79452ea75069f14b89efd4440facca77d54b7f284207b36c2149afa6f2d4fe6b

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
Size

372KB
MD5

a85a60579d91f34dbe932702e61d16e6
SHA1

31b36ba209a3412f00564f81840e6498ec14e5a1
SHA256

79452ea75069f14b89efd4440facca77d54b7f284207b36c2149afa6f2d4fe6b
SHA512

f0359115024c1a8ac31c47906791916b244402f43ec80f09b9aab41bd39498a1c02e668957f4eb9e7849d84517407d89760d77f6b5ae7b1266d649cc3a8c0788
SSDEEP

3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGKlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}\stubpath = "C:\\Windows\\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe"	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}\stubpath = "C:\\Windows\\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe"	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF36D90-FF24-4e0c-9348-5BDF36708828}	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}\stubpath = "C:\\Windows\\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe"	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E48724D-DD2F-41d1-A9D9-674E1995422B}\stubpath = "C:\\Windows\\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe"	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}\stubpath = "C:\\Windows\\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe"	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}\stubpath = "C:\\Windows\\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe"	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49927D1-4D16-47c3-9808-6A58A6C5D105}	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A49927D1-4D16-47c3-9808-6A58A6C5D105}\stubpath = "C:\\Windows\\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe"	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E48724D-DD2F-41d1-A9D9-674E1995422B}	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF36D90-FF24-4e0c-9348-5BDF36708828}\stubpath = "C:\\Windows\\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe"	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8089918A-B036-4929-997D-3F79876F8ECB}	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8089918A-B036-4929-997D-3F79876F8ECB}\stubpath = "C:\\Windows\\{8089918A-B036-4929-997D-3F79876F8ECB}.exe"	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}\stubpath = "C:\\Windows\\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe"	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63DCB176-5076-46fb-99A5-7901A73345AA}	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63DCB176-5076-46fb-99A5-7901A73345AA}\stubpath = "C:\\Windows\\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe"	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}\stubpath = "C:\\Windows\\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe"	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
4568	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
1064	{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
File created	C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
File created	C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
File created	C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
File created	C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
File created	C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
File created	C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
File created	C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
File created	C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
File created	C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
File created	C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
File created	C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
Token: SeIncBasePriorityPrivilege	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
Token: SeIncBasePriorityPrivilege	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
Token: SeIncBasePriorityPrivilege	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
Token: SeIncBasePriorityPrivilege	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
Token: SeIncBasePriorityPrivilege	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
Token: SeIncBasePriorityPrivilege	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
Token: SeIncBasePriorityPrivilege	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
Token: SeIncBasePriorityPrivilege	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
Token: SeIncBasePriorityPrivilege	2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe
Token: SeIncBasePriorityPrivilege	4568	{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1576	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	86
PID 1856 wrote to memory of 1576	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	86
PID 1856 wrote to memory of 1576	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	86
PID 1856 wrote to memory of 944	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	87
PID 1856 wrote to memory of 944	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	87
PID 1856 wrote to memory of 944	1856	2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe	87
PID 1576 wrote to memory of 4520	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	91
PID 1576 wrote to memory of 4520	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	91
PID 1576 wrote to memory of 4520	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	91
PID 1576 wrote to memory of 3052	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	92
PID 1576 wrote to memory of 3052	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	92
PID 1576 wrote to memory of 3052	1576	{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe	92
PID 4520 wrote to memory of 4092	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	95
PID 4520 wrote to memory of 4092	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	95
PID 4520 wrote to memory of 4092	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	95
PID 4520 wrote to memory of 636	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	96
PID 4520 wrote to memory of 636	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	96
PID 4520 wrote to memory of 636	4520	{63DCB176-5076-46fb-99A5-7901A73345AA}.exe	96
PID 4092 wrote to memory of 552	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	97
PID 4092 wrote to memory of 552	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	97
PID 4092 wrote to memory of 552	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	97
PID 4092 wrote to memory of 3880	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	98
PID 4092 wrote to memory of 3880	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	98
PID 4092 wrote to memory of 3880	4092	{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe	98
PID 552 wrote to memory of 1472	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	99
PID 552 wrote to memory of 1472	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	99
PID 552 wrote to memory of 1472	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	99
PID 552 wrote to memory of 2780	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	100
PID 552 wrote to memory of 2780	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	100
PID 552 wrote to memory of 2780	552	{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe	100
PID 1472 wrote to memory of 1824	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	101
PID 1472 wrote to memory of 1824	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	101
PID 1472 wrote to memory of 1824	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	101
PID 1472 wrote to memory of 2288	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	102
PID 1472 wrote to memory of 2288	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	102
PID 1472 wrote to memory of 2288	1472	{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe	102
PID 1824 wrote to memory of 2956	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	103
PID 1824 wrote to memory of 2956	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	103
PID 1824 wrote to memory of 2956	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	103
PID 1824 wrote to memory of 4344	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	104
PID 1824 wrote to memory of 4344	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	104
PID 1824 wrote to memory of 4344	1824	{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe	104
PID 2956 wrote to memory of 1304	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	105
PID 2956 wrote to memory of 1304	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	105
PID 2956 wrote to memory of 1304	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	105
PID 2956 wrote to memory of 1244	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	106
PID 2956 wrote to memory of 1244	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	106
PID 2956 wrote to memory of 1244	2956	{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe	106
PID 1304 wrote to memory of 3596	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	107
PID 1304 wrote to memory of 3596	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	107
PID 1304 wrote to memory of 3596	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	107
PID 1304 wrote to memory of 3932	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	108
PID 1304 wrote to memory of 3932	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	108
PID 1304 wrote to memory of 3932	1304	{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe	108
PID 3596 wrote to memory of 2992	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	109
PID 3596 wrote to memory of 2992	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	109
PID 3596 wrote to memory of 2992	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	109
PID 3596 wrote to memory of 4440	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	110
PID 3596 wrote to memory of 4440	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	110
PID 3596 wrote to memory of 4440	3596	{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe	110
PID 2992 wrote to memory of 4568	2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe	111
PID 2992 wrote to memory of 4568	2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe	111
PID 2992 wrote to memory of 4568	2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe	111
PID 2992 wrote to memory of 912	2992	{8089918A-B036-4929-997D-3F79876F8ECB}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_a85a60579d91f34dbe932702e61d16e6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
  C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
    C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
      C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
        
        C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
        
        C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
        
        C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
        
        C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
        
        C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
        
        C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe
        
        C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
        
        C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
        
        C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe
        
        C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D9A6~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80899~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D5A6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFF59~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E487~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4992~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A0E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAB7D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AADB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63DCB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CE15~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D9A64BA-102D-4339-B579-7A80A4D2AA23}.exe

Filesize
372KB

MD5
8d6da331dc21ab67d208d6266ccf0875

SHA1
2fe8584f01c8feba4b96725e26be64694fe28862

SHA256
d53c5526be1731de0c52c49f32867f6e0d8bf7b689cd2d1f4bcc29fa390ddb70

SHA512
0ab5782a44ba194b2b49591343b24c56a92cb03e785427c04f9345de227277c5b37d2fd5e476894cf84d481dab80acfc135e541d8a7e5f7f11e5168711e8b00b

Download Submit
C:\Windows\{3CE15D5A-E8EB-4aa4-A615-B8AB0A08C815}.exe

Filesize
372KB

MD5
23255874223ac1a4e30a366d09f22c3d

SHA1
b9441cb56d9bb85cb748aa5332d8480861d114b0

SHA256
a00599fcb749745f04b0ce264f9328d04117728ba53d98e6fe03077d083d5406

SHA512
4f036733c516cf70b791bd1087bd7605b53d73c9bfc22d00fac678ea1151f3ad36ce58fd63a530caa9fcde49d4720b59211ce6b23affc6b7edffbdd54a948b29

Download Submit
C:\Windows\{63DCB176-5076-46fb-99A5-7901A73345AA}.exe

Filesize
372KB

MD5
c5d4a3df1227fc5e1828c65fe585d07a

SHA1
9253591d03604a2e426c2522b846c4f0ee3783e7

SHA256
f9fbcf677c0cb8705e3fdabb5755aa33e88f24598b17a0b5fe92fbdc1a1e2cfc

SHA512
a28bec7edda961955338a70d97b0e4bd7ff0d8cffc06b9340ec634498f4d7777664b7d29ff5025c33b27377f50247c8f5f6aedd7f7808b11bbcca8a26e2591ca

Download Submit
C:\Windows\{6BF36D90-FF24-4e0c-9348-5BDF36708828}.exe

Filesize
372KB

MD5
3495981cb512db3a404feba37f60d08b

SHA1
826cc1c64023fe2556e02cc01d99e6974bbdbbde

SHA256
769b6f3d0a9d6cb0893afd6a8b5afc1f24552fac8d6633a6113d15d6c452ee00

SHA512
f5700028c03e349be1046bf6feab6de33244a9bff8433f35677f51e4e23f484d16faba50d0781d182584e36f938d5b2e80b010b3cf2468e4df8512f3886c7bd4

Download Submit
C:\Windows\{6D5A6A4E-F78E-49e0-9274-026B3FF40BB1}.exe

Filesize
372KB

MD5
b6c3d24fb9cf127124c47784433545b2

SHA1
106b5d4ccf33d6c3f64ebdddd4695fbbd3e2bf0d

SHA256
325a543998d56f0b141046da1a313cf5dfad66eedbaf63806492ea34c2f3f3c1

SHA512
e7c9b8954bd4d254f515bab61eb5ef33520a30e2beec27979c8c9b7bf00bcc8a5b5949bd6358d975f0b7f1a2a4654a2baf3108701935aac98943dbfc6dd85cc6

Download Submit
C:\Windows\{8089918A-B036-4929-997D-3F79876F8ECB}.exe

Filesize
372KB

MD5
c5ca794bfa4ffb6c28c912e6ba95e01e

SHA1
7c2aa944acec2c5b577c81ca45f045ad798965f2

SHA256
4f70ffb84cd62539385cb3b6f375014e65e7fecef91878a760fc5016e0032c20

SHA512
c88a81bc3b2c6795eb76970e8e06d25d102e4cd71153049ac90e45ade94aef938c5167e167fc14121a709c5b6fe6ab617a2d66024b7ef97589dc73a0014b1130

Download Submit
C:\Windows\{9AADBB3F-E4AB-4213-A514-BD6C953386CD}.exe

Filesize
372KB

MD5
58287208e02b9b2559709ad7ba005f18

SHA1
05a29242b2337d9dc8faadaf398a52f6ef9a10e5

SHA256
26a5974322bb7f2dff40ad143dd10652a2ae8c6926443d653021458f56831e51

SHA512
162183b636ac234e72aa29d8808d5fdbbef432d8602e36c44ba74f891ac1e8c8cbfbac225c9fb4f909b80d13c61a414aff7478be2790fd90bc1d4f55c181fe21

Download Submit
C:\Windows\{9E48724D-DD2F-41d1-A9D9-674E1995422B}.exe

Filesize
372KB

MD5
081d0296e486573fe60dde36f311717d

SHA1
399c4120b6e001f1e137f30625a9c5d2af0faacd

SHA256
b00a9b7284ac23328710c9a350bcb4399bf652004466717f49cf38a0286e2bb5

SHA512
50b5f01c8e952dc4f61b6776a54a011c0d1b75ed6df21a5d47e366f4a59783aa9ba696910dc024cf5785d911bdc9ab6dcc21ed894c50d82390ca28117d9b2d0d

Download Submit
C:\Windows\{A49927D1-4D16-47c3-9808-6A58A6C5D105}.exe

Filesize
372KB

MD5
f4315b67b97adb67be4c47adee610a81

SHA1
c423254974253a4c9d8f82674a86ba914bb67cf0

SHA256
958cdd955abf79c6ec4d850d11dd3b4b56ea7bf00d3dc2c4d01e033a490e1559

SHA512
cac94334fbc2780a01d3baaa28fbab7f4e909bde050c447a2d57cc86598a3a4511b4f74869aa40bcfde2c84fedddce6712e69ebb9dd00547419d3b4e7a763c11

Download Submit
C:\Windows\{AFF590DD-A442-4d0c-96AA-FB3B09EE690A}.exe

Filesize
372KB

MD5
c7881b2700da012de7a5744366665795

SHA1
41d9506d0c586644501d8dc3737db136d3c4c84d

SHA256
89c32c8e6f9051441addc1a3126099fba71fe57df9e9a8b8791aa0a524fad5c6

SHA512
ffb7490f66bdaedc5c3b9ab3cc3d4ac4fa94f37b678ddc723d2347535523d8b72c74c070f7174109a0fb1bd70da757ecd7a19e327c4cd87a8f29c97ff3de808b

Download Submit
C:\Windows\{BAB7DF54-43A4-49e3-AF07-34F5E53841B5}.exe

Filesize
372KB

MD5
c065e153fa324c42576b7a3b9f377e2e

SHA1
f8de6af1ad3cf2c40cae68ef392152cd97d8b4ed

SHA256
d9f313ae9672538b5bd6b25c099d1bbd096027256504ad10e4410edfe5fd9352

SHA512
066878d9487f3fbf383d66e5b13b8111d15eaaad18a2822863c9c1027675a01ebea1795c6f1501222b34c19769fe497761afd911d585b857b100317800f887ee

Download Submit
C:\Windows\{C9A0EB19-E517-4d0f-84B9-9B67F0639419}.exe

Filesize
372KB

MD5
98ee42ccac0bed374b98e156db8c9a8a

SHA1
8665ef37e1d0ea9c517c4427f9b8ea02558911f1

SHA256
755216230e178cdafafb4a087a6fc9f4c45f9966460e9ca2b9bd0eccc5542cd2

SHA512
5829e7c8045f5361b216f5c996109826a30c631eced884a333c68ab60888c9e54a927c66a3645b0ba208ab9b277c80e792ba6e4eef2ae6bc85374e262921597a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads