16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Size

168KB
MD5

899ceecd0f8172f1d1c54ba07b35b342
SHA1

62f19ffa367b475361849be9d03829c6157f7932
SHA256

16eae0ed1e47bfb71cdaff6a3a42be1297bcf2dfade2918f2aec3bfe3e7714df
SHA512

85cd1e42ca98bd9e95cb27c476e7c4a04187b3334b65ce6542117138256adbef9ccc58e26a1d0baa3ed9ab6f015622e3eeadddc2713898438b251ec180395eb5
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}\stubpath = "C:\\Windows\\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe"	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C725F8F-0000-43d4-A636-D2722D7AFF47}	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C725F8F-0000-43d4-A636-D2722D7AFF47}\stubpath = "C:\\Windows\\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe"	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}\stubpath = "C:\\Windows\\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe"	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A04520-8E28-4240-85D1-BBB7538E8EB7}	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7107193-2BC2-4027-862B-68BBCBDEEC41}	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7107193-2BC2-4027-862B-68BBCBDEEC41}\stubpath = "C:\\Windows\\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe"	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A04520-8E28-4240-85D1-BBB7538E8EB7}\stubpath = "C:\\Windows\\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe"	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D09C9F-D57B-4c77-9B23-371CABCBB996}	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}\stubpath = "C:\\Windows\\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe"	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86922368-44E7-4b94-9CDE-5D082B5D8309}\stubpath = "C:\\Windows\\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe"	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}\stubpath = "C:\\Windows\\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe"	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BEC851-9483-4224-84AD-47A43368CA0B}	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD3B58A5-E97E-4005-8CE7-9C472367F520}	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D09C9F-D57B-4c77-9B23-371CABCBB996}\stubpath = "C:\\Windows\\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe"	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A943ED39-E45A-406c-B33F-77F0966976F9}	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A943ED39-E45A-406c-B33F-77F0966976F9}\stubpath = "C:\\Windows\\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe"	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86922368-44E7-4b94-9CDE-5D082B5D8309}	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51BEC851-9483-4224-84AD-47A43368CA0B}\stubpath = "C:\\Windows\\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe"	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD3B58A5-E97E-4005-8CE7-9C472367F520}\stubpath = "C:\\Windows\\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe"	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
2472	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
2420	{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
File created	C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
File created	C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
File created	C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
File created	C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
File created	C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
File created	C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
File created	C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
File created	C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
File created	C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
File created	C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
File created	C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
Token: SeIncBasePriorityPrivilege	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
Token: SeIncBasePriorityPrivilege	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
Token: SeIncBasePriorityPrivilege	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
Token: SeIncBasePriorityPrivilege	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
Token: SeIncBasePriorityPrivilege	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
Token: SeIncBasePriorityPrivilege	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
Token: SeIncBasePriorityPrivilege	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
Token: SeIncBasePriorityPrivilege	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
Token: SeIncBasePriorityPrivilege	2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
Token: SeIncBasePriorityPrivilege	2472	{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2156	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	94
PID 2464 wrote to memory of 2156	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	94
PID 2464 wrote to memory of 2156	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	94
PID 2464 wrote to memory of 1932	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	95
PID 2464 wrote to memory of 1932	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	95
PID 2464 wrote to memory of 1932	2464	2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe	95
PID 2156 wrote to memory of 2204	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	96
PID 2156 wrote to memory of 2204	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	96
PID 2156 wrote to memory of 2204	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	96
PID 2156 wrote to memory of 1624	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	97
PID 2156 wrote to memory of 1624	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	97
PID 2156 wrote to memory of 1624	2156	{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe	97
PID 2204 wrote to memory of 3468	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	101
PID 2204 wrote to memory of 3468	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	101
PID 2204 wrote to memory of 3468	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	101
PID 2204 wrote to memory of 436	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	102
PID 2204 wrote to memory of 436	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	102
PID 2204 wrote to memory of 436	2204	{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe	102
PID 3468 wrote to memory of 3276	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	103
PID 3468 wrote to memory of 3276	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	103
PID 3468 wrote to memory of 3276	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	103
PID 3468 wrote to memory of 5116	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	104
PID 3468 wrote to memory of 5116	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	104
PID 3468 wrote to memory of 5116	3468	{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe	104
PID 3276 wrote to memory of 1048	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	105
PID 3276 wrote to memory of 1048	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	105
PID 3276 wrote to memory of 1048	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	105
PID 3276 wrote to memory of 1848	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	106
PID 3276 wrote to memory of 1848	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	106
PID 3276 wrote to memory of 1848	3276	{A943ED39-E45A-406c-B33F-77F0966976F9}.exe	106
PID 1048 wrote to memory of 1972	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	108
PID 1048 wrote to memory of 1972	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	108
PID 1048 wrote to memory of 1972	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	108
PID 1048 wrote to memory of 2420	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	109
PID 1048 wrote to memory of 2420	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	109
PID 1048 wrote to memory of 2420	1048	{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe	109
PID 1972 wrote to memory of 2484	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	110
PID 1972 wrote to memory of 2484	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	110
PID 1972 wrote to memory of 2484	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	110
PID 1972 wrote to memory of 4200	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	111
PID 1972 wrote to memory of 4200	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	111
PID 1972 wrote to memory of 4200	1972	{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe	111
PID 2484 wrote to memory of 4924	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	119
PID 2484 wrote to memory of 4924	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	119
PID 2484 wrote to memory of 4924	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	119
PID 2484 wrote to memory of 920	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	120
PID 2484 wrote to memory of 920	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	120
PID 2484 wrote to memory of 920	2484	{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe	120
PID 4924 wrote to memory of 2856	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	121
PID 4924 wrote to memory of 2856	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	121
PID 4924 wrote to memory of 2856	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	121
PID 4924 wrote to memory of 2500	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	122
PID 4924 wrote to memory of 2500	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	122
PID 4924 wrote to memory of 2500	4924	{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe	122
PID 2856 wrote to memory of 2696	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	123
PID 2856 wrote to memory of 2696	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	123
PID 2856 wrote to memory of 2696	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	123
PID 2856 wrote to memory of 4392	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	124
PID 2856 wrote to memory of 4392	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	124
PID 2856 wrote to memory of 4392	2856	{51BEC851-9483-4224-84AD-47A43368CA0B}.exe	124
PID 2696 wrote to memory of 2472	2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe	127
PID 2696 wrote to memory of 2472	2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe	127
PID 2696 wrote to memory of 2472	2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe	127
PID 2696 wrote to memory of 3636	2696	{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_899ceecd0f8172f1d1c54ba07b35b342_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
  C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
    C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
      C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
        
        C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
        
        C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
        
        C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
        
        C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
        
        C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
        
        C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
        
        C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
        
        C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe
        
        C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29A04~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3B5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51BEC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BF9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86922~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3476E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6FF2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A943E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7107~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63D09~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C725~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C725F8F-0000-43d4-A636-D2722D7AFF47}.exe

Filesize
168KB

MD5
24664f5302d0c0fbd65b286b23eb58d7

SHA1
d9bb31cbbe833050fcbfb7e3c2c4985e01839d4f

SHA256
7a6e404a2ff9086676ce87321a6df13e3c553c6de9de8ee0c70b2cbee7841025

SHA512
c8f639b38c334b9308ef05e26211428c0fff8e139f541bbd1c361daebe455b1db03fbc14856d3ba5b3b0ed57f67c0ba9ac27f0e913a42a4d24b46bc8195c73b1

Download Submit
C:\Windows\{29A04520-8E28-4240-85D1-BBB7538E8EB7}.exe

Filesize
168KB

MD5
59fc3d7045c16ad381dd5e9693be5700

SHA1
9d8a0187ea6196b1cf595a018df3bc30c02ae565

SHA256
a187a49d077efecb0b1b1f0e5c20f24b581136bf46daf3c93117e99ac679191d

SHA512
e873e08094a99cbeb066f538d23d9f79ec4e99d5c90dbcb23f05791349bebbca0da6765a5f89326a7b333f544b909691df2f0a3601ea85ec2a34798e01d3ca88

Download Submit
C:\Windows\{3476EE32-57C6-4e39-BE0C-D784AC55A33D}.exe

Filesize
168KB

MD5
4f6ced35e46ece004369081795d66d19

SHA1
6af8b207d59723aa734f24e10822533cfbb9be97

SHA256
3481679f002731876eed87926a2a4a7f23b8e600ae9db7662af619836ff9a809

SHA512
4fed53951f24021d465d5cdac7404040da5f5f517aa697cef62acfa431fd294f07e0669fdab6cbb0caa260bb1039b5f30e09bfe3984b523747d8035e487123c5

Download Submit
C:\Windows\{51BEC851-9483-4224-84AD-47A43368CA0B}.exe

Filesize
168KB

MD5
921b24af1eadcc1691d54c154c0c1fa3

SHA1
50264f3973da37e4ab1c3f99ebcee481fa8fdafd

SHA256
2ee31cd8e2c127bcf5be7c45c4af77996d43418bd7b4dd6ea37240f8fdcf6fc3

SHA512
fbd2c6ba881c7fc47acb87d0b5518d15101d6a71a3a98c2ea7fda18d6a303cd003c9bd6bc03f2afd7aafdd50c0c5b6ace730cc2f67fa3a0de83168677b7cfe87

Download Submit
C:\Windows\{52BF9657-EB06-4a61-8DE6-DFCB98F385BF}.exe

Filesize
168KB

MD5
d053a8195a078eb3cdf66b0e745f1f39

SHA1
7548c4d25bba08940fb556c00effa1abafb81359

SHA256
84f52699e7fa803a58470c3220b348d0162ac5d3a7260182a40143a9ce4f205b

SHA512
58b77dcd15ced66f4762ae390b665d523a75099b792358b75cd5a80f019f2b1edc827684afd02e8bde7285903d962b4f6fb4093c21a0664c76989fc9a95ed970

Download Submit
C:\Windows\{63D09C9F-D57B-4c77-9B23-371CABCBB996}.exe

Filesize
168KB

MD5
503422280e8b90b485ffa81b4f1a730b

SHA1
ab46b9ed111d32a90acca660ad86e4767a17b3ff

SHA256
31fb7b955910807fed7ca5456536f935a1d6e872edb474ea6c6036f0b49b0dff

SHA512
e49bfc7f2f84636c0cf5f321b55905c518b16d915054544dc110a16fcdb9b307d29561d4c4b0533a863412a48072c014581b013f8a3d388db3e8ed538f09c767

Download Submit
C:\Windows\{86922368-44E7-4b94-9CDE-5D082B5D8309}.exe

Filesize
168KB

MD5
51ae1e4b2cac6bec439afaa9594f0a62

SHA1
69e82c63a108b14d4bd3c65f0c9cb50c5d69c0ba

SHA256
26f7bccf121693ec8cb9aeb480e838fe1927827be08e0865c709df012fe10820

SHA512
7d22b6c94855c85cb77e7b88d2702fea7a43d3be9bdfad2e553bc74c57c4593a9968f779188bc71ffd25480be1aff4858686a2f6b8dac406529a62bea027c0d9

Download Submit
C:\Windows\{A943ED39-E45A-406c-B33F-77F0966976F9}.exe

Filesize
168KB

MD5
a9671289f50bc3b925c39fb4cbc8d25f

SHA1
f1637c36c5d38587afbd51774280ec727fb049c2

SHA256
0adc9e49adf9d2a0901ae9b4fbc7a31fdd50f5bcbb18b028220257c3573b8e36

SHA512
bfca1ca8889ed587198e85f7b18280a828c7cdad1d2e4b9bb4f308d538bc98e9ec605388b0a56028c9bd778c7b8e6e7a87d36600d02dc02c158ef51d423b1eae

Download Submit
C:\Windows\{B7107193-2BC2-4027-862B-68BBCBDEEC41}.exe

Filesize
168KB

MD5
47e93db6f56a4d8196a3171698cc229b

SHA1
0c759bacabfdb404d444ec0fd4738e73da2fb761

SHA256
3c07ecf5e9268886dc78e2f19036a691b957001407870cb9851fcc7c7d26f249

SHA512
d62031e138a4748f7dcead77c052dd51df0ca935b63cd800c7c0a760c29ec0650d6c7d4e614319c64f95de65cc551e6f9c00f9003c8c4c11eeed2cc1bac0656c

Download Submit
C:\Windows\{CD3B58A5-E97E-4005-8CE7-9C472367F520}.exe

Filesize
168KB

MD5
40db4319f630172ddb3ca1e0b74b1b70

SHA1
3bf44ea072fb2652100917f43b285be1f0880601

SHA256
d0d595ab65d7f4bc9e0bfcc9ea62484bc3c5d85db0a98b2d8f1bde8f19468543

SHA512
981ff3f99e231ee935d2fb89edd8045f4a15b60810c5ec00a5131c64e838f5437b8a78d7674aa687a9341d7594348faf2285a4bc4bdcd82dcdbe5791b0174a53

Download Submit
C:\Windows\{F4303DA5-649F-4a94-801F-4C27B7B0E4EF}.exe

Filesize
168KB

MD5
2cadd530b467688cd5cf152bf333e86a

SHA1
f9361f0a3749351264329a7b4033bb8b902d1ecb

SHA256
91adeafdb324622a26ded50ac88029c846608196a492b2b260ff1ea91b3fb234

SHA512
2d2c177e0b5d142d283fe55ad58899e15257939f69e007d9def64c2707de2c9313cf91e816f4aeaf55cec48bbe21ed6bd6aaf801407cd897711a5aea4b92133c

Download Submit
C:\Windows\{F6FF2367-B46D-4c9f-B0C2-2CEEF14DA3F1}.exe

Filesize
168KB

MD5
bf6e6d0a96f26b072106d37d54b4db30

SHA1
e14540cf9604933a8dd28d2d2650f4239d97685d

SHA256
9673318179b047788cff30615dd473856cb92fd90a467bf05cbb275d42730929

SHA512
45e4eae1004fef667af786b26d1e3def572749811446a6f228b3098eb47cc4e2025413c3b4eb1c52e8ec0ba1970d8566aabae208be2993e98d730651e93d2cd0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads