2780164fc677ab6a193f468fe6f47304ca55d62e0e8806d8671c8edabb4a1e66

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
Size

380KB
MD5

fd3c6a313930318c5efcbfbeb0f36ee2
SHA1

7a615107b99a0ec7ecd710cf118103509ac28523
SHA256

2780164fc677ab6a193f468fe6f47304ca55d62e0e8806d8671c8edabb4a1e66
SHA512

671e56599fad16c3ded6229be4a5de7e1b1f1bea4b93930b62f44cc91d25197eeb94be9c1853521feb7ac84a2420f0b2fcb5dbe27f623e614440bf9258e8c5b6
SSDEEP

3072:mEGh0o9lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGTl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD224758-9A66-4833-9029-3E10B3025A1A}	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}\stubpath = "C:\\Windows\\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe"	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A9B396-F40D-4232-9220-6AD8866E0D25}	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55A9B396-F40D-4232-9220-6AD8866E0D25}\stubpath = "C:\\Windows\\{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe"	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C0C167D-1D1F-479a-940F-C06289EFA746}	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C0C167D-1D1F-479a-940F-C06289EFA746}\stubpath = "C:\\Windows\\{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe"	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B94C561-C513-4768-B160-9A22F957C3FC}	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}\stubpath = "C:\\Windows\\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe"	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD224758-9A66-4833-9029-3E10B3025A1A}\stubpath = "C:\\Windows\\{DD224758-9A66-4833-9029-3E10B3025A1A}.exe"	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C1776C0-1084-4497-82FC-30D621BB012D}	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}\stubpath = "C:\\Windows\\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe"	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}\stubpath = "C:\\Windows\\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe"	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}\stubpath = "C:\\Windows\\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe"	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B94C561-C513-4768-B160-9A22F957C3FC}\stubpath = "C:\\Windows\\{7B94C561-C513-4768-B160-9A22F957C3FC}.exe"	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59AA061-EDA5-4283-989F-79BE23A8E374}	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E59AA061-EDA5-4283-989F-79BE23A8E374}\stubpath = "C:\\Windows\\{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe"	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C1776C0-1084-4497-82FC-30D621BB012D}\stubpath = "C:\\Windows\\{7C1776C0-1084-4497-82FC-30D621BB012D}.exe"	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}\stubpath = "C:\\Windows\\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe"	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
2800	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
832	{7B94C561-C513-4768-B160-9A22F957C3FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
File created	C:\Windows\{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
File created	C:\Windows\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
File created	C:\Windows\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
File created	C:\Windows\{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
File created	C:\Windows\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
File created	C:\Windows\{7B94C561-C513-4768-B160-9A22F957C3FC}.exe	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
File created	C:\Windows\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
File created	C:\Windows\{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
File created	C:\Windows\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
File created	C:\Windows\{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
File created	C:\Windows\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B94C561-C513-4768-B160-9A22F957C3FC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
Token: SeIncBasePriorityPrivilege	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
Token: SeIncBasePriorityPrivilege	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
Token: SeIncBasePriorityPrivilege	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
Token: SeIncBasePriorityPrivilege	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
Token: SeIncBasePriorityPrivilege	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
Token: SeIncBasePriorityPrivilege	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
Token: SeIncBasePriorityPrivilege	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
Token: SeIncBasePriorityPrivilege	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
Token: SeIncBasePriorityPrivilege	4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
Token: SeIncBasePriorityPrivilege	2800	{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 1224	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	95
PID 3960 wrote to memory of 1224	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	95
PID 3960 wrote to memory of 1224	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	95
PID 3960 wrote to memory of 1400	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	96
PID 3960 wrote to memory of 1400	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	96
PID 3960 wrote to memory of 1400	3960	2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe	96
PID 1224 wrote to memory of 4228	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	97
PID 1224 wrote to memory of 4228	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	97
PID 1224 wrote to memory of 4228	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	97
PID 1224 wrote to memory of 2984	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	98
PID 1224 wrote to memory of 2984	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	98
PID 1224 wrote to memory of 2984	1224	{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe	98
PID 4228 wrote to memory of 1100	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	104
PID 4228 wrote to memory of 1100	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	104
PID 4228 wrote to memory of 1100	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	104
PID 4228 wrote to memory of 3636	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	105
PID 4228 wrote to memory of 3636	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	105
PID 4228 wrote to memory of 3636	4228	{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe	105
PID 1100 wrote to memory of 3448	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	110
PID 1100 wrote to memory of 3448	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	110
PID 1100 wrote to memory of 3448	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	110
PID 1100 wrote to memory of 3492	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	111
PID 1100 wrote to memory of 3492	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	111
PID 1100 wrote to memory of 3492	1100	{DD224758-9A66-4833-9029-3E10B3025A1A}.exe	111
PID 3448 wrote to memory of 3484	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	112
PID 3448 wrote to memory of 3484	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	112
PID 3448 wrote to memory of 3484	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	112
PID 3448 wrote to memory of 2984	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	113
PID 3448 wrote to memory of 2984	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	113
PID 3448 wrote to memory of 2984	3448	{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe	113
PID 3484 wrote to memory of 1504	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	115
PID 3484 wrote to memory of 1504	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	115
PID 3484 wrote to memory of 1504	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	115
PID 3484 wrote to memory of 4616	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	116
PID 3484 wrote to memory of 4616	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	116
PID 3484 wrote to memory of 4616	3484	{7C1776C0-1084-4497-82FC-30D621BB012D}.exe	116
PID 1504 wrote to memory of 4112	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	117
PID 1504 wrote to memory of 4112	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	117
PID 1504 wrote to memory of 4112	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	117
PID 1504 wrote to memory of 3776	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	118
PID 1504 wrote to memory of 3776	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	118
PID 1504 wrote to memory of 3776	1504	{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe	118
PID 4112 wrote to memory of 3612	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	119
PID 4112 wrote to memory of 3612	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	119
PID 4112 wrote to memory of 3612	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	119
PID 4112 wrote to memory of 3176	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	120
PID 4112 wrote to memory of 3176	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	120
PID 4112 wrote to memory of 3176	4112	{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe	120
PID 3612 wrote to memory of 1664	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	121
PID 3612 wrote to memory of 1664	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	121
PID 3612 wrote to memory of 1664	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	121
PID 3612 wrote to memory of 2096	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	122
PID 3612 wrote to memory of 2096	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	122
PID 3612 wrote to memory of 2096	3612	{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe	122
PID 1664 wrote to memory of 4736	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	123
PID 1664 wrote to memory of 4736	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	123
PID 1664 wrote to memory of 4736	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	123
PID 1664 wrote to memory of 3872	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	124
PID 1664 wrote to memory of 3872	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	124
PID 1664 wrote to memory of 3872	1664	{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe	124
PID 4736 wrote to memory of 2800	4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe	125
PID 4736 wrote to memory of 2800	4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe	125
PID 4736 wrote to memory of 2800	4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe	125
PID 4736 wrote to memory of 2664	4736	{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-26_fd3c6a313930318c5efcbfbeb0f36ee2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
  C:\Windows\{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
    C:\Windows\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
      C:\Windows\{DD224758-9A66-4833-9029-3E10B3025A1A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
        
        C:\Windows\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
        
        C:\Windows\{7C1776C0-1084-4497-82FC-30D621BB012D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
        
        C:\Windows\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
        
        C:\Windows\{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
        
        C:\Windows\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
        
        C:\Windows\{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
        
        C:\Windows\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
        
        C:\Windows\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{7B94C561-C513-4768-B160-9A22F957C3FC}.exe
        
        C:\Windows\{7B94C561-C513-4768-B160-9A22F957C3FC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA2C1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44CEA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C0C1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43DD3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55A9B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92369~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C177~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC1B3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD224~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF70~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E59AA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{43DD3FD1-0736-42cd-8376-2437EF69FCA7}.exe

Filesize
380KB

MD5
6529ad21a69daf5a206aa780e45b0c1d

SHA1
0b1e9cef85eb6f1c99340b9cddab8ca975d7db13

SHA256
2a7956139356e9f644bb4d9e3361f7da4c2b909c9bbc5b41cad113c264f4cd27

SHA512
5116b957994c61d74101452e5fa0d01dda22d3a6d4007f732e6f1b15cbb6f489089685d6d8c0555d2afe342ee80f481251a45070dd0e11d976ccdf38d29dd087

Download Submit
C:\Windows\{44CEA96F-65E8-4e23-9745-F6BC2C52FA2D}.exe

Filesize
380KB

MD5
2daf0efd63f7d43d6e4db557599805ed

SHA1
c1f93a74e69acd58bbf44970fe84b50896aa3d8c

SHA256
4de1b7b1f609b29cc4da3ae023bd6b663b5b997e12c52cfedc285eb8b797e62d

SHA512
4f1ef332badf2181bdef955ef5f3558f7d50c37391e9915b4618216759933166b03ff1681e02472c43249b5cc82d514b5bbc8bfce7a3507443c2191d73290c59

Download Submit
C:\Windows\{55A9B396-F40D-4232-9220-6AD8866E0D25}.exe

Filesize
380KB

MD5
9eda961f45f440a6954109b99786fb22

SHA1
25110352f9db8f480830847a4caf53e58aef6914

SHA256
dc76c66da7e6642c203ebd224b0bae9557cf45f92d304cba7e7f8c4a8908bdaa

SHA512
aa42d5993d2d3cd6dde1bb6c9498de37de7e361c2d4246849ace2f8b5f6c1080990d983eae58880cfeb5e5d7db23f478c29f0683411fe5869dd5b8cfe93bd82c

Download Submit
C:\Windows\{7B94C561-C513-4768-B160-9A22F957C3FC}.exe

Filesize
380KB

MD5
af5b8eff85f11bd5817938c570facda9

SHA1
3aee05038db496cdef459eb47e4da9c8305f8e23

SHA256
c71078ab1be4b6cf225f54d3664fde3a15ed98715ac31c5082233329c3452c6b

SHA512
5714bf4a8c89faab3cf1c15958415dce4840df6d59ad6f208a3205a0beda160fbd6e9aa7d9b71d5c66fc52b823b1b2700f60e4ca41a0197c323cd5d12d7f031b

Download Submit
C:\Windows\{7C0C167D-1D1F-479a-940F-C06289EFA746}.exe

Filesize
380KB

MD5
d6cb3348c13781469b3ee492725fa0bb

SHA1
4795a15800b5c217b57265c2498138699709f839

SHA256
ec017d3cd2f09d1e88064ea846c86cb128bac108e28a48545f28b9c57ef239c4

SHA512
0ab4a351b41bae31e03b93f798d171ba722cfa1718085e13823e70f94fb059978f95060ebf05d7123f9123473ece69d981b965ff0541eff5208d81d6b4a62e9b

Download Submit
C:\Windows\{7C1776C0-1084-4497-82FC-30D621BB012D}.exe

Filesize
380KB

MD5
dba9f82d5e256b520f460ba9415f9617

SHA1
1425f4f16aeee658a92ae8cc7030bdd142ca3de7

SHA256
6d7e8f1ff5f9f4ab125f93ca46209b3b2de873659b307967c96eb33e3edecde9

SHA512
990e7a3088c952987199b7ef35bfe750e74d4053d3845b06f79f0bb50a4350f04f01fe752a9164b25f340264a9490f1467c52d0337373fd87ecd965547c06ac9

Download Submit
C:\Windows\{9236926B-662F-4ff1-B2EB-56BDCB6CF8E1}.exe

Filesize
380KB

MD5
dbaadc2bf0e752a2d36621a851f00418

SHA1
3e1faef7eef50bf2e31e638003b53a9b1d73a711

SHA256
3e34ce4f223c081c9d839572e38ae9b6958a703eb320c9a2f3fee89731570b78

SHA512
a32b042886d3f65c8bc743ad2ac81e7c041299a90389190884ca7765db1cd129992be5b149d5b7038abc88185f19ff81af3c01cb69bbbf025b8f4a3d21ad76bf

Download Submit
C:\Windows\{BA2C1825-A9E1-4d8b-B0C4-01EDED29FCE1}.exe

Filesize
380KB

MD5
d3e2fa5f41b294e708bbb6ceb79d08e5

SHA1
31923bd319239f36ea816aa2d74516cd7d22ad38

SHA256
950db9e93d0a6dabdd1747c582ef9aeb9bfa4fda64630549f56d2146e2b6d3d4

SHA512
363029341a6f7bf0979c2382da142be1e82a712aa5127cf4be4c24fece2a2ec67727fcaf2ed9d99655674a96edd07ed4a1115f34f39680473ad4de5edcdfc3ba

Download Submit
C:\Windows\{DBF703C6-F8B3-46fb-BC92-22492590E1ED}.exe

Filesize
380KB

MD5
2af7efb29ce8a7c9fa478f34557fc579

SHA1
9ec818bedb17000636866f65a421a6c353f608e7

SHA256
12be686a6f2ecdaf3c7d6e0eb820338a892add1af0614f8a173bcc12c23e3822

SHA512
ae0a8d36e448a5553dc0248854f9c6e0ed79c78cd973924d3c0608fd94619b3d480da6edb0c3402e2784e3d3d497534c17feca1132e48ea348a31764a96a6697

Download Submit
C:\Windows\{DD224758-9A66-4833-9029-3E10B3025A1A}.exe

Filesize
380KB

MD5
0ea97693ea21258343cf9adf6b7c33f3

SHA1
7cb415b17b4fc1d1c4d03b673c17c2fdb138b95c

SHA256
fbbc46e8e02b57fd5e0c3772b4f773d7e7d5f1119bec5c81472af01f2b8ecc45

SHA512
d9c77b38aee13de2677c96a7ccccf86878f60e73ddc0ed23b19a562d5b8ba504856e0a50b31528ece5b67e73db3f3d2c886f2cdd575a767155fccae1a118e8ac

Download Submit
C:\Windows\{E59AA061-EDA5-4283-989F-79BE23A8E374}.exe

Filesize
380KB

MD5
9f48243f517eac1790c405f27129c102

SHA1
705e75665a55d78a1e60cfa4acae0b908dc236c9

SHA256
39fa10a3820921f1723efb177ce9270a787670dcc71606b6fe3764774463ef1a

SHA512
4c27eb1f728dd69142c5327187ac3b8f81079b32d69c073fb682e2694cf1ca99d3b9f8c197964ad173c0dcdd6d85864d42c9bac8f2c4717e3d3985753d7f2220

Download Submit
C:\Windows\{FC1B37BC-2E1D-4a44-A1B0-D64B73E9E8EE}.exe

Filesize
380KB

MD5
c6043dc1c544b9c0bd6d1e7ff2e420ce

SHA1
ffd911113ba47dc5427bb44e1ff869b4a0ac7e26

SHA256
39084027f8e54a527281f9a892899242166aad9e0aec4eba74bbfa43292a4bea

SHA512
a79de74b50bf42f8d8ad278ec5562c91a83cb5a31f41d632c97a4772695c7262dc8fe2e065edc745a933d1c3eaae39c76d750b2f4ef78130c692904d8e5d14be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads