a1a98a70923dfb2a7ca3a214231913d684a716866ffa8c2651401e960fcac586

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Size

180KB
MD5

b9a05f4b65bc36c319367b726f012c8e
SHA1

75a1e3e877c5f03873ce504aa326d0d90cd5dce3
SHA256

a1a98a70923dfb2a7ca3a214231913d684a716866ffa8c2651401e960fcac586
SHA512

8021774a4e0e480c7b35018752f7928b6c54199f31cd559df20a24241c69e1d4743a14839abfe4fd4f4e268de66c4fcdc914948e4a555fd4100db44f84d17062
SSDEEP

3072:jEGh0o7lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}\stubpath = "C:\\Windows\\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe"	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CAF15AC-6662-45a6-8628-45961E85C2A0}\stubpath = "C:\\Windows\\{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe"	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}\stubpath = "C:\\Windows\\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe"	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}\stubpath = "C:\\Windows\\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe"	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}\stubpath = "C:\\Windows\\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe"	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA564FA6-9901-4789-95A9-839E26EF4597}	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}\stubpath = "C:\\Windows\\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe"	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}\stubpath = "C:\\Windows\\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe"	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7735A719-639F-4010-9E48-A7D6D9E4FC82}\stubpath = "C:\\Windows\\{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe"	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}\stubpath = "C:\\Windows\\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe"	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}\stubpath = "C:\\Windows\\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe"	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CAF15AC-6662-45a6-8628-45961E85C2A0}	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}\stubpath = "C:\\Windows\\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe"	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7735A719-639F-4010-9E48-A7D6D9E4FC82}	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA564FA6-9901-4789-95A9-839E26EF4597}\stubpath = "C:\\Windows\\{FA564FA6-9901-4789-95A9-839E26EF4597}.exe"	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
4940	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
1224	{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
File created	C:\Windows\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
File created	C:\Windows\{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
File created	C:\Windows\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
File created	C:\Windows\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
File created	C:\Windows\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
File created	C:\Windows\{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
File created	C:\Windows\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
File created	C:\Windows\{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
File created	C:\Windows\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
File created	C:\Windows\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
File created	C:\Windows\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
Token: SeIncBasePriorityPrivilege	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
Token: SeIncBasePriorityPrivilege	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
Token: SeIncBasePriorityPrivilege	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
Token: SeIncBasePriorityPrivilege	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
Token: SeIncBasePriorityPrivilege	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
Token: SeIncBasePriorityPrivilege	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
Token: SeIncBasePriorityPrivilege	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
Token: SeIncBasePriorityPrivilege	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
Token: SeIncBasePriorityPrivilege	3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
Token: SeIncBasePriorityPrivilege	4940	{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4084	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	94
PID 4508 wrote to memory of 4084	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	94
PID 4508 wrote to memory of 4084	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	94
PID 4508 wrote to memory of 336	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	95
PID 4508 wrote to memory of 336	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	95
PID 4508 wrote to memory of 336	4508	2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe	95
PID 4084 wrote to memory of 2020	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	96
PID 4084 wrote to memory of 2020	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	96
PID 4084 wrote to memory of 2020	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	96
PID 4084 wrote to memory of 4696	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	97
PID 4084 wrote to memory of 4696	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	97
PID 4084 wrote to memory of 4696	4084	{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe	97
PID 2020 wrote to memory of 1428	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	101
PID 2020 wrote to memory of 1428	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	101
PID 2020 wrote to memory of 1428	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	101
PID 2020 wrote to memory of 1772	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	102
PID 2020 wrote to memory of 1772	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	102
PID 2020 wrote to memory of 1772	2020	{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe	102
PID 1428 wrote to memory of 1524	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	103
PID 1428 wrote to memory of 1524	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	103
PID 1428 wrote to memory of 1524	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	103
PID 1428 wrote to memory of 3036	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	104
PID 1428 wrote to memory of 3036	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	104
PID 1428 wrote to memory of 3036	1428	{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe	104
PID 1524 wrote to memory of 1504	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	105
PID 1524 wrote to memory of 1504	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	105
PID 1524 wrote to memory of 1504	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	105
PID 1524 wrote to memory of 5064	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	106
PID 1524 wrote to memory of 5064	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	106
PID 1524 wrote to memory of 5064	1524	{FA564FA6-9901-4789-95A9-839E26EF4597}.exe	106
PID 1504 wrote to memory of 4952	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	108
PID 1504 wrote to memory of 4952	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	108
PID 1504 wrote to memory of 4952	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	108
PID 1504 wrote to memory of 1440	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	109
PID 1504 wrote to memory of 1440	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	109
PID 1504 wrote to memory of 1440	1504	{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe	109
PID 4952 wrote to memory of 1600	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	110
PID 4952 wrote to memory of 1600	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	110
PID 4952 wrote to memory of 1600	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	110
PID 4952 wrote to memory of 412	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	111
PID 4952 wrote to memory of 412	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	111
PID 4952 wrote to memory of 412	4952	{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe	111
PID 1600 wrote to memory of 1820	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	113
PID 1600 wrote to memory of 1820	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	113
PID 1600 wrote to memory of 1820	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	113
PID 1600 wrote to memory of 3508	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	114
PID 1600 wrote to memory of 3508	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	114
PID 1600 wrote to memory of 3508	1600	{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe	114
PID 1820 wrote to memory of 3420	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	122
PID 1820 wrote to memory of 3420	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	122
PID 1820 wrote to memory of 3420	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	122
PID 1820 wrote to memory of 4732	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	123
PID 1820 wrote to memory of 4732	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	123
PID 1820 wrote to memory of 4732	1820	{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe	123
PID 3420 wrote to memory of 3396	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	124
PID 3420 wrote to memory of 3396	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	124
PID 3420 wrote to memory of 3396	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	124
PID 3420 wrote to memory of 5032	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	125
PID 3420 wrote to memory of 5032	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	125
PID 3420 wrote to memory of 5032	3420	{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe	125
PID 3396 wrote to memory of 4940	3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe	126
PID 3396 wrote to memory of 4940	3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe	126
PID 3396 wrote to memory of 4940	3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe	126
PID 3396 wrote to memory of 1172	3396	{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_b9a05f4b65bc36c319367b726f012c8e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
  C:\Windows\{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
    C:\Windows\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
      C:\Windows\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
        
        C:\Windows\{FA564FA6-9901-4789-95A9-839E26EF4597}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
        
        C:\Windows\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
        
        C:\Windows\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
        
        C:\Windows\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
        
        C:\Windows\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
        
        C:\Windows\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
        
        C:\Windows\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
        
        C:\Windows\{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe
        
        C:\Windows\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CAF1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7BE7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB885~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B8A8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B50B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7943B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA8DE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA564~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3AE0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B90D2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7735A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B8A8FE5-286E-4a8f-9C7B-0620786C347A}.exe

Filesize
180KB

MD5
13c12c761164f15c304631574d7d5763

SHA1
3e2481706e68dd006d533ba67b33d352125e3a8c

SHA256
7fe073f4e3dc9d918c040afa03b1ef3973b5d1448d888a95730635f7aaa54979

SHA512
a5a06b26d6b920ff64d63db695fa7ab004c61903b1e0cc58aaed6d8d567a76ea26b788ac110ad4c99a70efe53cfc374b42a09d29719ac3cd7fac2bbcf08ed228

Download Submit
C:\Windows\{3B50BB36-EA45-40b3-9B12-E266A3F94AC7}.exe

Filesize
180KB

MD5
5188c1a7bc324c348ff12e0961d66152

SHA1
2a01d9e41e543e03ee0855893f07e8ac086a1f09

SHA256
751c78f4c32ee3f68dcc041e78448aca0efc1d614fce5eef5e55c046bb30ad88

SHA512
3c20de868318eaa936389c783a0851e1b3127f5291372311017a353b2091af75a0b63cbc481577659992e0a4690b2f31c6e2d09038ee6dc06f0214ad17c12c2a

Download Submit
C:\Windows\{5CAF15AC-6662-45a6-8628-45961E85C2A0}.exe

Filesize
180KB

MD5
d8075a0e0808a8109756ef50f7405dbc

SHA1
3c8894d583af82324e88676ea16d551b6db79f17

SHA256
fe4b4c3fde5e0c52b4d63d1bcb62463288868448f9f99784decde6f3d297ba37

SHA512
16a8a3c0cb465b4e81cb92c242de954e073acf9fd8f3384bda4c177e04d70132d4494f63a76a7de82f6c77beb295c43fd15c1cedafaaf8d01260b08c5ef9c244

Download Submit
C:\Windows\{7735A719-639F-4010-9E48-A7D6D9E4FC82}.exe

Filesize
180KB

MD5
bdf6cd5a2d838e7ae7f3dc21911aaa25

SHA1
e89db4a1af16ada854f9cd35e82c002be317f0ec

SHA256
3d66c9a247ee22332be2c75be436bdb203113fc259182129ccabdd67562b4531

SHA512
43eb2d8b5ce861e9805d9b152cd08a6cdfa9d04eadb559026338c131e635c009143bf566679a5e9d0fe98aa50c9c7e5c6cbc254351f7db846763de168d5bd2ee

Download Submit
C:\Windows\{7943B0A5-885D-4866-ADBC-EFCE8C3072D3}.exe

Filesize
180KB

MD5
c70d891d73129759d61e059726a7e49a

SHA1
9ece1bceac03ffdc1b92cc3976c90e6eea5601c9

SHA256
c40fc77b31d82eba1fd637d1e4f337904edb1c835a8ff7bd2dace6bb12aef6c9

SHA512
8cd42cb69e50ecbe34fba5de7dbcaf0b5c059d7a1d7e0c9b9330b1af99821d1d82cefabdff443461acf120012d47701692e8071b7cddbe03d0e3e388b415c1f5

Download Submit
C:\Windows\{8CFEC2E7-82B3-4ee8-9B22-AF5DDB69D21B}.exe

Filesize
180KB

MD5
aeec6e1112f9b16aee1511144d0a62a5

SHA1
382ce68835b0b55cc17e49be10f49f1274e0784b

SHA256
c69d9c5c41d2c1c9807ef535738dcde6a6577bf14329f877103a16b1cc14489d

SHA512
b37389bdf14b6febbe04cbbd64a59bb683b241981b66fb61919316c20f04a7af9b0aa9adbc1db8bc3302dec01d99ae8f37adc97dcd2b999ece8b8951459e7a4a

Download Submit
C:\Windows\{B90D2EF2-077C-4e44-A9E8-84CC796F919A}.exe

Filesize
180KB

MD5
2e455a4a543f145b5ba79d6f8156e1b7

SHA1
c79a714307a61ad7b4ad4a281154fdf736dd19be

SHA256
c466253be33ea603be602416526cd40f579133060c016e1b5609019dcd06c6ff

SHA512
f07981dd259694321ba5607f4b62a7143ff5220e41a4366271b0e607d099dc34acfca52bdf34888312902b4b29a03b24af3e0c1057b92ccf2529be3c6a881603

Download Submit
C:\Windows\{CB885DEA-F401-4c99-A7D6-D20EA50AD642}.exe

Filesize
180KB

MD5
7a8ce4a4c436dd17380948889c8d04f8

SHA1
a049c93aad76bcb6260685c83db39c39639b17bb

SHA256
5892b903a7e02c50423c96cbff6332589504c41566c460b7e6720c93231c18df

SHA512
bfd4057720de7d1ade04f735c3477e3756ceb81e34f24adcc02f969b6811b40bda9c98baed12d74377d4f0c57aae8afb3e77af4cd83fa5c492d360946e30b760

Download Submit
C:\Windows\{D3AE0B43-7604-405b-A7FE-1E5C237AA5F9}.exe

Filesize
180KB

MD5
f0baaf468b5f7e2704e7e2a3f178c232

SHA1
a4cd8c697fe7be9656dc32d4d14cc06864472888

SHA256
9e38e9af235d1fcb6ae4458b0a29e62a36037ad580d5d53984e57c55e8df6442

SHA512
6109ee0dce62588f5de6e465909e5feb6992dd97ecdd14e7aa63f7b49c41ccc77b76486c0f7f1648c617b00b9826048f5c4546f1256a5789d430ac0820ea5759

Download Submit
C:\Windows\{EA8DEF7F-8553-4dde-988B-36CB5EFAC51A}.exe

Filesize
180KB

MD5
abe33735915b5e3d70d0fc41c299a74f

SHA1
beac192a4441fb9b27162d2e54a496aaf66fcb56

SHA256
3b59931e0017a32064fad26ac149b8b333fac31270a10c4740a87c7f48685f9a

SHA512
71afbe59a0bda56b3464fe77c5fdad9bb02fd82fe38cf7e5ee2f34c9a2cad2d0fe7d9e24dabb2bada5711123696f2ec2313e7445687071354c6ac975e6aeae2f

Download Submit
C:\Windows\{F7BE7093-331B-4e1b-A41E-5A04BC7A514F}.exe

Filesize
180KB

MD5
8d30452a227c9687d67dec3c1759badb

SHA1
23fd0116f3505b2f9c6827046f12b28fc2f73a5c

SHA256
d6815588e5112d4b2f53234cd5b2bbf217ca8350fbc16ebe017c9235f686ff5e

SHA512
843b242f2b2a417ea1c515be9da6c52e974f866420cad734a35a605354081ea94b1b7a10fa7c7a84db843b529d8cd4607d16569a4d281dc4260309ecfeb2b833

Download Submit
C:\Windows\{FA564FA6-9901-4789-95A9-839E26EF4597}.exe

Filesize
180KB

MD5
ae467255db9daa5e76455b26008c55d1

SHA1
acbee633f5d1c74eba0757acf96364ef9f1d2cc3

SHA256
7d4fc86211f4fe4caa21da9a36269fa55857d3fbf6fbed1ed2bd1f92dc97007f

SHA512
d62210dd49619bfe3e5c10502424560f7a54e18aa6b895a51dc37efef5a2da08276dbb5b05c06501264ccf5d0b32af5f4e3d9f34f541dd319fcbf83f6c5f2870

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads