a4a7c3e8c12a14daccd364d993129287e42624d10be9e2d2a118a9b31d605ce0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Size

372KB
MD5

29e33d1018a51c797dd2558a73257718
SHA1

71e289a51a4c299fb0bfd318f2ff899dd04550cd
SHA256

a4a7c3e8c12a14daccd364d993129287e42624d10be9e2d2a118a9b31d605ce0
SHA512

adaa41d1111bd8009333f340b470a127da64bd24f8c23347c491adc8cbcb87fbbd09d8ab1306ab1df38a36292219cdf81e1ff51d8eb533f3d744900eac4e7bee
SSDEEP

3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGal/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}\stubpath = "C:\\Windows\\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe"	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597F63D-CC40-4aef-A288-E316CDCC2F19}\stubpath = "C:\\Windows\\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe"	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C5646F6-96D5-4da4-8167-CEB25437AE67}	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C5646F6-96D5-4da4-8167-CEB25437AE67}\stubpath = "C:\\Windows\\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe"	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60EC8A1C-52DB-4dc2-A814-F1872344F240}\stubpath = "C:\\Windows\\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe"	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}\stubpath = "C:\\Windows\\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe"	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49D16094-4C8C-4b38-BF91-5C706DF19A44}\stubpath = "C:\\Windows\\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe"	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}\stubpath = "C:\\Windows\\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe"	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49697217-31F5-4509-B55B-E2EE271D084E}\stubpath = "C:\\Windows\\{49697217-31F5-4509-B55B-E2EE271D084E}.exe"	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49697217-31F5-4509-B55B-E2EE271D084E}	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60EC8A1C-52DB-4dc2-A814-F1872344F240}	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}\stubpath = "C:\\Windows\\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe"	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49D16094-4C8C-4b38-BF91-5C706DF19A44}	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}\stubpath = "C:\\Windows\\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe"	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}\stubpath = "C:\\Windows\\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe"	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C437104-4C83-4af6-AE0C-9439E8DC3132}	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C437104-4C83-4af6-AE0C-9439E8DC3132}\stubpath = "C:\\Windows\\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe"	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8597F63D-CC40-4aef-A288-E316CDCC2F19}	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe

Executes dropped EXE 12 IoCs

pid	Process
4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
4748	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
844	{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
File created	C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
File created	C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
File created	C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
File created	C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
File created	C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
File created	C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
File created	C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
File created	C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
File created	C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
File created	C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
File created	C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
Token: SeIncBasePriorityPrivilege	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
Token: SeIncBasePriorityPrivilege	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
Token: SeIncBasePriorityPrivilege	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
Token: SeIncBasePriorityPrivilege	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe
Token: SeIncBasePriorityPrivilege	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
Token: SeIncBasePriorityPrivilege	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
Token: SeIncBasePriorityPrivilege	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
Token: SeIncBasePriorityPrivilege	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
Token: SeIncBasePriorityPrivilege	4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
Token: SeIncBasePriorityPrivilege	4748	{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 4100	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	97
PID 788 wrote to memory of 4100	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	97
PID 788 wrote to memory of 4100	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	97
PID 788 wrote to memory of 228	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	98
PID 788 wrote to memory of 228	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	98
PID 788 wrote to memory of 228	788	2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe	98
PID 4100 wrote to memory of 3096	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	101
PID 4100 wrote to memory of 3096	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	101
PID 4100 wrote to memory of 3096	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	101
PID 4100 wrote to memory of 3780	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	102
PID 4100 wrote to memory of 3780	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	102
PID 4100 wrote to memory of 3780	4100	{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe	102
PID 3096 wrote to memory of 1820	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	107
PID 3096 wrote to memory of 1820	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	107
PID 3096 wrote to memory of 1820	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	107
PID 3096 wrote to memory of 2368	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	108
PID 3096 wrote to memory of 2368	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	108
PID 3096 wrote to memory of 2368	3096	{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe	108
PID 1820 wrote to memory of 4908	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	109
PID 1820 wrote to memory of 4908	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	109
PID 1820 wrote to memory of 4908	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	109
PID 1820 wrote to memory of 4980	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	110
PID 1820 wrote to memory of 4980	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	110
PID 1820 wrote to memory of 4980	1820	{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe	110
PID 4908 wrote to memory of 1028	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	112
PID 4908 wrote to memory of 1028	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	112
PID 4908 wrote to memory of 1028	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	112
PID 4908 wrote to memory of 4368	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	113
PID 4908 wrote to memory of 4368	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	113
PID 4908 wrote to memory of 4368	4908	{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe	113
PID 1028 wrote to memory of 5040	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	115
PID 1028 wrote to memory of 5040	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	115
PID 1028 wrote to memory of 5040	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	115
PID 1028 wrote to memory of 636	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	116
PID 1028 wrote to memory of 636	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	116
PID 1028 wrote to memory of 636	1028	{49697217-31F5-4509-B55B-E2EE271D084E}.exe	116
PID 5040 wrote to memory of 5084	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	117
PID 5040 wrote to memory of 5084	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	117
PID 5040 wrote to memory of 5084	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	117
PID 5040 wrote to memory of 632	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	118
PID 5040 wrote to memory of 632	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	118
PID 5040 wrote to memory of 632	5040	{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe	118
PID 5084 wrote to memory of 5080	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	121
PID 5084 wrote to memory of 5080	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	121
PID 5084 wrote to memory of 5080	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	121
PID 5084 wrote to memory of 2288	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	122
PID 5084 wrote to memory of 2288	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	122
PID 5084 wrote to memory of 2288	5084	{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe	122
PID 5080 wrote to memory of 3908	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	126
PID 5080 wrote to memory of 3908	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	126
PID 5080 wrote to memory of 3908	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	126
PID 5080 wrote to memory of 2456	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	127
PID 5080 wrote to memory of 2456	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	127
PID 5080 wrote to memory of 2456	5080	{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe	127
PID 3908 wrote to memory of 4244	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	131
PID 3908 wrote to memory of 4244	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	131
PID 3908 wrote to memory of 4244	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	131
PID 3908 wrote to memory of 3436	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	132
PID 3908 wrote to memory of 3436	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	132
PID 3908 wrote to memory of 3436	3908	{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe	132
PID 4244 wrote to memory of 4748	4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe	133
PID 4244 wrote to memory of 4748	4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe	133
PID 4244 wrote to memory of 4748	4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe	133
PID 4244 wrote to memory of 1688	4244	{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-18_29e33d1018a51c797dd2558a73257718_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
  C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
    C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
      C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
        
        C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe
        
        C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
        
        C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
        
        C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
        
        C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
        
        C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
        
        C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
        
        C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe
        
        C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FBBB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E17A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60EC8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C564~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8597F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BB93~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49697~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D84EC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F7F3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E8C2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49D16~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E8C2352-A099-4027-AE91-C8E2CFDEE0C1}.exe

Filesize
372KB

MD5
baf191d8aa354c990f6d6b2c207fe899

SHA1
862110a5cfd54ba2e82e05379f04e0acfe4987b8

SHA256
8fa4d251ae796cdc486aaaeff37ba71620cb646ffb112f895d4d325582126fb3

SHA512
26b82a4c96be0768c162ac943cb01edf72d86b757e2e76cd89b525131c4d4df462c277e6e001ea37c7a13ec11a9016e781343b0b5b0598b4b54090b7335f0d2c

Download Submit
C:\Windows\{2BB9311F-A976-4a54-97D7-3FFF4CBAC63F}.exe

Filesize
372KB

MD5
d4cc310576f59f4ff7cb9589cf9a267c

SHA1
e763d6a5f80cc35047fd2b87615d0030dfc81898

SHA256
005aa4afe89946201ec85ffc17944294bd78a9fe8198f37bb081af359d37fbcc

SHA512
5df2f6bc69b027390224340b2a975fb406659e80e3ca71e0b6e3b802ee7bb774b586872482815d4813f22a2b7220cd0eeb18b41d2734a1c3bdeb8c9f63c28c6b

Download Submit
C:\Windows\{49697217-31F5-4509-B55B-E2EE271D084E}.exe

Filesize
372KB

MD5
dc6b90c986851ae1d344435f2639c9ec

SHA1
49763132ca4d5f63d65e27bbce1aab42def7223b

SHA256
b0675fde7b25fbc351b9ae2ca1600418a59308164f41136578b31c9d28de9fe4

SHA512
91acaa6bfd74c379b6c1c503a7a27327c2f80a0a1b0d2a98835b65382630c30a60240318f57282ac0a272fbb39f371b5067e213ada8e8bead94610795b62846d

Download Submit
C:\Windows\{49D16094-4C8C-4b38-BF91-5C706DF19A44}.exe

Filesize
372KB

MD5
bb65461dea29ed9cb2064ed3addecca8

SHA1
527c1aa111d277641ffe4c8ea77375a0704b352c

SHA256
07b9805f521eaa0535e0630c5d8963e70957b2a9bbb4d7c35e3055660bcb13e0

SHA512
1092b61e807bfb2f1ea39323f19afd48ca0f3bfa90ab48f31d266ea5df6901a0bfcf14b7256c878c78726114bd26d4d028bfccc22899830fb29bef99a251347e

Download Submit
C:\Windows\{60EC8A1C-52DB-4dc2-A814-F1872344F240}.exe

Filesize
372KB

MD5
445f104c73c77bfcaee521ee8858266f

SHA1
ef561478d3e2a977db1b0f11545f65aa0c3625c3

SHA256
2b3ffdfe10bdf6ef69bba359344f191af40562b87641068036f295471bf302a8

SHA512
9dcb9a3fdd0dea81c5c32d959176639dedb3fa81bb0960fbf6de1751fc909d62704904217c67ceed3433740c5a6fd858aba8260da3687edc47e4068553ba2b8c

Download Submit
C:\Windows\{7E17A73A-5EEE-416c-865B-F33866EC6A4E}.exe

Filesize
372KB

MD5
183c5d30d1c79d5692957103d58ac090

SHA1
17a3de5d602016438fb3cacd6239ca7da008146c

SHA256
416482ab054aaf2c48700784256504fc30de1dd8592e4b08c45ba97b0c086c3c

SHA512
c9a58dcc76838cd32115f2eb5680ae5d7e8e2c2bf1ed23765024334014811e749d280b36e8bcfa03d2ed1f2bd6ca6b61032f0ed7ae8aabd907ca48bc155e486d

Download Submit
C:\Windows\{7F7F32DC-D3E9-4fe8-A644-68EFD6A7829D}.exe

Filesize
372KB

MD5
3e754efa1282ebcdcfcf3a40656d0918

SHA1
e4148cfedac59a71b2c6a18d800b91f88ddaeb27

SHA256
be80f851d688377c40a31b3aa04ad31e0d613253668b01d008e1e48993aaf8ab

SHA512
3c0bb1a0ff8f684508035a5821d8def85cb4dd035ed79c56f8c7d4eda71fa8942497d7b453864b72e5d436023328da3d74e5c17456fda6625d1ee75693f7dd11

Download Submit
C:\Windows\{8597F63D-CC40-4aef-A288-E316CDCC2F19}.exe

Filesize
372KB

MD5
73541af781da2c0955dc834a9da6d876

SHA1
b0c717baebe0be0a1a113b984953992dc7533072

SHA256
a18f0d4f8989c6658d8c10529aa9994ee764da1aa5abd17937108d1257e428dc

SHA512
9e541d0e280e6f558d0b52bf392b55bee640c99e9f24e3123d6b3faed6a44478a05fc837ea37d367c8241bc4e2229a91f93ac140a9fc8c531336c5097826d6f8

Download Submit
C:\Windows\{8C437104-4C83-4af6-AE0C-9439E8DC3132}.exe

Filesize
372KB

MD5
f37b0e2a7bb0cc3dc8ce21ca2ca7deb7

SHA1
8aea99439d49e9ce1e1a700c802c3e80e59db9ef

SHA256
bfa422a81908dc73526e4a454abe12c14da8d141fabf99ab24b6ffbc819d4930

SHA512
fc635eee799f4bfd6c3ee581b28d35573711c0569e2fd0c5f536ade1cfae5b6ca54ae670d949b6fe1b8b9d7cd7ad6f13292b60a51e0e6d6b17cb610820fd8820

Download Submit
C:\Windows\{8C5646F6-96D5-4da4-8167-CEB25437AE67}.exe

Filesize
372KB

MD5
02933f42539db5384ebcdc4ba85dd1f3

SHA1
d5dfc07588061763debd9f4d78167faa68c0bafb

SHA256
5a448ff9c073248f5c4a8c684885433a687d0bb8cfeba8e24d6595ad59c1164c

SHA512
7a290a80cf1d71d5b1ca30741c8bcaf6c5368e6c309cface8c3dcf20e02a5563006b13c3f9bff8f5be208c627489a660a6bc2ed87add1d7c89642b19dc6bb535

Download Submit
C:\Windows\{8FBBB013-3DE9-4509-A4F8-DC4656CD17ED}.exe

Filesize
372KB

MD5
e1739f4c074fd22be242fd06e8c407b2

SHA1
bcd8e746de67c73775424009b38dd6dfaa392829

SHA256
47aaaf0a53745a778ba38135701cf4c285179a66bca31f287cf6b562f866b971

SHA512
c0f68179ed7ba6ae1b30ab799a477db9796c9f6e7d8e4c8211c1abf2a28c02b50166d025d156c586d2d35bf8c920a47c0e4b5a359aa31a8624eeca04dafec7b7

Download Submit
C:\Windows\{D84EC1E4-1BC0-4623-AE69-9D14B2CDD7FE}.exe

Filesize
372KB

MD5
8f634c12933311ce0564c50da168d50e

SHA1
313d8980b73e838eacdaa8db375cc7ca7838f83b

SHA256
c2f8d9cbbf64fac8876b5cee4b636400998c74b1eeb62357ec3d821b6db3304e

SHA512
af1fb6daf1e56ca790e19da8af6e3fdb70d75fefff5ff95fd9fc10104e1549d30c61ef096329cd279409a36ee3f67ce8ced037006d7d0421c0942119b5813867

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads