934767a8c72aee241f1330d4fbd5ae207cac7f97601ef78fe2d047c47f60dee0

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Size

344KB
MD5

241f8f0511fdf1319272d1865b2ece06
SHA1

e690affbecc59ab1a3042d3cfc72160f9a70a726
SHA256

934767a8c72aee241f1330d4fbd5ae207cac7f97601ef78fe2d047c47f60dee0
SHA512

910488dffdb476245926c7c4f97638a166683bad1322ddd6d5aa3eb3b1b39c31836933726cdf254bf7ead045ef84d565fea75d34322c0380dd131bb88b52a289
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGulqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}\stubpath = "C:\\Windows\\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe"	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356A2615-7591-4476-8E7A-D6DDE08F5264}	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{687E726E-0D60-4e4a-B55A-007E74FF1F54}	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29415136-0A89-46a1-920C-6B1CA41300D5}\stubpath = "C:\\Windows\\{29415136-0A89-46a1-920C-6B1CA41300D5}.exe"	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}\stubpath = "C:\\Windows\\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe"	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}\stubpath = "C:\\Windows\\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe"	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{356A2615-7591-4476-8E7A-D6DDE08F5264}\stubpath = "C:\\Windows\\{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe"	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}\stubpath = "C:\\Windows\\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe"	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29415136-0A89-46a1-920C-6B1CA41300D5}	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}\stubpath = "C:\\Windows\\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe"	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}\stubpath = "C:\\Windows\\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe"	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}\stubpath = "C:\\Windows\\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe"	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{687E726E-0D60-4e4a-B55A-007E74FF1F54}\stubpath = "C:\\Windows\\{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe"	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}\stubpath = "C:\\Windows\\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe"	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}\stubpath = "C:\\Windows\\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe"	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe

Executes dropped EXE 12 IoCs

pid	Process
3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
596	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
2028	{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
File created	C:\Windows\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
File created	C:\Windows\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
File created	C:\Windows\{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
File created	C:\Windows\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
File created	C:\Windows\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
File created	C:\Windows\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
File created	C:\Windows\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
File created	C:\Windows\{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
File created	C:\Windows\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
File created	C:\Windows\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
File created	C:\Windows\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
Token: SeIncBasePriorityPrivilege	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
Token: SeIncBasePriorityPrivilege	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
Token: SeIncBasePriorityPrivilege	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
Token: SeIncBasePriorityPrivilege	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
Token: SeIncBasePriorityPrivilege	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
Token: SeIncBasePriorityPrivilege	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
Token: SeIncBasePriorityPrivilege	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
Token: SeIncBasePriorityPrivilege	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
Token: SeIncBasePriorityPrivilege	4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
Token: SeIncBasePriorityPrivilege	596	{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 3872	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	89
PID 4540 wrote to memory of 3872	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	89
PID 4540 wrote to memory of 3872	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	89
PID 4540 wrote to memory of 4020	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	90
PID 4540 wrote to memory of 4020	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	90
PID 4540 wrote to memory of 4020	4540	2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe	90
PID 3872 wrote to memory of 3212	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	91
PID 3872 wrote to memory of 3212	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	91
PID 3872 wrote to memory of 3212	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	91
PID 3872 wrote to memory of 2408	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	92
PID 3872 wrote to memory of 2408	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	92
PID 3872 wrote to memory of 2408	3872	{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe	92
PID 3212 wrote to memory of 748	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	95
PID 3212 wrote to memory of 748	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	95
PID 3212 wrote to memory of 748	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	95
PID 3212 wrote to memory of 3696	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	96
PID 3212 wrote to memory of 3696	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	96
PID 3212 wrote to memory of 3696	3212	{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe	96
PID 748 wrote to memory of 4856	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	97
PID 748 wrote to memory of 4856	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	97
PID 748 wrote to memory of 4856	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	97
PID 748 wrote to memory of 1928	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	98
PID 748 wrote to memory of 1928	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	98
PID 748 wrote to memory of 1928	748	{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe	98
PID 4856 wrote to memory of 1956	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	99
PID 4856 wrote to memory of 1956	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	99
PID 4856 wrote to memory of 1956	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	99
PID 4856 wrote to memory of 3524	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	100
PID 4856 wrote to memory of 3524	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	100
PID 4856 wrote to memory of 3524	4856	{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe	100
PID 1956 wrote to memory of 516	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	101
PID 1956 wrote to memory of 516	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	101
PID 1956 wrote to memory of 516	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	101
PID 1956 wrote to memory of 3496	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	102
PID 1956 wrote to memory of 3496	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	102
PID 1956 wrote to memory of 3496	1956	{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe	102
PID 516 wrote to memory of 1808	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	103
PID 516 wrote to memory of 1808	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	103
PID 516 wrote to memory of 1808	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	103
PID 516 wrote to memory of 3732	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	104
PID 516 wrote to memory of 3732	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	104
PID 516 wrote to memory of 3732	516	{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe	104
PID 1808 wrote to memory of 2784	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	105
PID 1808 wrote to memory of 2784	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	105
PID 1808 wrote to memory of 2784	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	105
PID 1808 wrote to memory of 3620	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	106
PID 1808 wrote to memory of 3620	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	106
PID 1808 wrote to memory of 3620	1808	{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe	106
PID 2784 wrote to memory of 4492	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	107
PID 2784 wrote to memory of 4492	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	107
PID 2784 wrote to memory of 4492	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	107
PID 2784 wrote to memory of 3176	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	108
PID 2784 wrote to memory of 3176	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	108
PID 2784 wrote to memory of 3176	2784	{29415136-0A89-46a1-920C-6B1CA41300D5}.exe	108
PID 4492 wrote to memory of 4336	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	109
PID 4492 wrote to memory of 4336	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	109
PID 4492 wrote to memory of 4336	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	109
PID 4492 wrote to memory of 4320	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	110
PID 4492 wrote to memory of 4320	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	110
PID 4492 wrote to memory of 4320	4492	{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe	110
PID 4336 wrote to memory of 596	4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe	111
PID 4336 wrote to memory of 596	4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe	111
PID 4336 wrote to memory of 596	4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe	111
PID 4336 wrote to memory of 1528	4336	{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_241f8f0511fdf1319272d1865b2ece06_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
  C:\Windows\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
    C:\Windows\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
      C:\Windows\{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
        
        C:\Windows\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
        
        C:\Windows\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
        
        C:\Windows\{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
        
        C:\Windows\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
        
        C:\Windows\{29415136-0A89-46a1-920C-6B1CA41300D5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
        
        C:\Windows\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
        
        C:\Windows\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
        
        C:\Windows\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe
        
        C:\Windows\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F699B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{286B8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5E0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29415~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D40CC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{687E7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADFEC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E1B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{356A2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4D0F3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{29AF1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F5E09C8-615D-48a2-A457-C0FE3921AA67}.exe

Filesize
344KB

MD5
1a7b202fd1425a1a20c37c7e66da8672

SHA1
b5dbcbb538ca061554f5281abe680669fa2992d9

SHA256
3737f6d3f3c4665f1c436c8b61ce3696563a22124066bdfc885fa134ac5892e5

SHA512
396e3873628ebf7ca3df2ba8a526fc4a4d3ad698017901475e6521d0295ee9b6ff11e1154d8f93fe3ef12b8ac380c7f79759ef69b4e48fa5d3267e0220f8df9e

Download Submit
C:\Windows\{286B8F4D-C9BF-40a4-9D6A-ACC4061D73D3}.exe

Filesize
344KB

MD5
fb6d00b8bd9ca9856a33b51b0f7998cd

SHA1
c0ff59d37aebc7ce9abc534a14627442e8d6e924

SHA256
bc8dac1f7ab83580cef161598e359f1a6ff5111635f83263e298ddfbef6d5638

SHA512
cfe4508ee19939c2a9861e9a51fab960153abedf05268e6a4bd92f20cd67ce5b56badff389e0d5be0917a90e9892e1d62228ef08f564210df8a0e39002f75fdf

Download Submit
C:\Windows\{29415136-0A89-46a1-920C-6B1CA41300D5}.exe

Filesize
344KB

MD5
588f9515b1a16bb00a3d2fa340b93931

SHA1
41cb53780843f1b4449d5ea43eeee3a0cdcd4702

SHA256
bd7a6291df7e57aca22e72465ede55f810871b4e2f4b5623592ee39d6ecb656c

SHA512
8cdf705a11bce60e68374435818a3cb8f0cc05f16f6b8e224e0b8f3ddcf53ed4910542d3dee23e755c7cce276a1175445c34b9d479815c4b93d6a283d58dd654

Download Submit
C:\Windows\{29AF187E-C24D-4567-BD6F-FED3690B0BC9}.exe

Filesize
344KB

MD5
95f68d2f6000451fd70ed9917d998e30

SHA1
4337dcc18199997468abad2fbb65a1112e30c421

SHA256
601a8c2f0f9e45c4db94071f837614236865f5da34a0c5ae3d64462be49698aa

SHA512
94dfbde34978f704636667a64581dcdff7fd3740643e38512772f53388d9874a9a4872b59ed102f8fe4ce3912a9550e8039c7623ce9d0b8890c3e62549f1ddc0

Download Submit
C:\Windows\{356A2615-7591-4476-8E7A-D6DDE08F5264}.exe

Filesize
344KB

MD5
04fc57ea3857975e1aacdc58965d6373

SHA1
5df7db749a27e13de80a1bdf769506d671421595

SHA256
33339ff6ffcdf75eadebb39e1789d6420af88aa9dd68b7a00314fea666ceae31

SHA512
e381ca3dc4db60e270e1e6c1bd4d7650c1a7bb71bac7a057f3d779643a6969e1e5b6d1aac1bdf404323d0555c4083694012757c512cbf0626f508426356f1504

Download Submit
C:\Windows\{4D0F3968-8348-4f3a-B7B2-50C0329E7250}.exe

Filesize
344KB

MD5
551d6641ac29b2447ecf5bd43a8292e7

SHA1
f17b8dcd53431a2699c91dbc98cee8c5d9e71479

SHA256
5d5e8469670ce70aaaa5c0ea232df6e3bd74d462f241b74ded42dbb79d173749

SHA512
428e7071b6f52161dee03804a2fbe4d58c360e8e2deb3865c332b4474f41dcbfd8bf7d40f3786f58abc132fb37981a262460e41f141787b108547c0406073ada

Download Submit
C:\Windows\{687E726E-0D60-4e4a-B55A-007E74FF1F54}.exe

Filesize
344KB

MD5
fd4f8f79bfb07ad37ef20077d98fcdbd

SHA1
211d3c9ddab3f0b1e7d174db627b84465f0752cd

SHA256
46d6865ba50666214cda261bcd72ea58fc960eb34aa97a3c66a8da4e2e06315a

SHA512
f8c4d24cd8deda83a59279fc3d26858847d298c2ffbc0ec95c0ce4a71fa9067d6234146dc9d625c45b927d6279ff00102697d573d0637e984d7bdab1aec62a75

Download Submit
C:\Windows\{ADFEC2EC-1BD6-44bd-A872-6ABB2CB09272}.exe

Filesize
344KB

MD5
ccfa41e3671c0fde6288645f1cce1c00

SHA1
a1b613640e85e949fd46248ea5c0ac5f5d102b2c

SHA256
91e2ba66bd1780925c7275000e16c75924b23274eb2b1fc9cb364fb3a157470a

SHA512
e8104b22b565e2ec9a085a70585865631921f0a4240daf6395d89747902db461f15d921af810e969f13ce1d7ed3c10dc753af3247d1ecda09065992a13d0dec7

Download Submit
C:\Windows\{B159D980-B3DA-4711-8406-2DC8BACC4C5A}.exe

Filesize
344KB

MD5
0c372897acac048e985633cbdc3c4ecd

SHA1
fcc6d1aa4f75430db52c794614e93d47a6f0b738

SHA256
09aaa638e6b97ea106eafd75d75f4a852c10632063e799ee9763b667cf4770a6

SHA512
f8aff7800661eb26b42f123c761e66912b5ff15a86fa9a64685c31f15a442ffe7c88bc4a175a59e72c33d606a5e58e404719bd59bd60d97d4a4b19736df658a3

Download Submit
C:\Windows\{B2E1B076-B536-4fe0-B0BE-DA22B7755D81}.exe

Filesize
344KB

MD5
7d11352bfed1429280fc858271ce0104

SHA1
3386ea37389b0f99f7128ad8e868aa983c2a9e15

SHA256
86788bade24305d69b462f7fa4a13b31c18c19b87f84573b3b2cef675791bd46

SHA512
b24baf49d70e999bc1d78a452d49bf0898efca47a8ddcfcf45732dd19fa9cbe765ba67cf04afe961f31ab4e913f4b960d8b2fba42162ace39f909772f59ccccc

Download Submit
C:\Windows\{D40CCDF7-2AF8-4d1f-8D90-5854AD959E01}.exe

Filesize
344KB

MD5
1ae589761491d463b34b15a20a79bd25

SHA1
9e626144acb67c5d2672f85555cadf6ac932ca4f

SHA256
6c8cbed7e5d6eabcab26a5cba535a2ab71b94ea425b65c98722131f4153bd41e

SHA512
8f4877584f65df503372b4eca09916b6715693b7a05a378657e424903325ab43c616015c78f3a616c28d79c1d0a85c4e02507ec594c11eca9199c76f9dc4df28

Download Submit
C:\Windows\{F699BC4E-6346-4bb0-93B1-BEE48FF74261}.exe

Filesize
344KB

MD5
aceacfff5629aa1a1d3792526dca61cf

SHA1
226c33dc25918c9a0df704975d58c7d9d54c58e9

SHA256
7cb90b669c6f8be4227f8a2dd77b75a41769f34044f69f173f88db7dac5c66aa

SHA512
3163c73b44e2743ee1bdbd3762085da1eae51760bc30a3f54c04dc2eb07acffbf3d2d8512469794de874590e898348c23906103ddd8dcaef1fccd8969cb136a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads