2d680038b4818f4fbcee04167d9957ba75580e138b0f598d918a2311db0bc08e

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Size

372KB
MD5

3ffab5f973f165980ae605dbbdea6808
SHA1

d4f64fd733444410af331a00a7caa39a1d8fbb07
SHA256

2d680038b4818f4fbcee04167d9957ba75580e138b0f598d918a2311db0bc08e
SHA512

927c61075c17c16d94852859d4c32dc8d184e05b1ccbafd5794ee73080855e260022cbd809b59d925537e9adeeac77dad22770755788cb4370a0facb50e0198d
SSDEEP

3072:CEGh0oMlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB65F36A-8347-4329-8157-36EC751B6D61}\stubpath = "C:\\Windows\\{EB65F36A-8347-4329-8157-36EC751B6D61}.exe"	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241AD8D3-3784-4883-B171-D75473C6A87D}\stubpath = "C:\\Windows\\{241AD8D3-3784-4883-B171-D75473C6A87D}.exe"	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7719BEDD-917F-4d6f-96B5-E703C954B595}	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}\stubpath = "C:\\Windows\\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe"	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCD4756E-20F8-4779-BDE3-0014767ED638}\stubpath = "C:\\Windows\\{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe"	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}\stubpath = "C:\\Windows\\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe"	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}\stubpath = "C:\\Windows\\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe"	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}\stubpath = "C:\\Windows\\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe"	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}\stubpath = "C:\\Windows\\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe"	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCD4756E-20F8-4779-BDE3-0014767ED638}	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7719BEDD-917F-4d6f-96B5-E703C954B595}\stubpath = "C:\\Windows\\{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe"	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0B1646-B1F9-483e-810C-3F7755F1E629}	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB65F36A-8347-4329-8157-36EC751B6D61}	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}\stubpath = "C:\\Windows\\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe"	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241AD8D3-3784-4883-B171-D75473C6A87D}	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}\stubpath = "C:\\Windows\\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe"	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0B1646-B1F9-483e-810C-3F7755F1E629}\stubpath = "C:\\Windows\\{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe"	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe

Executes dropped EXE 12 IoCs

pid	Process
3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
3324	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
3264	{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
File created	C:\Windows\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
File created	C:\Windows\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
File created	C:\Windows\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
File created	C:\Windows\{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
File created	C:\Windows\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
File created	C:\Windows\{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
File created	C:\Windows\{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
File created	C:\Windows\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
File created	C:\Windows\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
File created	C:\Windows\{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
File created	C:\Windows\{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
Token: SeIncBasePriorityPrivilege	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
Token: SeIncBasePriorityPrivilege	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
Token: SeIncBasePriorityPrivilege	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
Token: SeIncBasePriorityPrivilege	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
Token: SeIncBasePriorityPrivilege	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
Token: SeIncBasePriorityPrivilege	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
Token: SeIncBasePriorityPrivilege	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
Token: SeIncBasePriorityPrivilege	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
Token: SeIncBasePriorityPrivilege	1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
Token: SeIncBasePriorityPrivilege	3324	{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3696	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	86
PID 1720 wrote to memory of 3696	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	86
PID 1720 wrote to memory of 3696	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	86
PID 1720 wrote to memory of 3932	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	87
PID 1720 wrote to memory of 3932	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	87
PID 1720 wrote to memory of 3932	1720	2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe	87
PID 3696 wrote to memory of 1164	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	88
PID 3696 wrote to memory of 1164	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	88
PID 3696 wrote to memory of 1164	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	88
PID 3696 wrote to memory of 4788	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	89
PID 3696 wrote to memory of 4788	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	89
PID 3696 wrote to memory of 4788	3696	{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe	89
PID 1164 wrote to memory of 2864	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	95
PID 1164 wrote to memory of 2864	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	95
PID 1164 wrote to memory of 2864	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	95
PID 1164 wrote to memory of 3032	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	96
PID 1164 wrote to memory of 3032	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	96
PID 1164 wrote to memory of 3032	1164	{EB65F36A-8347-4329-8157-36EC751B6D61}.exe	96
PID 2864 wrote to memory of 2624	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	97
PID 2864 wrote to memory of 2624	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	97
PID 2864 wrote to memory of 2624	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	97
PID 2864 wrote to memory of 4680	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	98
PID 2864 wrote to memory of 4680	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	98
PID 2864 wrote to memory of 4680	2864	{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe	98
PID 2624 wrote to memory of 512	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	100
PID 2624 wrote to memory of 512	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	100
PID 2624 wrote to memory of 512	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	100
PID 2624 wrote to memory of 2724	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	101
PID 2624 wrote to memory of 2724	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	101
PID 2624 wrote to memory of 2724	2624	{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe	101
PID 512 wrote to memory of 2800	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	102
PID 512 wrote to memory of 2800	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	102
PID 512 wrote to memory of 2800	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	102
PID 512 wrote to memory of 3632	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	103
PID 512 wrote to memory of 3632	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	103
PID 512 wrote to memory of 3632	512	{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe	103
PID 2800 wrote to memory of 4012	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	104
PID 2800 wrote to memory of 4012	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	104
PID 2800 wrote to memory of 4012	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	104
PID 2800 wrote to memory of 904	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	105
PID 2800 wrote to memory of 904	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	105
PID 2800 wrote to memory of 904	2800	{241AD8D3-3784-4883-B171-D75473C6A87D}.exe	105
PID 4012 wrote to memory of 2740	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	106
PID 4012 wrote to memory of 2740	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	106
PID 4012 wrote to memory of 2740	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	106
PID 4012 wrote to memory of 2260	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	107
PID 4012 wrote to memory of 2260	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	107
PID 4012 wrote to memory of 2260	4012	{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe	107
PID 2740 wrote to memory of 3556	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	108
PID 2740 wrote to memory of 3556	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	108
PID 2740 wrote to memory of 3556	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	108
PID 2740 wrote to memory of 1836	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	109
PID 2740 wrote to memory of 1836	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	109
PID 2740 wrote to memory of 1836	2740	{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe	109
PID 3556 wrote to memory of 1192	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	110
PID 3556 wrote to memory of 1192	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	110
PID 3556 wrote to memory of 1192	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	110
PID 3556 wrote to memory of 1564	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	111
PID 3556 wrote to memory of 1564	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	111
PID 3556 wrote to memory of 1564	3556	{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe	111
PID 1192 wrote to memory of 3324	1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe	112
PID 1192 wrote to memory of 3324	1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe	112
PID 1192 wrote to memory of 3324	1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe	112
PID 1192 wrote to memory of 664	1192	{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_3ffab5f973f165980ae605dbbdea6808_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
  C:\Windows\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
    C:\Windows\{EB65F36A-8347-4329-8157-36EC751B6D61}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
      C:\Windows\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
        
        C:\Windows\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
        
        C:\Windows\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
        
        C:\Windows\{241AD8D3-3784-4883-B171-D75473C6A87D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
        
        C:\Windows\{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
        
        C:\Windows\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
        
        C:\Windows\{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
        
        C:\Windows\{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
        
        C:\Windows\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe
        
        C:\Windows\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAE8B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E0B1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7719B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E007~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCD47~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{241AD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6439~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD2B3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC42~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB65F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBC9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EBC9E0E-F948-455d-B61E-F4669A399EE5}.exe

Filesize
372KB

MD5
1206700ef197259c82cb8abb5c520828

SHA1
0f811f6a1194a44371d236eec594f335cabf3b23

SHA256
efffd3fa92033a511b4d56165210757ec1fd462e3bfbba400db642fb11cabbb6

SHA512
0409e24a2beb638ead46a05b68389cd76b9766d529dd32d1b27f195860f511da4c52c1f07431b1a79db973dc1f62c8626b5136c6bf3858b846013bd53f48acaa

Download Submit
C:\Windows\{189A6889-1AF4-4c62-AAFE-7C1CD59BA7B4}.exe

Filesize
372KB

MD5
2d88119f9949660b3900e9f4f6caff30

SHA1
172ffc1a61ab4e274b540d13948e1453879d23fe

SHA256
0fb4e41ff9e7ccfff85ec18176c96c96c6f8a6326cf172d8da30b29a109509e9

SHA512
2213754dee4a7021137e0b9149b5d8f6b6ade11c718fbc69daad1c76d0b23c7e131dcea14bf2c605217ef8f75a79273912d46b0bf4abd531032a7e43080d6d4c

Download Submit
C:\Windows\{241AD8D3-3784-4883-B171-D75473C6A87D}.exe

Filesize
372KB

MD5
f750a47680da40f4b6c3603959a151fd

SHA1
4d47075b38d4de078c723f26bad6b8903ed70b75

SHA256
27e48beac7c275848c27559a089e3188696eac41cf777c113fd05e5486081822

SHA512
666801ab629eed9966ae3718bdc942768b7a2809b55f464f24d9a52703f6dccad13b0f7a830592a6cb8b8078065592d463014ca2c111b9bfb8e46fc267ddf8e2

Download Submit
C:\Windows\{4EC42797-CCEB-49a0-95C3-7FFB24E1B777}.exe

Filesize
372KB

MD5
f0f36abf188170173cead37dafd345cb

SHA1
08c6d8992c6192767470876a76b747ae89b5da17

SHA256
c435593f967a21cc7b4b83b598436ce310ccdad4903f4a39ce3831777232d839

SHA512
9a1a7d07dbfbff1a940c359cbdbd6e5846e50a0dfb672bbcecfa03ea138ece94620ea413c65d18f9c3010b07625d3dd8c5e6192a21069a60fd1fa9a1e7ae28cc

Download Submit
C:\Windows\{5E0B1646-B1F9-483e-810C-3F7755F1E629}.exe

Filesize
372KB

MD5
0a1c63c1e3c21855ba92b4dca3e5284c

SHA1
8246492bbd3f4e11d5ed091998436f6d0a3db3e3

SHA256
67f3eeac66d1af8b59f7218abe5f00cd96cde954c7ef4e3d7da9c11f9ecd1aeb

SHA512
7ba2e8acc26a64b0cadfbfee7846e343bd717a1a2f8d7ee1629db18d0f68047191bfe7d8b77f66c9078959e4c4dde4f5ea3b3021f2d4caf7445dd667b1f81153

Download Submit
C:\Windows\{6E0076EC-F438-43e5-B40F-86566EC0C2E3}.exe

Filesize
372KB

MD5
68f409224429a41f50b8b2b0894f8d1a

SHA1
4697bcb6ec41dfc06e8ab62aaa0f9f7426c685b9

SHA256
5743dfb507a37bc55516e95f735141bb827454b30828d1189946f3b2a9914097

SHA512
d9f5f96e16e2a9ab06493ad5ebf665db2b311df827532a4d8f59423e7d73e1976711932f064d7044487de6129ca0e0d7b2ab2b04675bddb572b26348c26c98cc

Download Submit
C:\Windows\{7719BEDD-917F-4d6f-96B5-E703C954B595}.exe

Filesize
372KB

MD5
6858f0f63689eb2d231c9abbdb092b89

SHA1
db56f7ce97f21ef213f7647dde14922125c02d96

SHA256
5f98a79b777622dbd7ec8fb6e6c268afab7ab8a81b1c4bc75822a28803796b3c

SHA512
2203b4eb32250ec7e55f0699807e673d1ff6363bb4a39a4f11f32bd11a18e96e23d71126fa66fc553bde994b25d826ef686fc83364cc84909940bc468b76f6d9

Download Submit
C:\Windows\{BAE8BC5B-0803-4d9c-B37C-FE43C77CC60F}.exe

Filesize
372KB

MD5
ceeaa18806b680cb291d6b9267983c88

SHA1
21d1ac0ec63721ea624f7456da324efb526db5e3

SHA256
5dbeecacc5e7a1c2c0b9485ec2a5928325d0cf6f45f09ed538133f16a5a35c5c

SHA512
cbc4760ae7813f312de2303c9aee9797b58b4e8528c10a159ccb997918370441f84489dc4f43a0709387cd6766f510f4c306d52d3e6ab68d6de8158a9d2e7908

Download Submit
C:\Windows\{BCD4756E-20F8-4779-BDE3-0014767ED638}.exe

Filesize
372KB

MD5
41dba5011b60a8f26696273e3e2416c9

SHA1
eb45affdf81af26549d00825c6d91b2664f0bdb4

SHA256
a2978b8dd1bacb7306bab46af369b146843694eeeeef04d317d1d6b0373e06d6

SHA512
e32f1013fd73247832bae82c3bd7ec00125b25238c784b4d281df5477ce3586bbd28756d588530ea49107178eb644b35e6e01c19b3649a1dccfca6da9eaa88da

Download Submit
C:\Windows\{D64392B1-F048-4415-A8C7-4FF1B32A41EF}.exe

Filesize
372KB

MD5
4c18385046c69b27a1706ee32916286b

SHA1
334bf1a61ad4aa49b8daca38ebd44c369542a230

SHA256
1be188f4c85ece74d3ea9bbd707c14e2844963666b1bbb41a3a3ca3fc608db5f

SHA512
4aa3b10772305dcfea0072ef2e7dcfe0e573fdbc26cc845e04b482479056d92d2920224623f31c3517b17fb05cba46d4c120beba1bce8c7383af893771c86e1e

Download Submit
C:\Windows\{EB65F36A-8347-4329-8157-36EC751B6D61}.exe

Filesize
372KB

MD5
55e550baaaf0a176935b9250ca1d9727

SHA1
4902b2cea3888968567bd81fc3f260e3d0438274

SHA256
f7415df51a0232f4565a5bb3f609465cf4ff4526ad66aaf69a532b2211d6604c

SHA512
f20bb1b242ced71ae08a5187ace5474f903351aaba4ac252b6da48ba870c3a91092bd2af610d523d387467f37e018f51ed704b393d8fafe861696c5ecee18ea4

Download Submit
C:\Windows\{FD2B37F3-6284-4b87-BE3F-E50A14E4DB6A}.exe

Filesize
372KB

MD5
a707b16fd50935d1521769a5ebe2ad56

SHA1
0dc3b6b6fc52dbe05e6f24b62388bbceea0f9022

SHA256
3ba0c6f9366932ac7c10d5f83803545efc647d916a3d5b49fb0d72df96609de3

SHA512
245e06029e9d658aa3f3fdc18b53421be3d23a16cdca67009f1858dabddf6522fb15648d29b4025c73b33b4962128e9f7dc24b61e36bac83e4cb72b5f608fe96

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads