dd06b1a9f879865bea7a4f14174ee254e4e93c97d1e509145a0c720612f8353d

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 10:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Size

408KB
MD5

cf5f14ba85869ee7333cc6a7922cb1e8
SHA1

b1d273e656d4cb6e9badb33d075fe328734eaa18
SHA256

dd06b1a9f879865bea7a4f14174ee254e4e93c97d1e509145a0c720612f8353d
SHA512

36ad20960d81494faba5d17458f76a2a492bb8d7c7827fedbe0a2872803649eb5ae15d3c09ed7464400c1326c23e78bb46949a7a8387bccc7fb68f20c15722b4
SSDEEP

3072:CEGh0oBl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699E1E2B-5E22-49fe-9A09-E333D6215303}	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A372B824-029B-40f6-BBA8-09F434C174EB}	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}\stubpath = "C:\\Windows\\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe"	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B68E06-BD67-42eb-B970-7556AD6452B5}	{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A33EBB43-3A10-4152-909A-A3500D115EE1}	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5161669A-289A-443f-B3BD-303146C80415}	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}	{5161669A-289A-443f-B3BD-303146C80415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}\stubpath = "C:\\Windows\\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe"	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}\stubpath = "C:\\Windows\\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe"	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B68E06-BD67-42eb-B970-7556AD6452B5}\stubpath = "C:\\Windows\\{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe"	{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E165269-E924-4d88-9223-1FF466EDAA99}\stubpath = "C:\\Windows\\{1E165269-E924-4d88-9223-1FF466EDAA99}.exe"	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D94026-1CCF-4868-8AC9-E8AED82D855D}	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A372B824-029B-40f6-BBA8-09F434C174EB}\stubpath = "C:\\Windows\\{A372B824-029B-40f6-BBA8-09F434C174EB}.exe"	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5161669A-289A-443f-B3BD-303146C80415}\stubpath = "C:\\Windows\\{5161669A-289A-443f-B3BD-303146C80415}.exe"	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D94026-1CCF-4868-8AC9-E8AED82D855D}\stubpath = "C:\\Windows\\{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe"	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699E1E2B-5E22-49fe-9A09-E333D6215303}\stubpath = "C:\\Windows\\{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe"	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E165269-E924-4d88-9223-1FF466EDAA99}	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}\stubpath = "C:\\Windows\\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe"	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A33EBB43-3A10-4152-909A-A3500D115EE1}\stubpath = "C:\\Windows\\{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe"	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}\stubpath = "C:\\Windows\\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe"	{5161669A-289A-443f-B3BD-303146C80415}.exe

Executes dropped EXE 11 IoCs

pid	Process
4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
1928	{5161669A-289A-443f-B3BD-303146C80415}.exe
668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
3868	{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
3648	{1E165269-E924-4d88-9223-1FF466EDAA99}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
File created	C:\Windows\{5161669A-289A-443f-B3BD-303146C80415}.exe	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
File created	C:\Windows\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	{5161669A-289A-443f-B3BD-303146C80415}.exe
File created	C:\Windows\{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
File created	C:\Windows\{1E165269-E924-4d88-9223-1FF466EDAA99}.exe	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
File created	C:\Windows\{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
File created	C:\Windows\{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
File created	C:\Windows\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
File created	C:\Windows\{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
File created	C:\Windows\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
File created	C:\Windows\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5161669A-289A-443f-B3BD-303146C80415}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E165269-E924-4d88-9223-1FF466EDAA99}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
Token: SeIncBasePriorityPrivilege	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
Token: SeIncBasePriorityPrivilege	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
Token: SeIncBasePriorityPrivilege	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
Token: SeIncBasePriorityPrivilege	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe
Token: SeIncBasePriorityPrivilege	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
Token: SeIncBasePriorityPrivilege	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
Token: SeIncBasePriorityPrivilege	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
Token: SeIncBasePriorityPrivilege	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
Token: SeIncBasePriorityPrivilege	2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4696	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	87
PID 728 wrote to memory of 4696	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	87
PID 728 wrote to memory of 4696	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	87
PID 728 wrote to memory of 1232	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	88
PID 728 wrote to memory of 1232	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	88
PID 728 wrote to memory of 1232	728	2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe	88
PID 4696 wrote to memory of 4292	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	91
PID 4696 wrote to memory of 4292	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	91
PID 4696 wrote to memory of 4292	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	91
PID 4696 wrote to memory of 4692	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	92
PID 4696 wrote to memory of 4692	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	92
PID 4696 wrote to memory of 4692	4696	{A372B824-029B-40f6-BBA8-09F434C174EB}.exe	92
PID 4292 wrote to memory of 1936	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	95
PID 4292 wrote to memory of 1936	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	95
PID 4292 wrote to memory of 1936	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	95
PID 4292 wrote to memory of 3168	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	96
PID 4292 wrote to memory of 3168	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	96
PID 4292 wrote to memory of 3168	4292	{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe	96
PID 1936 wrote to memory of 1496	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	97
PID 1936 wrote to memory of 1496	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	97
PID 1936 wrote to memory of 1496	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	97
PID 1936 wrote to memory of 3472	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	98
PID 1936 wrote to memory of 3472	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	98
PID 1936 wrote to memory of 3472	1936	{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe	98
PID 1496 wrote to memory of 1928	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	99
PID 1496 wrote to memory of 1928	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	99
PID 1496 wrote to memory of 1928	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	99
PID 1496 wrote to memory of 4284	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	100
PID 1496 wrote to memory of 4284	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	100
PID 1496 wrote to memory of 4284	1496	{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe	100
PID 1928 wrote to memory of 668	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	101
PID 1928 wrote to memory of 668	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	101
PID 1928 wrote to memory of 668	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	101
PID 1928 wrote to memory of 1800	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	102
PID 1928 wrote to memory of 1800	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	102
PID 1928 wrote to memory of 1800	1928	{5161669A-289A-443f-B3BD-303146C80415}.exe	102
PID 668 wrote to memory of 4220	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	103
PID 668 wrote to memory of 4220	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	103
PID 668 wrote to memory of 4220	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	103
PID 668 wrote to memory of 1840	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	104
PID 668 wrote to memory of 1840	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	104
PID 668 wrote to memory of 1840	668	{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe	104
PID 4220 wrote to memory of 3968	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	105
PID 4220 wrote to memory of 3968	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	105
PID 4220 wrote to memory of 3968	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	105
PID 4220 wrote to memory of 4012	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	106
PID 4220 wrote to memory of 4012	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	106
PID 4220 wrote to memory of 4012	4220	{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe	106
PID 3968 wrote to memory of 3868	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	107
PID 3968 wrote to memory of 3868	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	107
PID 3968 wrote to memory of 3868	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	107
PID 3968 wrote to memory of 4340	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	108
PID 3968 wrote to memory of 4340	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	108
PID 3968 wrote to memory of 4340	3968	{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe	108
PID 4144 wrote to memory of 2060	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	111
PID 4144 wrote to memory of 2060	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	111
PID 4144 wrote to memory of 2060	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	111
PID 4144 wrote to memory of 4132	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	112
PID 4144 wrote to memory of 4132	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	112
PID 4144 wrote to memory of 4132	4144	{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe	112
PID 2060 wrote to memory of 3648	2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe	113
PID 2060 wrote to memory of 3648	2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe	113
PID 2060 wrote to memory of 3648	2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe	113
PID 2060 wrote to memory of 2576	2060	{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_cf5f14ba85869ee7333cc6a7922cb1e8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
  C:\Windows\{A372B824-029B-40f6-BBA8-09F434C174EB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
    C:\Windows\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
      C:\Windows\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
        
        C:\Windows\{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\{5161669A-289A-443f-B3BD-303146C80415}.exe
        
        C:\Windows\{5161669A-289A-443f-B3BD-303146C80415}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
        
        C:\Windows\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
        
        C:\Windows\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
        
        C:\Windows\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
        
        C:\Windows\{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
        
        C:\Windows\{38B68E06-BD67-42eb-B970-7556AD6452B5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
        
        C:\Windows\{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{1E165269-E924-4d88-9223-1FF466EDAA99}.exe
        
        C:\Windows\{1E165269-E924-4d88-9223-1FF466EDAA99}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699E1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38B68~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24D94~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AAAA~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8958~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3D32~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51616~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A33EB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74DC5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B02D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A372B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AAAABC6-7778-4c11-AF53-170BC10DF5E8}.exe

Filesize
408KB

MD5
57cc7697e7d21a4882ef4cd2e5ff3d58

SHA1
d991fe48da923013bb9045fc4cc801a80212eb5b

SHA256
b45fcc903a9eef1be446c25c1699fb2ad342dcdf7b9483a68362af2fd965d7e4

SHA512
857fc3c6aae3526573c6d2d4d0e2a842dae8088db75f390b4cd67bbc8d43ca39f358aaaeed29c98588a639f2f2b9cd869350b09790a12608446b4c1773b9eff5

Download Submit
C:\Windows\{1E165269-E924-4d88-9223-1FF466EDAA99}.exe

Filesize
408KB

MD5
df6bbe43e9a8a2c1418162898ed60aee

SHA1
4a95d2335917b5438c55956976a8cb17bbd1f6ac

SHA256
1770ced36aa6c03070db4bc0635e0b4e1688f5875afd434a97953e6acf6d9512

SHA512
1f54b8c19bf5bf9e876fe8ac183063be29ef729f125cb494a02be7580d5f72127518680ba680c66f1584c4e324351c059f168b203336a3c26f8f79514125890a

Download Submit
C:\Windows\{24D94026-1CCF-4868-8AC9-E8AED82D855D}.exe

Filesize
408KB

MD5
9087c3717bacdf841ea4f5e9090be2ae

SHA1
0578d6f93b5937fa667ab8140c96134957cbae50

SHA256
4dcc291cecf9966d9d49df56fef16b4bb6daa91699eb8cf34e43bb847f41ad98

SHA512
ab15073864981e29a1f5f49c1a78f39231920ac1e11adae52f1b6f175c970d83db1a5efb72d9598bed592ef3c2e5d1aee249e0a0f65ed5875693aefe52c763b4

Download Submit
C:\Windows\{4B02D795-C616-4e70-BD9E-F4AA23583DEE}.exe

Filesize
408KB

MD5
4c6546c43c7186c3cdd8ce986100d40d

SHA1
b4f57ecf37fa30a2c0a4fa8f91b977c563e23b5f

SHA256
59e2a31cfc567e783b64116414eaaf4d803767b077ecb5a9ca234c0eeb12fb2f

SHA512
6cc1db24530a1a948181e6367b4b4fccadde04fdc5344b636bb1b16818e151b54eb0ab899104979af47cf0db70af512f02f07ddf532d3808c37d8445400ff974

Download Submit
C:\Windows\{5161669A-289A-443f-B3BD-303146C80415}.exe

Filesize
408KB

MD5
66acccebf2c79284ed8b0e665bb5565f

SHA1
234b22961431f0e3f5403221856b99d53890f31f

SHA256
6af18d66ed6f28c1e9dd4e6157a12610e27f6d92eae3d181f74b12bf918ffc0d

SHA512
c0d0b6af8edf4a4739d18fc0f85d8e41f7b2ac9f8d9a021a1eaccd748ca26d986ceebfafc08ed480700526beb6f024af4eb0c11fcd03000b7d55be8aece6bac0

Download Submit
C:\Windows\{699E1E2B-5E22-49fe-9A09-E333D6215303}.exe

Filesize
408KB

MD5
8ddf390f67b55e373ad9f4c5550ddd05

SHA1
69246c46480b51fd130779385579539dcdbec85c

SHA256
9ad2bade2c003ff4ea6d408ab72295fb170c6bf20886ce74108efff6d911ead2

SHA512
a64a13a80977ccbaf5ca6aa7bfdb1f415ff1f73f0a1e455116e2c2ae2564db7acf63728b88239a9eb7137cf80bafc834faafbb00e3ecffaee75e3cb6b1da2c21

Download Submit
C:\Windows\{74DC5427-59FE-4f2f-8A0A-97593BCEE249}.exe

Filesize
408KB

MD5
e6b01468e38af9df2699ef111cb3d1b1

SHA1
fdc6611c307fdca62b49e374692a02b8c6e544b6

SHA256
66f8f950659a447760cab78eb7a5314b4013113ad64f4477a963c5e191f2cfe8

SHA512
131b35e9bd1934a46cdb145c6699f89e602aae17d554fac48e5b2415a3f6fc0199e704acb49587e398e26489c615e7d1a927d4ce4b8492861b93c252dc987e3d

Download Submit
C:\Windows\{A33EBB43-3A10-4152-909A-A3500D115EE1}.exe

Filesize
408KB

MD5
4a16d31e2074741110726e6d06efb134

SHA1
899ce53c338832c4967037f4f62d723757e7a9da

SHA256
73ea6f57eb08592ded071640075710c122aa5337aec48f463bdcf5e56f65fa31

SHA512
c102f2e42af42a5dd4d5c8eb528e77cdb98c8a5c6172370939752256cda31e1aad36eaf018569e1bdaaab4d6120336a52d7bc951434f99cf5ff167014ae0e597

Download Submit
C:\Windows\{A372B824-029B-40f6-BBA8-09F434C174EB}.exe

Filesize
408KB

MD5
d382f2e0aa529578f11a5fdd1be1d48d

SHA1
5c0ba6a17ff1c33ae60e78eb5744db52e2f392ef

SHA256
5ed1effca8bbfea3b55b44e13e21dfcb9620b65485b2823735c75d538561dee0

SHA512
129a839ca8b3236bff9deaa66c0a7706784d6a48abd2ceb018bc90a0d1f557d7c042c8dbcca080bb8a8a8bbda0e2a49af7d6a919ea1ca3bb087735470558a124

Download Submit
C:\Windows\{A895804A-210C-420b-BF08-D5AF9F6F5E8C}.exe

Filesize
408KB

MD5
8ec9c86b1333b08bfbdc4fa0f6af7f82

SHA1
a3fb2616afef0d04fff0e97d329986c14cdac28a

SHA256
5b042d3423f3ec76ef1c2abcc88e05cb1704c5a7f504a1f7cae9bb0bffcf1e2b

SHA512
1343740494a753e10652125fcab22843ae86b17cac6dfb50d76880ab9d09ff6270f197b9377bacfe03a43c064b2b93bff3f76a9e61848e37736408d43bf33b5c

Download Submit
C:\Windows\{E3D3233F-8388-4ec3-B62E-12DB29EF682F}.exe

Filesize
408KB

MD5
0950b4afaddbd2c06cbfefb3e9af422d

SHA1
a68da71b8d79cf96179f2b98d7b366f25772654a

SHA256
abfa2c0e12c12a04fbcd9449edcea5cb87dd9c774b8411f08d39fc5a414804e0

SHA512
743690657bae76904a723d8226f0e0101cb8a049f2753891a1018333c542f6164c79cfc6270ec5dc49f8e48ba35d0cbc72ffce9f441fd6be1b810824475cd88b

Download Submit
memory/3868-35-0x0000000003900000-0x00000000039DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads