18b37c2c5d30841b549e8064c0c28c50de0499f2b761623a11659d8312b2366b

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Size

380KB
MD5

721fca74f2e8c5cf7b81857b84573a0a
SHA1

1097da9102d0cbd1fb92b51378b3920a8d0741ae
SHA256

18b37c2c5d30841b549e8064c0c28c50de0499f2b761623a11659d8312b2366b
SHA512

454a25f61724b4f4c4b4ae79400efb253ac290782dd6bc436f3f64308db0d2edb00f8ddf274b594b992f8fa27647f2244c38d8c55334ea33c4f729eab84736a8
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGcl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2D8431-0324-44de-8C76-31B5D960DE06}	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE9161E-4879-4c22-9272-5C86963EA1F2}	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C15B581-45F3-4cc8-A304-13FCA0589509}	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2D8431-0324-44de-8C76-31B5D960DE06}\stubpath = "C:\\Windows\\{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe"	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F58C14F-DEFC-47a2-91A3-B57F60569466}	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}\stubpath = "C:\\Windows\\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe"	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}\stubpath = "C:\\Windows\\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe"	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}\stubpath = "C:\\Windows\\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe"	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185C060A-D1A7-429e-B868-5CD2301A4924}\stubpath = "C:\\Windows\\{185C060A-D1A7-429e-B868-5CD2301A4924}.exe"	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}\stubpath = "C:\\Windows\\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe"	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F58C14F-DEFC-47a2-91A3-B57F60569466}\stubpath = "C:\\Windows\\{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe"	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2288F2F7-E650-4217-B3F7-025E6A17975C}\stubpath = "C:\\Windows\\{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe"	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C15B581-45F3-4cc8-A304-13FCA0589509}\stubpath = "C:\\Windows\\{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe"	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{185C060A-D1A7-429e-B868-5CD2301A4924}	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE9161E-4879-4c22-9272-5C86963EA1F2}\stubpath = "C:\\Windows\\{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe"	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2288F2F7-E650-4217-B3F7-025E6A17975C}	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}\stubpath = "C:\\Windows\\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe"	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}\stubpath = "C:\\Windows\\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe"	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe

Executes dropped EXE 12 IoCs

pid	Process
4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
1004	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
4912	{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
File created	C:\Windows\{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
File created	C:\Windows\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
File created	C:\Windows\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
File created	C:\Windows\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
File created	C:\Windows\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
File created	C:\Windows\{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
File created	C:\Windows\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
File created	C:\Windows\{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
File created	C:\Windows\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
File created	C:\Windows\{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
File created	C:\Windows\{185C060A-D1A7-429e-B868-5CD2301A4924}.exe	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
Token: SeIncBasePriorityPrivilege	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
Token: SeIncBasePriorityPrivilege	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
Token: SeIncBasePriorityPrivilege	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
Token: SeIncBasePriorityPrivilege	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
Token: SeIncBasePriorityPrivilege	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
Token: SeIncBasePriorityPrivilege	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
Token: SeIncBasePriorityPrivilege	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
Token: SeIncBasePriorityPrivilege	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
Token: SeIncBasePriorityPrivilege	956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
Token: SeIncBasePriorityPrivilege	1004	{185C060A-D1A7-429e-B868-5CD2301A4924}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4576	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	86
PID 3932 wrote to memory of 4576	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	86
PID 3932 wrote to memory of 4576	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	86
PID 3932 wrote to memory of 2904	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	87
PID 3932 wrote to memory of 2904	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	87
PID 3932 wrote to memory of 2904	3932	2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe	87
PID 4576 wrote to memory of 4476	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	88
PID 4576 wrote to memory of 4476	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	88
PID 4576 wrote to memory of 4476	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	88
PID 4576 wrote to memory of 4416	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	89
PID 4576 wrote to memory of 4416	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	89
PID 4576 wrote to memory of 4416	4576	{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe	89
PID 4476 wrote to memory of 4052	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	94
PID 4476 wrote to memory of 4052	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	94
PID 4476 wrote to memory of 4052	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	94
PID 4476 wrote to memory of 2012	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	95
PID 4476 wrote to memory of 2012	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	95
PID 4476 wrote to memory of 2012	4476	{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe	95
PID 4052 wrote to memory of 1692	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	96
PID 4052 wrote to memory of 1692	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	96
PID 4052 wrote to memory of 1692	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	96
PID 4052 wrote to memory of 3224	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	97
PID 4052 wrote to memory of 3224	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	97
PID 4052 wrote to memory of 3224	4052	{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe	97
PID 1692 wrote to memory of 1636	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	100
PID 1692 wrote to memory of 1636	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	100
PID 1692 wrote to memory of 1636	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	100
PID 1692 wrote to memory of 1252	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	101
PID 1692 wrote to memory of 1252	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	101
PID 1692 wrote to memory of 1252	1692	{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe	101
PID 1636 wrote to memory of 3772	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	102
PID 1636 wrote to memory of 3772	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	102
PID 1636 wrote to memory of 3772	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	102
PID 1636 wrote to memory of 3968	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	103
PID 1636 wrote to memory of 3968	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	103
PID 1636 wrote to memory of 3968	1636	{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe	103
PID 3772 wrote to memory of 1616	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	104
PID 3772 wrote to memory of 1616	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	104
PID 3772 wrote to memory of 1616	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	104
PID 3772 wrote to memory of 3928	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	105
PID 3772 wrote to memory of 3928	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	105
PID 3772 wrote to memory of 3928	3772	{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe	105
PID 1616 wrote to memory of 3248	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	106
PID 1616 wrote to memory of 3248	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	106
PID 1616 wrote to memory of 3248	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	106
PID 1616 wrote to memory of 4564	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	107
PID 1616 wrote to memory of 4564	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	107
PID 1616 wrote to memory of 4564	1616	{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe	107
PID 3248 wrote to memory of 3088	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	108
PID 3248 wrote to memory of 3088	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	108
PID 3248 wrote to memory of 3088	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	108
PID 3248 wrote to memory of 3532	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	109
PID 3248 wrote to memory of 3532	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	109
PID 3248 wrote to memory of 3532	3248	{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe	109
PID 3088 wrote to memory of 956	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	110
PID 3088 wrote to memory of 956	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	110
PID 3088 wrote to memory of 956	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	110
PID 3088 wrote to memory of 3140	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	111
PID 3088 wrote to memory of 3140	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	111
PID 3088 wrote to memory of 3140	3088	{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe	111
PID 956 wrote to memory of 1004	956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe	112
PID 956 wrote to memory of 1004	956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe	112
PID 956 wrote to memory of 1004	956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe	112
PID 956 wrote to memory of 2492	956	{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_721fca74f2e8c5cf7b81857b84573a0a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
  C:\Windows\{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
    C:\Windows\{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
      C:\Windows\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
        
        C:\Windows\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
        
        C:\Windows\{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
        
        C:\Windows\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
        
        C:\Windows\{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
        
        C:\Windows\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
        
        C:\Windows\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
        
        C:\Windows\{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
        
        C:\Windows\{185C060A-D1A7-429e-B868-5CD2301A4924}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe
        
        C:\Windows\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{185C0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2D8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD1CC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B52BF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C15B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9694B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2288F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79433~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{324C4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F58C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE91~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{185C060A-D1A7-429e-B868-5CD2301A4924}.exe

Filesize
380KB

MD5
de8432bc6059a78158cf1f43656ea5aa

SHA1
75c37c71181a98fb3154809c2e94ab40ea46e7a0

SHA256
bfec7cac9c3ccef836b091eceb47f9d1a8cada126a6de6b4314b3cbf5d3a4210

SHA512
3366bff907d127f7a879d952452000e3883cfdfa2d6d1c66094c2c6e73250bb169eb64849fdea9fe201ef4b4ed7c3abbfa0a7eeffd62e2e5e18e56888c5dec81

Download Submit
C:\Windows\{2288F2F7-E650-4217-B3F7-025E6A17975C}.exe

Filesize
380KB

MD5
b08beff7bc654aace8979c981bde9d87

SHA1
103fec034817f478b7ec75d94cb586d832263651

SHA256
3c0acecc8ba448e90336ef651759544feab3dea2d448ccb672bc418e36f7263a

SHA512
cc4064c18b69343519a84f75bdc615d071a5ba4694230ed4feeed6d28146f66533be27f0ac67a8dda3fc9e2951b0ae4e8300be80d47f285e1f6dcb0cb4a99b10

Download Submit
C:\Windows\{2F58C14F-DEFC-47a2-91A3-B57F60569466}.exe

Filesize
380KB

MD5
ab6d681d02b6b6a3762e787f143141de

SHA1
24c538872be8c9408cb75496fb8f61150a6cdfe4

SHA256
c276c92d99ced843d3b2f3470d362955427eaa3a01ffb55279723a864505b835

SHA512
f60fe55b629dfbd893bd56407883a448b7195902395c0df7a99bf5e09ff8a64cb09d3455524cd0dfbaeed05f2864d8ebd84c6c2207b26eb2bbc8b34fc75f5e0a

Download Submit
C:\Windows\{324C4627-5F3E-4205-9C95-C1E245EA1DE5}.exe

Filesize
380KB

MD5
23edc998f311bd8d8e2f2a3cd75f99ec

SHA1
b764d421d631392f70763ed2bc2856d2a2495f52

SHA256
50c8f59d9f514a7619fd52113e245196e95ab27920ba2b9450ffee1348e8bccd

SHA512
d70db46ba09738c2360eb09a200d6a62aa76593b60aafbcf283d93e20acc78c860f649d3f73dfaf702dc00de23e9b9f9db4e5349f1ab7a8506523e6ce885fefa

Download Submit
C:\Windows\{6EE9161E-4879-4c22-9272-5C86963EA1F2}.exe

Filesize
380KB

MD5
2f1e87be479c32ef636d4113140775a4

SHA1
9dd3304ee0bc716226c4e49b078a781c11f812cc

SHA256
164c617cef0d00aa094bd04afbc778f2ea3649ec04106c97407d2b4e4ca8b22f

SHA512
20c0a86a3d55b31a1bdfee9d2503944991ffdc8ded9a6f6d7029109e1bf343db14834c2baf61f4d4c2636ecdb2faade23fe6e50fe840ad180d37191f4d222b9b

Download Submit
C:\Windows\{79433E7B-AEF4-4bf8-B663-9F98CA713D41}.exe

Filesize
380KB

MD5
04c0cccabad851451c18af4a48d684c2

SHA1
73e443398687e2c3e0f6e9c50a0dc94b3bdfa81a

SHA256
cd92a4aa268625e82a4f7d3b3f9c88dba4ce18d6fafe9fcd98d0d03daccf4f73

SHA512
4fdd6e6695d050c820db5965cb1b8ad1e87a70fda9d391ed506c6b00997f3ac99112305f103149fcf22be6c5a40b6d3bc2d34e400016d38e6504185a468359b4

Download Submit
C:\Windows\{8C15B581-45F3-4cc8-A304-13FCA0589509}.exe

Filesize
380KB

MD5
e13dd754d2c7a3c31e2213ababac634c

SHA1
f01a6392e60ef14f25de052b17cdf5f14f1449e0

SHA256
5fd9f073a1b7b3cf74cc2b80fcba29195a5df51c6adec027c544e0cb3298aaf5

SHA512
54967b4ee966cd7ace2b4611a4a8559d23c9001015156e8749c3296295a34685e76acf4c7113ea63ce004bc51ecf06df9d59739c07ce51a890ff29e30df9fcc1

Download Submit
C:\Windows\{8F2D8431-0324-44de-8C76-31B5D960DE06}.exe

Filesize
380KB

MD5
ce657f70999ca1aa73482c3a7b0c1fa1

SHA1
61bce455fd0e0ec7f0626700b2d55afd300bc8ce

SHA256
825d50dd3d34b8ce40c5e3285f9a2ff50cddce90567b5cd4092a2f79cd32c6e4

SHA512
3baeb3cea1bda140cf2301f2a119f6683a599de2f80a82bffcbfbe4c27cd4b2cfc0eddc661621c63f870849943d00cce5b5c0cb53bff189d978a43a6f329d3ff

Download Submit
C:\Windows\{9694B79F-121D-47a2-8B69-9D84C55DA0C2}.exe

Filesize
380KB

MD5
0cee28772d9ceb3d6fe19ac39692632d

SHA1
77ccd97c1eeae8d1e67a9a50734b8bbd8dae2135

SHA256
78a1702c2b9f6880850f5a91fc7b6ad91b59072df18bbbb6f729691db6afad83

SHA512
b576480f4559262b88c7148c62360f747357180f5f2051417975f3e0125ca8f2e4b69de70724d6104d1836cbeedd9349416e6e556901d3c999ded9d99e8dd267

Download Submit
C:\Windows\{B52BF6DB-8A96-4431-8C3E-1288917A0C9D}.exe

Filesize
380KB

MD5
4707414e2b2b0b07e3925c0d469cb283

SHA1
17e3f997d38b25e54edd9844ab1b9396ac9595a4

SHA256
284db84bb63e0ea25c64543747b634ddfd6ef9a71276f87f155251cfe2d59ae8

SHA512
90dd7c13239dd89bf0a1e052b2cd4201efe8c2211c25e6fd4add594e6031c71994ba6ad4c7c2249bd504f5a4ac87090f22fd41ff697c08d5c3baee37c3205976

Download Submit
C:\Windows\{DD1CCA7D-680D-41fe-8DDA-56F068B12F67}.exe

Filesize
380KB

MD5
4d81bf4392f6cce2c9c7edf1e66213ea

SHA1
e617bdee3600668bfc4fc9670e062ead13a2e6ff

SHA256
3a7fedbb8ce7415e6f27b87411de65148bff498823ec779fc04c3a185a9edf6f

SHA512
ca795bbe05d979b755fede90528f25e7d3e4a8dc142cb81f80dfcf74493cd39e2df571c73cb30da216f9a201be06d815e3587735b91add7d9755612148297e7d

Download Submit
C:\Windows\{DDA96549-278A-42ad-91DF-7A6DDEF0B9AE}.exe

Filesize
380KB

MD5
c9ea4631b301df70f5b478ceecf63d3e

SHA1
02339305995f23404c721f92299fd0279935979f

SHA256
694e6f1407dee0a2bd9b51ddfeaafa656e6e67823a94964ee55a575792766bc5

SHA512
f12e3146e4f444ef4981b17aae44ce669fa3abcc5c90e667ddf22f678e730a970db2eba480f4e5aa34acecc37723a9b32be95308b55c4f525f92b689788187c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads