602db61942f52039edaf00d9a65f0b45451a82120b3b2c61d198e58549fc7a83

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 07:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
Size

192KB
MD5

7ff66f983a0fe51c215403be9d9ec41b
SHA1

fdb05f8b349bdad6c8b5bcf442808fe6c4c4e3f4
SHA256

602db61942f52039edaf00d9a65f0b45451a82120b3b2c61d198e58549fc7a83
SHA512

749c9041bf4fa09e4145e85b15262f1b55757382d4e2d6d41b2a3aca538e2b1dd724dbe0f48a28f25c13e82c5662890066637ab515690c8d1d2359a7351d644f
SSDEEP

1536:1EGh0o/Ll15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ozl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}\stubpath = "C:\\Windows\\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe"	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108D03EB-7E28-43b0-810D-857525E96E2E}\stubpath = "C:\\Windows\\{108D03EB-7E28-43b0-810D-857525E96E2E}.exe"	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71C6A02B-985F-4a91-8DFE-0055C7185964}	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}\stubpath = "C:\\Windows\\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe"	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}\stubpath = "C:\\Windows\\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe"	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B92C266-795E-4157-948F-30CA34F6E79C}	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71C6A02B-985F-4a91-8DFE-0055C7185964}\stubpath = "C:\\Windows\\{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe"	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}\stubpath = "C:\\Windows\\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe"	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}\stubpath = "C:\\Windows\\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe"	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B92C266-795E-4157-948F-30CA34F6E79C}\stubpath = "C:\\Windows\\{4B92C266-795E-4157-948F-30CA34F6E79C}.exe"	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{108D03EB-7E28-43b0-810D-857525E96E2E}	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}\stubpath = "C:\\Windows\\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe"	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}\stubpath = "C:\\Windows\\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe"	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24B0D92-2045-4c9b-8B33-59F291A86A21}	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D24B0D92-2045-4c9b-8B33-59F291A86A21}\stubpath = "C:\\Windows\\{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe"	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}\stubpath = "C:\\Windows\\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe"	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
2608	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
4324	{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
File created	C:\Windows\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
File created	C:\Windows\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
File created	C:\Windows\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
File created	C:\Windows\{108D03EB-7E28-43b0-810D-857525E96E2E}.exe	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
File created	C:\Windows\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
File created	C:\Windows\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
File created	C:\Windows\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
File created	C:\Windows\{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
File created	C:\Windows\{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
File created	C:\Windows\{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
File created	C:\Windows\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
Token: SeIncBasePriorityPrivilege	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
Token: SeIncBasePriorityPrivilege	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
Token: SeIncBasePriorityPrivilege	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
Token: SeIncBasePriorityPrivilege	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
Token: SeIncBasePriorityPrivilege	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
Token: SeIncBasePriorityPrivilege	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
Token: SeIncBasePriorityPrivilege	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
Token: SeIncBasePriorityPrivilege	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
Token: SeIncBasePriorityPrivilege	2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
Token: SeIncBasePriorityPrivilege	2608	{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3844	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	89
PID 2536 wrote to memory of 3844	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	89
PID 2536 wrote to memory of 3844	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	89
PID 2536 wrote to memory of 4960	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	90
PID 2536 wrote to memory of 4960	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	90
PID 2536 wrote to memory of 4960	2536	2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe	90
PID 3844 wrote to memory of 1292	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	91
PID 3844 wrote to memory of 1292	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	91
PID 3844 wrote to memory of 1292	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	91
PID 3844 wrote to memory of 2508	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	92
PID 3844 wrote to memory of 2508	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	92
PID 3844 wrote to memory of 2508	3844	{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe	92
PID 1292 wrote to memory of 3412	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	95
PID 1292 wrote to memory of 3412	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	95
PID 1292 wrote to memory of 3412	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	95
PID 1292 wrote to memory of 376	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	96
PID 1292 wrote to memory of 376	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	96
PID 1292 wrote to memory of 376	1292	{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe	96
PID 3412 wrote to memory of 3964	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	97
PID 3412 wrote to memory of 3964	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	97
PID 3412 wrote to memory of 3964	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	97
PID 3412 wrote to memory of 4952	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	98
PID 3412 wrote to memory of 4952	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	98
PID 3412 wrote to memory of 4952	3412	{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe	98
PID 3964 wrote to memory of 1224	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	99
PID 3964 wrote to memory of 1224	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	99
PID 3964 wrote to memory of 1224	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	99
PID 3964 wrote to memory of 1472	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	100
PID 3964 wrote to memory of 1472	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	100
PID 3964 wrote to memory of 1472	3964	{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe	100
PID 1224 wrote to memory of 4556	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	101
PID 1224 wrote to memory of 4556	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	101
PID 1224 wrote to memory of 4556	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	101
PID 1224 wrote to memory of 2240	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	102
PID 1224 wrote to memory of 2240	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	102
PID 1224 wrote to memory of 2240	1224	{4B92C266-795E-4157-948F-30CA34F6E79C}.exe	102
PID 4556 wrote to memory of 4080	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	103
PID 4556 wrote to memory of 4080	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	103
PID 4556 wrote to memory of 4080	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	103
PID 4556 wrote to memory of 3776	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	104
PID 4556 wrote to memory of 3776	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	104
PID 4556 wrote to memory of 3776	4556	{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe	104
PID 4080 wrote to memory of 4452	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	105
PID 4080 wrote to memory of 4452	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	105
PID 4080 wrote to memory of 4452	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	105
PID 4080 wrote to memory of 1888	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	106
PID 4080 wrote to memory of 1888	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	106
PID 4080 wrote to memory of 1888	4080	{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe	106
PID 4452 wrote to memory of 924	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	107
PID 4452 wrote to memory of 924	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	107
PID 4452 wrote to memory of 924	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	107
PID 4452 wrote to memory of 1256	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	108
PID 4452 wrote to memory of 1256	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	108
PID 4452 wrote to memory of 1256	4452	{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe	108
PID 924 wrote to memory of 2692	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	109
PID 924 wrote to memory of 2692	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	109
PID 924 wrote to memory of 2692	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	109
PID 924 wrote to memory of 2596	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	110
PID 924 wrote to memory of 2596	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	110
PID 924 wrote to memory of 2596	924	{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe	110
PID 2692 wrote to memory of 2608	2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe	111
PID 2692 wrote to memory of 2608	2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe	111
PID 2692 wrote to memory of 2608	2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe	111
PID 2692 wrote to memory of 1032	2692	{108D03EB-7E28-43b0-810D-857525E96E2E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_7ff66f983a0fe51c215403be9d9ec41b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
  C:\Windows\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
    C:\Windows\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
      C:\Windows\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
        
        C:\Windows\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
        
        C:\Windows\{4B92C266-795E-4157-948F-30CA34F6E79C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
        
        C:\Windows\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
        
        C:\Windows\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
        
        C:\Windows\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
        
        C:\Windows\{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
        
        C:\Windows\{108D03EB-7E28-43b0-810D-857525E96E2E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
        
        C:\Windows\{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe
        
        C:\Windows\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71C6A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{108D0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D24B0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F157~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D20F1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C39CF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B92C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB790~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF5C1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21B8C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0B5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F15718A-B6AA-4147-B6DF-FE82AFB61AE1}.exe

Filesize
192KB

MD5
d99e06b908db05b942ba80437f8a8c34

SHA1
3f98d6bb91cdb9090ae18f13d205596be5572950

SHA256
4c961af5d7a0a571bb6bd1b6aefc0b25e8091595fdb8fc19959c4ddc0c43abbc

SHA512
c70225b040bf6c2f98ea8dd84758e0029ac4d0c71a91b220bec46161faee0a4cb00513e66828767860ae1b8378d18d8b5b9fc130d8915d1e637d62e916decf99

Download Submit
C:\Windows\{108D03EB-7E28-43b0-810D-857525E96E2E}.exe

Filesize
192KB

MD5
6663995a6cb509adc974d832ed05dbb5

SHA1
1505e9065b6612f55a8b8e1bf4db541580b3acf2

SHA256
88b81adef5868bfaf07707a65737524f400d3a7784f626bde301f8161bf7edcf

SHA512
3dac3dab6c7e93cbf384ba99fde08af61a428b562ab154d07ec5c6f174eb0a6174ffffedf7bf9a07a8372de6a351287f07abcfbfae7298bf245a1e176f941ac3

Download Submit
C:\Windows\{1A2D4076-1A49-49bb-8FD0-D8C681C7299B}.exe

Filesize
192KB

MD5
3996c0e0571c2d50311b62aed29168e8

SHA1
09ce01df253abb6dedb77ee9e39e7d9b32f2fd49

SHA256
797b39c4d048c280a1706e6059d219c22f84ebdf6aa1427c8b25caec01a60ddf

SHA512
a890b30ed22d7aadba27f38ac1c92bdf5ba6d9419a41749f5819ad64a6e8eb003824fcb7719fb3e31bfb63091d646d881dc0158db98ad4eada29c3657eec484a

Download Submit
C:\Windows\{21B8C4C2-EE51-4923-ACC1-4CE15F5A4DC5}.exe

Filesize
192KB

MD5
23e40cb7cc5a72bea77dd9e6d534d1ce

SHA1
0e5ce363745d28cd429b01b019b93ae498889d0c

SHA256
4cb322c331903a3239e0d6c0c6a2c20e94c9a75cbfcad9537fd44cb54990539e

SHA512
df286ce9856eeafb621ee23c1b5981c317e401d730b3242c620d12831e914123df0f23463db5a4c3d031de9ad8ec2d24ecaa42ba8ca2b38d7427696049890d8f

Download Submit
C:\Windows\{3C0B5C0C-AEB4-4b0c-B1A3-B6122844B39A}.exe

Filesize
192KB

MD5
4d5441df847161e9594f1d5ba9355476

SHA1
1a33b81c08764ea64767804ae6f37e5d3e091d39

SHA256
2f4e7b49250f944dd75347431d7dec69d6fe87bc0e41da8cf77d2d1bfa3a5187

SHA512
a0ba90ec95886403c4fe3ab39694375b4e6a73fd4cca373d16413219fc44b8ccdb0fc004b94ad426c9b86516cd96e6c398962e3db4bae26a48c456974135aeba

Download Submit
C:\Windows\{4B92C266-795E-4157-948F-30CA34F6E79C}.exe

Filesize
192KB

MD5
f2ef46a0387eac2ec30a9430310d5356

SHA1
47d52695f6451dd5da1df6b98f9b331441c11e70

SHA256
5fa94fe10ad152e5d937bd0b8008a0568f9616ab7e32e0afcaaa08de4b887e8b

SHA512
e33d10033eb7b59a7d1d87e49f8dee3e42010bbe5930298a94f2f83b84b45477f7a0afee2be5013a113292e85ef4a78e9588180f56e264b0a5093fd09175864e

Download Submit
C:\Windows\{71C6A02B-985F-4a91-8DFE-0055C7185964}.exe

Filesize
192KB

MD5
f456c85f3fcccd69dd7663f549ae81bf

SHA1
901ca57a17d1f50905852a0b81d8055521163d5a

SHA256
90b58f9bf1067a6f7e9d9abf85f80f51eaa783c3d2ebc45e77f1526c7c427e20

SHA512
8c9cba6da6606f21134214dcd8fcaee18916907e7e9ad81d09ca7056c21ee2c8cfa7cb42a85286c0a37cd1b31b38c3229531490bafa7cd33c82a997ed2718dc8

Download Submit
C:\Windows\{BB790C41-8BD5-44ee-A750-135A2DB5FC46}.exe

Filesize
192KB

MD5
a3b2d74e2c4d2bebea7b9f7072f582bb

SHA1
66af26d766572b24b4787c5ab7312a1250d14a19

SHA256
887d040c3dc07aa62468da101aeef68f180c0da5da8b5a20412fd650cfdc88dd

SHA512
209cc7c8c0e4f06eae6d97dd1dd7ea6c957deb0aad9dd95aa2ae4b4b32d6d59a5f3fd836875187dc795258485119070e38a89749b503dae1c3c5e2c269157139

Download Submit
C:\Windows\{C39CFB98-0A78-46a4-AE3B-A2BF0700E39C}.exe

Filesize
192KB

MD5
23df256c62942b2568cf02d4cf59fbe7

SHA1
08d0cdb3a4ccb319a689fb9c4f8f3a66a9c0063d

SHA256
96e2cf3518c7d020e241db724b3d2cd25e0e4e29207e32320621dc9afea8fc4d

SHA512
d74c3be732eb88b9eb3a8cfeaade5fe440740fceeb7367cd34945ba7c83667bf420a61f7a2725d8e4a109e75d358e7a1282311f4354f3b397e5444eeaf0eb66f

Download Submit
C:\Windows\{CF5C16EA-08BB-4f7d-BB2A-9C4ED8A60BB5}.exe

Filesize
192KB

MD5
5616c3b00499e8e450a5a4ee651ddac8

SHA1
778eb39df4866b5cbd69821fca5d1ed50d758f07

SHA256
cee4c3f28b46d75dbe0cbdfb92460b59adb99a26df1c6805729d47e37746a7fe

SHA512
e1a8c2545c0155a7125f0a9e891bf4b192c6b9f5548da983dfb160a2965d06de023c27fdb0b81f7aeb84661a3e9a3ebc56161d499aede5ebcd622404c9e6f6a3

Download Submit
C:\Windows\{D20F15EE-CCD7-4303-9D27-6CF23E6961C6}.exe

Filesize
192KB

MD5
40feb904b7836e1fa3bb4e945a87415d

SHA1
8dd09ff573eb06bdce2d82afff19ed0f07e56ab0

SHA256
f71d3581cbbf54dcde17d89b644c2d06e0878e5a1d79dc6a7b233f4f9c5b3853

SHA512
c467a1e5a6316d1bb009b9164f95b3ac5b462a6ebb727943dd0f488114a1fb1ab7490ed0fb5b3c5654fe979e38b90128fd60ba24767fb24926e34e42f11b63cf

Download Submit
C:\Windows\{D24B0D92-2045-4c9b-8B33-59F291A86A21}.exe

Filesize
192KB

MD5
abccf5a82ee59474f75b5ac4edd6a8f3

SHA1
ee17ba07ed17af67c2c3a5022d1b8b5d1e46ce01

SHA256
48b6cd1b5cde2688e2ddfcc2296e14dc197fd4b3305acb3ec3eb25123579e111

SHA512
2b97e4b409708907d05dc34347691e0cb693483cbf3551cee6c0ae7e03869841e83cb2de80954ad7ebeaf58ac8ddd300df6d6bacba85b5827824814da03e6112

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads