870d6fd0d5e131d5de4ebe994cc4640bf45a8f0eb3a459ecdae4e23d2ff2abd1

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
Size

180KB
MD5

ac700a3a5cc2562081a61dea9474b9a0
SHA1

d18e846922169c64fda7818b63bcc5dec8f562c2
SHA256

870d6fd0d5e131d5de4ebe994cc4640bf45a8f0eb3a459ecdae4e23d2ff2abd1
SHA512

18b14da78da5b87f50e8d5097208b8f0280e8fce4d4004728397c71d2d88f41acfa5b002eec9720026a18bb1f709a99a4674405abd50cb8e966792747a813029
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}\stubpath = "C:\\Windows\\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe"	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F5E378-ADF6-4464-99F1-0B460F2254E4}	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18960EC7-6117-4fda-81D8-061B3217DCBA}	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE005283-58AB-43f1-80E3-43B477A66687}\stubpath = "C:\\Windows\\{AE005283-58AB-43f1-80E3-43B477A66687}.exe"	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA62E438-9BE2-4279-A329-433F06F73738}	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA62E438-9BE2-4279-A329-433F06F73738}\stubpath = "C:\\Windows\\{DA62E438-9BE2-4279-A329-433F06F73738}.exe"	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21F0E764-A459-4934-B170-239EB4D2A20D}	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}\stubpath = "C:\\Windows\\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe"	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C06408F-98EB-475e-A307-81B715BDBE53}\stubpath = "C:\\Windows\\{4C06408F-98EB-475e-A307-81B715BDBE53}.exe"	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21F0E764-A459-4934-B170-239EB4D2A20D}\stubpath = "C:\\Windows\\{21F0E764-A459-4934-B170-239EB4D2A20D}.exe"	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F5E378-ADF6-4464-99F1-0B460F2254E4}\stubpath = "C:\\Windows\\{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe"	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE005283-58AB-43f1-80E3-43B477A66687}	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}\stubpath = "C:\\Windows\\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe"	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}\stubpath = "C:\\Windows\\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe"	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18960EC7-6117-4fda-81D8-061B3217DCBA}\stubpath = "C:\\Windows\\{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe"	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}\stubpath = "C:\\Windows\\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe"	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C06408F-98EB-475e-A307-81B715BDBE53}	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}\stubpath = "C:\\Windows\\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe"	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
3808	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
3400	{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
File created	C:\Windows\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
File created	C:\Windows\{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
File created	C:\Windows\{AE005283-58AB-43f1-80E3-43B477A66687}.exe	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
File created	C:\Windows\{DA62E438-9BE2-4279-A329-433F06F73738}.exe	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
File created	C:\Windows\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
File created	C:\Windows\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
File created	C:\Windows\{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
File created	C:\Windows\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
File created	C:\Windows\{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
File created	C:\Windows\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
File created	C:\Windows\{21F0E764-A459-4934-B170-239EB4D2A20D}.exe	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
Token: SeIncBasePriorityPrivilege	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
Token: SeIncBasePriorityPrivilege	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
Token: SeIncBasePriorityPrivilege	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
Token: SeIncBasePriorityPrivilege	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe
Token: SeIncBasePriorityPrivilege	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe
Token: SeIncBasePriorityPrivilege	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
Token: SeIncBasePriorityPrivilege	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
Token: SeIncBasePriorityPrivilege	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
Token: SeIncBasePriorityPrivilege	3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
Token: SeIncBasePriorityPrivilege	3808	{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2516	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	87
PID 1444 wrote to memory of 2516	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	87
PID 1444 wrote to memory of 2516	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	87
PID 1444 wrote to memory of 2700	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	88
PID 1444 wrote to memory of 2700	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	88
PID 1444 wrote to memory of 2700	1444	2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe	88
PID 2516 wrote to memory of 1080	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	92
PID 2516 wrote to memory of 1080	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	92
PID 2516 wrote to memory of 1080	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	92
PID 2516 wrote to memory of 4520	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	93
PID 2516 wrote to memory of 4520	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	93
PID 2516 wrote to memory of 4520	2516	{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe	93
PID 1080 wrote to memory of 1240	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	96
PID 1080 wrote to memory of 1240	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	96
PID 1080 wrote to memory of 1240	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	96
PID 1080 wrote to memory of 636	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	97
PID 1080 wrote to memory of 636	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	97
PID 1080 wrote to memory of 636	1080	{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe	97
PID 1240 wrote to memory of 4504	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	98
PID 1240 wrote to memory of 4504	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	98
PID 1240 wrote to memory of 4504	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	98
PID 1240 wrote to memory of 1724	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	99
PID 1240 wrote to memory of 1724	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	99
PID 1240 wrote to memory of 1724	1240	{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe	99
PID 4504 wrote to memory of 2324	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	100
PID 4504 wrote to memory of 2324	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	100
PID 4504 wrote to memory of 2324	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	100
PID 4504 wrote to memory of 2008	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	101
PID 4504 wrote to memory of 2008	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	101
PID 4504 wrote to memory of 2008	4504	{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe	101
PID 2324 wrote to memory of 1704	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	102
PID 2324 wrote to memory of 1704	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	102
PID 2324 wrote to memory of 1704	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	102
PID 2324 wrote to memory of 4328	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	103
PID 2324 wrote to memory of 4328	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	103
PID 2324 wrote to memory of 4328	2324	{AE005283-58AB-43f1-80E3-43B477A66687}.exe	103
PID 1704 wrote to memory of 2956	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	104
PID 1704 wrote to memory of 2956	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	104
PID 1704 wrote to memory of 2956	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	104
PID 1704 wrote to memory of 4344	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	105
PID 1704 wrote to memory of 4344	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	105
PID 1704 wrote to memory of 4344	1704	{DA62E438-9BE2-4279-A329-433F06F73738}.exe	105
PID 2956 wrote to memory of 4032	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	106
PID 2956 wrote to memory of 4032	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	106
PID 2956 wrote to memory of 4032	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	106
PID 2956 wrote to memory of 4536	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	107
PID 2956 wrote to memory of 4536	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	107
PID 2956 wrote to memory of 4536	2956	{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe	107
PID 4032 wrote to memory of 3132	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	108
PID 4032 wrote to memory of 3132	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	108
PID 4032 wrote to memory of 3132	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	108
PID 4032 wrote to memory of 1716	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	109
PID 4032 wrote to memory of 1716	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	109
PID 4032 wrote to memory of 1716	4032	{4C06408F-98EB-475e-A307-81B715BDBE53}.exe	109
PID 3132 wrote to memory of 3556	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	110
PID 3132 wrote to memory of 3556	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	110
PID 3132 wrote to memory of 3556	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	110
PID 3132 wrote to memory of 3404	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	111
PID 3132 wrote to memory of 3404	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	111
PID 3132 wrote to memory of 3404	3132	{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe	111
PID 3556 wrote to memory of 3808	3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe	112
PID 3556 wrote to memory of 3808	3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe	112
PID 3556 wrote to memory of 3808	3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe	112
PID 3556 wrote to memory of 2704	3556	{21F0E764-A459-4934-B170-239EB4D2A20D}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_ac700a3a5cc2562081a61dea9474b9a0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
  C:\Windows\{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
    C:\Windows\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
      C:\Windows\{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
        
        C:\Windows\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\{AE005283-58AB-43f1-80E3-43B477A66687}.exe
        
        C:\Windows\{AE005283-58AB-43f1-80E3-43B477A66687}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{DA62E438-9BE2-4279-A329-433F06F73738}.exe
        
        C:\Windows\{DA62E438-9BE2-4279-A329-433F06F73738}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
        
        C:\Windows\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
        
        C:\Windows\{4C06408F-98EB-475e-A307-81B715BDBE53}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
        
        C:\Windows\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
        
        C:\Windows\{21F0E764-A459-4934-B170-239EB4D2A20D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
        
        C:\Windows\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe
        
        C:\Windows\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D576F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21F0E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{872E3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C064~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF58F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA62E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE005~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66C1C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18960~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8849D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22F5E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18960EC7-6117-4fda-81D8-061B3217DCBA}.exe

Filesize
180KB

MD5
3dae5f935d1315f3b151f0c1b401b516

SHA1
243eaaecb36c1cc1ec3a7c0886a0410a03184459

SHA256
6c4738336ae86067094ebec6753adcf592da1759c4fba1e7a886e58585bd9e33

SHA512
46edd36667b66ddbcae7bd836b660269724741e9d92dccabf6ffe3c76d6e6f9f3d6c4d1bc3318e7d06bfb43dc2aa66848051de2614eb2d32b844b68e2fb90e00

Download Submit
C:\Windows\{21F0E764-A459-4934-B170-239EB4D2A20D}.exe

Filesize
180KB

MD5
b88245eed5107d9e4116f176491004a4

SHA1
e728a92b2391b6a1a7e170b47ff79d6120c4b158

SHA256
465f72151ec6b80edc447ef55d8cdc38725a5b054df279027e22acd84cbc10fd

SHA512
9815e35ac16362a816c369f05b5dcf6b4648d888ec2c8f721a48ad1e0349eb316c6e323e7702f5b16289b8d643fdd560aafd830275f75013362545cb4ee3efbd

Download Submit
C:\Windows\{22F5E378-ADF6-4464-99F1-0B460F2254E4}.exe

Filesize
180KB

MD5
5876a18ed08e21627f24fc4e93be8fbd

SHA1
6f913b9f0ef9781dece5dd15acb91dd42beac0d7

SHA256
a163b92fac6e7ad15f6809e73329183364fbb0d8c6925f0cfdb019df128fa018

SHA512
dd3f5fd2080f689a53f91d7a7175d44601878a1c3cf7b4c5c3ea4d7c45dc4698e0bce5325e47303c94c67f111358545227dc45dcb4c84f41c12ad0a2a0a1f4dc

Download Submit
C:\Windows\{4C06408F-98EB-475e-A307-81B715BDBE53}.exe

Filesize
180KB

MD5
5c9e39ab81de44f9b1eaa8f43fd44d52

SHA1
8cc02c681ac9607523091bd0d56158f3f9260df0

SHA256
d5836743833fe0cc4c59d13b8e96822460256b16121103f6aca87cee7f326090

SHA512
1c73bc1154f481a3a6ff67a6bcc47b11c4cfc0ad7a9578df4c4afe625ffd47ab7cf00e62f848d53797cb7324b873431103b18f62d13b1fbcfd57431d66b80d2c

Download Submit
C:\Windows\{66C1C9BF-5D7B-4fab-BEA9-AAE8BA3C511A}.exe

Filesize
180KB

MD5
db5f61ab4163443a71a9d32b918a23a4

SHA1
3beb68ae830278996e5e95672680bd0f5f76804c

SHA256
249e6096fe007130afe27507ad3497978ebe2ed47a684bea3f0e31f4f7f77cd7

SHA512
8b50cd66b23432ebab1907f4a71ec05c032a1fbf54d55f6f8ec3663a4fb4fb317773eea7aa087125442d9e3eb03c1ac84cd1e6eef57603ea1505d125a62a1271

Download Submit
C:\Windows\{872E3E81-3557-4611-A9A2-7B1343DE6E6F}.exe

Filesize
180KB

MD5
5dd8aecc2deff273f7b2c57acc8627da

SHA1
3fcd9f4d8275813f36b95814bab74fbe461ae7cd

SHA256
677bd3a6d2f867b1c1b9a1c8c2a2e19cb4badd700506ed5ea6a7ce1a66f71cd4

SHA512
77e986c6207eceae39bf03022746757687a78685488ae577a5b400b23b31baa57c31e3460203e93fd023120a926d1eb29b58bdb5af20132936e3470607069b95

Download Submit
C:\Windows\{8849D9CD-E4D3-4afa-B924-4DD8AEFF627C}.exe

Filesize
180KB

MD5
a1f03428ee48b071a8ec3c91646a6933

SHA1
f38dc10e518c2103bef057ca2e9758f690f1346b

SHA256
619f707bd4b5972bdcc5fbeb0956be5f254c5820d02e670674cf2bef28de8d8c

SHA512
5d4d4278c94b288701c82e67efbf3ec8c4ca294237577b9cfedc73b4e7b86780c0bf6c0a8940fce29bcf17a8fbde4e825c7675fb1f8283668a49788054aab20a

Download Submit
C:\Windows\{AE005283-58AB-43f1-80E3-43B477A66687}.exe

Filesize
180KB

MD5
9ce8c54eb82e9126adc58b18bbe82e84

SHA1
d7d6f797d3f6298db0093b78f9ecd227247af7a5

SHA256
3bbe941cf6ec9170bb511e3843e6a705840982e6f067bbd8337959ee8b7ca3bc

SHA512
17395d703eb5fd4af452dfe6500211bb67d5bb4da86911c927f39142207a97eec1a0122b7711328cda805f941838a2c0a76ff3476fa7b0ad6ded0d605724b80d

Download Submit
C:\Windows\{B04D871C-908F-461c-A24C-0F5A0A3B7DAA}.exe

Filesize
180KB

MD5
0ced56278bff789c3adb4b3dd0cb0bba

SHA1
85b02fec54840bbfdc0397465e02123edc503b32

SHA256
a1508cc544b19b57bc5bea3584b9f5024a6bfbba2c3f74d4a81af63d194711cb

SHA512
17ccc3b4d7396b0b31d41905b2b3f6eb32436a73f7c679054fe4e73c9e0c3bf2f461c9448d0644ee6992dbf3b083e0574ce0e3082d1ac0568c5f02d64cd53b8e

Download Submit
C:\Windows\{D576FAF8-F631-4d5b-822F-D6E8CA94B358}.exe

Filesize
180KB

MD5
1094304d36ec361fa2f50b2c4f56dd1d

SHA1
92c7d736fb70fec84ef5556031be8446e10c2340

SHA256
e9819edddb530fd604655819a6890c0b30d078da681f03fd5e099851297cc367

SHA512
bcaea11ca2f3ffaf17710c912dc16a4b5f9c540b65a51ca45f07a1c0a1b57300ae10485dac600c11d02d3df0cd6ddba8e8e8ecbbdd414263c7be2022c1aefb31

Download Submit
C:\Windows\{DA62E438-9BE2-4279-A329-433F06F73738}.exe

Filesize
180KB

MD5
b1a6609c40e83d12ab911dde27c0a92e

SHA1
9a65fa2db81fc79f456ade41d1b50582cd697be4

SHA256
098f012fb1b78e662866cd5f5ff4b56e12c57eff76c246c08dc3e2b4e584b48f

SHA512
65e1b404bf8a432a9a98a546652cc8c64bc874adee4ebcdd0c1b30400bbc910449ddb9136b11977f96444fbc53b56069f8ebaefaa91651bd37b63dfd59368a54

Download Submit
C:\Windows\{EF58FF0F-8FE7-4778-AFB8-3CD7298FE5F4}.exe

Filesize
180KB

MD5
49d274bce348e882291a4d2b2aa1c489

SHA1
218d87149ef97086dfe7f0e92c2b3c7a6f01b683

SHA256
fe668defa92078ddf88bac7770f05bfa30206dfc088db2d426856227a512eb3f

SHA512
30dcb2f6ad6a48ce3830e2fabd175f8910270dc1501799cf3580c51f41c385fa03b1a078fc44a6f865fc488cada666b5fa45e31426b0f89b8acd82b653cea105

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads