ea7827590023928c5d6272e4a27c096cc9ed011be90e37fca00a31ff6cfdd1e1

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
Size

372KB
MD5

2da0afdbca6400b88f842fab2d1babc1
SHA1

120ae016323963c21bb81137587f89a3fec174a6
SHA256

ea7827590023928c5d6272e4a27c096cc9ed011be90e37fca00a31ff6cfdd1e1
SHA512

3e41e1042dde5ce1bee813ddf30ea107de157fe392c01998764e070ea71338e4f099e64b71023a622d8457de569fcbae8dc96425f8fd9d78366fc13e6f80dae7
SSDEEP

3072:CEGh0oAlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGulkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD366409-1575-4e57-9EB7-837DB4B3B600}\stubpath = "C:\\Windows\\{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe"	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}\stubpath = "C:\\Windows\\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe"	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68480E4A-11F3-465e-A933-40DC91689629}\stubpath = "C:\\Windows\\{68480E4A-11F3-465e-A933-40DC91689629}.exe"	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}\stubpath = "C:\\Windows\\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe"	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68480E4A-11F3-465e-A933-40DC91689629}	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}\stubpath = "C:\\Windows\\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe"	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}\stubpath = "C:\\Windows\\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe"	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD366409-1575-4e57-9EB7-837DB4B3B600}	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}\stubpath = "C:\\Windows\\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe"	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}\stubpath = "C:\\Windows\\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe"	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}\stubpath = "C:\\Windows\\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe"	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}\stubpath = "C:\\Windows\\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe"	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46C102FA-D3B0-4159-8C93-C66D9647C501}	{68480E4A-11F3-465e-A933-40DC91689629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}\stubpath = "C:\\Windows\\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe"	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46C102FA-D3B0-4159-8C93-C66D9647C501}\stubpath = "C:\\Windows\\{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe"	{68480E4A-11F3-465e-A933-40DC91689629}.exe

Executes dropped EXE 12 IoCs

pid	Process
4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe
3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
3348	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
1436	{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
File created	C:\Windows\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
File created	C:\Windows\{68480E4A-11F3-465e-A933-40DC91689629}.exe	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
File created	C:\Windows\{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe	{68480E4A-11F3-465e-A933-40DC91689629}.exe
File created	C:\Windows\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
File created	C:\Windows\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
File created	C:\Windows\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
File created	C:\Windows\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
File created	C:\Windows\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
File created	C:\Windows\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
File created	C:\Windows\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
File created	C:\Windows\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{68480E4A-11F3-465e-A933-40DC91689629}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
Token: SeIncBasePriorityPrivilege	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
Token: SeIncBasePriorityPrivilege	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
Token: SeIncBasePriorityPrivilege	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
Token: SeIncBasePriorityPrivilege	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
Token: SeIncBasePriorityPrivilege	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
Token: SeIncBasePriorityPrivilege	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
Token: SeIncBasePriorityPrivilege	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
Token: SeIncBasePriorityPrivilege	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe
Token: SeIncBasePriorityPrivilege	3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
Token: SeIncBasePriorityPrivilege	3348	{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4768	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	83
PID 1672 wrote to memory of 4768	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	83
PID 1672 wrote to memory of 4768	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	83
PID 1672 wrote to memory of 2920	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	84
PID 1672 wrote to memory of 2920	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	84
PID 1672 wrote to memory of 2920	1672	2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe	84
PID 4768 wrote to memory of 2656	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	92
PID 4768 wrote to memory of 2656	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	92
PID 4768 wrote to memory of 2656	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	92
PID 4768 wrote to memory of 3948	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	93
PID 4768 wrote to memory of 3948	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	93
PID 4768 wrote to memory of 3948	4768	{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe	93
PID 2656 wrote to memory of 1156	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	96
PID 2656 wrote to memory of 1156	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	96
PID 2656 wrote to memory of 1156	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	96
PID 2656 wrote to memory of 1864	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	97
PID 2656 wrote to memory of 1864	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	97
PID 2656 wrote to memory of 1864	2656	{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe	97
PID 1156 wrote to memory of 4712	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	98
PID 1156 wrote to memory of 4712	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	98
PID 1156 wrote to memory of 4712	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	98
PID 1156 wrote to memory of 1000	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	99
PID 1156 wrote to memory of 1000	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	99
PID 1156 wrote to memory of 1000	1156	{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe	99
PID 4712 wrote to memory of 912	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	100
PID 4712 wrote to memory of 912	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	100
PID 4712 wrote to memory of 912	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	100
PID 4712 wrote to memory of 5016	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	101
PID 4712 wrote to memory of 5016	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	101
PID 4712 wrote to memory of 5016	4712	{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe	101
PID 912 wrote to memory of 4996	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	102
PID 912 wrote to memory of 4996	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	102
PID 912 wrote to memory of 4996	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	102
PID 912 wrote to memory of 1948	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	103
PID 912 wrote to memory of 1948	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	103
PID 912 wrote to memory of 1948	912	{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe	103
PID 4996 wrote to memory of 3600	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	104
PID 4996 wrote to memory of 3600	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	104
PID 4996 wrote to memory of 3600	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	104
PID 4996 wrote to memory of 4036	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	105
PID 4996 wrote to memory of 4036	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	105
PID 4996 wrote to memory of 4036	4996	{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe	105
PID 3600 wrote to memory of 4696	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	106
PID 3600 wrote to memory of 4696	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	106
PID 3600 wrote to memory of 4696	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	106
PID 3600 wrote to memory of 816	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	107
PID 3600 wrote to memory of 816	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	107
PID 3600 wrote to memory of 816	3600	{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe	107
PID 4696 wrote to memory of 4948	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	108
PID 4696 wrote to memory of 4948	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	108
PID 4696 wrote to memory of 4948	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	108
PID 4696 wrote to memory of 3116	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	109
PID 4696 wrote to memory of 3116	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	109
PID 4696 wrote to memory of 3116	4696	{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe	109
PID 4948 wrote to memory of 3472	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	110
PID 4948 wrote to memory of 3472	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	110
PID 4948 wrote to memory of 3472	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	110
PID 4948 wrote to memory of 2904	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	111
PID 4948 wrote to memory of 2904	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	111
PID 4948 wrote to memory of 2904	4948	{68480E4A-11F3-465e-A933-40DC91689629}.exe	111
PID 3472 wrote to memory of 3348	3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe	112
PID 3472 wrote to memory of 3348	3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe	112
PID 3472 wrote to memory of 3348	3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe	112
PID 3472 wrote to memory of 4484	3472	{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_2da0afdbca6400b88f842fab2d1babc1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
  C:\Windows\{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
    C:\Windows\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
      C:\Windows\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
        
        C:\Windows\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
        
        C:\Windows\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
        
        C:\Windows\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
        
        C:\Windows\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
        
        C:\Windows\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{68480E4A-11F3-465e-A933-40DC91689629}.exe
        
        C:\Windows\{68480E4A-11F3-465e-A933-40DC91689629}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
        
        C:\Windows\{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
        
        C:\Windows\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Windows\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe
        
        C:\Windows\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0C3~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46C10~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68480~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FA9C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66E38~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8DB3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D96D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F41B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B18~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08685~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD366~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08685A58-1DD8-4a9b-8A00-DB118AA739A8}.exe

Filesize
372KB

MD5
1f7823ecd20bb5b6985246af109d0154

SHA1
8b7ebd3b09d72940d711f6e0ab0eec848be04fca

SHA256
14a47b003b9f1e1a279c4d46b9cf6302ec46eacc3cbd519792a1001cb99795c0

SHA512
1312146cf3f756145e7f686be6d7e7230637ee4a1a450485eae4a0d3d9c2539f8464da880c4fc1716ded4a232018f56706aa1b2e531d958c5bb481c9fd563c9f

Download Submit
C:\Windows\{1FF9CA9E-41F9-4c65-BDAD-67E376136653}.exe

Filesize
372KB

MD5
93a17a35aee03ef125a9517aff76b7c7

SHA1
9aac7dafc936da5f6af39814593b54260b6145e0

SHA256
855168524b9e83738d4edf7ade9ccda084bf5cfbe8bad4c00b36d30dfc27fbba

SHA512
c298ac6995cb0464af072eaf1f9dc5e544f3af9e803dd876168ff50a959d05c85bba548707d3f328c9bad3bc562e8904fdc77fd12f9726e32934aa9414e8973c

Download Submit
C:\Windows\{46C102FA-D3B0-4159-8C93-C66D9647C501}.exe

Filesize
372KB

MD5
8410989cbcf603e4ad65037e4d7cb492

SHA1
ccb47b5d80489a39ca4fe749afdcb76e81223e1a

SHA256
d60720322426d0a5b9e1629a975a2f3236c7fbedd45509844448955b31bc7c9d

SHA512
533f69deb1900bed6375fde151814538084a1086b0f2ab3cf0c851541facb5253cd89cc15ea601a8e467fe9b709191f45ba954958dfa3c15ea43b44c602191de

Download Submit
C:\Windows\{4FA9CE2E-4329-4564-84BF-595262BC7D5B}.exe

Filesize
372KB

MD5
f09b3354fad48f651611252494970165

SHA1
d5342cb63eb6929ea64ccc754922135b0c5abafe

SHA256
f14ff978ad77103e30814f9b74b41e913102433db3b34c76ac99cd7a11a2aeb4

SHA512
a36333145e823967d79f664877b5bf095a03e50a9d75df9398f22c48fa8228fcb815c95d4ad868aa269af102d429fbb8f815d1971dd9ac814f8064829fb0b359

Download Submit
C:\Windows\{66E38471-F0DD-41d1-B38B-99F5C6E400D5}.exe

Filesize
372KB

MD5
e99194989677d263488f2ab900e91582

SHA1
145be216519e8acbe12f6015e40c55313162df22

SHA256
8977eaf38e2af6af941d68c7aa945bf74ca1e84d0134aea35bcf74921970bd65

SHA512
d55cbcbedf2454b8f6c84510fd66bd8ed5c5747cf46b944c035cbe0bb5ef2ec04f5afb50c4ae7a8f4f6127ee6b6db8bae5e41f03f9d4a401a2f0d81467d2129d

Download Submit
C:\Windows\{68480E4A-11F3-465e-A933-40DC91689629}.exe

Filesize
372KB

MD5
27721cb95a15d4972c80c3f8b36c4692

SHA1
a05d9c0ca21500c25c1afa8ad7778896e3806533

SHA256
4b863b888f3d35a225f3c38a0889ee05a6f514cf55f796d49d096b50da0a83a6

SHA512
4e61113c1885b3ff2a767d49a26eb59ee614085c466ab592d0fa17124ee6cb143e044bad4450c62dc69924835c5dddf76b5017669e99758bcd02fc7bbad92af8

Download Submit
C:\Windows\{9D96DCC4-9C7D-4dfe-965B-B0838932524B}.exe

Filesize
372KB

MD5
ec17cfe619b6fa5c7ae5d81ad9a8b70b

SHA1
9d76fbdbcbb8b619f0004dca5bf9cdfe9e80de22

SHA256
c2bf95ce8c2196fc8907ef11b1c79fc529d68607d0d7547b715b46342a634698

SHA512
7f78c66a082e1c9b49147b06f8f52442810fe8da8a1b61dd49207e3bfd134cd93456b920ba5b93668dfbc3d338613f163d81a872928b1ab39c1895bcfe3f061e

Download Submit
C:\Windows\{9F41B46A-7AA0-40df-AD4B-951FD39B513F}.exe

Filesize
372KB

MD5
219a84fb3a56ba1eb7778bf264123447

SHA1
0808222a708274bde6957b3d41d286b8420a8d6e

SHA256
33033cc139d5da621f093d81e6562bb72412b4e2d0d39e3f2b3ccca888543c3a

SHA512
ddca9c2287b8c6fc881ad1f19f7ec3ff0395163233df6a8da5476ae94381e3cc08bfcc0bc4304fee7b29cfe46e7f68a808664f056ab52997531144b83f12bbdb

Download Submit
C:\Windows\{BD366409-1575-4e57-9EB7-837DB4B3B600}.exe

Filesize
372KB

MD5
50baa282021aabe5138f34e8652a75bb

SHA1
0aab0f13cb20a760bbb49614bc672a8c66fb8731

SHA256
0767d21a1255b35d6e21a7967f04d224edb059edea27cd14b748c0f66a6632d5

SHA512
11b6985dcbf7cd6e7a95b837a2f214fc43a663af871d00118a027076a4c3dfddea3cfc8d466344c17c3472d2497a69460b76c016c2002f62e2eebc5be8053a05

Download Submit
C:\Windows\{C7B186B8-02F0-4f9f-8926-B324C1DAF00A}.exe

Filesize
372KB

MD5
99da72fe639db01a4b8de75d8688b871

SHA1
b73fb6768fd9c32c10c7616ca5b18d1e3b8b5b96

SHA256
86ad5c896d9eff98e9a2dcaa071904620f56f1fe8f0519d33121b2a2827eff4f

SHA512
0788137d8d5d870a87c5371799ac711c3d11ffc761eef6108c91a927e48750a2c76d6b161861498877cba8c15cabf29e92359587f2c708c8a90b632165a5514b

Download Submit
C:\Windows\{C8DB39AB-75A9-456c-B11F-6A371A5EC380}.exe

Filesize
372KB

MD5
37cb5ba34f673049341b9e1fafd8e3ba

SHA1
b29ad0150ba6f6b4057997f46da131fd99300138

SHA256
0aa675eead81bc92e5550562fdb33efceea8fa4cc20fae0a293f622d9b421633

SHA512
1df18b21fbd8649a05135a0a2cc6a4b47c9d0f9ccec972f777a87303fa567d8b97b4fb1fae500379166adf88125cd528ee4b3ffd2c23f1569c59287e8826a342

Download Submit
C:\Windows\{DA0C3A12-D724-4ed7-8B52-7F0018AAEFFD}.exe

Filesize
372KB

MD5
c7e8810c523eea3b91b0363893bfffe6

SHA1
589c6d7bb0378345e76fbf5b6184b0f4e498a2d5

SHA256
2d8bf591178130a48b5d9528b625f67df2fe4d77f2c073b38f77a589162d923a

SHA512
95f04a98dac2cfd5ea8457fc31c9c8754fa4f72a9fcc7a2e18471d7e8fad5c879a9702a3e466559d2354afc31fa7bf782ee478c7290b888ad0bc431125ba994b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads