1f3017ebc849abe639130cf9d65c3ffd8bc52575face57e0047337f39e0ddfc0

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Size

344KB
MD5

978ab126b431bb83919a3bff477b9433
SHA1

ed385f772ab23bede85e42c8206b378913ba7e89
SHA256

1f3017ebc849abe639130cf9d65c3ffd8bc52575face57e0047337f39e0ddfc0
SHA512

cb6121643e2245a6df7be0c15897a3f91850525f7cd1d0bf7c2b07d6dfed94f38d6c9ce4acf7d12f88fedc4daa4998d22a7fc351da403c5eab91e8e900172830
SSDEEP

3072:mEGh0ohlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGblqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}\stubpath = "C:\\Windows\\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe"	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}\stubpath = "C:\\Windows\\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe"	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA76CBF7-8632-4169-A545-4631988ABAF0}	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}\stubpath = "C:\\Windows\\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe"	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}\stubpath = "C:\\Windows\\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe"	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}\stubpath = "C:\\Windows\\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe"	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA76CBF7-8632-4169-A545-4631988ABAF0}\stubpath = "C:\\Windows\\{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe"	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}\stubpath = "C:\\Windows\\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe"	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}\stubpath = "C:\\Windows\\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe"	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8238357D-5C47-4be8-BF32-354A335752EA}	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}\stubpath = "C:\\Windows\\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe"	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}\stubpath = "C:\\Windows\\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe"	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8238357D-5C47-4be8-BF32-354A335752EA}\stubpath = "C:\\Windows\\{8238357D-5C47-4be8-BF32-354A335752EA}.exe"	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}\stubpath = "C:\\Windows\\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe"	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
972	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
3120	{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
File created	C:\Windows\{8238357D-5C47-4be8-BF32-354A335752EA}.exe	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
File created	C:\Windows\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
File created	C:\Windows\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
File created	C:\Windows\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
File created	C:\Windows\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
File created	C:\Windows\{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
File created	C:\Windows\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
File created	C:\Windows\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
File created	C:\Windows\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
File created	C:\Windows\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
File created	C:\Windows\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
Token: SeIncBasePriorityPrivilege	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
Token: SeIncBasePriorityPrivilege	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
Token: SeIncBasePriorityPrivilege	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
Token: SeIncBasePriorityPrivilege	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
Token: SeIncBasePriorityPrivilege	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
Token: SeIncBasePriorityPrivilege	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
Token: SeIncBasePriorityPrivilege	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe
Token: SeIncBasePriorityPrivilege	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
Token: SeIncBasePriorityPrivilege	628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
Token: SeIncBasePriorityPrivilege	972	{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1428	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	86
PID 3292 wrote to memory of 1428	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	86
PID 3292 wrote to memory of 1428	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	86
PID 3292 wrote to memory of 2800	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	87
PID 3292 wrote to memory of 2800	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	87
PID 3292 wrote to memory of 2800	3292	2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe	87
PID 1428 wrote to memory of 1216	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	88
PID 1428 wrote to memory of 1216	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	88
PID 1428 wrote to memory of 1216	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	88
PID 1428 wrote to memory of 4496	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	89
PID 1428 wrote to memory of 4496	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	89
PID 1428 wrote to memory of 4496	1428	{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe	89
PID 1216 wrote to memory of 3680	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	93
PID 1216 wrote to memory of 3680	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	93
PID 1216 wrote to memory of 3680	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	93
PID 1216 wrote to memory of 1512	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	94
PID 1216 wrote to memory of 1512	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	94
PID 1216 wrote to memory of 1512	1216	{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe	94
PID 3680 wrote to memory of 2480	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	95
PID 3680 wrote to memory of 2480	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	95
PID 3680 wrote to memory of 2480	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	95
PID 3680 wrote to memory of 4080	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	96
PID 3680 wrote to memory of 4080	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	96
PID 3680 wrote to memory of 4080	3680	{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe	96
PID 2480 wrote to memory of 2904	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	97
PID 2480 wrote to memory of 2904	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	97
PID 2480 wrote to memory of 2904	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	97
PID 2480 wrote to memory of 116	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	98
PID 2480 wrote to memory of 116	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	98
PID 2480 wrote to memory of 116	2480	{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe	98
PID 2904 wrote to memory of 4688	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	99
PID 2904 wrote to memory of 4688	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	99
PID 2904 wrote to memory of 4688	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	99
PID 2904 wrote to memory of 4024	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	100
PID 2904 wrote to memory of 4024	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	100
PID 2904 wrote to memory of 4024	2904	{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe	100
PID 4688 wrote to memory of 1832	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	101
PID 4688 wrote to memory of 1832	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	101
PID 4688 wrote to memory of 1832	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	101
PID 4688 wrote to memory of 1212	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	102
PID 4688 wrote to memory of 1212	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	102
PID 4688 wrote to memory of 1212	4688	{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe	102
PID 1832 wrote to memory of 5084	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	103
PID 1832 wrote to memory of 5084	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	103
PID 1832 wrote to memory of 5084	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	103
PID 1832 wrote to memory of 5072	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	104
PID 1832 wrote to memory of 5072	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	104
PID 1832 wrote to memory of 5072	1832	{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe	104
PID 5084 wrote to memory of 4772	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	105
PID 5084 wrote to memory of 4772	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	105
PID 5084 wrote to memory of 4772	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	105
PID 5084 wrote to memory of 3488	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	106
PID 5084 wrote to memory of 3488	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	106
PID 5084 wrote to memory of 3488	5084	{8238357D-5C47-4be8-BF32-354A335752EA}.exe	106
PID 4772 wrote to memory of 628	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	107
PID 4772 wrote to memory of 628	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	107
PID 4772 wrote to memory of 628	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	107
PID 4772 wrote to memory of 3112	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	108
PID 4772 wrote to memory of 3112	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	108
PID 4772 wrote to memory of 3112	4772	{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe	108
PID 628 wrote to memory of 972	628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe	109
PID 628 wrote to memory of 972	628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe	109
PID 628 wrote to memory of 972	628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe	109
PID 628 wrote to memory of 4880	628	{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_978ab126b431bb83919a3bff477b9433_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
  C:\Windows\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
    C:\Windows\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
      C:\Windows\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
        
        C:\Windows\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
        
        C:\Windows\{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
        
        C:\Windows\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
        
        C:\Windows\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{8238357D-5C47-4be8-BF32-354A335752EA}.exe
        
        C:\Windows\{8238357D-5C47-4be8-BF32-354A335752EA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
        
        C:\Windows\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
        
        C:\Windows\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
        
        C:\Windows\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe
        
        C:\Windows\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA4FC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA57~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD17~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82383~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15DBB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB379~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA76C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89E56~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F452F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{102DF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE4AA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{102DF3AC-96D6-41aa-9EF3-9A6B9FA87EA5}.exe

Filesize
344KB

MD5
7a37f5d6aa6801b36ed73aa89bd4c8ef

SHA1
a105eda09bc20541897fb3fed65de5db98ba8020

SHA256
c2e5e4af43eac3f90dfd103ef1bdc570ed548eec3942dfd1134e6306a4e375b3

SHA512
f6ebefcd9c5dddc8fc3c5d8d8b2e7d085da597c5bd97e21a8e55aca3b15cfb9ab137fbc1a0757e143e943870f0f73cf274f5c74604fb5abecb792cbccabead13

Download Submit
C:\Windows\{15DBBA29-8FF6-42fd-97CA-58AFE0038C12}.exe

Filesize
344KB

MD5
488422fcd05e004861b02c6475f2ff46

SHA1
9c4003df76e3c4fa029b5b92f1d7a48eee0cf11a

SHA256
851fd5cd9ef03f7696c2a2fc5f6df587bed62bcb912c2df4426d94917d45e41d

SHA512
55f8ce38c7ce51875d6c518aafb198097cf96ce45712c2458a0603d22e2def755c27b1944ee956d47d42fae8e82f460d24a1259a831f0d85d383f3d5d5078707

Download Submit
C:\Windows\{1AA57206-06D8-4a29-BFA3-AF3C577EAC5F}.exe

Filesize
344KB

MD5
cf0aa22e942814149511d9e2c33646fc

SHA1
0e2a37de42e0cb0dccaa11a536cbfcdb1a449d6b

SHA256
9abe8b4c4db6f08d2b3af16a3d824a0e06fe7d4d14066f6786f70b02e4b42383

SHA512
792f00f841f06d02a75ec672bf37bb53a46aef785c61f8bf3accd06b4c4c047311e7bb531362d1021f4a84377132a98afc0740ae7254a80b73ceea35339dd723

Download Submit
C:\Windows\{3CD175B5-1CB4-479b-9C4A-B5496EE1066C}.exe

Filesize
344KB

MD5
3bd000b61fe99400a6d63e4e2e80fb58

SHA1
6cfd79787af088edaddf0b9233ff5ea28e4d2fc0

SHA256
cd090e58e86c48a704faca35e9ec19fd3733458fcb3eb57ecd023236ff3f8b5e

SHA512
f0f0ee30a2c254cb63271b08d6cb04175d09b70d46d2f23ca7155c1665fdad545debd43ea2c8c87f6d547ce7f3803a6aa378ca8ee7be4f2c58473a6b1912b48d

Download Submit
C:\Windows\{8238357D-5C47-4be8-BF32-354A335752EA}.exe

Filesize
344KB

MD5
13faefad8974d9e34cf79ec62826cb60

SHA1
0e1977e982a7bb9db6abf354a543ae8fbb6fa0a2

SHA256
e232a2336b400b6fdcefedba45163b07fbdcfd85f531df8ce266f492b7d1ff47

SHA512
76071a649f7fbedc5f075649be8a338a56bb4ef615065552fd946497de15a15830d23bd83acbce07f9df9ce7a65ac31e1a5556db89a00b3b73ae9fe934a8a208

Download Submit
C:\Windows\{89E564A6-72FA-41e4-B4F7-50AABE48F46D}.exe

Filesize
344KB

MD5
75b8e3261359ff4a930b17a698740539

SHA1
2530bd568b7f25b745edc91f64f706df662c732c

SHA256
5944be7d6cfad974bf16fd9cc122f144beed9f0999a5737c6926b5a7fba7cf33

SHA512
c541897f5075a671fa1edf1f35332cde95eacdb5c94416ab5145ff1c164bd79c25d6c3278e29b394f21c9d2f83354ca60ba2458558e88c9a5d3556e5219c3a76

Download Submit
C:\Windows\{AA76CBF7-8632-4169-A545-4631988ABAF0}.exe

Filesize
344KB

MD5
f889a5e19b8afe982b655a292e4922d5

SHA1
bca58284d65fdc78c0c0c9a316c6cb126f47a786

SHA256
4186ffd608731ddf58a3d9c6c7bf09159cf9f9b0eb877e3b825479dff4a0ed0c

SHA512
4f802cd085b5fd2e95e64cb46bd9b49fe9aee6d465c2a1598ce258f490a5577435f10884ae1496ad4bb2492f5c6e711170ee08ecf09492008a89df9b97966ab5

Download Submit
C:\Windows\{AB3797B0-C137-4143-85B1-63A4DBA3EA22}.exe

Filesize
344KB

MD5
3b9fa7fd8e6c0bcb875681e1c544dfb1

SHA1
d753cb8a030515317a53b2badb29c22d5277f0d3

SHA256
1cfefe5a222c62673348813c80eede3811a4752b8e78983f91e94cff65a27f10

SHA512
6ebbc868f9e5dc3252b66c2bd7d5b5dc0c4a51f0b50180434ca5bbdc482bb2de205facc01eb431611d5df81eb036035f68e1d2bd44bd7dd98b62ff4a6db83da1

Download Submit
C:\Windows\{CE4AAE50-0569-418d-8067-6C9C357FE1C7}.exe

Filesize
344KB

MD5
12491ff226f54d780b9e42a8f20a14a1

SHA1
f28e2ec5801b7c56faccb0224eacc8480ab0855a

SHA256
ad52ff666707a3558743af1fd0f017c5b17063803cf2dba2939bdcffe3669a4f

SHA512
5178611cd02f0cb2512771845ee8c6c5cd1abaf716d8ce89601133c08cb0bf80f740d14f09ce9f7fad84b61222b8103f19f8dfa8bfe3c7b8efdeb59d5f065982

Download Submit
C:\Windows\{F01C05A4-9405-4ff1-81B8-AA617DEF5EB6}.exe

Filesize
344KB

MD5
c8697dbf6aa1abdbd617d172ad876a5b

SHA1
f6acfd39744dc53517b127e8fc65af1788cd4253

SHA256
6682def01c13fae98ab4fa12c186590cea12c4ff7a51c5521c3a9ce2e9aa31a6

SHA512
0d0f5918c6ddb55f094421176f8a71e012016279c88155f7f0879d35ca14340ffc99c185698cd3911009c6a54743367155f4a1f169f1e9f98b09b3f626bc9689

Download Submit
C:\Windows\{F452F9E0-66C4-4bf4-B79C-D6E390B44A94}.exe

Filesize
344KB

MD5
1a2f7257c11180113ef97f7f408b1e47

SHA1
9588bb281cec2902d9cd0052227c922672e2d856

SHA256
6386550a5d980db830fdf943d27b3900ac86be7f82f5553f4ffa27bdb7cf84b3

SHA512
f43eeb5d428cd38310db5743bc2ff05fb61651c7e2f0ddebb8d4cd5294d865ddadb15654234b790fb321538489a45971fa67964b51f74a680cb9d04e20b51702

Download Submit
C:\Windows\{FA4FCEE9-09D5-4410-89B8-ED259453D46E}.exe

Filesize
344KB

MD5
bf827965ceba428b2486057e209fcca4

SHA1
1845115ba799863ef065f3965094dcfbcd228a02

SHA256
b8feacf668c457fde660473d66d29b0b93f94d31a4831aec4a350dcfcedca50a

SHA512
c17b3a520933c4ac6833051ab34d7b36246c65638af6ed9d00e00028197d8f98413060f485a9514583b357177dd8f41ae79b087b97482ad22195d81c7a18bdb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads