de2a00b71bacb015bc38112a3988987fbda6fe9da3053898d75b0d3d9375733e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
Size

408KB
MD5

3eead2881c1f747f622951ab207e3d6c
SHA1

a59f7b499a2c52bc944bc1c640b79c5910ab598c
SHA256

de2a00b71bacb015bc38112a3988987fbda6fe9da3053898d75b0d3d9375733e
SHA512

8e9f12d8a704ec08ef52d69e93697e7333a06114b6d38419937a74f83cd0e9803c89232d8376482b152521a657d5745916804ad30bd6c5cb2561b4a678a7ad8e
SSDEEP

3072:CEGh0o5l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGHldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}\stubpath = "C:\\Windows\\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe"	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5E246C-6B0D-4d44-90FC-A2981025159D}	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9834912-2CBC-4f05-B931-F608FD8C7895}\stubpath = "C:\\Windows\\{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe"	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}\stubpath = "C:\\Windows\\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe"	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}\stubpath = "C:\\Windows\\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe"	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1A681A-281B-4046-AB0D-0F49CE35C118}	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1A681A-281B-4046-AB0D-0F49CE35C118}\stubpath = "C:\\Windows\\{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe"	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08FFB48-E50E-432e-847E-E6AD62C484EE}\stubpath = "C:\\Windows\\{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe"	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}	{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}\stubpath = "C:\\Windows\\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe"	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5E246C-6B0D-4d44-90FC-A2981025159D}\stubpath = "C:\\Windows\\{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe"	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9834912-2CBC-4f05-B931-F608FD8C7895}	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA5675F9-310A-448b-A628-25FD670B293F}	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA5675F9-310A-448b-A628-25FD670B293F}\stubpath = "C:\\Windows\\{FA5675F9-310A-448b-A628-25FD670B293F}.exe"	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}\stubpath = "C:\\Windows\\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe"	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08FFB48-E50E-432e-847E-E6AD62C484EE}	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}\stubpath = "C:\\Windows\\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe"	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}\stubpath = "C:\\Windows\\{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe"	{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe

Executes dropped EXE 11 IoCs

pid	Process
1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
1376	{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe
3596	{FA5675F9-310A-448b-A628-25FD670B293F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
File created	C:\Windows\{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
File created	C:\Windows\{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
File created	C:\Windows\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
File created	C:\Windows\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
File created	C:\Windows\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
File created	C:\Windows\{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
File created	C:\Windows\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
File created	C:\Windows\{FA5675F9-310A-448b-A628-25FD670B293F}.exe	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
File created	C:\Windows\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
File created	C:\Windows\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA5675F9-310A-448b-A628-25FD670B293F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
Token: SeIncBasePriorityPrivilege	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
Token: SeIncBasePriorityPrivilege	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
Token: SeIncBasePriorityPrivilege	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
Token: SeIncBasePriorityPrivilege	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
Token: SeIncBasePriorityPrivilege	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
Token: SeIncBasePriorityPrivilege	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
Token: SeIncBasePriorityPrivilege	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
Token: SeIncBasePriorityPrivilege	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
Token: SeIncBasePriorityPrivilege	4796	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1836	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	86
PID 4444 wrote to memory of 1836	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	86
PID 4444 wrote to memory of 1836	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	86
PID 4444 wrote to memory of 2360	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	87
PID 4444 wrote to memory of 2360	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	87
PID 4444 wrote to memory of 2360	4444	2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe	87
PID 1836 wrote to memory of 2936	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	88
PID 1836 wrote to memory of 2936	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	88
PID 1836 wrote to memory of 2936	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	88
PID 1836 wrote to memory of 3472	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	89
PID 1836 wrote to memory of 3472	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	89
PID 1836 wrote to memory of 3472	1836	{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe	89
PID 2936 wrote to memory of 3612	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	93
PID 2936 wrote to memory of 3612	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	93
PID 2936 wrote to memory of 3612	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	93
PID 2936 wrote to memory of 4448	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	94
PID 2936 wrote to memory of 4448	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	94
PID 2936 wrote to memory of 4448	2936	{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe	94
PID 3612 wrote to memory of 4148	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	96
PID 3612 wrote to memory of 4148	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	96
PID 3612 wrote to memory of 4148	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	96
PID 3612 wrote to memory of 4020	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	97
PID 3612 wrote to memory of 4020	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	97
PID 3612 wrote to memory of 4020	3612	{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe	97
PID 4148 wrote to memory of 3416	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	98
PID 4148 wrote to memory of 3416	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	98
PID 4148 wrote to memory of 3416	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	98
PID 4148 wrote to memory of 116	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	99
PID 4148 wrote to memory of 116	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	99
PID 4148 wrote to memory of 116	4148	{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe	99
PID 3416 wrote to memory of 2568	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	100
PID 3416 wrote to memory of 2568	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	100
PID 3416 wrote to memory of 2568	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	100
PID 3416 wrote to memory of 2844	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	101
PID 3416 wrote to memory of 2844	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	101
PID 3416 wrote to memory of 2844	3416	{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe	101
PID 2568 wrote to memory of 4368	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	102
PID 2568 wrote to memory of 4368	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	102
PID 2568 wrote to memory of 4368	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	102
PID 2568 wrote to memory of 4680	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	103
PID 2568 wrote to memory of 4680	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	103
PID 2568 wrote to memory of 4680	2568	{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe	103
PID 4368 wrote to memory of 4040	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	104
PID 4368 wrote to memory of 4040	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	104
PID 4368 wrote to memory of 4040	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	104
PID 4368 wrote to memory of 1820	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	105
PID 4368 wrote to memory of 1820	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	105
PID 4368 wrote to memory of 1820	4368	{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe	105
PID 4040 wrote to memory of 1312	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	106
PID 4040 wrote to memory of 1312	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	106
PID 4040 wrote to memory of 1312	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	106
PID 4040 wrote to memory of 3860	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	107
PID 4040 wrote to memory of 3860	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	107
PID 4040 wrote to memory of 3860	4040	{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe	107
PID 1312 wrote to memory of 1376	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	108
PID 1312 wrote to memory of 1376	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	108
PID 1312 wrote to memory of 1376	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	108
PID 1312 wrote to memory of 4344	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	109
PID 1312 wrote to memory of 4344	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	109
PID 1312 wrote to memory of 4344	1312	{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe	109
PID 4796 wrote to memory of 3596	4796	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe	112
PID 4796 wrote to memory of 3596	4796	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe	112
PID 4796 wrote to memory of 3596	4796	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe	112
PID 4796 wrote to memory of 3604	4796	{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_3eead2881c1f747f622951ab207e3d6c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
  C:\Windows\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
    C:\Windows\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
      C:\Windows\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
        
        C:\Windows\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
        
        C:\Windows\{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
        
        C:\Windows\{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
        
        C:\Windows\{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
        
        C:\Windows\{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
        
        C:\Windows\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe
        
        C:\Windows\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
        
        C:\Windows\{44C29EAC-7322-4354-9E66-AB79CCE1A6F7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{FA5675F9-310A-448b-A628-25FD670B293F}.exe
        
        C:\Windows\{FA5675F9-310A-448b-A628-25FD670B293F}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44C29~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{062CF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4216C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F08FF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9834~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD1A6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE5E2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CC27~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6379~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE27~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA4B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{062CF1E8-06B7-4bc3-9354-FA5F3EC38404}.exe

Filesize
408KB

MD5
a2ec669325257297576cc1e78e325ebf

SHA1
34af8985e913106262bec2699903d2983e1ba761

SHA256
2d962bd82707b22ee26aa4913bd6ef8b74b9417a76e64b4462c6e30250650c2d

SHA512
02895a7784bc2d92fe80c7678883f96913ab6a355b2b188e484dddd7dbd3f93833e1672515317ddceefaae1c00aa0220c01403930cf999fbd6a884717a2159fb

Download Submit
C:\Windows\{0DA4BF67-1205-4e4d-88DD-16C8F4A9A381}.exe

Filesize
408KB

MD5
379509e07324d667c9ebc76303565104

SHA1
f28534b134ab349f4ff7d28799b238988951047b

SHA256
cf306b312908aa8fefb4a56e8039b055fbdbe941bea9d196886fc0dff06f7f99

SHA512
3f337ae8764be917c08f44c0a1c623aad7d43b1e330cf96306fdada245d4e0b215029b73efc06c5de8740e28bce8ab564fa6001cfc78ca49125efcc540bdba20

Download Submit
C:\Windows\{1CC2790B-F4E0-4c1a-8B90-24D8FAB7D4AC}.exe

Filesize
408KB

MD5
c84ce700a7cc116a15e2cdf556bfd94e

SHA1
43b732a27e5cac854c98fe1713f35be483e2004f

SHA256
ac3ca017b1600bc09875c249b4bcf3709be3e0846170ae2551cb34d04a2a2da9

SHA512
9c2a1c00ed31689b2581fbe783f90ecf7f5f9c9f9f4446284e05095084da74f35af3f0189b52b37f028f9f142969c1bacea3d52fcde3a22264dda39f2c2930ee

Download Submit
C:\Windows\{4216C00C-04C2-41f9-B6F4-75D1C440AAAE}.exe

Filesize
408KB

MD5
00edb9d577a17864a1b508439edb14f8

SHA1
d28a696a5535816e162e16ee6851ad6c2bec797c

SHA256
6cf85c6973f797cdde6791af530b2c0fc1f8f3db2f5a712f8d311d577926ab8f

SHA512
5871de864b1d87f1ec0f01ce42ad4d416a01f160d6a8faebe1e8f28fedd1598b3ba4092c303cc86903e6866f63d67646321823c160f1f3ef611fe05419718904

Download Submit
C:\Windows\{BE5E246C-6B0D-4d44-90FC-A2981025159D}.exe

Filesize
408KB

MD5
b33491fc1e824d82455e74535b684ca4

SHA1
f59c12b85b215125ccb857d1a62f952cbeacf63c

SHA256
10e57da023c350d7b4c1ade19ab279a4386bf7620ab3fdd82879687d79191788

SHA512
55d23f3c78be55e484c79cc3fc8210ee81f383a1e172eb6670e308e061e91a3f54b812623d95adc40ed80956bcd8f25d550c8383b3300de0d2fe8ef1b36866c7

Download Submit
C:\Windows\{C9834912-2CBC-4f05-B931-F608FD8C7895}.exe

Filesize
408KB

MD5
dc62f4361c148bc1be542c977bcae5c1

SHA1
c1e9355efeda84d61a5b5363e33ade40edb61b51

SHA256
caae3912165f1955faf66de3aff83df64f5a2b796c4404bc6fae0605cb501bbd

SHA512
44c0fcfda51db46b14467000d41a10f4094abcf6ac9de9739a0805df1e303702bf3658ec6e4f676163c0e8c082b7564a01a10119494cffd3549ec7e5ccd4af0b

Download Submit
C:\Windows\{F08FFB48-E50E-432e-847E-E6AD62C484EE}.exe

Filesize
408KB

MD5
63e21cb1f7bc1da5f324625c729be029

SHA1
a7e2594b901a06f4193ca6c393c498e7fb2b1f44

SHA256
08cd8231b80d464ae189d8a81202fe3a59bacebca42c63a111732462a96d4bea

SHA512
88fa69e8197d796fddfacab46fc4bdfd1f180b83f1c50f1887dfcaf7d2db2f333301d05e78f78546c56dafbad54e0caa3a8e0a6c437fe00500b6d1456d5d8d11

Download Submit
C:\Windows\{F6379381-3DA1-414c-98CF-8A9EF3DFB998}.exe

Filesize
408KB

MD5
5b401c1f3eed734b29b1923b75d5ad95

SHA1
4fb02d890c780a4bbb97f93e1e81087d5cabbe88

SHA256
9dbd2c6a03356dee9845fdb7b844b97e5c019b8c10626162bfd9128a0eaac989

SHA512
91d13dc10e465dee1e37ffac3ba372acbe14208b00841ac19846117a811164620a9bdf42aeab62af1c5bbd4a8fef5ee83c0420de038b755518a2e777014d945d

Download Submit
C:\Windows\{FA5675F9-310A-448b-A628-25FD670B293F}.exe

Filesize
408KB

MD5
00bacab7f98c8adc4fcc05dfccfa7afe

SHA1
1ce2a236e5eb9c8de6b66091fddfaa0e547dc944

SHA256
4d0172ed6961113fa2b88757a714a17cae0837cd50ed69d821e9e6ad9c270ca2

SHA512
5d1dfeeba85eb9766884cc114a6c58ad2661bbd6e82c0f3044612e584d74314814f65c4c1d0f0f5b5da0548bfb4903aafd373221b52d95c3cb0dd813e65dbbdd

Download Submit
C:\Windows\{FBE275C3-8108-4691-A3F5-4826C9A8A37F}.exe

Filesize
408KB

MD5
d9e7ec91803ad0cff02b84a957b4f3c8

SHA1
dcad154e4f7553f945f1b1d9074b7b01d369b543

SHA256
9b6d9567ace8d0644fb437fd8333adb4c4ddfd1732ff030f842c31f330678121

SHA512
5cd55d44273dea9a231a2815ce39e9d6b67d9367104991a9bd40cf7f009d058e6997dfac83824674183482ab634630772a27a40f1070f9e83997b3207d75180a

Download Submit
C:\Windows\{FD1A681A-281B-4046-AB0D-0F49CE35C118}.exe

Filesize
408KB

MD5
f3412254d920fc65191b1cfaf785cce0

SHA1
96072d354bd64ac3578f25b69718ec5ac646f8b3

SHA256
473a96b2114fb68833102b8fa91b9a7cd4a96e00b6e1e743bef5172de6cc37bd

SHA512
26d2cd4572eaa5ac392e0ab73fb63d1f7c1998e5453aaf5aff002139253a62577aac04a6e9132961ef771a5adfcd31c908d0fcf4e40467321726246ef89e931e

Download Submit
memory/1376-39-0x0000000003A70000-0x0000000003B4B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads