522d4e6b498b8cd30f9b296a24452e294290984e1bf4c0c7b65049aa01379c22

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
Size

380KB
MD5

87bac5dd08a1f47d4e728bdf2054f2c7
SHA1

0a9fecad09865bed5dec342efdc9aaf6be17aee3
SHA256

522d4e6b498b8cd30f9b296a24452e294290984e1bf4c0c7b65049aa01379c22
SHA512

748142e483ff92aec8a0c4d82af0ea4ca83043ba179fbcbbb783b5af023417c5ad7a476921c9d13d510eae121ab9d359795ef51676ac36b77d96f43cc5199eed
SSDEEP

3072:mEGh0onlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGNl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{449CCA21-E993-4836-8674-0659F9665916}\stubpath = "C:\\Windows\\{449CCA21-E993-4836-8674-0659F9665916}.exe"	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32710123-3BF8-461a-903C-92FFFBECE12E}	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32710123-3BF8-461a-903C-92FFFBECE12E}\stubpath = "C:\\Windows\\{32710123-3BF8-461a-903C-92FFFBECE12E}.exe"	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}\stubpath = "C:\\Windows\\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe"	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DE3923-5923-422d-94BE-94D6AB78793B}\stubpath = "C:\\Windows\\{12DE3923-5923-422d-94BE-94D6AB78793B}.exe"	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{449CCA21-E993-4836-8674-0659F9665916}	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}\stubpath = "C:\\Windows\\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe"	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F32D2E-C9DD-4824-A165-D22B096F790A}\stubpath = "C:\\Windows\\{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe"	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A836EE5-A837-4268-AC58-DF948557BFF1}\stubpath = "C:\\Windows\\{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe"	{449CCA21-E993-4836-8674-0659F9665916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7156C611-4B9E-42c9-8212-A08E0B2191D9}	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7156C611-4B9E-42c9-8212-A08E0B2191D9}\stubpath = "C:\\Windows\\{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe"	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12DE3923-5923-422d-94BE-94D6AB78793B}	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A836EE5-A837-4268-AC58-DF948557BFF1}	{449CCA21-E993-4836-8674-0659F9665916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F32D2E-C9DD-4824-A165-D22B096F790A}	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}\stubpath = "C:\\Windows\\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe"	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}\stubpath = "C:\\Windows\\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe"	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26AD43D-B8E4-4a4a-B528-775520548AB9}	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F26AD43D-B8E4-4a4a-B528-775520548AB9}\stubpath = "C:\\Windows\\{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe"	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}\stubpath = "C:\\Windows\\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe"	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
1528	{449CCA21-E993-4836-8674-0659F9665916}.exe
3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
1116	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
4132	{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
File created	C:\Windows\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
File created	C:\Windows\{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
File created	C:\Windows\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
File created	C:\Windows\{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
File created	C:\Windows\{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	{449CCA21-E993-4836-8674-0659F9665916}.exe
File created	C:\Windows\{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
File created	C:\Windows\{449CCA21-E993-4836-8674-0659F9665916}.exe	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
File created	C:\Windows\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
File created	C:\Windows\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
File created	C:\Windows\{32710123-3BF8-461a-903C-92FFFBECE12E}.exe	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
File created	C:\Windows\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{449CCA21-E993-4836-8674-0659F9665916}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
Token: SeIncBasePriorityPrivilege	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
Token: SeIncBasePriorityPrivilege	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
Token: SeIncBasePriorityPrivilege	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
Token: SeIncBasePriorityPrivilege	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
Token: SeIncBasePriorityPrivilege	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe
Token: SeIncBasePriorityPrivilege	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
Token: SeIncBasePriorityPrivilege	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
Token: SeIncBasePriorityPrivilege	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
Token: SeIncBasePriorityPrivilege	5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
Token: SeIncBasePriorityPrivilege	1116	{32710123-3BF8-461a-903C-92FFFBECE12E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4668	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	82
PID 3032 wrote to memory of 4668	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	82
PID 3032 wrote to memory of 4668	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	82
PID 3032 wrote to memory of 4176	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	83
PID 3032 wrote to memory of 4176	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	83
PID 3032 wrote to memory of 4176	3032	2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe	83
PID 4668 wrote to memory of 1468	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	89
PID 4668 wrote to memory of 1468	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	89
PID 4668 wrote to memory of 1468	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	89
PID 4668 wrote to memory of 2596	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	90
PID 4668 wrote to memory of 2596	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	90
PID 4668 wrote to memory of 2596	4668	{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe	90
PID 1468 wrote to memory of 844	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	95
PID 1468 wrote to memory of 844	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	95
PID 1468 wrote to memory of 844	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	95
PID 1468 wrote to memory of 2136	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	96
PID 1468 wrote to memory of 2136	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	96
PID 1468 wrote to memory of 2136	1468	{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe	96
PID 844 wrote to memory of 1204	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	97
PID 844 wrote to memory of 1204	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	97
PID 844 wrote to memory of 1204	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	97
PID 844 wrote to memory of 4948	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	98
PID 844 wrote to memory of 4948	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	98
PID 844 wrote to memory of 4948	844	{12DE3923-5923-422d-94BE-94D6AB78793B}.exe	98
PID 1204 wrote to memory of 1840	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	99
PID 1204 wrote to memory of 1840	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	99
PID 1204 wrote to memory of 1840	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	99
PID 1204 wrote to memory of 3568	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	100
PID 1204 wrote to memory of 3568	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	100
PID 1204 wrote to memory of 3568	1204	{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe	100
PID 1840 wrote to memory of 1528	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	101
PID 1840 wrote to memory of 1528	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	101
PID 1840 wrote to memory of 1528	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	101
PID 1840 wrote to memory of 3776	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	102
PID 1840 wrote to memory of 3776	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	102
PID 1840 wrote to memory of 3776	1840	{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe	102
PID 1528 wrote to memory of 3744	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	103
PID 1528 wrote to memory of 3744	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	103
PID 1528 wrote to memory of 3744	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	103
PID 1528 wrote to memory of 2316	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	104
PID 1528 wrote to memory of 2316	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	104
PID 1528 wrote to memory of 2316	1528	{449CCA21-E993-4836-8674-0659F9665916}.exe	104
PID 3744 wrote to memory of 1940	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	105
PID 3744 wrote to memory of 1940	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	105
PID 3744 wrote to memory of 1940	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	105
PID 3744 wrote to memory of 536	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	106
PID 3744 wrote to memory of 536	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	106
PID 3744 wrote to memory of 536	3744	{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe	106
PID 1940 wrote to memory of 5080	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	107
PID 1940 wrote to memory of 5080	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	107
PID 1940 wrote to memory of 5080	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	107
PID 1940 wrote to memory of 3788	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	108
PID 1940 wrote to memory of 3788	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	108
PID 1940 wrote to memory of 3788	1940	{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe	108
PID 5080 wrote to memory of 5100	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	109
PID 5080 wrote to memory of 5100	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	109
PID 5080 wrote to memory of 5100	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	109
PID 5080 wrote to memory of 640	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	110
PID 5080 wrote to memory of 640	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	110
PID 5080 wrote to memory of 640	5080	{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe	110
PID 5100 wrote to memory of 1116	5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe	111
PID 5100 wrote to memory of 1116	5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe	111
PID 5100 wrote to memory of 1116	5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe	111
PID 5100 wrote to memory of 1288	5100	{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-04_87bac5dd08a1f47d4e728bdf2054f2c7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
  C:\Windows\{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
    C:\Windows\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
      C:\Windows\{12DE3923-5923-422d-94BE-94D6AB78793B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
        
        C:\Windows\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
        
        C:\Windows\{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{449CCA21-E993-4836-8674-0659F9665916}.exe
        
        C:\Windows\{449CCA21-E993-4836-8674-0659F9665916}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
        
        C:\Windows\{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
        
        C:\Windows\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
        
        C:\Windows\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
        
        C:\Windows\{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
        
        C:\Windows\{32710123-3BF8-461a-903C-92FFFBECE12E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe
        
        C:\Windows\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32710~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7156C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{465A1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA4FB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A836~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{449CC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74F32~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4692C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12DE3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B09E4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F26AD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12DE3923-5923-422d-94BE-94D6AB78793B}.exe

Filesize
380KB

MD5
c65fb9e4bb4732dd706010f2576debf8

SHA1
124e331a9d293c3763dd620f437f590bcb6c4ccf

SHA256
69f96618b6866265a582c515e1129fe2112e321d3d511a4c4f7ab854cf7653ec

SHA512
94d4303beb1794a5f61b652b9cb94e58b869099ab9815eb41f7ee01d9ec7aec22c2eaf3240cb3a5bd87475b2bbd74835f6a0ddae4df27c72d6c81c8913e053e1

Download Submit
C:\Windows\{25EE3D75-1B4C-44a9-8377-6475CC6EA574}.exe

Filesize
380KB

MD5
6e28ed5aed46b9dd7e6c7c6a96241b0c

SHA1
07ec34a795c709c114631f4402ecdb84a3728a09

SHA256
2f3e427e020d108397c2a9908633105ac280399ae8a080e80cf5e3e81d009e39

SHA512
6cdc68c8f6bf05d077da2823fcd1112bc438881e9fa969cfffba8eaab324b2cea1ef9c10ef67be84b9ad3aa9464298bca305ee3ded273a4cd3c2dbd2f01fe915

Download Submit
C:\Windows\{32710123-3BF8-461a-903C-92FFFBECE12E}.exe

Filesize
380KB

MD5
cf1986a6e7040e8f162ab2b2a26022ab

SHA1
f89458965a1a1aea8da57ecdbebe93855657dd4c

SHA256
da6ce28a262e06c81be6874c1b1fc595f48019aae4ccd5c4c90f481a3a2d6804

SHA512
d8e0d0ea02cb2ce250ae30025a3454c9fe035e502ec9091db94ab8fccea3bf90d8a618f164b2bdcc718d12ef91e52d31b3a07ce98278180f65d4d00fdf9ba542

Download Submit
C:\Windows\{449CCA21-E993-4836-8674-0659F9665916}.exe

Filesize
380KB

MD5
542be00b92bbe98800ffb9a018c3b213

SHA1
f2a37f6311f1db444728455f1f72bb3284d7ead3

SHA256
a384acf435a5cf4c7ac214ae0d380a9c248f8fb389838c89cc7b80b18530d69e

SHA512
486c666e493b7a88ca338be43c3d0b9d7f3e12197d01cbcdc673990e62b7eed9aae6e9d4ea35a54f69990289d5f1f8b32e5be431f9942fba2ea3a6e0802b7893

Download Submit
C:\Windows\{465A1EC3-DF41-4c7c-A7E7-DF84EC827186}.exe

Filesize
380KB

MD5
0c3f3f65d7c0a33dd0d9385e6398ecac

SHA1
884add16bfe90f98490ee135637d7e7b81b63a9b

SHA256
f7418f4dbf20a7d232751b0ddb3a755b51aa3c00b6e778d24891d2c8a062d150

SHA512
f9868cc2808a0f6e69d64afdaf7a44119409da5d07a9c314a3fbf62cc1fc245d139379c2c84f2fc33f04a12b07b9d23cf7bdb0f3fa2ad8595efea38751c6ade8

Download Submit
C:\Windows\{4692CDE9-4FE0-4b70-B816-C7678C0F033A}.exe

Filesize
380KB

MD5
c01b2e628c08618cd6d931a23a82b5b4

SHA1
0cc9f072c0792e97eec53a1b7ca3ad23a0bbe5ac

SHA256
a5412569dbe6084920eba302b9f6e54db4a04854bc474818deb2df5c79f6bec7

SHA512
983a6a65c43c480a065d2fe92a2c6a54b0495540e8113d4eec939d1489e4710c5ef65761148e4cf22bb9e0b2fe6b0674f97b01f1431d2d189296cd698d6ea54d

Download Submit
C:\Windows\{6A836EE5-A837-4268-AC58-DF948557BFF1}.exe

Filesize
380KB

MD5
691289f04024156c503744f816b205f0

SHA1
f722e132853f9a27c9946cbdf5f81f897de9e8cf

SHA256
9daa4e9e3c200314de8480fb6506a9020d00541264d8862f8bb18129be31b898

SHA512
f1d469c174f3b9bb702c3ed284631f0027d7ee246fd4b1886ca4db90fb0df9a7bfe7411271011b8d9cdfd1e226f3a1c70fb6901b212fc43f610037ce18862e75

Download Submit
C:\Windows\{7156C611-4B9E-42c9-8212-A08E0B2191D9}.exe

Filesize
380KB

MD5
b3f281459e1edb29b79754e9b8f43deb

SHA1
0aed0f2304be3cccc5f9c8957517dd4520f211a8

SHA256
9f88e114bedbd0d846344d23c68b9cff57b0edc67b41473e7afe6cfbd838bd0e

SHA512
743523cf5ef8bbecb1d24b6e2c6ed70eb7758d208e7ef64f779b644eb26bc49e259ae028399e39c760d175fb514530885c54e1e42b9cdca5f15003af2bac8742

Download Submit
C:\Windows\{74F32D2E-C9DD-4824-A165-D22B096F790A}.exe

Filesize
380KB

MD5
64f85dd73415800a5eccfe9130b09ac8

SHA1
0cf49b024e9d6957f80060e47d560a176304fd8d

SHA256
bb78d485ce7c374e3b4a3c9f3a863e5f13922236f67f67e3febf4d6f4ade84cc

SHA512
cad912176c63d1b3b105508a119ba77c5945f965f159c1f40be9ad8acd043eab133f590b283b846e42990f244dfe16b00a0d245c3fa760cd7d1399e9881014f2

Download Submit
C:\Windows\{B09E4400-AADC-4284-A24D-CD03C9D7ACE7}.exe

Filesize
380KB

MD5
90737c80322305be1db4d104016590cd

SHA1
67f00ecb89c8e2c396409f06b4ef13cf3ebb464f

SHA256
d223bee0ef50c165c1d616643b3719c2f607be9d211726cae68b9ea48504fddc

SHA512
20a444812f6de5bbd0babc28bccdbc90b85646c2f3093406b88c17a990fcbe9da604807e04bcd319aafeaee5483d436bf35ff2ef3147b00c1f8b40d1b2abd3ae

Download Submit
C:\Windows\{BA4FBA05-B11C-4c8f-8F9B-A3A272B8FB4D}.exe

Filesize
380KB

MD5
40a0f9efc72c5ccba151fae3b95b1463

SHA1
87ee14ffd0435df0471ca06383b54d657a6f61fd

SHA256
30a9d5e09eadacf009da2df3b31323ff3f59c551d8605822598728585f8509a0

SHA512
df7530025015079fdd4ae6407eead7be16c21c68c12996ac3663d9b4b0f0c67bde08948849595a654f5bec47613bf29c0c2fdb137119035fe02252bb3fe9b0d9

Download Submit
C:\Windows\{F26AD43D-B8E4-4a4a-B528-775520548AB9}.exe

Filesize
380KB

MD5
7064465b83afdf1789a0a3842f0d7adb

SHA1
4784823e7d0c08fd80a7bda4d18574b03de587ff

SHA256
b57d2d9c43340d563bb66e226b39598b644384d47d625ebc8f4149ec52cac7e5

SHA512
adb110567df071e58651ab7c90925d4968527c356503b47dc0a3ab04062649bba620ff3aff6df05c507b85d6e6d76346e8a1b8146a08247b649858847de6babc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads