae25db
SHA512

0c6c6cbb4f76b80baf1d2764843a97ef83652d7df2772b72abbe3fa4dd1397c6c42f2fafee03ba73aff8bf2d946ff00240b83e1f81f6ad3d4e35c6b4c9fa5483
SSDEEP

3072:CEGh0owmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGXl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5360BAEA-A439-4640-90C8-2FCCED15C055}	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5360BAEA-A439-4640-90C8-2FCCED15C055}\stubpath = "C:\\Windows\\{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe"	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}\stubpath = "C:\\Windows\\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe"	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5438E157-915F-49ac-8347-169D79BE77FF}\stubpath = "C:\\Windows\\{5438E157-915F-49ac-8347-169D79BE77FF}.exe"	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07073F25-6461-467a-8FB9-F282A40D9782}\stubpath = "C:\\Windows\\{07073F25-6461-467a-8FB9-F282A40D9782}.exe"	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}\stubpath = "C:\\Windows\\{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe"	{07073F25-6461-467a-8FB9-F282A40D9782}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504CB968-5C68-4ae9-A71B-3D200CC0906C}\stubpath = "C:\\Windows\\{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe"	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5438E157-915F-49ac-8347-169D79BE77FF}	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07073F25-6461-467a-8FB9-F282A40D9782}	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}\stubpath = "C:\\Windows\\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe"	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A842675-FAF7-412d-8484-3A636C688B78}\stubpath = "C:\\Windows\\{0A842675-FAF7-412d-8484-3A636C688B78}.exe"	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504CB968-5C68-4ae9-A71B-3D200CC0906C}	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}\stubpath = "C:\\Windows\\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe"	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0443E21F-5A5A-4515-A247-F34D85669A6E}\stubpath = "C:\\Windows\\{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe"	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A842675-FAF7-412d-8484-3A636C688B78}	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0443E21F-5A5A-4515-A247-F34D85669A6E}	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}	{07073F25-6461-467a-8FB9-F282A40D9782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}\stubpath = "C:\\Windows\\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe"	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}\stubpath = "C:\\Windows\\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe"	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe

Executes dropped EXE 11 IoCs

pid	Process
3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
2264	{07073F25-6461-467a-8FB9-F282A40D9782}.exe
3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
3852	{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
File created	C:\Windows\{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
File created	C:\Windows\{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
File created	C:\Windows\{5438E157-915F-49ac-8347-169D79BE77FF}.exe	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
File created	C:\Windows\{07073F25-6461-467a-8FB9-F282A40D9782}.exe	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
File created	C:\Windows\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
File created	C:\Windows\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
File created	C:\Windows\{0A842675-FAF7-412d-8484-3A636C688B78}.exe	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
File created	C:\Windows\{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
File created	C:\Windows\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
File created	C:\Windows\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07073F25-6461-467a-8FB9-F282A40D9782}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
Token: SeIncBasePriorityPrivilege	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe
Token: SeIncBasePriorityPrivilege	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
Token: SeIncBasePriorityPrivilege	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
Token: SeIncBasePriorityPrivilege	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
Token: SeIncBasePriorityPrivilege	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
Token: SeIncBasePriorityPrivilege	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe
Token: SeIncBasePriorityPrivilege	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
Token: SeIncBasePriorityPrivilege	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
Token: SeIncBasePriorityPrivilege	3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3504	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	89
PID 2208 wrote to memory of 3504	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	89
PID 2208 wrote to memory of 3504	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	89
PID 2208 wrote to memory of 2628	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	90
PID 2208 wrote to memory of 2628	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	90
PID 2208 wrote to memory of 2628	2208	2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe	90
PID 3504 wrote to memory of 2212	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	91
PID 3504 wrote to memory of 2212	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	91
PID 3504 wrote to memory of 2212	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	91
PID 3504 wrote to memory of 1948	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	92
PID 3504 wrote to memory of 1948	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	92
PID 3504 wrote to memory of 1948	3504	{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe	92
PID 2212 wrote to memory of 3144	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	95
PID 2212 wrote to memory of 3144	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	95
PID 2212 wrote to memory of 3144	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	95
PID 2212 wrote to memory of 916	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	96
PID 2212 wrote to memory of 916	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	96
PID 2212 wrote to memory of 916	2212	{0A842675-FAF7-412d-8484-3A636C688B78}.exe	96
PID 3144 wrote to memory of 2456	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	97
PID 3144 wrote to memory of 2456	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	97
PID 3144 wrote to memory of 2456	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	97
PID 3144 wrote to memory of 964	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	98
PID 3144 wrote to memory of 964	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	98
PID 3144 wrote to memory of 964	3144	{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe	98
PID 2456 wrote to memory of 1196	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	99
PID 2456 wrote to memory of 1196	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	99
PID 2456 wrote to memory of 1196	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	99
PID 2456 wrote to memory of 4532	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	100
PID 2456 wrote to memory of 4532	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	100
PID 2456 wrote to memory of 4532	2456	{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe	100
PID 1196 wrote to memory of 3676	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	101
PID 1196 wrote to memory of 3676	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	101
PID 1196 wrote to memory of 3676	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	101
PID 1196 wrote to memory of 2780	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	102
PID 1196 wrote to memory of 2780	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	102
PID 1196 wrote to memory of 2780	1196	{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe	102
PID 3676 wrote to memory of 1880	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	103
PID 3676 wrote to memory of 1880	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	103
PID 3676 wrote to memory of 1880	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	103
PID 3676 wrote to memory of 4488	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	104
PID 3676 wrote to memory of 4488	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	104
PID 3676 wrote to memory of 4488	3676	{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe	104
PID 1880 wrote to memory of 2012	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	105
PID 1880 wrote to memory of 2012	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	105
PID 1880 wrote to memory of 2012	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	105
PID 1880 wrote to memory of 1176	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	106
PID 1880 wrote to memory of 1176	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	106
PID 1880 wrote to memory of 1176	1880	{5438E157-915F-49ac-8347-169D79BE77FF}.exe	106
PID 2012 wrote to memory of 2264	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	107
PID 2012 wrote to memory of 2264	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	107
PID 2012 wrote to memory of 2264	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	107
PID 2012 wrote to memory of 4344	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	108
PID 2012 wrote to memory of 4344	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	108
PID 2012 wrote to memory of 4344	2012	{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe	108
PID 1904 wrote to memory of 3976	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	111
PID 1904 wrote to memory of 3976	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	111
PID 1904 wrote to memory of 3976	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	111
PID 1904 wrote to memory of 4876	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	112
PID 1904 wrote to memory of 4876	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	112
PID 1904 wrote to memory of 4876	1904	{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe	112
PID 3976 wrote to memory of 3852	3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe	113
PID 3976 wrote to memory of 3852	3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe	113
PID 3976 wrote to memory of 3852	3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe	113
PID 3976 wrote to memory of 4648	3976	{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_c0066adcba3177d1669a40d3bb466b8e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
  C:\Windows\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\{0A842675-FAF7-412d-8484-3A636C688B78}.exe
    C:\Windows\{0A842675-FAF7-412d-8484-3A636C688B78}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
      C:\Windows\{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
        
        C:\Windows\{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
        
        C:\Windows\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
        
        C:\Windows\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{5438E157-915F-49ac-8347-169D79BE77FF}.exe
        
        C:\Windows\{5438E157-915F-49ac-8347-169D79BE77FF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
        
        C:\Windows\{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{07073F25-6461-467a-8FB9-F282A40D9782}.exe
        
        C:\Windows\{07073F25-6461-467a-8FB9-F282A40D9782}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
        
        C:\Windows\{B8CAEE1C-E29F-4e88-9CF1-D8AFE26C1379}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
        
        C:\Windows\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe
        
        C:\Windows\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC641~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8CAE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07073~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0443E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5438E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B2BE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4114~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5360B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504CB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0A842~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74C90~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0443E21F-5A5A-4515-A247-F34D85669A6E}.exe

Filesize
372KB

MD5
3ad60d647aa50fd103ec9b245f114ef4

SHA1
b91daf8a4be28b2af85680bfb86c522cfb51a336

SHA256
04b9929daf4ef94f6528cfa8a069fd811c83b8bacdae7e29083092bc5ee2878e

SHA512
a4f3f99cdc89e218628a416ca7f800f4953846643cb25a6f128970f9c8844959112fef8b11acc1c8aaa8524a96a709b81eda66ba7103856ca216a57281004acd

Download Submit
C:\Windows\{07073F25-6461-467a-8FB9-F282A40D9782}.exe

Filesize
372KB

MD5
77e4af389e91670a0c46650c99086170

SHA1
cb05351864d9942275d5bb29dea6a48033435404

SHA256
9cc89392c3accca84a746ec98e29810708951d069d7f5e7b2c2eb5d6b25e7c23

SHA512
f131c1616975361f212079e045f6558e2dae7d3cf084227bf0a0973b60eb0c611c954813ff50815b15d65f9ac6338fdc584966a8048df62bf6fceb5b12bc2549

Download Submit
C:\Windows\{0A842675-FAF7-412d-8484-3A636C688B78}.exe

Filesize
372KB

MD5
fba5ef736580a8b298cb1d326f76ce74

SHA1
1abfd68a1c4b7bd91a21c17a59f7e374b967b883

SHA256
0fd16cf55b679608c848ad457eb9c314b7cbdeac7601fcfbf7fc91cc99080d8f

SHA512
b5cf2770a242e07b24925183f7edec942cda26da64f97875d00137e3dbc1e41d9b84046c46eab3b5651d9ab9231a9906f75b45f3d015b5c5facd7793862ab336

Download Submit
C:\Windows\{0B2BE85E-998F-42ba-AD72-5EB1DDB83DB7}.exe

Filesize
372KB

MD5
96f8273190a763e991b09daa68ff2a27

SHA1
4bd0d71d593a69d7f1dbd25d0064bc4a3a532104

SHA256
539bdf1535c4ccd739790867d6c66e71d8f3844fc2e548031c5c97d8cba9ef81

SHA512
30abfea1faeea053e9188ecd2bd2ff8138704e321b6175453f364b8d5b7f75bed6a6ca287eec875903fe453eabfa7ce9c8a29b3ae587bee7bf0cae13c679ea0a

Download Submit
C:\Windows\{2CCF0F2F-66ED-4246-9D8E-938B111267E1}.exe

Filesize
372KB

MD5
c1441ac5acc185bf0505bb380723a3a6

SHA1
2768e9c1d5429d1a2fdeff96d3a65d10127ae533

SHA256
eee0c30d8da9a74ba62109a073a2c99c519144637c66a2ab2a3c41ff110384eb

SHA512
d2e2c9e9f6818b143180433ff057df9910179552afef1b93e1611e0921e5fc85aa604a11c6f6ca874b13dbbda29c887d6eb162803d7a47da3e66f252f99f3c90

Download Submit
C:\Windows\{504CB968-5C68-4ae9-A71B-3D200CC0906C}.exe

Filesize
372KB

MD5
61a364ccd72715ad1cc5bde94f1075de

SHA1
e7514d8e8677fcbb49257b0cdd73f59ef35441b6

SHA256
ba02f4887acaf6793b21966577e3163f6751b172ff2339975e3afccd630ba513

SHA512
3349f3a366acd1fad6d4b9c9b0925729a970ff6d67001851bb07f348cad711dc486038c707cfb66138a82547d564efe5ccc889af8d44d82e9f2536c0d91fdd67

Download Submit
C:\Windows\{5360BAEA-A439-4640-90C8-2FCCED15C055}.exe

Filesize
372KB

MD5
f0a53cbd5304722e0cf33bc633fb2de7

SHA1
261bccd911afa23e9f3fa968ff1cc1ffc817cb17

SHA256
37d3be179b983e3553e4b0a5b3e3ebd4aea245d1b4bdd8cf61da94b699310ba7

SHA512
933801630817014e367435abb7193bd25f1644ac2c0cd7af81025c754c7de3ca582b84c4f7ab2ecf3fb3eeaa8e718e214f3b7da46d9115bada5b731c06ce82af

Download Submit
C:\Windows\{5438E157-915F-49ac-8347-169D79BE77FF}.exe

Filesize
372KB

MD5
4aaf6781396a5917d92cea4774fb90dd

SHA1
7719c61a1578e2b67e763718a3dc30f963162b26

SHA256
e73afd9b58acd285da74688846034e7343efcd66d10e0ac5adf309c1d4e10816

SHA512
4c159fedc26143107c9548bc4d4e50c06eaa1e64a91894d313089b315bc0558bfe5233196e6b3fab8796342076279936471320b02728e83b973c6014b686e8a6

Download Submit
C:\Windows\{74C90102-BF69-4e7f-AA5D-34793ACD6C87}.exe

Filesize
372KB

MD5
5687b4bc9d4a56596eacdb5c792d9faa

SHA1
e2b81216e1d0656dea1cf84489519e031b7d475c

SHA256
68cb623e74c4c09e720e8f57fdbd9c482363c50e3a6f74cc18539146f71d3587

SHA512
33bfb1eaf87c187cff6caeb28dcc208acc1fd3cd3545a059a7cee0f2ca113d817f8430e5c73dd99ff90fe491b9ba9c40ac4c05bf840a2abec3116e99c9ed4828

Download Submit
C:\Windows\{E4114BE3-43B1-4508-937F-F58CCCE78CFD}.exe

Filesize
372KB

MD5
1a14dd3e46fe3d147a67433be0d00727

SHA1
dc76a5bdcc2048ec3ed1a80e60100f05a80a60b7

SHA256
2a627b6e2627631c2f1ea54e179777c74b9b4504a9bd333b07a2c631b4bd54b4

SHA512
6ce2acc16c40c31d0355e0ff6e3993813bb1d6738aba6531dc194a4c2e695b69a757b8d364b4a17c9b17c45c58c409413473d44ab36cafccd24055985c72b528

Download Submit
C:\Windows\{EC64199C-0CA8-4e30-916E-4FFAD4BC3A53}.exe

Filesize
372KB

MD5
ac37c06125493e42cd56402b02898eb7

SHA1
fd3accd99305bfd44bfd85d0aa105d2c5db6a9ca

SHA256
4c389c7ad643d739c1849e16e6eae5ab1f4e6e63b6266df2fed8998165ba675c

SHA512
72f81c9da679a36a9ccc2a5512cb74dcd03a8bc2d92bce004f0b1ee8b83cbb090263099c3e1c915a2b0f91111767ccfdd73ca2f51ce7bd38c0f6abf5a12592ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads