562b0fa87403e752d7216721bcb2f54e96fb42b061b51cdbab7defa313ec5e9b

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Size

372KB
MD5

8e05d8885ed3eccea509bc0119bb559b
SHA1

c8a5cf2e6828b25c151952acc70b4fd1a68bfb0e
SHA256

562b0fa87403e752d7216721bcb2f54e96fb42b061b51cdbab7defa313ec5e9b
SHA512

907b13e4eae0aaf9275a7928255ce810a8330d7fcac80cb5b005e4e9bf70cdbcbef9abc58913a00b371657d6a3b26174fd54ffa2d7a1f77547c80f3eede534a7
SSDEEP

3072:CEGh0o0lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGqlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A13C81E6-CEBE-4b43-A37F-54401B329408}	{506F4170-C1FD-4053-82DC-24038810B905}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9778760-D1C8-475e-A706-833F94662155}\stubpath = "C:\\Windows\\{B9778760-D1C8-475e-A706-833F94662155}.exe"	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C37B7185-A79E-484a-A4EE-7B56B312A50B}\stubpath = "C:\\Windows\\{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe"	{B9778760-D1C8-475e-A706-833F94662155}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}\stubpath = "C:\\Windows\\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe"	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}\stubpath = "C:\\Windows\\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe"	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}\stubpath = "C:\\Windows\\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe"	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A13C81E6-CEBE-4b43-A37F-54401B329408}\stubpath = "C:\\Windows\\{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe"	{506F4170-C1FD-4053-82DC-24038810B905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B837608-42B7-4d0e-9FF4-B7A85167127C}	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B837608-42B7-4d0e-9FF4-B7A85167127C}\stubpath = "C:\\Windows\\{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe"	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{998764EB-731B-4ea2-B681-E5A446868719}	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{998764EB-731B-4ea2-B681-E5A446868719}\stubpath = "C:\\Windows\\{998764EB-731B-4ea2-B681-E5A446868719}.exe"	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562206DC-AD02-40fe-8643-0812902AB68C}	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562206DC-AD02-40fe-8643-0812902AB68C}\stubpath = "C:\\Windows\\{562206DC-AD02-40fe-8643-0812902AB68C}.exe"	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506F4170-C1FD-4053-82DC-24038810B905}\stubpath = "C:\\Windows\\{506F4170-C1FD-4053-82DC-24038810B905}.exe"	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36B333F6-43F6-4558-81C2-DF9780590F20}	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58772494-D94C-4016-9E03-C49A19B4AACD}	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58772494-D94C-4016-9E03-C49A19B4AACD}\stubpath = "C:\\Windows\\{58772494-D94C-4016-9E03-C49A19B4AACD}.exe"	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{506F4170-C1FD-4053-82DC-24038810B905}	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36B333F6-43F6-4558-81C2-DF9780590F20}\stubpath = "C:\\Windows\\{36B333F6-43F6-4558-81C2-DF9780590F20}.exe"	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9778760-D1C8-475e-A706-833F94662155}	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C37B7185-A79E-484a-A4EE-7B56B312A50B}	{B9778760-D1C8-475e-A706-833F94662155}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe

Executes dropped EXE 12 IoCs

pid	Process
3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe
1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
508	{B9778760-D1C8-475e-A706-833F94662155}.exe
4580	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
4596	{998764EB-731B-4ea2-B681-E5A446868719}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
File created	C:\Windows\{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	{506F4170-C1FD-4053-82DC-24038810B905}.exe
File created	C:\Windows\{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
File created	C:\Windows\{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
File created	C:\Windows\{B9778760-D1C8-475e-A706-833F94662155}.exe	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
File created	C:\Windows\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
File created	C:\Windows\{562206DC-AD02-40fe-8643-0812902AB68C}.exe	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
File created	C:\Windows\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
File created	C:\Windows\{506F4170-C1FD-4053-82DC-24038810B905}.exe	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
File created	C:\Windows\{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
File created	C:\Windows\{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe	{B9778760-D1C8-475e-A706-833F94662155}.exe
File created	C:\Windows\{998764EB-731B-4ea2-B681-E5A446868719}.exe	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{998764EB-731B-4ea2-B681-E5A446868719}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{506F4170-C1FD-4053-82DC-24038810B905}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9778760-D1C8-475e-A706-833F94662155}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
Token: SeIncBasePriorityPrivilege	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe
Token: SeIncBasePriorityPrivilege	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
Token: SeIncBasePriorityPrivilege	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
Token: SeIncBasePriorityPrivilege	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe
Token: SeIncBasePriorityPrivilege	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
Token: SeIncBasePriorityPrivilege	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
Token: SeIncBasePriorityPrivilege	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
Token: SeIncBasePriorityPrivilege	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
Token: SeIncBasePriorityPrivilege	508	{B9778760-D1C8-475e-A706-833F94662155}.exe
Token: SeIncBasePriorityPrivilege	4580	{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3280	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	86
PID 1836 wrote to memory of 3280	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	86
PID 1836 wrote to memory of 3280	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	86
PID 1836 wrote to memory of 3016	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	87
PID 1836 wrote to memory of 3016	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	87
PID 1836 wrote to memory of 3016	1836	2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe	87
PID 3280 wrote to memory of 2660	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	88
PID 3280 wrote to memory of 2660	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	88
PID 3280 wrote to memory of 2660	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	88
PID 3280 wrote to memory of 1352	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	89
PID 3280 wrote to memory of 1352	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	89
PID 3280 wrote to memory of 1352	3280	{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe	89
PID 2660 wrote to memory of 2624	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	94
PID 2660 wrote to memory of 2624	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	94
PID 2660 wrote to memory of 2624	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	94
PID 2660 wrote to memory of 2400	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	95
PID 2660 wrote to memory of 2400	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	95
PID 2660 wrote to memory of 2400	2660	{562206DC-AD02-40fe-8643-0812902AB68C}.exe	95
PID 2624 wrote to memory of 2332	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	96
PID 2624 wrote to memory of 2332	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	96
PID 2624 wrote to memory of 2332	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	96
PID 2624 wrote to memory of 4228	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	97
PID 2624 wrote to memory of 4228	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	97
PID 2624 wrote to memory of 4228	2624	{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe	97
PID 2332 wrote to memory of 4608	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	98
PID 2332 wrote to memory of 4608	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	98
PID 2332 wrote to memory of 4608	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	98
PID 2332 wrote to memory of 4188	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	99
PID 2332 wrote to memory of 4188	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	99
PID 2332 wrote to memory of 4188	2332	{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe	99
PID 4608 wrote to memory of 1160	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	100
PID 4608 wrote to memory of 1160	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	100
PID 4608 wrote to memory of 1160	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	100
PID 4608 wrote to memory of 4060	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	101
PID 4608 wrote to memory of 4060	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	101
PID 4608 wrote to memory of 4060	4608	{506F4170-C1FD-4053-82DC-24038810B905}.exe	101
PID 1160 wrote to memory of 700	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	102
PID 1160 wrote to memory of 700	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	102
PID 1160 wrote to memory of 700	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	102
PID 1160 wrote to memory of 1644	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	103
PID 1160 wrote to memory of 1644	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	103
PID 1160 wrote to memory of 1644	1160	{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe	103
PID 700 wrote to memory of 696	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	104
PID 700 wrote to memory of 696	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	104
PID 700 wrote to memory of 696	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	104
PID 700 wrote to memory of 2096	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	105
PID 700 wrote to memory of 2096	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	105
PID 700 wrote to memory of 2096	700	{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe	105
PID 696 wrote to memory of 3484	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	106
PID 696 wrote to memory of 3484	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	106
PID 696 wrote to memory of 3484	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	106
PID 696 wrote to memory of 4256	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	107
PID 696 wrote to memory of 4256	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	107
PID 696 wrote to memory of 4256	696	{36B333F6-43F6-4558-81C2-DF9780590F20}.exe	107
PID 3484 wrote to memory of 508	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	108
PID 3484 wrote to memory of 508	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	108
PID 3484 wrote to memory of 508	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	108
PID 3484 wrote to memory of 2976	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	109
PID 3484 wrote to memory of 2976	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	109
PID 3484 wrote to memory of 2976	3484	{58772494-D94C-4016-9E03-C49A19B4AACD}.exe	109
PID 508 wrote to memory of 4580	508	{B9778760-D1C8-475e-A706-833F94662155}.exe	110
PID 508 wrote to memory of 4580	508	{B9778760-D1C8-475e-A706-833F94662155}.exe	110
PID 508 wrote to memory of 4580	508	{B9778760-D1C8-475e-A706-833F94662155}.exe	110
PID 508 wrote to memory of 220	508	{B9778760-D1C8-475e-A706-833F94662155}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8e05d8885ed3eccea509bc0119bb559b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
  C:\Windows\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\{562206DC-AD02-40fe-8643-0812902AB68C}.exe
    C:\Windows\{562206DC-AD02-40fe-8643-0812902AB68C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
      C:\Windows\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
        
        C:\Windows\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\{506F4170-C1FD-4053-82DC-24038810B905}.exe
        
        C:\Windows\{506F4170-C1FD-4053-82DC-24038810B905}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
        
        C:\Windows\{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
        
        C:\Windows\{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
        
        C:\Windows\{36B333F6-43F6-4558-81C2-DF9780590F20}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
        
        C:\Windows\{58772494-D94C-4016-9E03-C49A19B4AACD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{B9778760-D1C8-475e-A706-833F94662155}.exe
        
        C:\Windows\{B9778760-D1C8-475e-A706-833F94662155}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
        
        C:\Windows\{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\{998764EB-731B-4ea2-B681-E5A446868719}.exe
        
        C:\Windows\{998764EB-731B-4ea2-B681-E5A446868719}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C37B7~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9778~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58772~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36B33~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B837~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A13C8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{506F4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C12~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9DDE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56220~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{98A53~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B837608-42B7-4d0e-9FF4-B7A85167127C}.exe

Filesize
372KB

MD5
af0aca8ae087733f39542c66e049ef08

SHA1
dce4c62b642cb1280be7beb3bbd7d65ee33c8e68

SHA256
583900096c5ea3066c53f76fd8cab359953935a3acfcca619765be85ed78cca5

SHA512
f549a7d9ba2615a7c84da1388397d08c6d23aacd20c19a93582d136cb2027b9b7dc9dc7963572e72c096eeb34d07ee031f1b0b4b3211fd74d06a608f489529f0

Download Submit
C:\Windows\{36B333F6-43F6-4558-81C2-DF9780590F20}.exe

Filesize
372KB

MD5
969ee220c74dc2635e3baad903a19623

SHA1
55287255615062e5f51b290e8dc5110c77a3898c

SHA256
d6fe15d5c0ee8b9e22b96cd0cce1fac5ef43c68f21f2a926abdcecdeff45695e

SHA512
ad1b0a8e216c2e488ce8c26580079deda98e1e5de0435db7fbab65f8c155c748ca8b3adb3388b31e7784d70697fea0ccd5f908a72a7fded358e58c0cf0383df7

Download Submit
C:\Windows\{506F4170-C1FD-4053-82DC-24038810B905}.exe

Filesize
372KB

MD5
841664ff71d03ffeb5827738e9846657

SHA1
f0ffec97b0532116cadb52f8f619f9dd4e282f29

SHA256
545e2ab340b94a3ce5d17d649c917f21936c074f27c9516ead438608f53bf274

SHA512
1d9db430b01cce13cb52063c6057c694654c0ffdfa61558953985e2cfcee17c4195871c69da23b1aaedebeeacfef500f6a89587b459ce238adabccbbd0bbd63c

Download Submit
C:\Windows\{53C12B5B-71F9-41ee-96AC-8C3FA9FF36CB}.exe

Filesize
372KB

MD5
a9df24a54ce7cd9b34918b97f866aa39

SHA1
e5e0b27ee53703ccd30444b006439e00b33a1670

SHA256
28c6264f9240615a6b4f0f72618121ee3766e1a876108e6cd7f3dfbf17e7e9bd

SHA512
2b8c6db64302cae1191a62460f0c06d90c0ab35cceb45219a25c9dad88305f2beb2daed201b7488b60f7870d822c63d9ae7ab97e1c6f9028834a8e1699fb4fff

Download Submit
C:\Windows\{562206DC-AD02-40fe-8643-0812902AB68C}.exe

Filesize
372KB

MD5
d5d6151c49414b0b2f7229f9ea96315e

SHA1
622b3a3606cbbddd3a9639ee1e08384ccc31c894

SHA256
74f770b44935b15c57bfb18650c3b13ad6a1db0b79e46484afe46ae610d0dcf8

SHA512
16d3e66c7030f6d9555bb482e5f4bd5288ce01d61783c2531d63a5bd4a4f843f99929ae3f91d68744e9b1955470e6089ba01e8793139d5ac1b676cdeac1e6c47

Download Submit
C:\Windows\{58772494-D94C-4016-9E03-C49A19B4AACD}.exe

Filesize
372KB

MD5
2e58df4fdf97b78aeff60a1c3f79a08a

SHA1
31c56e638c8fdd194aedbad05a34000fb08673d1

SHA256
bf9341b9a11b414366c89bf344af8d13b067342221fc92635c2b605a79555935

SHA512
1b92f26d1d405e9b404d5d62848504a27b3985b083b8b879132c78e9d50b4653baeac3f335334720959a257584069f1344e50499574f2ec2fa47223a1b2265cd

Download Submit
C:\Windows\{98A53EA9-4C4A-4904-BD5E-2CF74755FFFD}.exe

Filesize
372KB

MD5
a947bc0a513f224a0e01bc546758c6f1

SHA1
798454c5a529c47a980f8d9ae99d149fa95f10fc

SHA256
573842893fbbb3163fe0b36f430f3f8cf859dd22026546f59d84ab8a31ea7e11

SHA512
3a46a5b8b5d1e11087651c0c7ba53df9a30d664aba633d43f16dd2589f9ad1f6be740ef43c0a4b8c9e894420abca4a8e18e44eb5cd8a1968f8ee2a078d697049

Download Submit
C:\Windows\{998764EB-731B-4ea2-B681-E5A446868719}.exe

Filesize
372KB

MD5
162a3317dee150db73fa4dd0f26b682e

SHA1
f05cff306ff3430eea6a520a1d89c86899a8f230

SHA256
09624e420c8b4277bc8c0974e6c1b0dd4d2dce0350b1051a7fb0c06419624a9d

SHA512
b95c20864c9916c1c258b329b1fcc862b1647000d8f62972495859bc45c3a549a07467af8fa1612555f3beb6c1ea7797375b5c0f7195e10325f3655bb0bec3ad

Download Submit
C:\Windows\{A13C81E6-CEBE-4b43-A37F-54401B329408}.exe

Filesize
372KB

MD5
82c6288efe34e225806146a41f1c0652

SHA1
bc74cd2ff7a1656da5e26cab04e05ae78ffb7561

SHA256
bf4887c5d7cdeb2dd1209263f1340f56173c14218a57122043f81d24a074bfe3

SHA512
ae0aad7dff0e443f7322888a13fe2b18b359c8aea5ce2149216eb7661c1a297eada8fc2b75f5b9d54b99256692eda07358966129409c9a0678a2c1764b0e14dc

Download Submit
C:\Windows\{B9778760-D1C8-475e-A706-833F94662155}.exe

Filesize
372KB

MD5
d2f20cd676f938960ffa7d75ee1a80f7

SHA1
1cc9250ff6494a4af02a4680486d29e8002a3bdc

SHA256
60b234cf3463f4bd7a7ef120f3273855aac7e2d7c853f063579b801a3662ed0b

SHA512
9facd6be2a123b0acd82d90611ce2b1bbd873f99458e319e3cb6de81408f7799dab3d944bc4625ab84f39eadc4cb386de432d790481ab47f91d6075d459a8cd6

Download Submit
C:\Windows\{B9DDE1A9-05BA-4850-BF20-8AF2814C94CA}.exe

Filesize
372KB

MD5
39f84c50a62a2883779327f19fec26c7

SHA1
50b83b9617d9394e494b72da10e0b2ed16c45f10

SHA256
910019c5e4c7d1708f2d7caffd692b2e302cf1de2d76242ee4c10bf43c412f49

SHA512
81296cee854ed2ef5b7ff5dfe2dc322f5664ad3e02383e0b5729ce59932853b0d571ec914c89dfd9c72d28cf6430fa49bd46be3a805a8efda549d931e8cdd032

Download Submit
C:\Windows\{C37B7185-A79E-484a-A4EE-7B56B312A50B}.exe

Filesize
372KB

MD5
e17b0c432e11218e38056cae0aee7138

SHA1
5a4cda85a4b2bf5b5ae2feb87fb64aedf589096d

SHA256
acd45e105b51a25ba528d944319a45b56e642ba89425d5f313267bb47b83803e

SHA512
d62ec43752a187785e464b2c0400e3ac907f637d3a75e9b5bba601e10b74c9ec39c30f48b92a65090724f710407b74f822ba7405aab6d24960b472a958255188

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads