55f585e451bf2bdbbcd0721335a1b91149b73453a0b2192aadeae10b53b41869

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 09:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Size

372KB
MD5

f54b76f3d9f7bc9fa7e92abe1a84dc5f
SHA1

fc8c320029c62257b6b8db9a40c44c393d24d7a0
SHA256

55f585e451bf2bdbbcd0721335a1b91149b73453a0b2192aadeae10b53b41869
SHA512

f954ef279088f6e8153f3d74643cc5548a8be0b458f94a48f78c50d8f0bd1bfc2add7974fa1d8f938a9fa17facb508c8266baed66c003646039d5a0a02349854
SSDEEP

3072:CEGh0oQlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGilkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}\stubpath = "C:\\Windows\\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe"	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82000894-404B-4a46-85C4-EC5A7B8E785E}\stubpath = "C:\\Windows\\{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe"	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F88F299-0D44-4e32-864A-AB775A860E54}\stubpath = "C:\\Windows\\{2F88F299-0D44-4e32-864A-AB775A860E54}.exe"	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}\stubpath = "C:\\Windows\\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe"	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0751AD4-7277-4118-A745-A044F55098EB}	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F54999-B56A-4b30-A22B-08E886DD9F33}	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}\stubpath = "C:\\Windows\\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe"	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DE8612-13D3-416a-B094-E8459044D364}\stubpath = "C:\\Windows\\{F0DE8612-13D3-416a-B094-E8459044D364}.exe"	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82000894-404B-4a46-85C4-EC5A7B8E785E}	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F88F299-0D44-4e32-864A-AB775A860E54}	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}\stubpath = "C:\\Windows\\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe"	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}\stubpath = "C:\\Windows\\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe"	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}\stubpath = "C:\\Windows\\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe"	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F54999-B56A-4b30-A22B-08E886DD9F33}\stubpath = "C:\\Windows\\{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe"	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0751AD4-7277-4118-A745-A044F55098EB}\stubpath = "C:\\Windows\\{F0751AD4-7277-4118-A745-A044F55098EB}.exe"	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0DE8612-13D3-416a-B094-E8459044D364}	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}\stubpath = "C:\\Windows\\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe"	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe

Executes dropped EXE 12 IoCs

pid	Process
2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
4512	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
1424	{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F0DE8612-13D3-416a-B094-E8459044D364}.exe	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
File created	C:\Windows\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
File created	C:\Windows\{F0751AD4-7277-4118-A745-A044F55098EB}.exe	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
File created	C:\Windows\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
File created	C:\Windows\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
File created	C:\Windows\{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
File created	C:\Windows\{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
File created	C:\Windows\{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
File created	C:\Windows\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
File created	C:\Windows\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
File created	C:\Windows\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
File created	C:\Windows\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe
Token: SeIncBasePriorityPrivilege	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe
Token: SeIncBasePriorityPrivilege	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
Token: SeIncBasePriorityPrivilege	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
Token: SeIncBasePriorityPrivilege	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
Token: SeIncBasePriorityPrivilege	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
Token: SeIncBasePriorityPrivilege	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
Token: SeIncBasePriorityPrivilege	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
Token: SeIncBasePriorityPrivilege	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
Token: SeIncBasePriorityPrivilege	3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
Token: SeIncBasePriorityPrivilege	4512	{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2496	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	86
PID 1076 wrote to memory of 2496	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	86
PID 1076 wrote to memory of 2496	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	86
PID 1076 wrote to memory of 528	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	87
PID 1076 wrote to memory of 528	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	87
PID 1076 wrote to memory of 528	1076	2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe	87
PID 2496 wrote to memory of 1576	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	91
PID 2496 wrote to memory of 1576	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	91
PID 2496 wrote to memory of 1576	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	91
PID 2496 wrote to memory of 1480	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	92
PID 2496 wrote to memory of 1480	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	92
PID 2496 wrote to memory of 1480	2496	{F0751AD4-7277-4118-A745-A044F55098EB}.exe	92
PID 1576 wrote to memory of 4748	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	95
PID 1576 wrote to memory of 4748	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	95
PID 1576 wrote to memory of 4748	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	95
PID 1576 wrote to memory of 4688	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	96
PID 1576 wrote to memory of 4688	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	96
PID 1576 wrote to memory of 4688	1576	{F0DE8612-13D3-416a-B094-E8459044D364}.exe	96
PID 4748 wrote to memory of 5052	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	97
PID 4748 wrote to memory of 5052	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	97
PID 4748 wrote to memory of 5052	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	97
PID 4748 wrote to memory of 4764	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	98
PID 4748 wrote to memory of 4764	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	98
PID 4748 wrote to memory of 4764	4748	{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe	98
PID 5052 wrote to memory of 2148	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	99
PID 5052 wrote to memory of 2148	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	99
PID 5052 wrote to memory of 2148	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	99
PID 5052 wrote to memory of 4420	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	100
PID 5052 wrote to memory of 4420	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	100
PID 5052 wrote to memory of 4420	5052	{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe	100
PID 2148 wrote to memory of 3176	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	101
PID 2148 wrote to memory of 3176	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	101
PID 2148 wrote to memory of 3176	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	101
PID 2148 wrote to memory of 1212	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	102
PID 2148 wrote to memory of 1212	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	102
PID 2148 wrote to memory of 1212	2148	{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe	102
PID 3176 wrote to memory of 4832	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	103
PID 3176 wrote to memory of 4832	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	103
PID 3176 wrote to memory of 4832	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	103
PID 3176 wrote to memory of 2516	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	104
PID 3176 wrote to memory of 2516	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	104
PID 3176 wrote to memory of 2516	3176	{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe	104
PID 4832 wrote to memory of 3672	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	105
PID 4832 wrote to memory of 3672	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	105
PID 4832 wrote to memory of 3672	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	105
PID 4832 wrote to memory of 2360	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	106
PID 4832 wrote to memory of 2360	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	106
PID 4832 wrote to memory of 2360	4832	{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe	106
PID 3672 wrote to memory of 4280	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	107
PID 3672 wrote to memory of 4280	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	107
PID 3672 wrote to memory of 4280	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	107
PID 3672 wrote to memory of 4316	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	108
PID 3672 wrote to memory of 4316	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	108
PID 3672 wrote to memory of 4316	3672	{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe	108
PID 4280 wrote to memory of 3200	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	109
PID 4280 wrote to memory of 3200	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	109
PID 4280 wrote to memory of 3200	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	109
PID 4280 wrote to memory of 576	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	110
PID 4280 wrote to memory of 576	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	110
PID 4280 wrote to memory of 576	4280	{2F88F299-0D44-4e32-864A-AB775A860E54}.exe	110
PID 3200 wrote to memory of 4512	3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe	111
PID 3200 wrote to memory of 4512	3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe	111
PID 3200 wrote to memory of 4512	3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe	111
PID 3200 wrote to memory of 2356	3200	{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_f54b76f3d9f7bc9fa7e92abe1a84dc5f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\{F0751AD4-7277-4118-A745-A044F55098EB}.exe
  C:\Windows\{F0751AD4-7277-4118-A745-A044F55098EB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\{F0DE8612-13D3-416a-B094-E8459044D364}.exe
    C:\Windows\{F0DE8612-13D3-416a-B094-E8459044D364}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
      C:\Windows\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
        
        C:\Windows\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
        
        C:\Windows\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
        
        C:\Windows\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
        
        C:\Windows\{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
        
        C:\Windows\{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
        
        C:\Windows\{2F88F299-0D44-4e32-864A-AB775A860E54}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
        
        C:\Windows\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
        
        C:\Windows\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe
        
        C:\Windows\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{299D4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2E72~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F88F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82000~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F54~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A209~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C62~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{204F8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{153FB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0DE8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F0751~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:528

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

13.227.111.52.in-addr.arpa

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{153FBB36-7FC3-43b5-95B8-5E79FAE30FBA}.exe

Filesize
372KB

MD5
c3be1e8aee5fcc2ea48e41777cf3b60b

SHA1
808f538c69bc7aa09d47f07676771b8bea33bd2b

SHA256
a7ecb11e4e44ef0768abc0f81888e24b893796863f7ec25642a30c4701f8f83d

SHA512
5e3f7a3ace19e06e128e6f07ce19d1eb3ad9b9febfa8ce36790714b08e9dde1afb82d4eb272d98ca5a6fc3d4f27fe25b0071c55fc656209e6c7c44300254fbfd

Download Submit
C:\Windows\{204F8F35-8368-4e3e-9EBD-C715ECAA29CD}.exe

Filesize
372KB

MD5
ea241ddf6441912779cc1d5d6bd8c3ed

SHA1
cdfb67d47aa7ec0fe53546a04f038c79ec76d581

SHA256
13a35d5e19ccf5bef18dcb8bf71f49fe700c1045fd8fa73335290abac66866e5

SHA512
7eebed28f74915f88c23268a4755769e0fc1321b2c3c3111a9643df8bf3c14e5b81b95d83f3fb16c5bd2f63c7fce85115e248e247ae54f8d588e997cc1c91e0b

Download Submit
C:\Windows\{299D4570-1EF9-4d43-9D44-AC33F9D00AC9}.exe

Filesize
372KB

MD5
3aeadec451abec388d484dbfb2b661bb

SHA1
b741d2017f4b454d1e2287e9915ddca01c8ed567

SHA256
4ea6bfce558bc6bad57bbc4fc8a45ca0f22698310cd60f25044c74fc44c5f87f

SHA512
692c564a989445e58e015fe14f8d657e2e2e38b9435f1db616a6712fa213aeb9bcd646f3bf0631fcae831c4d1dbc6bbc356e4feb93003115cbbb858c41bacd1a

Download Submit
C:\Windows\{2F88F299-0D44-4e32-864A-AB775A860E54}.exe

Filesize
372KB

MD5
7068038e19c63e6c9af9a819bc6013bb

SHA1
09deee13d2aaf71dfa1a4e3858d69d9f66849fa7

SHA256
e52385de068c42d7a578f48a54c6aae378cdebfd3042ddf506e921a50cca2e9a

SHA512
129d2b9fdc812a44969768e655fe90e2816278641bf049a72e880b65ba30ba780d121b9fac5821d0a5fbf0806af1c4a5850ab6c11db9c5adcc1ff1f3ada8cb62

Download Submit
C:\Windows\{370571BC-C874-4b60-BA9C-FBB071F4A6B8}.exe

Filesize
372KB

MD5
8c79b0e43bb5bd23aba98ce34a5ba0f0

SHA1
dbdf4d5d7e8ad7bc3591f00f60255175404e063e

SHA256
d3af405a667a3da9f6aeb14fceedd022935a67b0ef4b5c582d4de0215d495096

SHA512
2995d87accb75774e7dad8b86f35bb4a89e3dc2caf1af73c1ca4b8fedccee3bc65d4e3d7f20f96a8f85ef4c2d6e5408014daeed40f5a98fc21d464bd46d6c35e

Download Submit
C:\Windows\{82000894-404B-4a46-85C4-EC5A7B8E785E}.exe

Filesize
372KB

MD5
1255e7ba57816e57e8efcb73c13fd9a7

SHA1
e7ab31a76ade78c8d2e77d15cc6d32cc591d5d97

SHA256
238f378f51c572d24c4f7b2c2ead2033cfdb6ee258ed3ace98c63813fb843831

SHA512
e59936073e4c3a5ddf36504b585c3bd85f27ecefc3075af9f4c2b936e5c0f9500bb8c8e84792702fda539a9adcf1667c34806bddceb5e4edc4a513ec230f3b48

Download Submit
C:\Windows\{94F54999-B56A-4b30-A22B-08E886DD9F33}.exe

Filesize
372KB

MD5
5fa3e2352b8564ad5cf95abf537001d7

SHA1
d474f33a9bafd264d4f578cbd2ec1087c09a6372

SHA256
3c0e193f0c86272273e96cfbe1a77380a143739d3984225786f333cd04e6b7d2

SHA512
770662a4989c12b41f26db8d1374ff0e78eb04e12c1100f21423933992f5d38ef874e8e7e96d76aaa08c6554a5a86490adc99133fc92cea58100a4a975f0b672

Download Submit
C:\Windows\{9A209EB2-F97D-4b6d-BD72-BA404D0122EF}.exe

Filesize
372KB

MD5
99221b7fd09fd1deda41db0f9f973dc3

SHA1
2ed4ddc71a731981438a730eacbf8869969cc64b

SHA256
a29bbd6a2bb43103fc83f854762e516dbdedf3d97154c72e7026ac16058a637b

SHA512
2511c509f48e9cd6584ae3620824586c668a123f6d63efef3b0f2711b908ee33ed3627ebed3580dc71c6cdf3f4b2b8428798bd69e4ede633ef53cd9ec0a2c374

Download Submit
C:\Windows\{B9C62C3F-146B-4310-82A3-CC2CDC4A142A}.exe

Filesize
372KB

MD5
961fb8db8af366de4d0c1db15081c431

SHA1
03e142b0c8677520474f82ef1ab762af856ea67d

SHA256
17c7899c0af18e9bc147067400fdfb8281a1f1d1ecadde042ab0dc8a15f28d77

SHA512
53fde85ac135a47496a1eea43e4ee54358d4ac4e2185b960ecda84224c19bf09dbd41c2f8b2f69e412df0f505802b66f1039d9a2bb764cdfa68b5314d73bf67c

Download Submit
C:\Windows\{E2E725D2-A065-4a4c-91DB-6C87EB8616DA}.exe

Filesize
372KB

MD5
3c0a07f33042a336234a86d09f4a930e

SHA1
fd08e9b2e36f0ab08170cbb737591fd8cfd063d0

SHA256
83e9641d425a8363cc1aa05910812261d575e5b2c847ade616074d04b0d4bf58

SHA512
9b822713e5417bfe619aeeb503f683def4320d7c4879e9dd1c48346c5f37b0feb13d4f9ba0503348dcdf78c9a6bb10f26e6a52b21042571c77b4c1929111fcc1

Download Submit
C:\Windows\{F0751AD4-7277-4118-A745-A044F55098EB}.exe

Filesize
372KB

MD5
e023cbc38aeaee312525fa9f9c3d7f00

SHA1
f8a368d7ecbf59610e7691f1a0e4b6fb398c7904

SHA256
5a81a0ee9d415949d79a90c3a6ecd2ec8dd4760e7e934f0a4585db3a6a8f63cd

SHA512
8ee124697183ec0abe6899abd2ed22c185f35126079ffb2f3cecb34644ec3906aa6f6736d13753ff589e3456e3f8c6ee7d7bde7e50c91bee93fd47212e72e441

Download Submit
C:\Windows\{F0DE8612-13D3-416a-B094-E8459044D364}.exe

Filesize
372KB

MD5
4a73b343854d5458e91481207dcba66a

SHA1
23d4543c611271e301aea7433b01b26cd28e7188

SHA256
284e921834c4d005adb5b02e544c33b9df949f40cefdcb6beeb54a709e642deb

SHA512
28a87f6f7be823f218d4265974fe8eec064afe458c3729823c109c2eacfd267b4c55fa2f56603e786e3a29b1e09bf60930a437a4516c34369b150517f575380a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.