e9865884e418b297c969ccc456c3ac5232a225f8bf79c6a0e54b33499d37bcd8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Size

344KB
MD5

13930bb335df125fcefd0b4c064a13c0
SHA1

4eea911afd2d59a43a6fa982eec34dbf1ecb3759
SHA256

e9865884e418b297c969ccc456c3ac5232a225f8bf79c6a0e54b33499d37bcd8
SHA512

c41c01f42345fd97e97b43d4a35fb3b294725d42c57ef79619c1749aea9f9c624888791488705eb7ee57bca263da69baeef70f42ce65049cf569763fb2f1f8d7
SSDEEP

3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG8lVOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48227408-51E2-4bc1-B825-F1A8936AF2D0}\stubpath = "C:\\Windows\\{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe"	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C182E296-A5DA-4ab4-8411-09D2FB027E78}	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}\stubpath = "C:\\Windows\\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe"	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166A588C-F290-435d-B59F-BB6E81E8B6E2}	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{166A588C-F290-435d-B59F-BB6E81E8B6E2}\stubpath = "C:\\Windows\\{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe"	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}\stubpath = "C:\\Windows\\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe"	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}\stubpath = "C:\\Windows\\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe"	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}\stubpath = "C:\\Windows\\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe"	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997880BE-3E03-4cf6-8869-A30C69DBAD24}	{BD39296A-756A-453b-8F95-3C612B16444E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}\stubpath = "C:\\Windows\\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe"	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}\stubpath = "C:\\Windows\\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe"	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48227408-51E2-4bc1-B825-F1A8936AF2D0}	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}\stubpath = "C:\\Windows\\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe"	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C182E296-A5DA-4ab4-8411-09D2FB027E78}\stubpath = "C:\\Windows\\{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe"	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD39296A-756A-453b-8F95-3C612B16444E}	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD39296A-756A-453b-8F95-3C612B16444E}\stubpath = "C:\\Windows\\{BD39296A-756A-453b-8F95-3C612B16444E}.exe"	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997880BE-3E03-4cf6-8869-A30C69DBAD24}\stubpath = "C:\\Windows\\{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe"	{BD39296A-756A-453b-8F95-3C612B16444E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe

Executes dropped EXE 12 IoCs

pid	Process
4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
1300	{BD39296A-756A-453b-8F95-3C612B16444E}.exe
2660	{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD39296A-756A-453b-8F95-3C612B16444E}.exe	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
File created	C:\Windows\{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe	{BD39296A-756A-453b-8F95-3C612B16444E}.exe
File created	C:\Windows\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
File created	C:\Windows\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
File created	C:\Windows\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
File created	C:\Windows\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
File created	C:\Windows\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
File created	C:\Windows\{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
File created	C:\Windows\{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
File created	C:\Windows\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
File created	C:\Windows\{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
File created	C:\Windows\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD39296A-756A-453b-8F95-3C612B16444E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
Token: SeIncBasePriorityPrivilege	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
Token: SeIncBasePriorityPrivilege	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
Token: SeIncBasePriorityPrivilege	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
Token: SeIncBasePriorityPrivilege	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
Token: SeIncBasePriorityPrivilege	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
Token: SeIncBasePriorityPrivilege	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
Token: SeIncBasePriorityPrivilege	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
Token: SeIncBasePriorityPrivilege	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
Token: SeIncBasePriorityPrivilege	1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
Token: SeIncBasePriorityPrivilege	1300	{BD39296A-756A-453b-8F95-3C612B16444E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4892	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	88
PID 3492 wrote to memory of 4892	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	88
PID 3492 wrote to memory of 4892	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	88
PID 3492 wrote to memory of 3300	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	89
PID 3492 wrote to memory of 3300	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	89
PID 3492 wrote to memory of 3300	3492	2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe	89
PID 4892 wrote to memory of 1876	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	91
PID 4892 wrote to memory of 1876	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	91
PID 4892 wrote to memory of 1876	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	91
PID 4892 wrote to memory of 4676	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	92
PID 4892 wrote to memory of 4676	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	92
PID 4892 wrote to memory of 4676	4892	{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe	92
PID 1876 wrote to memory of 2208	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	95
PID 1876 wrote to memory of 2208	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	95
PID 1876 wrote to memory of 2208	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	95
PID 1876 wrote to memory of 2652	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	96
PID 1876 wrote to memory of 2652	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	96
PID 1876 wrote to memory of 2652	1876	{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe	96
PID 2208 wrote to memory of 2124	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	97
PID 2208 wrote to memory of 2124	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	97
PID 2208 wrote to memory of 2124	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	97
PID 2208 wrote to memory of 4576	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	98
PID 2208 wrote to memory of 4576	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	98
PID 2208 wrote to memory of 4576	2208	{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe	98
PID 2124 wrote to memory of 4092	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	99
PID 2124 wrote to memory of 4092	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	99
PID 2124 wrote to memory of 4092	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	99
PID 2124 wrote to memory of 4328	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	100
PID 2124 wrote to memory of 4328	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	100
PID 2124 wrote to memory of 4328	2124	{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe	100
PID 4092 wrote to memory of 4696	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	101
PID 4092 wrote to memory of 4696	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	101
PID 4092 wrote to memory of 4696	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	101
PID 4092 wrote to memory of 4144	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	102
PID 4092 wrote to memory of 4144	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	102
PID 4092 wrote to memory of 4144	4092	{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe	102
PID 4696 wrote to memory of 4856	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	103
PID 4696 wrote to memory of 4856	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	103
PID 4696 wrote to memory of 4856	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	103
PID 4696 wrote to memory of 2344	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	104
PID 4696 wrote to memory of 2344	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	104
PID 4696 wrote to memory of 2344	4696	{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe	104
PID 4856 wrote to memory of 1620	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	105
PID 4856 wrote to memory of 1620	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	105
PID 4856 wrote to memory of 1620	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	105
PID 4856 wrote to memory of 3592	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	106
PID 4856 wrote to memory of 3592	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	106
PID 4856 wrote to memory of 3592	4856	{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe	106
PID 1620 wrote to memory of 2624	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	107
PID 1620 wrote to memory of 2624	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	107
PID 1620 wrote to memory of 2624	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	107
PID 1620 wrote to memory of 4876	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	108
PID 1620 wrote to memory of 4876	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	108
PID 1620 wrote to memory of 4876	1620	{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe	108
PID 2624 wrote to memory of 1020	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	109
PID 2624 wrote to memory of 1020	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	109
PID 2624 wrote to memory of 1020	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	109
PID 2624 wrote to memory of 820	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	110
PID 2624 wrote to memory of 820	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	110
PID 2624 wrote to memory of 820	2624	{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe	110
PID 1020 wrote to memory of 1300	1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe	111
PID 1020 wrote to memory of 1300	1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe	111
PID 1020 wrote to memory of 1300	1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe	111
PID 1020 wrote to memory of 348	1020	{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_13930bb335df125fcefd0b4c064a13c0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
  C:\Windows\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
    C:\Windows\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
      C:\Windows\{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
        
        C:\Windows\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
        
        C:\Windows\{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
        
        C:\Windows\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
        
        C:\Windows\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
        
        C:\Windows\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
        
        C:\Windows\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
        
        C:\Windows\{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{BD39296A-756A-453b-8F95-3C612B16444E}.exe
        
        C:\Windows\{BD39296A-756A-453b-8F95-3C612B16444E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe
        
        C:\Windows\{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD392~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C182E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E12D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A88B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AEE6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7E0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{166A5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06C04~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48227~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3F17~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D34~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06C04280-D714-4a7b-8F92-2F0E2DE44B1C}.exe

Filesize
344KB

MD5
1b147137a43196a89fc498c86aa18f8c

SHA1
c10f3e163aa581d1a889cc51f8c2062337779f28

SHA256
daa1759dd5e45b54c8bb342e829352c276dde9c4f7e114a31ed307fdabf984b7

SHA512
fb7bf5969d4ac7d55bbd12ad0810ecad76490323af0f4783fa750ac169a2a5ee9ad2ac721f211a031d1550c471ad21817c713e5623741dfd96bfe9184da3b2c0

Download Submit
C:\Windows\{166A588C-F290-435d-B59F-BB6E81E8B6E2}.exe

Filesize
344KB

MD5
19d6e2a1954bdad728a5801bd4186afe

SHA1
5c2e5504db6cc54ed1ab8d3c3e752c0f4567c417

SHA256
0027e90be7acd3824e39bae13b2fbaec5de23986e5cebf901e9b924d31013d67

SHA512
aabba84dea07ac4e82024a729ff7b67647aeb200112ef026ed6adef06d2346beacefb57e7f02207c3bbc86216b04c09f5039342493d0760dad016a8d6d875119

Download Submit
C:\Windows\{48227408-51E2-4bc1-B825-F1A8936AF2D0}.exe

Filesize
344KB

MD5
05f1d933adf458d12ad6c097b0fb8495

SHA1
a34581b2e558205aa5d4809dee768629175506d3

SHA256
9c9a588aeb708a8dc73e47881730e016b7900909d021c92ce8c8b8148a3a8010

SHA512
0a6aa767babe2e7dd3a4a398473ba104822a4aa87cfaa8e9e49c154a19a0d6087a53dfd28d09238f2c5548cbc59c49d851c5575962cd99ebbc358b0f1d4c65cb

Download Submit
C:\Windows\{8A88BC21-26A9-432d-9C8C-F675D4831F1E}.exe

Filesize
344KB

MD5
fd0b5c75eb7873f7983fd036dcc8f402

SHA1
25303c148e3ae78c17d0025c83fd55840990f268

SHA256
8c719442b238149573606a44a279261ffd266bbc70cf89cf92d4fe7d874992c6

SHA512
d4fb9c5b2d04ef3402064e078e1347c4ce85b94001911ff60b76b4a7375b2825b3af5215ba509235959b6df30de3a42be21c416a44d7cc59ba767e94a3fce96c

Download Submit
C:\Windows\{8AEE64BD-EB6D-4c7c-BC54-91F873759F5B}.exe

Filesize
344KB

MD5
e5f48396bcecc5c060750e9ee506eebc

SHA1
72e26018a40491d0520f9a6417167103e5b82f61

SHA256
47c4c851bbfa0b8560e15d9383c9f441e12aae2bdbe6dbae7017ee7aea18cae7

SHA512
8ba023e3f7471563bd7c51a58d81066c8f16e3fd572e048082244212cff99b47ddd41da05a9dae278f7e96174db6a29cfdde617496a558c559b9bec0c8549a32

Download Submit
C:\Windows\{997880BE-3E03-4cf6-8869-A30C69DBAD24}.exe

Filesize
344KB

MD5
416f73a4b1f7ddd84e1e94e6a53f9cb4

SHA1
cb62fd0263b47844258f4ee40f979bce1dc91634

SHA256
8312cc2ef288d29e6da130743dec4828ecde189038f2c3535a08dfc0762f9a20

SHA512
74a0ce93da4f0b7492300bcfb1343416af7af0cd97a1aa0f2adaab1f57a7d46a1877db39686058edd5101660f422a186c6a44e5281d0788a1877a182bd895545

Download Submit
C:\Windows\{9E12D616-6A8B-4ebe-BBE0-5970045462B1}.exe

Filesize
344KB

MD5
98c7c6ebf9e922e5687c77f2379f8929

SHA1
a080503bfb93dd66cbe3bb4b986a934e0b8122b6

SHA256
556e8e7bcc847b3e95e8a1e1b6819918d993c226dabb531b1f57e16c06bae2fe

SHA512
8cedaed90612f913066116a66f80c7f6997f814bb98d8716ea337f84847356da160a22f2c9d083de177ff86df7ac11eed990998d988e401d2da9dcf79c52d197

Download Submit
C:\Windows\{9F7E0591-A7CF-40aa-AD72-A5C29E2D1281}.exe

Filesize
344KB

MD5
c3188100beb16a68ebdf06b349799490

SHA1
55894861bf07e6b2516fccdd069c14925bc9773d

SHA256
67a69dd6e2e30e3e3e509ea972ca9808773f2af385854094bce0f30edf3f9d50

SHA512
cf4e4f923598c04c97d8eec19e52b787ba69caa078b1cb274dad50b7101b448310ca15f0890b7b921d43388fbe42860ecda8f9202d73f910a2f8da70d705221e

Download Submit
C:\Windows\{B3F1741F-0EFD-4f98-B1A8-1A16605FCD77}.exe

Filesize
344KB

MD5
244b46a52979472061f73b3818b0a254

SHA1
805a184494eb65eae8e9dab73534c20fe4138c98

SHA256
331e102216d12c344865ce0e256764494101391c82f875bbcc9c04b304a958e9

SHA512
db60c26174e3e620d9779ca5610a05fc36bc02b48dab556b4f9f78277545505de9f165a2d4a290d92134b5308f7cf7897808995740cd6117b2b9cd28c8d2a6a4

Download Submit
C:\Windows\{BD39296A-756A-453b-8F95-3C612B16444E}.exe

Filesize
344KB

MD5
6982d0f88858dd1ec31bd761e82584ab

SHA1
dd8dc055036a2b23361cf388fb5dc950fae3e9a3

SHA256
7a5edf1620ca1e4d3a9b6b1e73ba3c8b1786ac4022f718cdd2c86a16d45f054d

SHA512
f8bc7444f80fd319d13778b3f88f82ba37f8ba67df6669adc7384f1b945258e214d1bfdce597461f2ed1d78205cd94d4dc759487ef19c56fcf3ad05d37372de9

Download Submit
C:\Windows\{C182E296-A5DA-4ab4-8411-09D2FB027E78}.exe

Filesize
344KB

MD5
d281fc637b056e592ea8179dee4e57d7

SHA1
7ae898b27b4c64746ba6ebe232107e1b1d23b0f7

SHA256
3d5ab048952042ff821469ddf9379d5fe0bbd6cce6baca2d8b88834d1a8bf184

SHA512
cb1eabdab6167c8d4ac2f61c4f40bb24124e9ab0bfdc1a1a360dfc6a6dd04415477997d9f4049870acc6ad630e14b0cff28c24a8e3cbb269dccf990dc6dee413

Download Submit
C:\Windows\{F5D343DD-2B54-4d51-8B00-8B4BA031F4D3}.exe

Filesize
344KB

MD5
3661688900a93021df876ae751986021

SHA1
2769e982d9a6263eb8438e21e80efa78a2e15309

SHA256
835717d4395c092a9d95f83cf6762897fdaf085e2e602f7a86869d58c18eaa08

SHA512
860c58496acd85cba7ab2a891aa7c222e3590a59b5ae631f791fd4881dc4eaedccb96c39724a9f5f138a64bfe6a7883398c9629f3c7ad22db97f9900dcdf4f49

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads