4cc86034834d8a5135e9bb3db26101dd80995daa2d7905682ea5368f442605d7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
Size

372KB
MD5

39f47a0cdd0e0510196f4855cbd22ada
SHA1

2b3db4be9655783f5a22e8d1bcff37cf01adce52
SHA256

4cc86034834d8a5135e9bb3db26101dd80995daa2d7905682ea5368f442605d7
SHA512

108c28eac210c54dcd1f05f1a8063c2ea66faae97733a514e12ab197b3ba86ff20a04a9e018fc672f7acc8d75c70e7da9bc22b44918ca7f4d5b90eea3cb2561f
SSDEEP

3072:CEGh0onmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGkl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C3EA105-99E9-493b-B44F-35681881660D}\stubpath = "C:\\Windows\\{0C3EA105-99E9-493b-B44F-35681881660D}.exe"	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}\stubpath = "C:\\Windows\\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe"	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}\stubpath = "C:\\Windows\\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe"	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873E7B03-9F00-408f-9B22-901A0A850440}\stubpath = "C:\\Windows\\{873E7B03-9F00-408f-9B22-901A0A850440}.exe"	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}\stubpath = "C:\\Windows\\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe"	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}\stubpath = "C:\\Windows\\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe"	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}\stubpath = "C:\\Windows\\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe"	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06EDBA28-F518-4186-83CB-D2E644A0CC05}\stubpath = "C:\\Windows\\{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe"	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C3EA105-99E9-493b-B44F-35681881660D}	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCED105-5BD8-4f22-8847-7213EA181F15}\stubpath = "C:\\Windows\\{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe"	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3F613D-296A-4531-BAAF-CE73A3566E52}	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}\stubpath = "C:\\Windows\\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe"	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDCED105-5BD8-4f22-8847-7213EA181F15}	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06EDBA28-F518-4186-83CB-D2E644A0CC05}	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873E7B03-9F00-408f-9B22-901A0A850440}	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3F613D-296A-4531-BAAF-CE73A3566E52}\stubpath = "C:\\Windows\\{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe"	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9522D870-6ECC-40bf-9ECE-908C819C4F10}	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9522D870-6ECC-40bf-9ECE-908C819C4F10}\stubpath = "C:\\Windows\\{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe"	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe

Executes dropped EXE 12 IoCs

pid	Process
860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
1444	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
2412	{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{873E7B03-9F00-408f-9B22-901A0A850440}.exe	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
File created	C:\Windows\{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
File created	C:\Windows\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
File created	C:\Windows\{0C3EA105-99E9-493b-B44F-35681881660D}.exe	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
File created	C:\Windows\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
File created	C:\Windows\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
File created	C:\Windows\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
File created	C:\Windows\{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
File created	C:\Windows\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
File created	C:\Windows\{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
File created	C:\Windows\{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
File created	C:\Windows\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe
Token: SeIncBasePriorityPrivilege	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
Token: SeIncBasePriorityPrivilege	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
Token: SeIncBasePriorityPrivilege	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
Token: SeIncBasePriorityPrivilege	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
Token: SeIncBasePriorityPrivilege	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
Token: SeIncBasePriorityPrivilege	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
Token: SeIncBasePriorityPrivilege	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe
Token: SeIncBasePriorityPrivilege	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
Token: SeIncBasePriorityPrivilege	4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
Token: SeIncBasePriorityPrivilege	1444	{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 860	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	84
PID 3792 wrote to memory of 860	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	84
PID 3792 wrote to memory of 860	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	84
PID 3792 wrote to memory of 2556	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	85
PID 3792 wrote to memory of 2556	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	85
PID 3792 wrote to memory of 2556	3792	2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe	85
PID 860 wrote to memory of 4416	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	86
PID 860 wrote to memory of 4416	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	86
PID 860 wrote to memory of 4416	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	86
PID 860 wrote to memory of 4308	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	87
PID 860 wrote to memory of 4308	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	87
PID 860 wrote to memory of 4308	860	{0C3EA105-99E9-493b-B44F-35681881660D}.exe	87
PID 4416 wrote to memory of 3980	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	94
PID 4416 wrote to memory of 3980	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	94
PID 4416 wrote to memory of 3980	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	94
PID 4416 wrote to memory of 1376	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	95
PID 4416 wrote to memory of 1376	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	95
PID 4416 wrote to memory of 1376	4416	{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe	95
PID 3980 wrote to memory of 2632	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	98
PID 3980 wrote to memory of 2632	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	98
PID 3980 wrote to memory of 2632	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	98
PID 3980 wrote to memory of 3936	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	99
PID 3980 wrote to memory of 3936	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	99
PID 3980 wrote to memory of 3936	3980	{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe	99
PID 2632 wrote to memory of 2292	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	100
PID 2632 wrote to memory of 2292	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	100
PID 2632 wrote to memory of 2292	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	100
PID 2632 wrote to memory of 3248	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	101
PID 2632 wrote to memory of 3248	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	101
PID 2632 wrote to memory of 3248	2632	{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe	101
PID 2292 wrote to memory of 1632	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	102
PID 2292 wrote to memory of 1632	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	102
PID 2292 wrote to memory of 1632	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	102
PID 2292 wrote to memory of 3172	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	103
PID 2292 wrote to memory of 3172	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	103
PID 2292 wrote to memory of 3172	2292	{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe	103
PID 1632 wrote to memory of 4888	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	104
PID 1632 wrote to memory of 4888	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	104
PID 1632 wrote to memory of 4888	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	104
PID 1632 wrote to memory of 2232	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	105
PID 1632 wrote to memory of 2232	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	105
PID 1632 wrote to memory of 2232	1632	{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe	105
PID 4888 wrote to memory of 5088	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	106
PID 4888 wrote to memory of 5088	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	106
PID 4888 wrote to memory of 5088	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	106
PID 4888 wrote to memory of 32	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	107
PID 4888 wrote to memory of 32	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	107
PID 4888 wrote to memory of 32	4888	{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe	107
PID 5088 wrote to memory of 1324	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	108
PID 5088 wrote to memory of 1324	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	108
PID 5088 wrote to memory of 1324	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	108
PID 5088 wrote to memory of 2184	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	109
PID 5088 wrote to memory of 2184	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	109
PID 5088 wrote to memory of 2184	5088	{873E7B03-9F00-408f-9B22-901A0A850440}.exe	109
PID 1324 wrote to memory of 4400	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	110
PID 1324 wrote to memory of 4400	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	110
PID 1324 wrote to memory of 4400	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	110
PID 1324 wrote to memory of 4316	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	111
PID 1324 wrote to memory of 4316	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	111
PID 1324 wrote to memory of 4316	1324	{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe	111
PID 4400 wrote to memory of 1444	4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe	112
PID 4400 wrote to memory of 1444	4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe	112
PID 4400 wrote to memory of 1444	4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe	112
PID 4400 wrote to memory of 932	4400	{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_39f47a0cdd0e0510196f4855cbd22ada_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\{0C3EA105-99E9-493b-B44F-35681881660D}.exe
  C:\Windows\{0C3EA105-99E9-493b-B44F-35681881660D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
    C:\Windows\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
      C:\Windows\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
        
        C:\Windows\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
        
        C:\Windows\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
        
        C:\Windows\{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
        
        C:\Windows\{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{873E7B03-9F00-408f-9B22-901A0A850440}.exe
        
        C:\Windows\{873E7B03-9F00-408f-9B22-901A0A850440}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
        
        C:\Windows\{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
        
        C:\Windows\{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
        
        C:\Windows\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe
        
        C:\Windows\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E390C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9522D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3F6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873E7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06EDB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDCED~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3EA7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8C42~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27540~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AC3EE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0C3EA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06EDBA28-F518-4186-83CB-D2E644A0CC05}.exe

Filesize
372KB

MD5
23422c4dcfcacc884640f02badfe4570

SHA1
a855d1365093fc9abdae84380632a0ef3906c4be

SHA256
19bf1e6acfd0dff5f909ee6c16ac33977d3192fa00fe510228f298ae93f89526

SHA512
1d5183ffb60939be0c0eafc77e280779afbc6fd3d796806dda572e7e89bd936c8bf3a81f6708eeeb223510b5a0f4d826387fccd747ef7dd37640de203ef99c56

Download Submit
C:\Windows\{0C3EA105-99E9-493b-B44F-35681881660D}.exe

Filesize
372KB

MD5
b96ffd4313c87a94a5160b8be3de5e5f

SHA1
bb9120660a976950f4cb959f7e4a3b6eb7aef740

SHA256
8e995b392276f6b443ee15a0454e9f44a651cf7a77f26e2d8cae0ee4caef7a67

SHA512
47a3f4f7beaf82800e4e8db9706fee99b885216843c9cb059c5e05c658ceb153c99d3781a1813ce853b027c352cb94ab3b2d8bd984a6b071049c29d755e788d1

Download Submit
C:\Windows\{27540A0B-820E-47d0-9FCF-51CB2456DFC2}.exe

Filesize
372KB

MD5
e569af79a45c49964bfdfa67bfe9f1bc

SHA1
5a9663dbd7a9a646b05244c7eaafa2e31257e62f

SHA256
33753d96c43fec520065059f876f028d56b26cd18ce757100983f0f0d652510b

SHA512
6a74f7773ecdacda8da9b820727d0c8c4b26492a28f8bfeef69c18e0675f46b5906bf6bbc5a9fdce196a467fe005d2cb6064ef40baa5ead1ae3add1956a14d1e

Download Submit
C:\Windows\{2AABFA21-C996-472c-BF5D-4FFF42F68C9C}.exe

Filesize
372KB

MD5
c70cb97127fcb04d49dbbbf46fdd6889

SHA1
19030c6f9b86f9ad794ddd2ef0b9dc05a6189fdb

SHA256
967de675a74df023b57e2b9f62b18a9038af9e587514e3321a2c9707193ce35e

SHA512
e394bfe77aa065fcdeb8497bd2757a97b440f825de11ecaa9e8f9f679eac89922c64c681f11abbaff197e1e2eaa285215fb5934e147cab5557afe884d26bccd4

Download Submit
C:\Windows\{873E7B03-9F00-408f-9B22-901A0A850440}.exe

Filesize
372KB

MD5
cff07f55b82de9029d969ae8f1074f14

SHA1
f3f38e7a8319f1f2cb539bc8e727e689106cf203

SHA256
39bfa3ab539dcdd51b1e15a35dc37e1a0c4204ce8e39ba69288dfb5542f15897

SHA512
8a2c17b77714de1936d5ba05305e838e9f20e3c2ef8627aea7a8d197846951567416a0b2bd61d71baa97c46b66e1d9cf810a31914ee1a5cdf5030a76c2b8b498

Download Submit
C:\Windows\{9522D870-6ECC-40bf-9ECE-908C819C4F10}.exe

Filesize
372KB

MD5
5955731f9d3c9be51be672b9e7fd5a1f

SHA1
8c999b52b50a22a54ddaa8e0227678e240a9f9af

SHA256
0db623b5ab1cd976d9c3a2e733c7399175b12fd65c35f859c0033aeba7a64661

SHA512
d5db9594c5f676100023d2243a55f7cfbb92a07b32ae551f16d1665f7704d203e248ce47962943ed306742adba17fe84b91ddbdb8098d7528a581994d7f8ff8b

Download Submit
C:\Windows\{AB3F613D-296A-4531-BAAF-CE73A3566E52}.exe

Filesize
372KB

MD5
97b68bf5c32aa42c6e88ceb49441880a

SHA1
1a61739fa97538f0324854f5a772daae84bb4eff

SHA256
6a1ef0b141b46b1942836fa39396ca5d7a94c77b2f232a92d876b694a32dbcf6

SHA512
9a033f47c482d031fd8b2273816baf908169a03d5dbbfc46660536f24c11af609a6baff02ee3524dda494bd55795522e97dafa03385c1196179f247ff2d6cb56

Download Submit
C:\Windows\{AC3EE634-52A0-4fd5-B946-C33E9663F0DB}.exe

Filesize
372KB

MD5
3c46072d104c3b2be812da61742d0956

SHA1
b85d4c7fa1d6db77c9a25d14d842392197cfd6a5

SHA256
0aeb9058373c1fd681082ca554f0ddba6094954a993a6a74c467af4788a91bbb

SHA512
d41cf9c96efb9eeb405b8383533ccd0135dd157ddde5a1fd915125cdd18ac9dcb9efc4e84dff409af65ac42108e5b133947e7fe2087b9ba42bf7daa9ee71e446

Download Submit
C:\Windows\{BDCED105-5BD8-4f22-8847-7213EA181F15}.exe

Filesize
372KB

MD5
501a699fe2daac2a8ca153ec3a3d6e6f

SHA1
50892ea4e9c157db0751ff00a92189ae0e92b9bc

SHA256
f65cee0957f23441d6834ff2b46893e5474074b0099449bb6d48f21e0177251c

SHA512
2d91fcd782f05b7d9f5aceb3000ed366c2dda367bad55259dfca0db7bcc2a96f496d17847cb54cd555dc38b4682986d4e3af5458b29f9917920905330a0320e3

Download Submit
C:\Windows\{D8C42FE6-8C56-41f5-AC7F-0A14E2C0AF78}.exe

Filesize
372KB

MD5
7ba27b8d93c925625da078c832ac3fa0

SHA1
9eefb494595a04da4009e726e283dadc277e3ad7

SHA256
d23e5aa72d3590fab77a7e48d227f5f8d700ebe051317f36f86b91a975fc21e7

SHA512
9a5fe135d7c038b80a2b33114259953ebac1790d52987062e7bea0342cbaf90745cf0d747226c91ebdf10939873ff4b30a41beca7bf07c7a3ed60373f6dcd5c2

Download Submit
C:\Windows\{E390CDC6-FC15-4cc5-B313-2FA42725B4F6}.exe

Filesize
372KB

MD5
993df23aff35402d5e6a03de5db19cc7

SHA1
0f67aac8d3c23a2b10a08210022e7f4bcf503828

SHA256
24f41ec646e17f93cadfca4ae7113959d584fc491608ad11a7444cebd90fee53

SHA512
bec46ac402f50542c45139c93934c6f088ce30bb2d8d81197e081452fe8551ec0a9007d4995c8a451919d4b76e41b8d17260eda6bfe046322ad777f472efc3e8

Download Submit
C:\Windows\{F3EA7EE4-1A68-4fff-B1B6-13239A32C007}.exe

Filesize
372KB

MD5
03e364e7708d2490d4f447b22fde80e8

SHA1
898852475bc92aa9398e02d81a1469785e987183

SHA256
315699dbe4ade2de9106d42d27679547e7089e44647906bccf5f548d3d9efe37

SHA512
c2be53af7f0ca6c4e49e5e02d1a5c0d71f3ed7b06ffc818e225530c5a720003d1c5252e169ae32df635be0faf62eef021ef21a0f28e39d15a9c9ca693fffe9a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads