8188f513079255958f65e17cb59c49f8b3ef878e99c4ba87b13005367eb34429

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
Size

372KB
MD5

a768c808833bae094b2f9070cd39b37a
SHA1

da55e05a06cd634f2e993abcb585a485cf416c6f
SHA256

8188f513079255958f65e17cb59c49f8b3ef878e99c4ba87b13005367eb34429
SHA512

ab15c62476df0f682e78afeca3516515e0f7940a9cf77ed467e0498e5132ee8154db7002323d26b9d1d83718f946edcfd901dd2777c9b335bf93908caa9225c0
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG0lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}\stubpath = "C:\\Windows\\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe"	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99F4ADC-0376-4916-92CD-7B26378C6969}\stubpath = "C:\\Windows\\{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe"	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BED6190A-FAC1-4e96-9829-05A46616E5E5}	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F8645BE-C509-4187-9B3D-F444E9231FB3}	{7A367109-EB05-4820-975E-BC89F833590D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87875BF2-254D-4fa1-8C6C-F4F993827B57}\stubpath = "C:\\Windows\\{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe"	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}\stubpath = "C:\\Windows\\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe"	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A367109-EB05-4820-975E-BC89F833590D}\stubpath = "C:\\Windows\\{7A367109-EB05-4820-975E-BC89F833590D}.exe"	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F8645BE-C509-4187-9B3D-F444E9231FB3}\stubpath = "C:\\Windows\\{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe"	{7A367109-EB05-4820-975E-BC89F833590D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3490C12A-4390-462b-BC23-77BA79FCCF34}	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87875BF2-254D-4fa1-8C6C-F4F993827B57}	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391F1964-8F4A-448a-87A1-FEE00128A303}\stubpath = "C:\\Windows\\{391F1964-8F4A-448a-87A1-FEE00128A303}.exe"	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E99F4ADC-0376-4916-92CD-7B26378C6969}	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F474E2-B81D-407d-AAC9-F131D6F15479}\stubpath = "C:\\Windows\\{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe"	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BED6190A-FAC1-4e96-9829-05A46616E5E5}\stubpath = "C:\\Windows\\{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe"	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A367109-EB05-4820-975E-BC89F833590D}	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3490C12A-4390-462b-BC23-77BA79FCCF34}\stubpath = "C:\\Windows\\{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe"	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391F1964-8F4A-448a-87A1-FEE00128A303}	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A405563B-F229-43fd-8BE3-C16BA30D073B}	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A405563B-F229-43fd-8BE3-C16BA30D073B}\stubpath = "C:\\Windows\\{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe"	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F474E2-B81D-407d-AAC9-F131D6F15479}	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}\stubpath = "C:\\Windows\\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe"	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
880	{7A367109-EB05-4820-975E-BC89F833590D}.exe
5100	{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
File created	C:\Windows\{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
File created	C:\Windows\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
File created	C:\Windows\{7A367109-EB05-4820-975E-BC89F833590D}.exe	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
File created	C:\Windows\{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe	{7A367109-EB05-4820-975E-BC89F833590D}.exe
File created	C:\Windows\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
File created	C:\Windows\{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
File created	C:\Windows\{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
File created	C:\Windows\{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
File created	C:\Windows\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
File created	C:\Windows\{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
File created	C:\Windows\{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A367109-EB05-4820-975E-BC89F833590D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
Token: SeIncBasePriorityPrivilege	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
Token: SeIncBasePriorityPrivilege	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
Token: SeIncBasePriorityPrivilege	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
Token: SeIncBasePriorityPrivilege	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
Token: SeIncBasePriorityPrivilege	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
Token: SeIncBasePriorityPrivilege	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
Token: SeIncBasePriorityPrivilege	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
Token: SeIncBasePriorityPrivilege	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
Token: SeIncBasePriorityPrivilege	736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
Token: SeIncBasePriorityPrivilege	880	{7A367109-EB05-4820-975E-BC89F833590D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2808	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	82
PID 2180 wrote to memory of 2808	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	82
PID 2180 wrote to memory of 2808	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	82
PID 2180 wrote to memory of 4060	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	83
PID 2180 wrote to memory of 4060	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	83
PID 2180 wrote to memory of 4060	2180	2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe	83
PID 2808 wrote to memory of 3048	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	91
PID 2808 wrote to memory of 3048	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	91
PID 2808 wrote to memory of 3048	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	91
PID 2808 wrote to memory of 1448	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	92
PID 2808 wrote to memory of 1448	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	92
PID 2808 wrote to memory of 1448	2808	{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe	92
PID 3048 wrote to memory of 1776	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	95
PID 3048 wrote to memory of 1776	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	95
PID 3048 wrote to memory of 1776	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	95
PID 3048 wrote to memory of 1844	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	96
PID 3048 wrote to memory of 1844	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	96
PID 3048 wrote to memory of 1844	3048	{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe	96
PID 1776 wrote to memory of 4248	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	97
PID 1776 wrote to memory of 4248	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	97
PID 1776 wrote to memory of 4248	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	97
PID 1776 wrote to memory of 1644	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	98
PID 1776 wrote to memory of 1644	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	98
PID 1776 wrote to memory of 1644	1776	{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe	98
PID 4248 wrote to memory of 1364	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	99
PID 4248 wrote to memory of 1364	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	99
PID 4248 wrote to memory of 1364	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	99
PID 4248 wrote to memory of 1680	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	100
PID 4248 wrote to memory of 1680	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	100
PID 4248 wrote to memory of 1680	4248	{391F1964-8F4A-448a-87A1-FEE00128A303}.exe	100
PID 1364 wrote to memory of 1240	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	101
PID 1364 wrote to memory of 1240	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	101
PID 1364 wrote to memory of 1240	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	101
PID 1364 wrote to memory of 4368	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	102
PID 1364 wrote to memory of 4368	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	102
PID 1364 wrote to memory of 4368	1364	{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe	102
PID 1240 wrote to memory of 3176	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	103
PID 1240 wrote to memory of 3176	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	103
PID 1240 wrote to memory of 3176	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	103
PID 1240 wrote to memory of 1472	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	104
PID 1240 wrote to memory of 1472	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	104
PID 1240 wrote to memory of 1472	1240	{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe	104
PID 3176 wrote to memory of 1052	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	105
PID 3176 wrote to memory of 1052	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	105
PID 3176 wrote to memory of 1052	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	105
PID 3176 wrote to memory of 976	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	106
PID 3176 wrote to memory of 976	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	106
PID 3176 wrote to memory of 976	3176	{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe	106
PID 1052 wrote to memory of 2080	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	107
PID 1052 wrote to memory of 2080	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	107
PID 1052 wrote to memory of 2080	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	107
PID 1052 wrote to memory of 3628	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	108
PID 1052 wrote to memory of 3628	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	108
PID 1052 wrote to memory of 3628	1052	{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe	108
PID 2080 wrote to memory of 736	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	109
PID 2080 wrote to memory of 736	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	109
PID 2080 wrote to memory of 736	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	109
PID 2080 wrote to memory of 4284	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	110
PID 2080 wrote to memory of 4284	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	110
PID 2080 wrote to memory of 4284	2080	{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe	110
PID 736 wrote to memory of 880	736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe	111
PID 736 wrote to memory of 880	736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe	111
PID 736 wrote to memory of 880	736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe	111
PID 736 wrote to memory of 1848	736	{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_a768c808833bae094b2f9070cd39b37a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
  C:\Windows\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
    C:\Windows\{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
      C:\Windows\{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
        
        C:\Windows\{391F1964-8F4A-448a-87A1-FEE00128A303}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
        
        C:\Windows\{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
        
        C:\Windows\{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
        
        C:\Windows\{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
        
        C:\Windows\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
        
        C:\Windows\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
        
        C:\Windows\{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\{7A367109-EB05-4820-975E-BC89F833590D}.exe
        
        C:\Windows\{7A367109-EB05-4820-975E-BC89F833590D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe
        
        C:\Windows\{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A367~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BED61~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37EE5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93609~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F47~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4055~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E99F4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{391F1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87875~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3490C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1018~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3490C12A-4390-462b-BC23-77BA79FCCF34}.exe

Filesize
372KB

MD5
7de30d543731d5b43e24b7a0f74c12dd

SHA1
065c77c01dc42238706e35899154bbdf93a3e60f

SHA256
902d312979bdfca19a3ee986abcfa22f3fb8565acc5fefa541fd64f5e14344d1

SHA512
deb7036361de6b2bf52bc35599c9012c84797aa1c3d55917e1902b80106af50432ca86a80f3f9d1c426d1e0982b1307df547b6a7a70d47ba850adddbdd86f865

Download Submit
C:\Windows\{37EE5BAE-D4C2-45d8-9E03-EBFA6AD0EA7F}.exe

Filesize
372KB

MD5
2541d14ba176a9e4098ca0a26cec27c5

SHA1
09df168aa2d3d0c0770e9287ef2af10b952f6e6e

SHA256
2a869902e5c51efd4f38e00982ddb8c6a9967b57d4bfce5c5b7c75abb73a3def

SHA512
151c0e245305c38b97396fa6b639a200a2877020469fe2892259773c9745728ef44763266c3e7d8a2a6cc2f075e9a4ff3b4fe045c5176bbd027a9f3ce43e1f98

Download Submit
C:\Windows\{391F1964-8F4A-448a-87A1-FEE00128A303}.exe

Filesize
372KB

MD5
6a4201e33f5ae585be3c93dfe3e5585f

SHA1
cb549dfd5c0efd279bfcabe5565e7d7275a57642

SHA256
a82a86c7d71612dac5c39a3207fdc36c20686aa4825a0cfd0af9cc3846bb7b8d

SHA512
efec7176fd32926166015aa267788da18396ec9b5cbc21f9b0987b3d0bf48fe68920138ce56e4cca24c7fa26ba8c0940232031680391d7db526accb20bc451b9

Download Submit
C:\Windows\{7A367109-EB05-4820-975E-BC89F833590D}.exe

Filesize
372KB

MD5
23e8b4c4398f7066078fb074283985f7

SHA1
46c26e29c5542325c8b96d3130328d4554008de1

SHA256
1edbbfbeb0a9b4e9547502a3552a4efe722c415e839d9c2dbd122c1ae0527a44

SHA512
e29411417a46a1f4047fe59b745dc89c3041fd12da5bb9b3701cc1ad9e54b709836d97483c8e5b80b81c095dd0a1409b697dccbb9ff125a17a9a3096f7c0a50e

Download Submit
C:\Windows\{87875BF2-254D-4fa1-8C6C-F4F993827B57}.exe

Filesize
372KB

MD5
2d5271fae66521cc540d86733e7fada3

SHA1
b34060f7122c42c9c990f37d0c90f3aa998341cd

SHA256
42447178007b3930f7773b02c3f695cd8bd12d10708325a749decc29347fcf5d

SHA512
0d9a20314ecdf135300fb51e142829cfccf8c1c477c7d05ed8801b7d4a3444d0bd84012bae927edd016532cf7c796afea5dfae8f27fe07a9918b4296c9cfff15

Download Submit
C:\Windows\{93609006-8D06-4ad8-8FCF-4723AB1E62A8}.exe

Filesize
372KB

MD5
85e4077481bd997321152aa5da33ee9f

SHA1
4a160130bf278bb7a77a831cf3a5ae46d0da5b6d

SHA256
53d6361ba305626f43c4ff9a23b0d91414008d44c93e913e95cfdd80616c0f25

SHA512
9b446b5c94025598bdf6e11e2e41bf335b7fe2961c378147257d9a7639b2aff478418ffc9ca78b359df9ddd193e543aef7f9946f33ab5b3a11911e7a5b82c105

Download Submit
C:\Windows\{9F8645BE-C509-4187-9B3D-F444E9231FB3}.exe

Filesize
372KB

MD5
5c94da93137d19b69f32376968ea789d

SHA1
35045c59210432d961b3e7ae708aae6d3c63a775

SHA256
1be24a5d6134459d0b202146e9ad82dcc66afa77838f4274679ba56a85ceccb9

SHA512
ab1387212f4b62f127cf50b76c2360dbf25241b9e05ebd64947e31d4adc4420b320c8e01fb140534d874dbee34db237987958422f1a501d27cf03cada643e60b

Download Submit
C:\Windows\{A405563B-F229-43fd-8BE3-C16BA30D073B}.exe

Filesize
372KB

MD5
8edbd39b6561507cb71637ad1c30612a

SHA1
174c104b380de3bd0484f68d931602a063824b5a

SHA256
8c245cf42b2d552eac29603e1e39620a51785dd3ba2c1ab93dd71bb09e173dc3

SHA512
171c0034afabbdcd36c0030bbb141d1ff753b8f8d8290ae662f170a22dcb0fd58ca91ec3311357e6bf5050fce28bfb17a110e16ee26297486c8c5879ebe257ff

Download Submit
C:\Windows\{A7F474E2-B81D-407d-AAC9-F131D6F15479}.exe

Filesize
372KB

MD5
7401a7821a96d8b9867483914a881c4e

SHA1
fd1ca73d2dd07e2d42c472cf1d27213de20c4404

SHA256
5488721df9e1334ba636f02c579f697c5b20cc7b2231ec40e1ff7f9a0ac7ab52

SHA512
3bf7ff0e57db3cc1944817e19daff721605cc0b30d8125d972e9c66b61de346bd8ba0cbf555f4471f813638b0d2cdf2f774647b1169dc54d0f36665e628df899

Download Submit
C:\Windows\{BED6190A-FAC1-4e96-9829-05A46616E5E5}.exe

Filesize
372KB

MD5
2074ddc273a30e89497e0f4bfc6c643a

SHA1
730dde87ff5c57c6c63e18c81dab9415fde7d5db

SHA256
6642350eb82869e39610a19a83582838eb511d895dc14fd87564dd6c21124cfb

SHA512
3ca53d7068276c12637e5d55a51b7b9d5741872f9b3319c588aefb221145c1a7a78c4bd6fa375f82dc1934269b73da63287b5db8df1539a0cd569b1593f4e3df

Download Submit
C:\Windows\{D1018D4F-1A50-4b21-9A5F-A25E6103F0A2}.exe

Filesize
372KB

MD5
33485f998da821e1d98b262cc586f8f3

SHA1
80647c9b9d6289858323d890a80880a3e714f43c

SHA256
c5852968de986de2c0a1a603ba6786609e3053bfc5d91342a7f8f12e04e001fa

SHA512
853762f955db03f15b8c54e8c58e4d3c2420ad555aac197b0d58eea8d499853f6b05ae123a5f8aa77dc1d4b01f0a617f2248e9aac658f3263f8cf51d29d25ffd

Download Submit
C:\Windows\{E99F4ADC-0376-4916-92CD-7B26378C6969}.exe

Filesize
372KB

MD5
05109586b8fa93cb1939ba1863aab011

SHA1
4ea9fc127f1429ec408272f0313835bc59d16d61

SHA256
9e99287844d0cf8202cb6f6082b036d4db8b5c4243900892cdb369aedd0f80f0

SHA512
839f8b4aba05b13279c0b200d2ad2be5940fe96e32846e8a9b45bc1c52c1de7d1eae396d6f83b3ad4eece70268248fdf7ab2d50fead1feb057410be346e90f3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads