b3d931f1f101f9e6e587e03a8ca85ee0df1578072f0cbe4b454894f3d678fdd6

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Size

344KB
MD5

1d0889fdec2627168a01900f77a7d641
SHA1

5f36c59d0c09849f4e41b850d5b048cfe03be67f
SHA256

b3d931f1f101f9e6e587e03a8ca85ee0df1578072f0cbe4b454894f3d678fdd6
SHA512

6311488f934b0a7bc77b6540d9405567dd7f3c2bce8ee13b7425b61a9b47abd4ee61e93e2eff2712d9affb3989eba9f0587c8215e6a25d1872e831d53dc57756
SSDEEP

3072:mEGh0o7lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG1lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}\stubpath = "C:\\Windows\\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe"	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}\stubpath = "C:\\Windows\\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe"	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}\stubpath = "C:\\Windows\\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe"	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}\stubpath = "C:\\Windows\\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe"	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665C871B-30C0-4620-BE16-54BA94261D74}\stubpath = "C:\\Windows\\{665C871B-30C0-4620-BE16-54BA94261D74}.exe"	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE876DD2-F2E8-4183-BDAE-6638C3648954}	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE876DD2-F2E8-4183-BDAE-6638C3648954}\stubpath = "C:\\Windows\\{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe"	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}\stubpath = "C:\\Windows\\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe"	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665C871B-30C0-4620-BE16-54BA94261D74}	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}\stubpath = "C:\\Windows\\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe"	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}\stubpath = "C:\\Windows\\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe"	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}\stubpath = "C:\\Windows\\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe"	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}\stubpath = "C:\\Windows\\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe"	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}\stubpath = "C:\\Windows\\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe"	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe

Executes dropped EXE 12 IoCs

pid	Process
388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
1976	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
2264	{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
File created	C:\Windows\{665C871B-30C0-4620-BE16-54BA94261D74}.exe	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
File created	C:\Windows\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
File created	C:\Windows\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
File created	C:\Windows\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
File created	C:\Windows\{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
File created	C:\Windows\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
File created	C:\Windows\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
File created	C:\Windows\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
File created	C:\Windows\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
File created	C:\Windows\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
File created	C:\Windows\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
Token: SeIncBasePriorityPrivilege	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
Token: SeIncBasePriorityPrivilege	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
Token: SeIncBasePriorityPrivilege	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
Token: SeIncBasePriorityPrivilege	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
Token: SeIncBasePriorityPrivilege	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
Token: SeIncBasePriorityPrivilege	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
Token: SeIncBasePriorityPrivilege	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
Token: SeIncBasePriorityPrivilege	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
Token: SeIncBasePriorityPrivilege	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
Token: SeIncBasePriorityPrivilege	5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe
Token: SeIncBasePriorityPrivilege	1976	{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 388	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	86
PID 3420 wrote to memory of 388	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	86
PID 3420 wrote to memory of 388	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	86
PID 3420 wrote to memory of 2928	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	87
PID 3420 wrote to memory of 2928	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	87
PID 3420 wrote to memory of 2928	3420	2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe	87
PID 388 wrote to memory of 2404	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	88
PID 388 wrote to memory of 2404	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	88
PID 388 wrote to memory of 2404	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	88
PID 388 wrote to memory of 4008	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	89
PID 388 wrote to memory of 4008	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	89
PID 388 wrote to memory of 4008	388	{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe	89
PID 2404 wrote to memory of 3908	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	94
PID 2404 wrote to memory of 3908	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	94
PID 2404 wrote to memory of 3908	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	94
PID 2404 wrote to memory of 3988	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	95
PID 2404 wrote to memory of 3988	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	95
PID 2404 wrote to memory of 3988	2404	{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe	95
PID 3908 wrote to memory of 4140	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	96
PID 3908 wrote to memory of 4140	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	96
PID 3908 wrote to memory of 4140	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	96
PID 3908 wrote to memory of 2636	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	97
PID 3908 wrote to memory of 2636	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	97
PID 3908 wrote to memory of 2636	3908	{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe	97
PID 4140 wrote to memory of 5092	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	99
PID 4140 wrote to memory of 5092	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	99
PID 4140 wrote to memory of 5092	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	99
PID 4140 wrote to memory of 1104	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	100
PID 4140 wrote to memory of 1104	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	100
PID 4140 wrote to memory of 1104	4140	{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe	100
PID 5092 wrote to memory of 1944	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	101
PID 5092 wrote to memory of 1944	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	101
PID 5092 wrote to memory of 1944	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	101
PID 5092 wrote to memory of 1964	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	102
PID 5092 wrote to memory of 1964	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	102
PID 5092 wrote to memory of 1964	5092	{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe	102
PID 1944 wrote to memory of 4388	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	103
PID 1944 wrote to memory of 4388	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	103
PID 1944 wrote to memory of 4388	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	103
PID 1944 wrote to memory of 2100	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	104
PID 1944 wrote to memory of 2100	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	104
PID 1944 wrote to memory of 2100	1944	{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe	104
PID 4388 wrote to memory of 2104	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	105
PID 4388 wrote to memory of 2104	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	105
PID 4388 wrote to memory of 2104	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	105
PID 4388 wrote to memory of 2624	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	106
PID 4388 wrote to memory of 2624	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	106
PID 4388 wrote to memory of 2624	4388	{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe	106
PID 2104 wrote to memory of 1940	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	107
PID 2104 wrote to memory of 1940	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	107
PID 2104 wrote to memory of 1940	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	107
PID 2104 wrote to memory of 3048	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	108
PID 2104 wrote to memory of 3048	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	108
PID 2104 wrote to memory of 3048	2104	{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe	108
PID 1940 wrote to memory of 5100	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	109
PID 1940 wrote to memory of 5100	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	109
PID 1940 wrote to memory of 5100	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	109
PID 1940 wrote to memory of 2840	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	110
PID 1940 wrote to memory of 2840	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	110
PID 1940 wrote to memory of 2840	1940	{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe	110
PID 5100 wrote to memory of 1976	5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe	111
PID 5100 wrote to memory of 1976	5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe	111
PID 5100 wrote to memory of 1976	5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe	111
PID 5100 wrote to memory of 3472	5100	{665C871B-30C0-4620-BE16-54BA94261D74}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_1d0889fdec2627168a01900f77a7d641_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
  C:\Windows\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
    C:\Windows\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
      C:\Windows\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
        
        C:\Windows\{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
        
        C:\Windows\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
        
        C:\Windows\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
        
        C:\Windows\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
        
        C:\Windows\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
        
        C:\Windows\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{665C871B-30C0-4620-BE16-54BA94261D74}.exe
        
        C:\Windows\{665C871B-30C0-4620-BE16-54BA94261D74}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
        
        C:\Windows\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe
        
        C:\Windows\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB9F9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{665C8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D4B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB48A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DFBE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6CDE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F97A1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE876~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96C0D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3002~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A4ACB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D4BFE6-8CBF-41cf-9C05-667384FFD50F}.exe

Filesize
344KB

MD5
e82bdc322f9fc3a4e941dfb5868f70a8

SHA1
33011f8f36538d69bc3f25737750bb5d21503d23

SHA256
600253ab9e3e75f884b2b00c8801f42aecbd71ee56710d9739d8cecf017205c1

SHA512
21affd0f984cd985dc7681cc2dd31fa61900ac55740218078b20d660578198b91a23cfe6215d9c7f3bbbbf2914fb00ac087f827ceb745973c910db730d9834d8

Download Submit
C:\Windows\{33C21100-BE19-495d-A7C6-6DDF3B10B6C5}.exe

Filesize
344KB

MD5
f2db4c933b4bef873105a5b6c91c82a3

SHA1
7ab9a5f108dbcb6f0558542d81a4793caa6f87fd

SHA256
44135327defbf6715505bc721001e83dd33dfd593929fcbf5224995da0aa50d1

SHA512
13c80d9816b7d30f602f7d74f7e4419b25db0a98934e9782f8ac88ff642390b34cb8096840b4837fbdce4a22d3694163702642fd2433cc5253992905ebdb29e4

Download Submit
C:\Windows\{4DFBE5F0-1FDD-4c29-BB6F-3DBF1D8C9C5E}.exe

Filesize
344KB

MD5
0bac16120063595cedfd96cd18b60cd0

SHA1
8a31c4d0141f4e731a461c350b4092502d41ae02

SHA256
d9dc472076fe02a8121b87fe3d055c3c6c0f12c7519699f9206ad7792f3cff66

SHA512
f803b5daf0983c101712e661de238648069c5885de388231e5291ea1f64e626f5b0b59553e2b003c2afe447896c93c6bd984eb0aecf63bcb3076718d7bef696f

Download Submit
C:\Windows\{665C871B-30C0-4620-BE16-54BA94261D74}.exe

Filesize
344KB

MD5
c8f39e7f50d990bd6801c7806898e6f5

SHA1
402ca0c02bfbc4d889cb4b43b6ead45dbab9f9c3

SHA256
1971f413c4a6f87ffe9650acb700b99ec72e255e259d399ec9fe872612f1f862

SHA512
5f89272bf7ad64ac5fdc297c7e1843326bad8f99197d8cca168e1d50e35d361d45fa91b1a78508fd37a100085b3dde70bf2293293e93a94fc90d75cd571204dd

Download Submit
C:\Windows\{96C0DE8E-BEF7-48c7-A6CE-335EADBD5CD4}.exe

Filesize
344KB

MD5
3605cf9a8a94c3494f8a87749f5c0a0a

SHA1
8489f4944a83a7d525e56c86db61949ef9a5423d

SHA256
f3c565ea4e7a0de136a42a86c34c14271d7020c419ce6429b4219bff1892f70d

SHA512
5a6343a501d67966102d4a2ba51307415c4de6679587dc463dc90b210dc4be259504aadc6870bab95c4f46b7580ed231b0d3b5b28df1d2b8bd0d914c2d10d840

Download Submit
C:\Windows\{A4ACBC37-37F1-4a48-8C7F-4001AEDA9081}.exe

Filesize
344KB

MD5
6861bcfcb5e788a7303c234ddeef7f89

SHA1
5d27d7d5543bde6d062dfaa2af22d6b6330ad99e

SHA256
6ee61d2298f55257c6336ab028de8d8d701007aa94bc1e1af16f6d2fa0a4dab9

SHA512
82cc9a655d895d2da72579706cd83c0705f54be4b6b972dfc48662c4d1f19be2df61c191067ef7a8cfa075ca17caef6eea14076123bf2b57439737b0375900a0

Download Submit
C:\Windows\{AB48A7CA-93AA-40a4-8F98-FD3BAEFD1DC8}.exe

Filesize
344KB

MD5
688f145434837fc45689a293c59c8e5c

SHA1
f561ff8263ea9398b28faf52a7dc18b7d4421be3

SHA256
474a68285eec7f8d2e2d8e8710ba9dc4c3e6b32f2e74e2936b5e22f7fde04617

SHA512
893497b234fe7d49dfd85c55ab3f49c52a26e04b3185760860cd506109b9f0d3c6171f1bff9f06ae56fa2a8dd1d23f2afb692ba1d3b50f94a27e7a41e4ae18cb

Download Submit
C:\Windows\{B3002C41-D35E-4f3c-A301-3D9D2108AEB6}.exe

Filesize
344KB

MD5
49ddf4b36d5a5cc7944d9cd443dc152b

SHA1
e1a972ff47b16b996b012f3e520d8849c457c344

SHA256
0141ecdd11be064f6a39121f4d16a33cc4461f8e305cd796be1cf3cfa3a9de1d

SHA512
50b2dae6e2e1344f1c32a41bc3eb3e91998fd90cb3004a1273bebca3629172b0eb06ee8b8477c214b8784ca6aab478a3a47202cb71b0427168843dd3bd994604

Download Submit
C:\Windows\{B6CDE8A2-B450-494d-870C-94FE24A89C3B}.exe

Filesize
344KB

MD5
1f2ae64305d8732e7955174edba2507b

SHA1
39300f40036f010c3a3ca9569bd6f145f86e46b7

SHA256
9deb6b654ac2b5b48d3282db2685cfbe0983623de5edf3928302258a4d662e93

SHA512
4bb788c4af447056f8d7a8453399c890ecd97c562ed183a0b8b821d283c39b9563799e0a74ae903495241331e0da33ba15372f69ec68a81bfeaeb2ca9ee38a74

Download Submit
C:\Windows\{BE876DD2-F2E8-4183-BDAE-6638C3648954}.exe

Filesize
344KB

MD5
8122e74d9e21d4da7d29612d681c7704

SHA1
8df2b7995cbcab84f92dd256702d4f0241ed888d

SHA256
4442916a781785dd0a72aa416dd76c489024ec504655d1d7d317f0abd2b5bc7b

SHA512
231ad74d6c3c8f35a9e199926aad6bfcdf33f10b7a78d3e70e68565de0452da1cc34a4a3001b57d23536c19609df5ef87076d4a8de050e384f4ebd7ba96a8b0f

Download Submit
C:\Windows\{DB9F98D4-FFE5-4fc5-B5E2-7D4AB8943CBB}.exe

Filesize
344KB

MD5
b809da79eb0bad28d60c7467373089b5

SHA1
82688c899c64d4d3aaedb92a35b3a44a2607268f

SHA256
2eb68fa216ac7f34c2e545ae020c22c12f3241b8f835469c99a0c9b108cf4110

SHA512
66e262641077606071afa29b4d5e629125a26c4b6d31fed242ad7b2c3f4dc53b8c07197377c1511c06f9b010fc884e029b7f24ceb5b6cdac6f89461bec7dd7fc

Download Submit
C:\Windows\{F97A1DD3-007C-4f44-BF9D-63E7BB3ACEEE}.exe

Filesize
344KB

MD5
b963c60ffb20da20c92ab047a78ff5f0

SHA1
c4b2b988ed553080317ac8c4c17ba3acdf074f8c

SHA256
660ea651bd7e9e558ed0a674e1732d6681308df7ea4d025fc920d5a0274745a9

SHA512
58b956885ff6c14ea2a5e2e4947a09214f3ec615de6578311e6fab90ba5c414fe71bd9505678df277657994791d953175ff19674b4885b8674c5f03704c1534b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads