bc40de42f21116925de31b5be765772fd934bd7d23ff0079db5a5280bdf0afeb

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
Size

372KB
MD5

f2de1dcc1aa5d57624473e92a6bbcab7
SHA1

05277f83e4f261c7df9e7860d873c4df64b18584
SHA256

bc40de42f21116925de31b5be765772fd934bd7d23ff0079db5a5280bdf0afeb
SHA512

cd02c43830105e68a6931ea094ee81774cd827eecd793f4c93fb9887e394ba5409cb5973a163b6134c1d371dcdd9cfe3e36e903877c327dda963ff24ec1e29e7
SSDEEP

3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGMl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B447D66F-D33C-4431-BE90-DFEB1FB22568}	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B447D66F-D33C-4431-BE90-DFEB1FB22568}\stubpath = "C:\\Windows\\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe"	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}\stubpath = "C:\\Windows\\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe"	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34BA8EA-83F1-4e29-8481-ABB920106B14}\stubpath = "C:\\Windows\\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe"	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}\stubpath = "C:\\Windows\\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe"	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F34BA8EA-83F1-4e29-8481-ABB920106B14}	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}\stubpath = "C:\\Windows\\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe"	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D52A866-826E-48ad-AF37-13F49613114A}\stubpath = "C:\\Windows\\{2D52A866-826E-48ad-AF37-13F49613114A}.exe"	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4869E633-154F-4cbb-9DF8-15E85A48849B}	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C347CEAF-F6DB-49d0-B283-579487BD957D}	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D52A866-826E-48ad-AF37-13F49613114A}	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}\stubpath = "C:\\Windows\\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe"	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4869E633-154F-4cbb-9DF8-15E85A48849B}\stubpath = "C:\\Windows\\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe"	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}\stubpath = "C:\\Windows\\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe"	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}\stubpath = "C:\\Windows\\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe"	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A270A22-1235-46d3-B295-79174ADDD63E}	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A270A22-1235-46d3-B295-79174ADDD63E}\stubpath = "C:\\Windows\\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe"	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C347CEAF-F6DB-49d0-B283-579487BD957D}\stubpath = "C:\\Windows\\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe"	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

Executes dropped EXE 12 IoCs

pid	Process
4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
1824	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
1400	{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
File created	C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
File created	C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
File created	C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
File created	C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
File created	C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
File created	C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
File created	C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
File created	C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
File created	C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
File created	C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
File created	C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
Token: SeIncBasePriorityPrivilege	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
Token: SeIncBasePriorityPrivilege	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
Token: SeIncBasePriorityPrivilege	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
Token: SeIncBasePriorityPrivilege	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
Token: SeIncBasePriorityPrivilege	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe
Token: SeIncBasePriorityPrivilege	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
Token: SeIncBasePriorityPrivilege	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
Token: SeIncBasePriorityPrivilege	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
Token: SeIncBasePriorityPrivilege	1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
Token: SeIncBasePriorityPrivilege	1824	{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4344	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	86
PID 4604 wrote to memory of 4344	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	86
PID 4604 wrote to memory of 4344	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	86
PID 4604 wrote to memory of 1400	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	87
PID 4604 wrote to memory of 1400	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	87
PID 4604 wrote to memory of 1400	4604	2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe	87
PID 4344 wrote to memory of 4000	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	88
PID 4344 wrote to memory of 4000	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	88
PID 4344 wrote to memory of 4000	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	88
PID 4344 wrote to memory of 3228	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	89
PID 4344 wrote to memory of 3228	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	89
PID 4344 wrote to memory of 3228	4344	{6A270A22-1235-46d3-B295-79174ADDD63E}.exe	89
PID 4000 wrote to memory of 3560	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	92
PID 4000 wrote to memory of 3560	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	92
PID 4000 wrote to memory of 3560	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	92
PID 4000 wrote to memory of 3260	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	93
PID 4000 wrote to memory of 3260	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	93
PID 4000 wrote to memory of 3260	4000	{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe	93
PID 3560 wrote to memory of 2692	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	95
PID 3560 wrote to memory of 2692	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	95
PID 3560 wrote to memory of 2692	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	95
PID 3560 wrote to memory of 4036	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	96
PID 3560 wrote to memory of 4036	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	96
PID 3560 wrote to memory of 4036	3560	{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe	96
PID 2692 wrote to memory of 3848	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	97
PID 2692 wrote to memory of 3848	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	97
PID 2692 wrote to memory of 3848	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	97
PID 2692 wrote to memory of 4712	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	98
PID 2692 wrote to memory of 4712	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	98
PID 2692 wrote to memory of 4712	2692	{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe	98
PID 3848 wrote to memory of 3088	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	99
PID 3848 wrote to memory of 3088	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	99
PID 3848 wrote to memory of 3088	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	99
PID 3848 wrote to memory of 1216	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	100
PID 3848 wrote to memory of 1216	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	100
PID 3848 wrote to memory of 1216	3848	{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe	100
PID 3088 wrote to memory of 1568	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	101
PID 3088 wrote to memory of 1568	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	101
PID 3088 wrote to memory of 1568	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	101
PID 3088 wrote to memory of 3580	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	102
PID 3088 wrote to memory of 3580	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	102
PID 3088 wrote to memory of 3580	3088	{2D52A866-826E-48ad-AF37-13F49613114A}.exe	102
PID 1568 wrote to memory of 4168	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	103
PID 1568 wrote to memory of 4168	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	103
PID 1568 wrote to memory of 4168	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	103
PID 1568 wrote to memory of 4064	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	104
PID 1568 wrote to memory of 4064	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	104
PID 1568 wrote to memory of 4064	1568	{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe	104
PID 4168 wrote to memory of 2144	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	105
PID 4168 wrote to memory of 2144	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	105
PID 4168 wrote to memory of 2144	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	105
PID 4168 wrote to memory of 2984	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	106
PID 4168 wrote to memory of 2984	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	106
PID 4168 wrote to memory of 2984	4168	{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe	106
PID 2144 wrote to memory of 1140	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	107
PID 2144 wrote to memory of 1140	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	107
PID 2144 wrote to memory of 1140	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	107
PID 2144 wrote to memory of 1328	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	108
PID 2144 wrote to memory of 1328	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	108
PID 2144 wrote to memory of 1328	2144	{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe	108
PID 1140 wrote to memory of 1824	1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe	109
PID 1140 wrote to memory of 1824	1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe	109
PID 1140 wrote to memory of 1824	1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe	109
PID 1140 wrote to memory of 5048	1140	{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_f2de1dcc1aa5d57624473e92a6bbcab7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
  C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
    C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
      C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
        
        C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
        
        C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe
        
        C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
        
        C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
        
        C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
        
        C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
        
        C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
        
        C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe
        
        C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F34BA~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37066~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{287F1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F3B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4869E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D52A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9197C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B447D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6541B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D91E5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A270~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{287F1CF4-5D2D-4ab4-A299-D3948E2797E5}.exe

Filesize
372KB

MD5
759f141cd70eccc4c473ac005676ec9c

SHA1
313138a32cd1855c48a1a2defc4f79ec1b171dbf

SHA256
683dcaa2d3f6396bb3abc1aba95e52f2ff503fcd788795230089f93c37fd36c2

SHA512
e5b76d2e163619d1fbdf1249d44581741a61830a926cadc6f4730e50b10d2bead7479a5c6fa5e2f9a5ac8c0db7f201dc2652195e0d557ab053ae1f62b488db6c

Download Submit
C:\Windows\{2D52A866-826E-48ad-AF37-13F49613114A}.exe

Filesize
372KB

MD5
7307b43ab61226958a3389e074d81417

SHA1
6c5aa9d51aebdc88d68332a1e360d7360d8cb868

SHA256
4f86ccd462e321553f25c11bcec2be376449c59774eea3193f038b96bebc1833

SHA512
a5140caebb0f376d6dcd4dbda905f68c1be3394362353fd0590f4d97ff126d62a1558492f24b1df0897e592c370f9d3de77a0c7056e979d96656c4b9fbdeac2c

Download Submit
C:\Windows\{37066AA0-E6AA-4dd0-AFC9-B0D35CF5AA02}.exe

Filesize
372KB

MD5
83c04406f0f25f420bb6a1a662a84729

SHA1
b44ba3e6b062c8965e1f974bf0d4b0f266f8db66

SHA256
3ae3088e9da53c22e1b5f9574c0c8c7e06c9024d8a92dc8ebb0b896352568b46

SHA512
08919d58a637aa8b7d8674f843cccd2b19fd15d25fe8d9850cc6dbfe787aae00972dc27a0e9a9de8b3a255d033c0045fd8b2cc97fcb32575271902744733e35e

Download Submit
C:\Windows\{39F3B8DA-1DA7-4942-BF18-E9CA0F24BDA6}.exe

Filesize
372KB

MD5
388a821824a9376ca40fad76c2fd29a0

SHA1
0e7074c08b9363ac989c100f60eddf736005e3b8

SHA256
6be0ddbe1162fd12774c6291c3425679ce07cc7ef279850095077b9cfa3d1d7a

SHA512
b1a7a991d80d27d0c5bb8487e531604fb854dd5fc0c22ac7250e5dd4e3d245883edcf09e9053b77d9c90decf43d5ad690292f5b947a54e08f343b9fa0fc96cef

Download Submit
C:\Windows\{4869E633-154F-4cbb-9DF8-15E85A48849B}.exe

Filesize
372KB

MD5
0808bbbe5e66c389a9d69c8a486c1db6

SHA1
f31eabb7d4f296c1b857354245bdaaec2ef9eb4c

SHA256
87c904dbcf25929721cd39b72c197a7500b03f16374304b779948b99ef8dc733

SHA512
2f2d92fb24bfa34ad3eb0864d94340810b9128a68ba5441922c40f71c02a43a2f5172e908ac15eb022b0128c073112739fc4fe445fa99e91a5fa5517c46205ee

Download Submit
C:\Windows\{6541BDD2-389D-43b0-B70B-9BA34B99FF2A}.exe

Filesize
372KB

MD5
b483a7009ffa6f767370b6be39f1d353

SHA1
f4f0b72378dd069c76abd814e2887af205c477bf

SHA256
02f8fb4bee5c0e57518e39970f79e24a6e106f8b2733c2bfe739583d6e24309c

SHA512
03620696c534f85e47faeac54c168f1e53d8e49e4c23fe3567183878c321b80240a87bfdf99e33cd6722ac41587a5885efde9949b96c4077d6d803c89cac21e4

Download Submit
C:\Windows\{6A270A22-1235-46d3-B295-79174ADDD63E}.exe

Filesize
372KB

MD5
26c97afaa51a010dd75932b772236280

SHA1
1396315b988bebecede803380502242f0bfb27f3

SHA256
dd3772aea7d022d1a45f1e894c031fb73530ac28b20cb210a321739364887332

SHA512
a13f36927607d3a0929cd00af337bc25ece0b2ccda3e8c3a9648a1f5675ca3a2e6b7f0beb04feb96465e9e41ba708913414cf6c8ff2c086423f0d9953837f086

Download Submit
C:\Windows\{9197C033-4A0E-4d5c-931D-324D3DBD41CC}.exe

Filesize
372KB

MD5
3c0c87d8ef5ac244d4d43dcdd4394426

SHA1
91487e4c169a311580cbc3a32bcfbe6c7efd809b

SHA256
58bf85870e56529ea4bd3a167d604ec69ba3d575eacb5a7bbb67742791ae4455

SHA512
d76f71fef3d86d42bce4b9a1edb9ac9f20693c8cd6cd5ad2904afe856812a3b106fb0dcd2172b6c592b38711f81d9c0079bee8b5cda692838234baac4cfe550b

Download Submit
C:\Windows\{B447D66F-D33C-4431-BE90-DFEB1FB22568}.exe

Filesize
372KB

MD5
2527dfbabf42b07cecc866f0a0976bc4

SHA1
eb3e0188dccb872ca3d6e8bb4aa860de79561d92

SHA256
b1aa5d3dac610e77ecb8d772d117c4c46f699449cfc3b749bdfb5f649115474a

SHA512
d8ac125329f810f6fab6dd9efeed236ba8d3f61ff778be07073fda82be92d7e32de591344cdc97a53c399913531080fed537f4e63c8fbcc851a40d13b02aa24b

Download Submit
C:\Windows\{C347CEAF-F6DB-49d0-B283-579487BD957D}.exe

Filesize
372KB

MD5
2277eb4a313b502e28570e0cd1b27054

SHA1
ed7df26185acb0c35b60e54df9173244504ff627

SHA256
544ce81fc10878568272d3f139fe3eea7563a933a01318bcf689171b38b0af86

SHA512
af995c496fa3ba74342facf2d966be87ec738b7a9b3d23df4b5616c90c43aa3cfb48f3e04356c8190513aad2059b20b25e12bce9e7e028987e2444f4cae6ad4d

Download Submit
C:\Windows\{D91E5FCE-E886-4755-B9F6-84C444F15ADF}.exe

Filesize
372KB

MD5
b8476b7234392ae6e66d68c5aed8a357

SHA1
37ad16ceec6109ef8c6fdb2672866678d6ddee04

SHA256
0a37e6721952f53455d43b4e5a533f21d33054d7145da440174f6257839a897e

SHA512
a814108319f1a608a77e128006d1301726ff98ce9bf078f649d2b8a0155deddf947eab638cb1802b7829fbea5661040e5d4c6ae0509b835967f352302599782b

Download Submit
C:\Windows\{F34BA8EA-83F1-4e29-8481-ABB920106B14}.exe

Filesize
372KB

MD5
768c58a8772ecb8e24b1d316de8a7501

SHA1
eead42dea362314c6efc36d6289bb80af97bf1a4

SHA256
8586f3b954366b861423e61230d0f09cdb873307555f3a7f236cda77ee5fbf65

SHA512
1d5e37399ad00825f55954d799c12ed6b373d9416832c7825d3661218bee6e9077c697c6dd42b003650fc0cd26109c0a70e332aa8eb4f058e3b6916d2451faa4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads