a17e3734052e4d62b38e0376b77b71ff2e4fa643690591f5c19397980c3f443d

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Size

192KB
MD5

2ae9b11857c6480bcb0a2a9eace2457b
SHA1

185b1cd59a5eb3d0463a4b9380d8e52df3c93705
SHA256

a17e3734052e4d62b38e0376b77b71ff2e4fa643690591f5c19397980c3f443d
SHA512

e4620fb362b653af7e7fea5e6c415b36b10e36f098b996e1dbd8beefcd15e562bdb9fbc179e576425327a69ae95d5f97f69473d00ff573015df80a861d8a5968
SSDEEP

1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oGl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}\stubpath = "C:\\Windows\\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe"	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA12206-7097-467f-BB88-FE5494EBBE71}	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5429366-2257-4172-9397-D7413C7240B2}	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}	{E5429366-2257-4172-9397-D7413C7240B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}\stubpath = "C:\\Windows\\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe"	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}\stubpath = "C:\\Windows\\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe"	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}\stubpath = "C:\\Windows\\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe"	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}\stubpath = "C:\\Windows\\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe"	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}\stubpath = "C:\\Windows\\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe"	{E5429366-2257-4172-9397-D7413C7240B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}\stubpath = "C:\\Windows\\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe"	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A688A446-EE98-48b8-B8F3-7FD94960461A}	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A688A446-EE98-48b8-B8F3-7FD94960461A}\stubpath = "C:\\Windows\\{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe"	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA12206-7097-467f-BB88-FE5494EBBE71}\stubpath = "C:\\Windows\\{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe"	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}\stubpath = "C:\\Windows\\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe"	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5429366-2257-4172-9397-D7413C7240B2}\stubpath = "C:\\Windows\\{E5429366-2257-4172-9397-D7413C7240B2}.exe"	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}\stubpath = "C:\\Windows\\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe"	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe
1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
536	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
3268	{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
File created	C:\Windows\{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
File created	C:\Windows\{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
File created	C:\Windows\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	{E5429366-2257-4172-9397-D7413C7240B2}.exe
File created	C:\Windows\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
File created	C:\Windows\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
File created	C:\Windows\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
File created	C:\Windows\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
File created	C:\Windows\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
File created	C:\Windows\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
File created	C:\Windows\{E5429366-2257-4172-9397-D7413C7240B2}.exe	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
File created	C:\Windows\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5429366-2257-4172-9397-D7413C7240B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
Token: SeIncBasePriorityPrivilege	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
Token: SeIncBasePriorityPrivilege	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
Token: SeIncBasePriorityPrivilege	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
Token: SeIncBasePriorityPrivilege	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe
Token: SeIncBasePriorityPrivilege	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
Token: SeIncBasePriorityPrivilege	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
Token: SeIncBasePriorityPrivilege	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
Token: SeIncBasePriorityPrivilege	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
Token: SeIncBasePriorityPrivilege	948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
Token: SeIncBasePriorityPrivilege	536	{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 3520	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	86
PID 872 wrote to memory of 3520	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	86
PID 872 wrote to memory of 3520	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	86
PID 872 wrote to memory of 1508	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	87
PID 872 wrote to memory of 1508	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	87
PID 872 wrote to memory of 1508	872	2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe	87
PID 3520 wrote to memory of 3992	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	88
PID 3520 wrote to memory of 3992	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	88
PID 3520 wrote to memory of 3992	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	88
PID 3520 wrote to memory of 792	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	89
PID 3520 wrote to memory of 792	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	89
PID 3520 wrote to memory of 792	3520	{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe	89
PID 3992 wrote to memory of 4820	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	92
PID 3992 wrote to memory of 4820	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	92
PID 3992 wrote to memory of 4820	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	92
PID 3992 wrote to memory of 4124	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	93
PID 3992 wrote to memory of 4124	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	93
PID 3992 wrote to memory of 4124	3992	{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe	93
PID 4820 wrote to memory of 4748	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	95
PID 4820 wrote to memory of 4748	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	95
PID 4820 wrote to memory of 4748	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	95
PID 4820 wrote to memory of 2524	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	96
PID 4820 wrote to memory of 2524	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	96
PID 4820 wrote to memory of 2524	4820	{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe	96
PID 4748 wrote to memory of 2412	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	97
PID 4748 wrote to memory of 2412	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	97
PID 4748 wrote to memory of 2412	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	97
PID 4748 wrote to memory of 4616	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	98
PID 4748 wrote to memory of 4616	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	98
PID 4748 wrote to memory of 4616	4748	{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe	98
PID 2412 wrote to memory of 1832	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	99
PID 2412 wrote to memory of 1832	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	99
PID 2412 wrote to memory of 1832	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	99
PID 2412 wrote to memory of 5116	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	100
PID 2412 wrote to memory of 5116	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	100
PID 2412 wrote to memory of 5116	2412	{E5429366-2257-4172-9397-D7413C7240B2}.exe	100
PID 1832 wrote to memory of 1864	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	101
PID 1832 wrote to memory of 1864	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	101
PID 1832 wrote to memory of 1864	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	101
PID 1832 wrote to memory of 2328	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	102
PID 1832 wrote to memory of 2328	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	102
PID 1832 wrote to memory of 2328	1832	{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe	102
PID 1864 wrote to memory of 2868	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	103
PID 1864 wrote to memory of 2868	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	103
PID 1864 wrote to memory of 2868	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	103
PID 1864 wrote to memory of 4216	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	104
PID 1864 wrote to memory of 4216	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	104
PID 1864 wrote to memory of 4216	1864	{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe	104
PID 2868 wrote to memory of 3368	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	105
PID 2868 wrote to memory of 3368	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	105
PID 2868 wrote to memory of 3368	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	105
PID 2868 wrote to memory of 5100	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	106
PID 2868 wrote to memory of 5100	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	106
PID 2868 wrote to memory of 5100	2868	{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe	106
PID 3368 wrote to memory of 948	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	107
PID 3368 wrote to memory of 948	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	107
PID 3368 wrote to memory of 948	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	107
PID 3368 wrote to memory of 1636	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	108
PID 3368 wrote to memory of 1636	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	108
PID 3368 wrote to memory of 1636	3368	{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe	108
PID 948 wrote to memory of 536	948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe	109
PID 948 wrote to memory of 536	948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe	109
PID 948 wrote to memory of 536	948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe	109
PID 948 wrote to memory of 516	948	{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_2ae9b11857c6480bcb0a2a9eace2457b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
  C:\Windows\{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
    C:\Windows\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
      C:\Windows\{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
        
        C:\Windows\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
      - C:\Windows\{E5429366-2257-4172-9397-D7413C7240B2}.exe
        
        C:\Windows\{E5429366-2257-4172-9397-D7413C7240B2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
        
        C:\Windows\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
        
        C:\Windows\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
        
        C:\Windows\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
        
        C:\Windows\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
        
        C:\Windows\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
        
        C:\Windows\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe
        
        C:\Windows\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0627~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1947~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1000A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D72D8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5F08~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86C5C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5429~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5BE3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA12~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{01B80~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A688A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01B804CA-DB69-474b-AF4F-A9DE1EA5EE46}.exe

Filesize
192KB

MD5
109a7e775051af137198028c80e121b5

SHA1
d9ef6f96984699b4b43064d3b12cfeb085fd78c1

SHA256
9f6cac31f79c476ae3ce405d6cd8a2206aa8422507a3d4ef102296805ec71282

SHA512
42b1853322884d3aa39e42d1c2872bc3a57723077864f34a96269ded7cda041d5d5df5fd157aef5cbeafcbce18e72940fcc8924a52e7463353ae0bad0dd53173

Download Submit
C:\Windows\{1000AB95-1A9D-450f-94CD-5A87B0B86AC2}.exe

Filesize
192KB

MD5
98add0b7a17cae71457c3d0249df6d82

SHA1
5f4b37ad639af99bf4be596375c673cf53a607d2

SHA256
edf586c19a058eecc576a70585c4f538897c953a2d3680a3d9184f8c2a19dad9

SHA512
7489b9b73e2a991e68def8c3888df337e72976190b0f3be9025efcc3672031cc69068d571b695b0c1459657884c975ea2d164035dde8cf903baa224d25d7bbb7

Download Submit
C:\Windows\{2CA12206-7097-467f-BB88-FE5494EBBE71}.exe

Filesize
192KB

MD5
db2cffb32a9d8be9f999149382371629

SHA1
9151d376e81470849d77e946596083d09955363a

SHA256
096d264421f14bbad60ae5203f1e990cbaf7d9e5ffcbe77bf4b881fd00dbde9b

SHA512
2e208c79ab5a4e7a4382ae55384e493332b6542b4f48f6b05c083e3952b1b4d465a8f6ee5a7f5c78a87050fded6571d0b6833fd151cd8b5ba9375edef79090fd

Download Submit
C:\Windows\{86C5C632-2F4B-4c19-8FA9-85DADE3C308D}.exe

Filesize
192KB

MD5
4564fd623c5bf0538b34075a5f959dc2

SHA1
ba10ee5d3c26495e26219093301c7a8ac728008b

SHA256
3c301e26d10b9215761e2dc5bdda72aa01c5a3a6a2da03db148287c6d83b63b4

SHA512
13a46d4c09e02d695ae37efcf185aec4a865b72d68d3344b856e864d15281e76c095baa233a2da8a4f6324c488a2a2776fa60ea40a3a89cfe2bd85aa6d2f8328

Download Submit
C:\Windows\{A1947B64-DCDB-4d2e-AE5D-A009019226BC}.exe

Filesize
192KB

MD5
2b0d04d5cf5fa15b247a7e5a50a43a4b

SHA1
5d3070cceecb683f00d67810a38e1530bd5d5120

SHA256
8a62b0233b4a244b9fa3720fb660555442530a04bb87b0518c972e3080a49dc3

SHA512
1715926b3285a3a07c3db39d7fd35a6cd01aa4e3840c414a1788fc695b512ffc1d43f06fbfa0876d8b3ba73d4c9de8da71ad1647fec8b7a7ddac563ccdc26443

Download Submit
C:\Windows\{A5F0873D-9485-40cf-BD1E-E36433BDBDBD}.exe

Filesize
192KB

MD5
5f3c0e4ff3ea56a836b432f329486278

SHA1
26c1670cfcecb2a091280c7d5ece2b8d12edcda8

SHA256
1e36e679625fc77752a63d9a8186392140f99a643582aed72be5eecb705f5705

SHA512
73d33024cb8e293a8f7091cbf5a5887767b1dd74dcf5b4f20a28a6a1cf03634d17e6d784c16a522b74d3b3a6f21dd3d212ec72b92642e47d88e128b403ac4467

Download Submit
C:\Windows\{A688A446-EE98-48b8-B8F3-7FD94960461A}.exe

Filesize
192KB

MD5
feeb3a7af13be7736a39f4fa4758cdce

SHA1
8f22ca43ddefd13c60564ec03f9a8118f042efb8

SHA256
274de81a6e6097f0d8c67f66a28fadb4e496c2a3310a0ac226d0b20a4e83a02a

SHA512
0205322e3f15ae7f5ea96f7fa8606433bb3cb9f8e39cd4649c5c691c546bdfea5812860644569f86586baca9250df89853d34340f89d0fc79a039be9272069dd

Download Submit
C:\Windows\{B0627A4B-1232-48ad-891C-E54D94A6CFA9}.exe

Filesize
192KB

MD5
0e5cdb53cf1cdfd009d870516c5caed2

SHA1
944aff91a6a45b0898616c7325e7ea104ff0b85a

SHA256
915df0af58de53201ede1e9228e7c1c5d65500845cb250fed19078fb0dcf310d

SHA512
e2480d5ca6fee5cdadc3e90ca874be49aa377a8441f8a88e8b425cc77affed87d00850ad7ae7a46962185881eb2b818f22a17b3b19effd95bad2330ae2467d3b

Download Submit
C:\Windows\{CE72A6E4-FE97-4c72-AA4E-A01664994B0C}.exe

Filesize
192KB

MD5
f1131c094bb4296db80bc0e8043e77fa

SHA1
8879832b43da732b84dcd74d908eb1c255fc9599

SHA256
2e7302d947b1baa8ae46a4c7c984c134feb11f9904c6da4fa9329885585ae554

SHA512
bf78451b32fc705eec31820605b392fe50c46d9a537ef671a80f4905b766e24ed7a42e917230282dda7bd23bf0ad8d6c9096fb695e36b07c59966e83053ab2ac

Download Submit
C:\Windows\{D72D8D54-0D61-45e9-BC70-AAB76BC7B44A}.exe

Filesize
192KB

MD5
5e66db88911fe2310403adcb8e493959

SHA1
854f743e1ff3c175c6627274f81f8a684a9d599c

SHA256
9d2f1c2dcfedb2d5548671628e495bf6047c9bd9f1d303de0c64e739a541ec7b

SHA512
9b509fbbf0a61e962761456769e76f70eb3c66ab328e4739ea35d94cb182f32e2e887ca55e725a15182d57a1fba6cd07714ba8e72c23b0961fe0b7b3846c3272

Download Submit
C:\Windows\{E5429366-2257-4172-9397-D7413C7240B2}.exe

Filesize
192KB

MD5
bedd3f0bebf3ffc23b3234eae05c34d7

SHA1
59632eccb92ef196aeed289159ee0b8806cd6c2c

SHA256
1855f2bc4d71a553447e97a423714913629c301084f4b8afeb10486039618ede

SHA512
9f7d58679ef0b36d456f4a84ea05b37fc6ae23262e6b66500f725a4ef2df0f1052d62b58f07efd55bce5b4e12c76c06aa5c7da8400f7b98faed9663d75870e20

Download Submit
C:\Windows\{E5BE3102-4CF9-443e-B00B-33F5DF79A764}.exe

Filesize
192KB

MD5
e46976300b3d5a29ed6a52ce7c4c81b1

SHA1
f2e6a26db17b75deec7585e17091644275a474b7

SHA256
c3256a9e5b086b62cbb1404316696668f3c082d1acd1e205908164826a56a21e

SHA512
46b42272f9637b927a6db0322620d17c8875bc2f884e97a38e0e70db614823ab695b722c96137b32702f0f8d790ca4c88062420485859c72cd187df44eabc418

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads