2a23a96b0916b6424da55d684b8f6ea2e6542910d6ec76c8de6cb526cdbc5101

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 09:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
Size

192KB
MD5

a8d82a2ebd236a7eedfefe6a561489dc
SHA1

3bb3397eefccae415898f39538d6982dcf9ddaca
SHA256

2a23a96b0916b6424da55d684b8f6ea2e6542910d6ec76c8de6cb526cdbc5101
SHA512

1bbc9510f5f287384e45ac18532bc83a8899dd802fa16bea1893def363db00b420ee92bc1498bbb60032d78dcc16836666d1f82a172895be5487a89a2430fe6d
SSDEEP

1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07091A37-B509-467c-A502-1A396ADDE9A6}\stubpath = "C:\\Windows\\{07091A37-B509-467c-A502-1A396ADDE9A6}.exe"	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08FA7923-9181-49c4-B4F2-376D87C53C07}	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{584CF54E-981B-4c8a-9975-7665964AE3E8}\stubpath = "C:\\Windows\\{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe"	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}\stubpath = "C:\\Windows\\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe"	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}\stubpath = "C:\\Windows\\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe"	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{584CF54E-981B-4c8a-9975-7665964AE3E8}	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41FA63E2-B637-447c-A574-C54E015DA02D}\stubpath = "C:\\Windows\\{41FA63E2-B637-447c-A574-C54E015DA02D}.exe"	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8719209D-9C6D-4b88-9A97-40FB367A42F6}	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8719209D-9C6D-4b88-9A97-40FB367A42F6}\stubpath = "C:\\Windows\\{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe"	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C22CA6E-B001-40bd-A599-7529E1C74095}\stubpath = "C:\\Windows\\{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe"	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}\stubpath = "C:\\Windows\\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe"	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}\stubpath = "C:\\Windows\\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe"	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07091A37-B509-467c-A502-1A396ADDE9A6}	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C22CA6E-B001-40bd-A599-7529E1C74095}	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08FA7923-9181-49c4-B4F2-376D87C53C07}\stubpath = "C:\\Windows\\{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe"	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}\stubpath = "C:\\Windows\\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe"	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28430BA7-538A-42cf-94E2-38F3F2D5879D}	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28430BA7-538A-42cf-94E2-38F3F2D5879D}\stubpath = "C:\\Windows\\{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe"	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41FA63E2-B637-447c-A574-C54E015DA02D}	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe

Executes dropped EXE 12 IoCs

pid	Process
312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
1624	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
4320	{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
File created	C:\Windows\{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
File created	C:\Windows\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
File created	C:\Windows\{41FA63E2-B637-447c-A574-C54E015DA02D}.exe	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
File created	C:\Windows\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
File created	C:\Windows\{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
File created	C:\Windows\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
File created	C:\Windows\{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
File created	C:\Windows\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
File created	C:\Windows\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
File created	C:\Windows\{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
File created	C:\Windows\{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
Token: SeIncBasePriorityPrivilege	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
Token: SeIncBasePriorityPrivilege	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
Token: SeIncBasePriorityPrivilege	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
Token: SeIncBasePriorityPrivilege	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
Token: SeIncBasePriorityPrivilege	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
Token: SeIncBasePriorityPrivilege	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
Token: SeIncBasePriorityPrivilege	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
Token: SeIncBasePriorityPrivilege	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
Token: SeIncBasePriorityPrivilege	1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
Token: SeIncBasePriorityPrivilege	1624	{41FA63E2-B637-447c-A574-C54E015DA02D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 312	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	89
PID 4404 wrote to memory of 312	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	89
PID 4404 wrote to memory of 312	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	89
PID 4404 wrote to memory of 2876	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	90
PID 4404 wrote to memory of 2876	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	90
PID 4404 wrote to memory of 2876	4404	2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe	90
PID 312 wrote to memory of 1600	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	91
PID 312 wrote to memory of 1600	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	91
PID 312 wrote to memory of 1600	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	91
PID 312 wrote to memory of 1120	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	92
PID 312 wrote to memory of 1120	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	92
PID 312 wrote to memory of 1120	312	{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe	92
PID 1600 wrote to memory of 764	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	95
PID 1600 wrote to memory of 764	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	95
PID 1600 wrote to memory of 764	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	95
PID 1600 wrote to memory of 3984	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	96
PID 1600 wrote to memory of 3984	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	96
PID 1600 wrote to memory of 3984	1600	{07091A37-B509-467c-A502-1A396ADDE9A6}.exe	96
PID 764 wrote to memory of 1552	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	97
PID 764 wrote to memory of 1552	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	97
PID 764 wrote to memory of 1552	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	97
PID 764 wrote to memory of 4292	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	98
PID 764 wrote to memory of 4292	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	98
PID 764 wrote to memory of 4292	764	{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe	98
PID 1552 wrote to memory of 4488	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	99
PID 1552 wrote to memory of 4488	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	99
PID 1552 wrote to memory of 4488	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	99
PID 1552 wrote to memory of 1044	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	100
PID 1552 wrote to memory of 1044	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	100
PID 1552 wrote to memory of 1044	1552	{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe	100
PID 4488 wrote to memory of 2452	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	101
PID 4488 wrote to memory of 2452	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	101
PID 4488 wrote to memory of 2452	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	101
PID 4488 wrote to memory of 5028	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	102
PID 4488 wrote to memory of 5028	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	102
PID 4488 wrote to memory of 5028	4488	{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe	102
PID 2452 wrote to memory of 892	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	103
PID 2452 wrote to memory of 892	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	103
PID 2452 wrote to memory of 892	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	103
PID 2452 wrote to memory of 4728	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	104
PID 2452 wrote to memory of 4728	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	104
PID 2452 wrote to memory of 4728	2452	{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe	104
PID 892 wrote to memory of 3172	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	105
PID 892 wrote to memory of 3172	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	105
PID 892 wrote to memory of 3172	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	105
PID 892 wrote to memory of 4832	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	106
PID 892 wrote to memory of 4832	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	106
PID 892 wrote to memory of 4832	892	{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe	106
PID 3172 wrote to memory of 4380	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	107
PID 3172 wrote to memory of 4380	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	107
PID 3172 wrote to memory of 4380	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	107
PID 3172 wrote to memory of 1800	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	108
PID 3172 wrote to memory of 1800	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	108
PID 3172 wrote to memory of 1800	3172	{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe	108
PID 4380 wrote to memory of 1144	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	109
PID 4380 wrote to memory of 1144	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	109
PID 4380 wrote to memory of 1144	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	109
PID 4380 wrote to memory of 1568	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	110
PID 4380 wrote to memory of 1568	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	110
PID 4380 wrote to memory of 1568	4380	{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe	110
PID 1144 wrote to memory of 1624	1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe	111
PID 1144 wrote to memory of 1624	1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe	111
PID 1144 wrote to memory of 1624	1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe	111
PID 1144 wrote to memory of 4748	1144	{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_a8d82a2ebd236a7eedfefe6a561489dc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
  C:\Windows\{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
    C:\Windows\{07091A37-B509-467c-A502-1A396ADDE9A6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
      C:\Windows\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
        
        C:\Windows\{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
        
        C:\Windows\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
        
        C:\Windows\{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
        
        C:\Windows\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
        
        C:\Windows\{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
        
        C:\Windows\{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
        
        C:\Windows\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
        
        C:\Windows\{41FA63E2-B637-447c-A574-C54E015DA02D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe
        
        C:\Windows\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41FA6~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6663C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{584CF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28430~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53680~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08FA7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60A17~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C22C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A0B8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07091~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87192~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07091A37-B509-467c-A502-1A396ADDE9A6}.exe

Filesize
192KB

MD5
a94a80d0550025ca2ade3c1663055daf

SHA1
91a3c664d1f9ba7291e661c6740f9f1dd57b0b72

SHA256
0e04333a3784e8738f41a0b9581b30862c28aab2636a1976b27f91a9bb6e2c13

SHA512
7851f75bde784ce890e25950ab8475ebdefb19fa4f83f0a231c99fe961d7f367ce592e9871169f355756eaf521ac3e2914ccb6d5affdb7270910d5082c940be0

Download Submit
C:\Windows\{08FA7923-9181-49c4-B4F2-376D87C53C07}.exe

Filesize
192KB

MD5
67631031a47cc8e02b226bb735597a27

SHA1
d6be8253a87fdeb4e58e04584da578a5e3a2943a

SHA256
1a23f364f002aab9ddc4667145ddb79d8cd197dd1a2255eb89705fc7f657a553

SHA512
2e4ae1661a83c4ea102f99ff48582d49c04d97b37005c43a3fddd5f2192dd5cabad8cea20482f7361264ac3c7e1f6f8866e84e356f7cf562c9f9ab04ff29e593

Download Submit
C:\Windows\{28430BA7-538A-42cf-94E2-38F3F2D5879D}.exe

Filesize
192KB

MD5
acfa4ef7de3c244a8d2f0c720a9d4c1b

SHA1
2a7090876c362a0ffbb8245804f0a0e6a1d9b82b

SHA256
acac55c575e9077882689268afb70588c04925cddb5f573e6eae03d2845dddaa

SHA512
53d6e9c6685873ce094104169282ff142ffb828e2ca35ad759baba6757301937587e00688fa05fb0c9da3af9947bd00fcc0ba8dc1795e19590db21483105d748

Download Submit
C:\Windows\{3A1D442C-CE82-4835-AE41-A1BDDD141C92}.exe

Filesize
192KB

MD5
f56ff6930514ee98b435aebf1fcc4527

SHA1
08d6696e04c9adc3b8820c84158ae72448c2e1c6

SHA256
5ecbf0a073caf36ad9a81f492ef32de70c8d95cf0141e9879b32e19520c9fded

SHA512
cbf775fa600d3a7c13df4f2115325b911bbf55d373786b0e0c5a154ae0e8eb1e8a4b80aaa21833e039b2aca7e347222c4452f6541bfd5b32f9ca9459c1362cbe

Download Submit
C:\Windows\{41FA63E2-B637-447c-A574-C54E015DA02D}.exe

Filesize
192KB

MD5
ab11d421704489d8a9e0a52aade6f93d

SHA1
29614420fc1986f930840c1c67d209f21a03491e

SHA256
9fdf7d19fda7a9705d62a5bc115cbc351f5e788058dd6be528a45d40f2ba5ecf

SHA512
902b9abd4166b2b5067d71f03086444d80e28f0c0e49aac366dc322d879f61739473b500b8046ff7386e09ddf6e04502de49354a2bf53a86e5ff18479343ffd9

Download Submit
C:\Windows\{53680205-87C9-4f5d-8FAF-A82D97E43B7E}.exe

Filesize
192KB

MD5
873c1f5df93980b54690bb784ea505bf

SHA1
15e0db3fc1f2e619682850c539b72b945b6db362

SHA256
9906a2968fb513b9745d0789b5c96c837cc5d3bd9530d9c42164f9233cca86bf

SHA512
69d427c4069d3b14ee08bde2af4e6620d1c5db1d46a9ff0f48baa0ee2587481c906b17981226da47563af205dabf69279cbed1ccb1723b4a103417691271a32b

Download Submit
C:\Windows\{584CF54E-981B-4c8a-9975-7665964AE3E8}.exe

Filesize
192KB

MD5
25bcc75212415d13452c2776d50db936

SHA1
a3aa35afed7b6c849a167a0776da8cfcd19d916f

SHA256
7d49e704e3d8c5d2988ec20e271077ab6e1e0d42afd8c02de7852afd3cc178c9

SHA512
bd8fa2e8e7b4290fefd818bd7988dda8776711c7233cafe005441af6fdfb5d7fa8aee1f664c6f491eb405f114bac52e1142a8f1b815bbc3fde8f903f6aff9485

Download Submit
C:\Windows\{5A0B836D-7B2E-47b6-822D-A7AEA93B1F29}.exe

Filesize
192KB

MD5
3827874c686172e8d8ce1eeeab07dfb9

SHA1
7ddd98ec3f49ea2718cf97b361c871bba4d150b7

SHA256
410965802758d81bf16e1fc29c7cc6dd2e43fb083552b309b8bcdc5a33d19c17

SHA512
d92394e65c3078d19e4b944c2325f2cea45e39bb47e890623d0121d24562f1f8ec58f30057b0f37225ca0d1b2ea92694b0b9205bd08a25bed3335c614f720186

Download Submit
C:\Windows\{60A170D7-2CDF-4018-87E6-EE4F7F71438F}.exe

Filesize
192KB

MD5
aa452b96a02e7905d5d591f0093443e0

SHA1
6576ddb6835fd6368d93865055c3583fd2536b5a

SHA256
1cefedc7176389356e8575289a58a2046350d085e84e9349f754480d4de09a4a

SHA512
6aab7b7ef5f3b7441b61a6980d6ff03adab9e390b716b4818e0fa1d4be5e706cb0ced98657816c13a18dc07bedf6650f3de71dc3c8b764b487fa494c3eda67e4

Download Submit
C:\Windows\{6663C236-8BFE-4bb1-8BFF-DBBC3E9F072F}.exe

Filesize
192KB

MD5
1df0e2a8483bd57859c52b212d35d34a

SHA1
a2699939651e3205b97be489040650e1999b8635

SHA256
b42e1fac597208cfb1769be4582fbe9700ff22fd650778859481b8cff096329c

SHA512
53c98e4c0bad92652d13c9577fca58fe96070b444bda3e3dd863b4574bf806985b1f18195f928780dea657a221364ba867d9e7946bf97df627121ba4e5eed9c6

Download Submit
C:\Windows\{6C22CA6E-B001-40bd-A599-7529E1C74095}.exe

Filesize
192KB

MD5
03b76acdc191188b7abf869899e995f6

SHA1
6a2c6fcc987e7f7b91794f913ff84492de02a139

SHA256
e2468bac2fc6c841f773c52b6d0c0f3077eb4193c531bb7d108cccf5c31a66d9

SHA512
fecb351694d9823e14f48b42188ae0067645c7a692bd594fefd4e45986b29180f461dc2f20dd55139d00d3625f02b4f680317ae4db2b5902456df59fb419da42

Download Submit
C:\Windows\{8719209D-9C6D-4b88-9A97-40FB367A42F6}.exe

Filesize
192KB

MD5
f9c1127cd6db4323fd3bfe567bb6a2ee

SHA1
f9e8f1517d4a3b567919ca0574ff03319906db34

SHA256
c755ed3abcd44f415b346fd4d4f57f905b6cbf7972bddca257461c0c4b77fe4e

SHA512
1e083263dd0e35b5b0fdb2e1c6b43234ac728f21bb2620742dc64a4269ee2fc277bb130c2a6d2704dc4525a49bb8abcd79ee1a081cb0eaf3cc89d7d9075d425b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads