5bb7440516e3b3731f369d1f59ca931ed70b5b39046be256c9f580ec3fc47687

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Size

197KB
MD5

b02982e3a826bf6946efc2eb03968696
SHA1

dfda6caca85bef49937bfb2a00535d3fe49a4390
SHA256

5bb7440516e3b3731f369d1f59ca931ed70b5b39046be256c9f580ec3fc47687
SHA512

54af5a1c71dbfccbf5b710459a69cc121dec6398509e69b52b1f1fdb6f39b5f1dd76446ddd599b595bdedc80512763a2e0ec4643c88af9e01fd48e773523e7e9
SSDEEP

3072:jEGh0oql+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGElEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E725F8F0-DC09-4769-96C0-DBBDE9194431}	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}\stubpath = "C:\\Windows\\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe"	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}\stubpath = "C:\\Windows\\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe"	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}\stubpath = "C:\\Windows\\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe"	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E725F8F0-DC09-4769-96C0-DBBDE9194431}\stubpath = "C:\\Windows\\{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe"	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}\stubpath = "C:\\Windows\\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe"	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}\stubpath = "C:\\Windows\\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe"	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}\stubpath = "C:\\Windows\\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe"	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33208843-79D1-4ae4-AFCA-E6D6799642E5}\stubpath = "C:\\Windows\\{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe"	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}\stubpath = "C:\\Windows\\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe"	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E4589D-517D-4125-85FA-A0D65100CCA6}	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}\stubpath = "C:\\Windows\\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe"	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262B8CD3-E358-4673-8D17-7E13F29FAE27}	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{262B8CD3-E358-4673-8D17-7E13F29FAE27}\stubpath = "C:\\Windows\\{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe"	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33208843-79D1-4ae4-AFCA-E6D6799642E5}	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90E4589D-517D-4125-85FA-A0D65100CCA6}\stubpath = "C:\\Windows\\{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe"	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
3740	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
3412	{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
File created	C:\Windows\{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
File created	C:\Windows\{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
File created	C:\Windows\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
File created	C:\Windows\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
File created	C:\Windows\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
File created	C:\Windows\{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
File created	C:\Windows\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
File created	C:\Windows\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
File created	C:\Windows\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
File created	C:\Windows\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
File created	C:\Windows\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
Token: SeIncBasePriorityPrivilege	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
Token: SeIncBasePriorityPrivilege	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
Token: SeIncBasePriorityPrivilege	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
Token: SeIncBasePriorityPrivilege	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
Token: SeIncBasePriorityPrivilege	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
Token: SeIncBasePriorityPrivilege	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
Token: SeIncBasePriorityPrivilege	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
Token: SeIncBasePriorityPrivilege	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
Token: SeIncBasePriorityPrivilege	4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
Token: SeIncBasePriorityPrivilege	3740	{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4580	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	86
PID 2320 wrote to memory of 4580	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	86
PID 2320 wrote to memory of 4580	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	86
PID 2320 wrote to memory of 320	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	87
PID 2320 wrote to memory of 320	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	87
PID 2320 wrote to memory of 320	2320	2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe	87
PID 4580 wrote to memory of 2000	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	88
PID 4580 wrote to memory of 2000	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	88
PID 4580 wrote to memory of 2000	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	88
PID 4580 wrote to memory of 4876	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	89
PID 4580 wrote to memory of 4876	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	89
PID 4580 wrote to memory of 4876	4580	{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe	89
PID 2000 wrote to memory of 3424	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	92
PID 2000 wrote to memory of 3424	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	92
PID 2000 wrote to memory of 3424	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	92
PID 2000 wrote to memory of 2204	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	93
PID 2000 wrote to memory of 2204	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	93
PID 2000 wrote to memory of 2204	2000	{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe	93
PID 3424 wrote to memory of 428	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	96
PID 3424 wrote to memory of 428	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	96
PID 3424 wrote to memory of 428	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	96
PID 3424 wrote to memory of 1552	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	97
PID 3424 wrote to memory of 1552	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	97
PID 3424 wrote to memory of 1552	3424	{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe	97
PID 428 wrote to memory of 1032	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	98
PID 428 wrote to memory of 1032	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	98
PID 428 wrote to memory of 1032	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	98
PID 428 wrote to memory of 4496	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	99
PID 428 wrote to memory of 4496	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	99
PID 428 wrote to memory of 4496	428	{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe	99
PID 1032 wrote to memory of 1544	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	100
PID 1032 wrote to memory of 1544	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	100
PID 1032 wrote to memory of 1544	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	100
PID 1032 wrote to memory of 1124	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	101
PID 1032 wrote to memory of 1124	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	101
PID 1032 wrote to memory of 1124	1032	{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe	101
PID 1544 wrote to memory of 2688	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	102
PID 1544 wrote to memory of 2688	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	102
PID 1544 wrote to memory of 2688	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	102
PID 1544 wrote to memory of 1080	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	103
PID 1544 wrote to memory of 1080	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	103
PID 1544 wrote to memory of 1080	1544	{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe	103
PID 2688 wrote to memory of 1152	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	104
PID 2688 wrote to memory of 1152	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	104
PID 2688 wrote to memory of 1152	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	104
PID 2688 wrote to memory of 4428	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	105
PID 2688 wrote to memory of 4428	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	105
PID 2688 wrote to memory of 4428	2688	{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe	105
PID 1152 wrote to memory of 4400	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	106
PID 1152 wrote to memory of 4400	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	106
PID 1152 wrote to memory of 4400	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	106
PID 1152 wrote to memory of 2084	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	107
PID 1152 wrote to memory of 2084	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	107
PID 1152 wrote to memory of 2084	1152	{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe	107
PID 4400 wrote to memory of 4372	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	108
PID 4400 wrote to memory of 4372	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	108
PID 4400 wrote to memory of 4372	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	108
PID 4400 wrote to memory of 1096	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	109
PID 4400 wrote to memory of 1096	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	109
PID 4400 wrote to memory of 1096	4400	{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe	109
PID 4372 wrote to memory of 3740	4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe	110
PID 4372 wrote to memory of 3740	4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe	110
PID 4372 wrote to memory of 3740	4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe	110
PID 4372 wrote to memory of 8	4372	{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b02982e3a826bf6946efc2eb03968696_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
  C:\Windows\{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
    C:\Windows\{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
      C:\Windows\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
        
        C:\Windows\{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
        
        C:\Windows\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
        
        C:\Windows\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
        
        C:\Windows\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
        
        C:\Windows\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
        
        C:\Windows\{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
        
        C:\Windows\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
        
        C:\Windows\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe
        
        C:\Windows\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2AE3~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B8B0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90E45~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF6F4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E687C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D56D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BCE0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33208~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1F1A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{262B8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E725F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{262B8CD3-E358-4673-8D17-7E13F29FAE27}.exe

Filesize
197KB

MD5
ee52ff8377f0ecc84f4a4692a5532e6b

SHA1
67bb812ce988c3e1b2c2ad32ca79e520dd2570b2

SHA256
c4d35ce36568be5e3ea4e784c1859def400fff2a689d191e689f5c164c5be82c

SHA512
29e059130377045254307b747cc12b2d2dba9236383849135cd50489141d3777fd1904490b2b6a48cc7326ab9d2e543c9e2da5648adc31009bccbddb5385b73b

Download Submit
C:\Windows\{2D56D6C4-1782-46a5-B066-A248A2CBCC67}.exe

Filesize
197KB

MD5
9c4b6114bb5d28f0e216a00c73528cf1

SHA1
bb7fb8f6c45c75362746c8dcb68d27a77e3f4a57

SHA256
4c97c1a08ca289a45a6d6ff6e202f5e5b4d8ebed47270280a9b05231fab0c8fb

SHA512
672ea085ddbb729587bbcebc2de28d92ed9dd07fcafe558bc952d226180e497e60808e5e1b77c80191089fc97d29c023e0928848b04c6de8657e861f1683c4a1

Download Submit
C:\Windows\{33208843-79D1-4ae4-AFCA-E6D6799642E5}.exe

Filesize
197KB

MD5
cb5f5eb28be3035ddd09dd09d6bfefea

SHA1
923312597a43535bc9c51a8fc05012654a687595

SHA256
b4d44be86a65ef2953ac9242a0d07afa6446a760a6558101191b2b00836194de

SHA512
5d802e050c93eca6427c582de8bae0756eebe1589e87cc6985d696345a65336f68e7f934bc4897295d47c33ba33fda294eb379b92f09572ba807aa3d8b36d94f

Download Submit
C:\Windows\{3BCE0726-F586-41cd-B2CC-74C92E8D0D55}.exe

Filesize
197KB

MD5
9df132a52b9c07b6aff9788f803dde91

SHA1
fb0cb436927aed2563a67cd4d82ca5edc4afdc43

SHA256
38d033ffe7edda9df878461706a114f0f73937d29af26a8ce7d00152a0f17efe

SHA512
86532dd2a352b1b641c4105f76b0ddd25da113ecb6040691b4328a11ff2c0df34cb89a8e2c7eac7a1a34b35682f5b2b1a5c20b7da27a26249df9b0e9ee8ae1d6

Download Submit
C:\Windows\{669B3D3A-5F1B-4d18-AACD-C192ACE7BB1A}.exe

Filesize
197KB

MD5
1307464a9602284dde81d5999132e756

SHA1
8f47a099dd460f310aac246bae02ee10ff7a816b

SHA256
e397d5e8b18f472e4c234fd959cf1c7b7d6958bfb932201f8144e0641aa90460

SHA512
de987fdd18b3e448196cc84b573374f0fbdd618321905c05596f1145c6997d490fd90c539e0a89b58ddc4a422138eb8d817ba593bb5bd5353b782c869d582a93

Download Submit
C:\Windows\{6B8B05E5-2C64-4e22-B3E4-39C900F60CDD}.exe

Filesize
197KB

MD5
11f760f1b8f45ded9d79b5bf1933ec57

SHA1
0a10ec68a1381e7e12281cf186758f41d189ffd3

SHA256
d8576d263f6895bbab8c879fb93bf32d5738fdda7c780bd171f626c7fcffc09e

SHA512
36b02b8c484d69dc2b23fd7e1695f8b98bbdd42c494181c2e4ea1fd0a9b51bb93355eadd066179bd90ccb0f8af6ae9879a2e2494705e5dd11df5ca2316afd055

Download Submit
C:\Windows\{90E4589D-517D-4125-85FA-A0D65100CCA6}.exe

Filesize
197KB

MD5
6548483c18ff0836dcd15321ecd49004

SHA1
aeebd83f46cb812dfe529e69898cc2c7539446af

SHA256
4b9a5497ca5b21ee3c73fcacba45147bc851c89233798fdacc39ecb626bec47f

SHA512
507b8618bdcb23fc6d250be84fc01fe92177425cbbfc7fa52140fd64a36f89e139eb89e5f6ab17241b5d2ae05f8b19f91e02c85c4d6730dbc716502b1fc4b25e

Download Submit
C:\Windows\{E1F1ADE5-E612-4d68-9373-4CDBBEC5C843}.exe

Filesize
197KB

MD5
09f34a1c2469e5eed8bd212949c97f9d

SHA1
4244f756b9ca6ac4b3fe9d42d5335fab92e81c21

SHA256
e6be5d82007b70a215e2f9d728be7a52d0de750b2bc93855df4dfb0dd3cc477a

SHA512
1ca6e223f3e749689031f0d2989f43e67e6dd9207358b06d1a7abf6bac4f09a9b31de59320a9da7d436ccfe4fc1b78dfda0992abfb3a01789ccef59c3f49b053

Download Submit
C:\Windows\{E2AE35F4-2A6C-485d-92A3-FCB1C8F406B3}.exe

Filesize
197KB

MD5
25dcacd2c655a5fc4d6f76ad7c74cd57

SHA1
2e5bacf84033974eba753630650efb402440e5bd

SHA256
5a8dffe006864aec4d3cd3684c5f598aeb63e75bbb161584b5523fc20c7705ec

SHA512
6cd36273221f86069b338e674803d6fe0414a7ce72b834b568ac4ec7fcc7719ac39ff56b3fd61c5a5ca0f3c9ac13db5fe5ef9725a27b8fcf7e5755a8b86e9089

Download Submit
C:\Windows\{E687C646-5B7D-45ca-AD87-96C7358E2D3B}.exe

Filesize
197KB

MD5
3c1cabfbb2f71e3f92411366bb7cc338

SHA1
0ab2b6c88a006300bbe16b21bd5e74240cb3ec7d

SHA256
0684d1b1a26d4a5bd4eea4c651f1efbb56b4ab601b9d6822152f0a7bbadd322a

SHA512
668b5f0f23cb905d8e81eab26745b672efe2874f22d3581c9080c12b2d5aef99839368b990ccaff9ff502faf9e6a7fd1f48ecdbb2167cfe98b3d3f93c376d134

Download Submit
C:\Windows\{E725F8F0-DC09-4769-96C0-DBBDE9194431}.exe

Filesize
197KB

MD5
7cf3c6907ca8e7cc53665e86cc55d8a4

SHA1
09f4d934661e92fea714a55ccfe04ca700da4abf

SHA256
6aea2cd8d580f216c685b8ee22aa53cf2c233f0636c314fed6a721a211f4fc12

SHA512
00a0cb275f0bc3efb70eb87d26b7bd62419dd479cf4381c3c0872a041581b2ddd29971e85bcbbfef69f294e493a7ce3215fe47e3354d59f3acbe83609dd19424

Download Submit
C:\Windows\{FF6F4E88-F999-4726-A5C1-1BDB01C71F1A}.exe

Filesize
197KB

MD5
b3c2010f5e9ccd946d86535d2debcbae

SHA1
e9a80901d630d8757fd92f673617b7efa2b435c7

SHA256
9b20b13595bb8370b34e5b373513b714ab73769e849efcdfac9123480f5cb940

SHA512
698a2a1ce0b7e99c5df12667abdffac23d1f781bf13228af18f124c3bd32510313dcfafcedbab95ae11f1c1a489ab3fa2ed8174f84ee4301fa9331c6b8e2bbc2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads