42c97d82a71a401bc044959e56482759c4b0940cd385f1dead1d6bbea090c5e5

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
Size

192KB
MD5

37a0fcd357b01b4ebdc94c9aeeee405b
SHA1

78db0a73c660da946ad6b3b9f766bae29d6c201c
SHA256

42c97d82a71a401bc044959e56482759c4b0940cd385f1dead1d6bbea090c5e5
SHA512

79d079048674962250fff77286802f6e8861b881463456a4a860f9477344450afb40b10c8cb25ec04d95634bce0de4ebe0aa971d183d4e11233ca060b61b8181
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ojl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03AEB212-7A15-4993-945E-C4426B1B645B}\stubpath = "C:\\Windows\\{03AEB212-7A15-4993-945E-C4426B1B645B}.exe"	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}\stubpath = "C:\\Windows\\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe"	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19306AAA-58ED-42a3-9517-8BEF70D48A33}\stubpath = "C:\\Windows\\{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe"	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}\stubpath = "C:\\Windows\\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe"	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224B3AE6-24CB-43b6-A80A-9442B0252E70}\stubpath = "C:\\Windows\\{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe"	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}\stubpath = "C:\\Windows\\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe"	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E69702-77F6-4bf2-9A17-1CCECE18107F}\stubpath = "C:\\Windows\\{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe"	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19306AAA-58ED-42a3-9517-8BEF70D48A33}	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}\stubpath = "C:\\Windows\\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe"	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A01994-3124-44bd-90CD-BC48FC149F8E}	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03AEB212-7A15-4993-945E-C4426B1B645B}	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}\stubpath = "C:\\Windows\\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe"	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E69702-77F6-4bf2-9A17-1CCECE18107F}	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{224B3AE6-24CB-43b6-A80A-9442B0252E70}	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}\stubpath = "C:\\Windows\\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe"	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}\stubpath = "C:\\Windows\\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe"	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A01994-3124-44bd-90CD-BC48FC149F8E}\stubpath = "C:\\Windows\\{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe"	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
2356	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
2392	{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
File created	C:\Windows\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
File created	C:\Windows\{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
File created	C:\Windows\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
File created	C:\Windows\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
File created	C:\Windows\{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
File created	C:\Windows\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
File created	C:\Windows\{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
File created	C:\Windows\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
File created	C:\Windows\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
File created	C:\Windows\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
File created	C:\Windows\{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
Token: SeIncBasePriorityPrivilege	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
Token: SeIncBasePriorityPrivilege	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
Token: SeIncBasePriorityPrivilege	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
Token: SeIncBasePriorityPrivilege	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
Token: SeIncBasePriorityPrivilege	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
Token: SeIncBasePriorityPrivilege	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
Token: SeIncBasePriorityPrivilege	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
Token: SeIncBasePriorityPrivilege	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
Token: SeIncBasePriorityPrivilege	3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
Token: SeIncBasePriorityPrivilege	2356	{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1648	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	84
PID 3592 wrote to memory of 1648	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	84
PID 3592 wrote to memory of 1648	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	84
PID 3592 wrote to memory of 452	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	85
PID 3592 wrote to memory of 452	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	85
PID 3592 wrote to memory of 452	3592	2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe	85
PID 1648 wrote to memory of 1096	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	91
PID 1648 wrote to memory of 1096	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	91
PID 1648 wrote to memory of 1096	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	91
PID 1648 wrote to memory of 4592	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	92
PID 1648 wrote to memory of 4592	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	92
PID 1648 wrote to memory of 4592	1648	{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe	92
PID 1096 wrote to memory of 3632	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	95
PID 1096 wrote to memory of 3632	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	95
PID 1096 wrote to memory of 3632	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	95
PID 1096 wrote to memory of 244	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	96
PID 1096 wrote to memory of 244	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	96
PID 1096 wrote to memory of 244	1096	{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe	96
PID 3632 wrote to memory of 828	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	97
PID 3632 wrote to memory of 828	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	97
PID 3632 wrote to memory of 828	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	97
PID 3632 wrote to memory of 4088	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	98
PID 3632 wrote to memory of 4088	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	98
PID 3632 wrote to memory of 4088	3632	{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe	98
PID 828 wrote to memory of 2512	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	99
PID 828 wrote to memory of 2512	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	99
PID 828 wrote to memory of 2512	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	99
PID 828 wrote to memory of 3684	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	100
PID 828 wrote to memory of 3684	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	100
PID 828 wrote to memory of 3684	828	{03AEB212-7A15-4993-945E-C4426B1B645B}.exe	100
PID 2512 wrote to memory of 1200	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	101
PID 2512 wrote to memory of 1200	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	101
PID 2512 wrote to memory of 1200	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	101
PID 2512 wrote to memory of 2684	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	102
PID 2512 wrote to memory of 2684	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	102
PID 2512 wrote to memory of 2684	2512	{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe	102
PID 1200 wrote to memory of 4720	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	103
PID 1200 wrote to memory of 4720	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	103
PID 1200 wrote to memory of 4720	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	103
PID 1200 wrote to memory of 3968	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	104
PID 1200 wrote to memory of 3968	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	104
PID 1200 wrote to memory of 3968	1200	{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe	104
PID 4720 wrote to memory of 1204	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	105
PID 4720 wrote to memory of 1204	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	105
PID 4720 wrote to memory of 1204	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	105
PID 4720 wrote to memory of 4940	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	106
PID 4720 wrote to memory of 4940	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	106
PID 4720 wrote to memory of 4940	4720	{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe	106
PID 1204 wrote to memory of 724	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	107
PID 1204 wrote to memory of 724	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	107
PID 1204 wrote to memory of 724	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	107
PID 1204 wrote to memory of 1280	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	108
PID 1204 wrote to memory of 1280	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	108
PID 1204 wrote to memory of 1280	1204	{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe	108
PID 724 wrote to memory of 3456	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	109
PID 724 wrote to memory of 3456	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	109
PID 724 wrote to memory of 3456	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	109
PID 724 wrote to memory of 3900	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	110
PID 724 wrote to memory of 3900	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	110
PID 724 wrote to memory of 3900	724	{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe	110
PID 3456 wrote to memory of 2356	3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe	111
PID 3456 wrote to memory of 2356	3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe	111
PID 3456 wrote to memory of 2356	3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe	111
PID 3456 wrote to memory of 3940	3456	{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_37a0fcd357b01b4ebdc94c9aeeee405b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
  C:\Windows\{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
    C:\Windows\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
      C:\Windows\{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Windows\{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
        
        C:\Windows\{03AEB212-7A15-4993-945E-C4426B1B645B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
        
        C:\Windows\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
        
        C:\Windows\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
        
        C:\Windows\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
        
        C:\Windows\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
        
        C:\Windows\{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
        
        C:\Windows\{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
        
        C:\Windows\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe
        
        C:\Windows\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE102~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19306~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E69~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50D5B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3452~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5BD0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0061C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03AEB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61A01~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B1134~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{224B3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0061C2E6-FCCA-46a9-9700-105F13D50CBE}.exe

Filesize
192KB

MD5
d7f376f5de64d19a424e25d649d4199e

SHA1
6aca17f790785bbf418aa8775e81463699294e8d

SHA256
840b04885bf724d9a0de7fdbcbc46e8fd1159282b2257af41a554aacde07f25c

SHA512
a03f253b0a4a5e7552bf1bbd286adfc4dd220b465bfaa4cfb5e048e4596dbdc2c5c591cadca532f062d444341c39ad899263919c37f01d5ead77f299d89cf057

Download Submit
C:\Windows\{03AEB212-7A15-4993-945E-C4426B1B645B}.exe

Filesize
192KB

MD5
ea02f9e83171377169decf320c4585a4

SHA1
b77ac268d58ab256ae8f7d620ff66f4446e516ee

SHA256
26fb71543103324bad81df7b004cd8534816e429fbe4db258b9424ca5321901f

SHA512
4ce2242e0ded2ddf60a2a40dd23fa2bbcb62b7cdd4cde32bf8189adb62a7523237d6fe7f15d0e403791d4c686417372ba41468b77a4134ae69b6fc0278c9150a

Download Submit
C:\Windows\{19306AAA-58ED-42a3-9517-8BEF70D48A33}.exe

Filesize
192KB

MD5
96b22c2f11b71556fb6ed5a32f3fc54d

SHA1
97f04d40fed6ceb64c3faf9ef49ddfd037a81d69

SHA256
351154a36128c57bfe8779769cedaa0ce800d41d87118d4d1359eb0c4bbc8a39

SHA512
b6aca75c60129403c5c44a99e6655e2878b323ebaa246fada91e724fbc6c8ad0a26f27a640032a2997413e3ce054709e4d2a5be87830175ff95ce6764f30c14e

Download Submit
C:\Windows\{224B3AE6-24CB-43b6-A80A-9442B0252E70}.exe

Filesize
192KB

MD5
abe88e86600be3ca65ea725dc868cbd8

SHA1
10b2490dc928978b55301f1289303b6158df506d

SHA256
ce599c34900546fdeabb546994da3e5acb87f62549f08a3d338e3dcd9bfadd67

SHA512
80beb04cbbdea077f613c7421577257a241427b08d9b13549cb5b9d43b73f576116b6d7ee71b6c3e84509f28b7d32c2cfc70db92799d3483979b6dc0c1c95fb1

Download Submit
C:\Windows\{50D5B699-C01D-4020-BEF5-6E9C24BE0EE1}.exe

Filesize
192KB

MD5
0a7c4cae2f13403a588525a9c5cc66cc

SHA1
5f5927b107b209910d83f0840256ece6a7ad4385

SHA256
a92a0ca1e705bb9c7d9dc6612200e222e60cdf250a1056c2e45526deddd61266

SHA512
c4c54ecefa5bba4fa57f3367002cc241a38b64ddc68ea0aa99ad46dde319f721faffd2eb9c36f3378ea7e810c7182c073f122b2e7711b651d086e61ba8745407

Download Submit
C:\Windows\{61A01994-3124-44bd-90CD-BC48FC149F8E}.exe

Filesize
192KB

MD5
f6c63438911bcc02f5d239f8094ab4fd

SHA1
e80e660df001cb0d25383251f42d12b3d5477a8b

SHA256
e116662ade0dacaa9023e973c91a3fb7563e19448de817942408fa1c3da177f1

SHA512
11e8cbe1c6182e0f87b2d85885a86e3cd434a20708d2d39d29eb4a3c22cdf66980174faf721847cbb3ac16af234897d53dc0719cc81fa0f065d748248175863b

Download Submit
C:\Windows\{76E69702-77F6-4bf2-9A17-1CCECE18107F}.exe

Filesize
192KB

MD5
5cd40388348755ee49e29013d4997997

SHA1
52b4aa727fe099dd804915fef2c20bbaf1386766

SHA256
bbb037e8278854aa974075077c27568e50140465fa0baf936caee5b9ca3d5081

SHA512
5fed11b76075f417f68a3b1892c1942c3b01597c781e451780b0152a2edd120d27a0bffa1f370b1faf0fa1309afe45207e15992bdfbcfdce833d7131b1545a8d

Download Submit
C:\Windows\{A34527D0-C1C9-46eb-97F8-0EE24E0DC763}.exe

Filesize
192KB

MD5
3f12075789f744c46e17ee64ce5efd57

SHA1
049594268bad96ffc9c4679948ddad7d033c5c1b

SHA256
ae6e120df4210f0b92f003b6791c951d4d865d186afa0d1ca6005bec1fb6c894

SHA512
512aa8f65b32ef9e8c02a0c235f059f04b91468267121b4d3b66e3951590ee24f7d1ad077d773eeb6368c901266a5df78442301cd123eb37c49654055e9a40b7

Download Submit
C:\Windows\{A7DCC709-A719-4c1c-854D-F5CB2250C58E}.exe

Filesize
192KB

MD5
3468d4d5205682c6febee0bee14dfc47

SHA1
04392e5d5ce91fed792c0c3dd410e7c2ecb263ef

SHA256
60470107c230f076dcd308d1f72213c5c061fce3006585e6c3325c0914914fd7

SHA512
e5e6ce42b74e4e831f0828ac2a9e41ebb8b14183e04e77e85092504143a4946cea6001fea919d832ca02e732afdadc2b8679b97b020eaa90ecac026159b727ce

Download Submit
C:\Windows\{B1134F32-87F8-4e66-8E95-5BE81D26B21C}.exe

Filesize
192KB

MD5
41c7f305b5fa508e78342211dbbe25a2

SHA1
bd839e9280984cdc3c8403b9104e99d86920b3db

SHA256
6004310b8d1dfaa208e698c4e3e1236f57a4a56c26781aa72d00d0c82ba64ff6

SHA512
a9eeab1d83edde70c4003dcea98bf9f9b5561384580422fb3a88043353d518a2875f7560c1482e1fe527ab33ffa004b1610260241e7fa8af49306be29b17070b

Download Submit
C:\Windows\{D5BD0460-5F1C-4e0e-B130-0721AE6FF59B}.exe

Filesize
192KB

MD5
c48fa7b12517d3901d2e65a51b89538e

SHA1
cbc833db05772a9fb81dc4c8a4ab21824e5b73f7

SHA256
9cd0b2dd0f19c7d5805cd97edb22a9461e88e46a0469d221f3fe4ad9be572432

SHA512
349ce8d906d664a770d25b607d62234144374cd12d23de1f72d7ff558592949f5ca919dfa40d34cbee886167cdbb60b665df40a96be8adfac3886f06c8757772

Download Submit
C:\Windows\{DE102220-1F17-4e68-8CA8-DB1A89FCD368}.exe

Filesize
192KB

MD5
8359be5c9abe29298b6550717b48a464

SHA1
58260d8922667a2bfacdde7dd8de83662faa5c98

SHA256
16f10ff32c7ba023d28236dc2784601082cf77c1da116aee263911a55e15e9da

SHA512
58143ee42a83e8e55284b5e5bfa445749ce816aafd3eb4a2acb374499dbbac052e03cddf51df44e0116d9e0032d941fd1ec772f86fb8c1d11c47926be6f8a7a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads