a99a2c428163aad4bdc669bc163b617930949ac4add6d8ed42982822b6bd6835

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
Size

180KB
MD5

850c9dfe5baa234043e7c2a3251c5490
SHA1

7c9c05e2a03efcecbe6ad6fc8a3a1432d1493297
SHA256

a99a2c428163aad4bdc669bc163b617930949ac4add6d8ed42982822b6bd6835
SHA512

c9381d49e7a13e6ca76a24ac83dc3ddc0c231264c877136254e1b61f796075377d3a14d2b45a59c4e55c73e9ef178eef37b767d89597496231743b92f646fd3c
SSDEEP

3072:jEGh0otlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}\stubpath = "C:\\Windows\\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe"	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15145429-21D1-407d-850C-05DF7BA143C3}\stubpath = "C:\\Windows\\{15145429-21D1-407d-850C-05DF7BA143C3}.exe"	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A68FEBDB-5F70-48fd-984C-58C8657F8281}\stubpath = "C:\\Windows\\{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe"	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}	{F647A469-E48F-439b-8AC7-160FA890588D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}\stubpath = "C:\\Windows\\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe"	{F647A469-E48F-439b-8AC7-160FA890588D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}\stubpath = "C:\\Windows\\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe"	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15145429-21D1-407d-850C-05DF7BA143C3}	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}\stubpath = "C:\\Windows\\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe"	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}\stubpath = "C:\\Windows\\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe"	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F647A469-E48F-439b-8AC7-160FA890588D}\stubpath = "C:\\Windows\\{F647A469-E48F-439b-8AC7-160FA890588D}.exe"	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E54B59-3F21-4dce-9916-053F7AE05231}\stubpath = "C:\\Windows\\{21E54B59-3F21-4dce-9916-053F7AE05231}.exe"	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{850215DF-6324-414c-BF9D-740E49BD7730}	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}\stubpath = "C:\\Windows\\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe"	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E54B59-3F21-4dce-9916-053F7AE05231}	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{850215DF-6324-414c-BF9D-740E49BD7730}\stubpath = "C:\\Windows\\{850215DF-6324-414c-BF9D-740E49BD7730}.exe"	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A68FEBDB-5F70-48fd-984C-58C8657F8281}	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}\stubpath = "C:\\Windows\\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe"	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F647A469-E48F-439b-8AC7-160FA890588D}	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
3256	{F647A469-E48F-439b-8AC7-160FA890588D}.exe
4592	{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
File created	C:\Windows\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
File created	C:\Windows\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
File created	C:\Windows\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
File created	C:\Windows\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
File created	C:\Windows\{F647A469-E48F-439b-8AC7-160FA890588D}.exe	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
File created	C:\Windows\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
File created	C:\Windows\{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
File created	C:\Windows\{15145429-21D1-407d-850C-05DF7BA143C3}.exe	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
File created	C:\Windows\{850215DF-6324-414c-BF9D-740E49BD7730}.exe	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
File created	C:\Windows\{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
File created	C:\Windows\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe	{F647A469-E48F-439b-8AC7-160FA890588D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F647A469-E48F-439b-8AC7-160FA890588D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
Token: SeIncBasePriorityPrivilege	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
Token: SeIncBasePriorityPrivilege	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
Token: SeIncBasePriorityPrivilege	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe
Token: SeIncBasePriorityPrivilege	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
Token: SeIncBasePriorityPrivilege	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe
Token: SeIncBasePriorityPrivilege	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
Token: SeIncBasePriorityPrivilege	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
Token: SeIncBasePriorityPrivilege	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
Token: SeIncBasePriorityPrivilege	4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
Token: SeIncBasePriorityPrivilege	3256	{F647A469-E48F-439b-8AC7-160FA890588D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1464	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	89
PID 1656 wrote to memory of 1464	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	89
PID 1656 wrote to memory of 1464	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	89
PID 1656 wrote to memory of 3228	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	90
PID 1656 wrote to memory of 3228	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	90
PID 1656 wrote to memory of 3228	1656	2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe	90
PID 1464 wrote to memory of 4192	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	91
PID 1464 wrote to memory of 4192	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	91
PID 1464 wrote to memory of 4192	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	91
PID 1464 wrote to memory of 2320	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	92
PID 1464 wrote to memory of 2320	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	92
PID 1464 wrote to memory of 2320	1464	{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe	92
PID 4192 wrote to memory of 4436	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	95
PID 4192 wrote to memory of 4436	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	95
PID 4192 wrote to memory of 4436	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	95
PID 4192 wrote to memory of 1308	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	96
PID 4192 wrote to memory of 1308	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	96
PID 4192 wrote to memory of 1308	4192	{21E54B59-3F21-4dce-9916-053F7AE05231}.exe	96
PID 4436 wrote to memory of 4912	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	97
PID 4436 wrote to memory of 4912	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	97
PID 4436 wrote to memory of 4912	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	97
PID 4436 wrote to memory of 5000	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	98
PID 4436 wrote to memory of 5000	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	98
PID 4436 wrote to memory of 5000	4436	{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe	98
PID 4912 wrote to memory of 1300	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	99
PID 4912 wrote to memory of 1300	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	99
PID 4912 wrote to memory of 1300	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	99
PID 4912 wrote to memory of 4932	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	100
PID 4912 wrote to memory of 4932	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	100
PID 4912 wrote to memory of 4932	4912	{15145429-21D1-407d-850C-05DF7BA143C3}.exe	100
PID 1300 wrote to memory of 1816	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	101
PID 1300 wrote to memory of 1816	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	101
PID 1300 wrote to memory of 1816	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	101
PID 1300 wrote to memory of 3532	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	102
PID 1300 wrote to memory of 3532	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	102
PID 1300 wrote to memory of 3532	1300	{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe	102
PID 1816 wrote to memory of 1944	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	103
PID 1816 wrote to memory of 1944	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	103
PID 1816 wrote to memory of 1944	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	103
PID 1816 wrote to memory of 3416	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	104
PID 1816 wrote to memory of 3416	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	104
PID 1816 wrote to memory of 3416	1816	{850215DF-6324-414c-BF9D-740E49BD7730}.exe	104
PID 1944 wrote to memory of 3208	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	105
PID 1944 wrote to memory of 3208	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	105
PID 1944 wrote to memory of 3208	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	105
PID 1944 wrote to memory of 2084	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	106
PID 1944 wrote to memory of 2084	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	106
PID 1944 wrote to memory of 2084	1944	{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe	106
PID 3208 wrote to memory of 2788	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	107
PID 3208 wrote to memory of 2788	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	107
PID 3208 wrote to memory of 2788	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	107
PID 3208 wrote to memory of 1228	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	108
PID 3208 wrote to memory of 1228	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	108
PID 3208 wrote to memory of 1228	3208	{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe	108
PID 2788 wrote to memory of 4400	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	109
PID 2788 wrote to memory of 4400	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	109
PID 2788 wrote to memory of 4400	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	109
PID 2788 wrote to memory of 2244	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	110
PID 2788 wrote to memory of 2244	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	110
PID 2788 wrote to memory of 2244	2788	{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe	110
PID 4400 wrote to memory of 3256	4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe	111
PID 4400 wrote to memory of 3256	4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe	111
PID 4400 wrote to memory of 3256	4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe	111
PID 4400 wrote to memory of 1804	4400	{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_850c9dfe5baa234043e7c2a3251c5490_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
  C:\Windows\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
    C:\Windows\{21E54B59-3F21-4dce-9916-053F7AE05231}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
      C:\Windows\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\{15145429-21D1-407d-850C-05DF7BA143C3}.exe
        
        C:\Windows\{15145429-21D1-407d-850C-05DF7BA143C3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
        
        C:\Windows\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{850215DF-6324-414c-BF9D-740E49BD7730}.exe
        
        C:\Windows\{850215DF-6324-414c-BF9D-740E49BD7730}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
        
        C:\Windows\{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
        
        C:\Windows\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
        
        C:\Windows\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
        
        C:\Windows\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{F647A469-E48F-439b-8AC7-160FA890588D}.exe
        
        C:\Windows\{F647A469-E48F-439b-8AC7-160FA890588D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe
        
        C:\Windows\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F647A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9061~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EBA0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C9DA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A68FE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85021~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E89~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15145~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8832F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21E54~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF6E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C9DA731-5470-43a9-A16F-BA3A4F98A1F3}.exe

Filesize
180KB

MD5
31d55049bf34b4ada5d1d4ab1e21477b

SHA1
3b82a334d07c9fb36cfcf6030f7625cb366f12d2

SHA256
78768e615085391c55c85c1747e3ad45ae9f6bd941c6c83962f7d4edccb552ff

SHA512
204f474f83abaaab35ed64feb4fde789220b52c5277b11aaaafdc6ea19bc6066f592087c9db7053e4621127f816cbd9768ac6a39bd17204e9c31e36f7c70c2a7

Download Submit
C:\Windows\{15145429-21D1-407d-850C-05DF7BA143C3}.exe

Filesize
180KB

MD5
fdb20b04b8387634b743fec552353e0a

SHA1
76755da17374559c8b707715c270cf8def8c0b00

SHA256
1d74de5c40c8dbb362b557efd15a9de9a90d08b09790507fcc626063b2906d85

SHA512
ea8c9b5b9a9eae3cf303cee765a1ea268e0123a094f5368aa205673618c3ab4a1445b06b38acb707115d3847a0db24978e50057e99b62275bc72f82a212f72b2

Download Submit
C:\Windows\{21E54B59-3F21-4dce-9916-053F7AE05231}.exe

Filesize
180KB

MD5
31e4112d4e5d2d71069f0fd15c1539ad

SHA1
9da5ba2c84ab0ab3c24040a2736aaa7396512dae

SHA256
3da7620c3c31daf542891d57a9fa2bb2e1375e589c7d4f12ac38f77bb6fafb47

SHA512
d84b4b974b0e1f012b0270bc8ce42b9ef8f88c73427f92eb0eb75aaf750c4e004d4b89add206d6d171501d0aa45e3ce6c376e5a91a567fa8b28940b973f92fc6

Download Submit
C:\Windows\{2CF53CFD-2497-4590-A0A0-D78A9A05E437}.exe

Filesize
180KB

MD5
f23b652ff7ddae2c3b2a0ffa8e074bec

SHA1
ce6f9966879a8573c405d1877c89d9f833aeb449

SHA256
11904ce2a7716d5e59dc57554910442d5c6dbaaeffaf37c133637116a5032e1b

SHA512
1ee2a717f4b488431a5851e96a466232b89c515d2b17c2529102b6ab41c51e644bcbbc653afa84f4904c4f053205daf1a85c5b47288c496c38f5f955af6f24bc

Download Submit
C:\Windows\{6FF6E76A-520A-4a65-8AF1-6041A931DE68}.exe

Filesize
180KB

MD5
6e0137d9d007d926c739685038efdb5f

SHA1
d32a617e2591f3abaada12a6c5c35f295c6dcc61

SHA256
c3816a36191312c7c8608a4a6956e1d1005755e2692663a7309d171524fc520e

SHA512
eca706f6eee1de7b033f9f7b34674185b49e56ed71e637e7a0a844953f17b9e2b713ce74c8aa7319e113c0ad06ba334958a3daaa078d01a75f8f285783374534

Download Submit
C:\Windows\{850215DF-6324-414c-BF9D-740E49BD7730}.exe

Filesize
180KB

MD5
172e5816f6e4c5b8bebe53a789f862f6

SHA1
a1ecdb20a33408866a2e1a06dda0af25f7f0dc5f

SHA256
712dbc7dd8125469d71002ca5bb785ab5c957bd1eb1279f6b50a72ebc733d5e2

SHA512
d8bf061d9e9ba3997e7e101f086332c201c38898f76a4f1fa7103bb610f53e97ddf9d801e97d54199bcb40a3dac9f23cbdb4ab975d04a763f63bbf2ade450240

Download Submit
C:\Windows\{8832F329-F02B-473b-84CF-C0F7DE9D8D42}.exe

Filesize
180KB

MD5
0d4d9e10963b1c602e3406efe5b85d53

SHA1
cb0eb8d7efc8bc41a5be5b5ce9c761255e997675

SHA256
3d70292ae75562b8a530b1e5ba028a7df29ddd2c61bf93d5e507eae728f2c43c

SHA512
51d9691e2841efafdc462bdb428902c0d62ca24349c413dc990a65e60499ea5b8701a868b73b207bd1447de7666611bc3f46101b73999b7bc39100b0b3456f75

Download Submit
C:\Windows\{92E89E1F-F22B-41ca-AA29-1F4552ADDD38}.exe

Filesize
180KB

MD5
8e11262653f5318b9b5872d05cabcdb3

SHA1
bf39902e51f3824acef2c564867e8d26b48c0f84

SHA256
21378c78f626c6952c2abacda7ac8f8e56e6bbd5acae6a4e4f6d51e0a2ca544e

SHA512
1f84240456a23f6bffafa55c465d15547b8a1f469b8a607c7dbed9d0abab20ed5d9ce17ba1ae117d8d4772b20c921be7f4f30e446ca2d638bda0b925da37b7c2

Download Submit
C:\Windows\{9EBA0340-39C4-4dde-8136-3AA54FB27C74}.exe

Filesize
180KB

MD5
890976e8e21bbab153d74cd4a150d3d1

SHA1
6090a5bf386f7b42c77d929e5f2f5b32a6365522

SHA256
1ad140f1a4649b204570c6ab8187f1c701282b59211c1299d30d564cd1cd4577

SHA512
c7e509924ffbecff9acb4877fc74e5822d8a70b23e21507080c01dda97b0bdcac3db70048e06736f0b804dcbb22d3d6e79e3d9a68019aa6beab53774003d7d13

Download Submit
C:\Windows\{A68FEBDB-5F70-48fd-984C-58C8657F8281}.exe

Filesize
180KB

MD5
dafca636a6989e52aa8f451bc068deb6

SHA1
abda943023f40130a7b960e984cb1471604b36c6

SHA256
96c01fc5f7e840fc85dd297f996f95b1c1328b3042cd10d80f30f9dfc256dfc5

SHA512
97e716d89e6ac6adee46a3c112fe4e1ed031d39f989c331c8b84e904067c2e0881ed23b5589829f1149caf99329ff243db4ad1d1701f1a5525dcabdd00eb48a7

Download Submit
C:\Windows\{D90611E5-5F93-4bd6-A488-36FD2C789E0E}.exe

Filesize
180KB

MD5
d3dba9c955f8d1493bc6d52e0f06753b

SHA1
bb8ba3005cd936a3ae145db7d641221e31cda431

SHA256
c95fd09d3ab0a3d8066cd7eca0ef58510e94d6ec2ef6f6f0a096422bd92ed66f

SHA512
f97b0c21149bfc3b2a0bd9d1c12f0d122b674a0c1d4dce4497a8281cbcad026772ed5c3d7b9f7927b2d57ba50101bd41d21be87926bb0c5499f4629efa3f03a2

Download Submit
C:\Windows\{F647A469-E48F-439b-8AC7-160FA890588D}.exe

Filesize
180KB

MD5
051209f9e7c8a2fd8e8dd26f8a26832a

SHA1
33e2d660ee8174757916b3fd6f5d5a9b82f7f2eb

SHA256
d2f0fef0e67a3e54f2d3ba5db78b1fa35223825afe88d6901c355b87c4719cc3

SHA512
37f2827096acb1652f771f4ecee30288d169a2971b9141c6d23c96df628cee5bac3cb3f4775fc10276f9cb12c66d4929abdc47a6aa51b28898121f17c8212306

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads