e3afb9ec599eb162c996476a09a867f729d07f82ee9da8ce668fc9943c711cbf

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
Size

372KB
MD5

4ccdcefc233217c4d34cdbd0f7567ccb
SHA1

18693c3290fc74093044a849864a98a496897c50
SHA256

e3afb9ec599eb162c996476a09a867f729d07f82ee9da8ce668fc9943c711cbf
SHA512

e7608a91d589656883ab498451651fef56139ae13079acb5e44eb6f3daba931ddc045bcf6e99f6901ff540471730da37399317a74e1beed05919dc1194d94fa1
SSDEEP

3072:CEGh0oPmlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGZmlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}\stubpath = "C:\\Windows\\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe"	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B26E7F-0516-4c63-855E-FD1FB77511ED}\stubpath = "C:\\Windows\\{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe"	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}\stubpath = "C:\\Windows\\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe"	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631DC3C6-6583-4c47-9413-06B3D02668BC}	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B1E071-81B9-4c6d-9A07-99BB9639E120}\stubpath = "C:\\Windows\\{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe"	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B26E7F-0516-4c63-855E-FD1FB77511ED}	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0316D6EA-43B6-446e-82FB-07228472E1E0}\stubpath = "C:\\Windows\\{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe"	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}\stubpath = "C:\\Windows\\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe"	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F701377D-2E22-4f32-A482-6A87DA2D9661}\stubpath = "C:\\Windows\\{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe"	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456D0D5D-A258-42dc-95D3-6805BA69300E}	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533A83E0-3251-4105-B03C-4BBBFA836D69}	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533A83E0-3251-4105-B03C-4BBBFA836D69}\stubpath = "C:\\Windows\\{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe"	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18B1E071-81B9-4c6d-9A07-99BB9639E120}	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0316D6EA-43B6-446e-82FB-07228472E1E0}	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C823928-DE16-42f1-ACC7-47CF59499830}\stubpath = "C:\\Windows\\{2C823928-DE16-42f1-ACC7-47CF59499830}.exe"	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{456D0D5D-A258-42dc-95D3-6805BA69300E}\stubpath = "C:\\Windows\\{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe"	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631DC3C6-6583-4c47-9413-06B3D02668BC}\stubpath = "C:\\Windows\\{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe"	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C823928-DE16-42f1-ACC7-47CF59499830}	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}\stubpath = "C:\\Windows\\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe"	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F701377D-2E22-4f32-A482-6A87DA2D9661}	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe

Executes dropped EXE 12 IoCs

pid	Process
400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
4520	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
4864	{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
File created	C:\Windows\{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
File created	C:\Windows\{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
File created	C:\Windows\{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
File created	C:\Windows\{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
File created	C:\Windows\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
File created	C:\Windows\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
File created	C:\Windows\{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
File created	C:\Windows\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
File created	C:\Windows\{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
File created	C:\Windows\{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
File created	C:\Windows\{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
Token: SeIncBasePriorityPrivilege	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
Token: SeIncBasePriorityPrivilege	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
Token: SeIncBasePriorityPrivilege	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
Token: SeIncBasePriorityPrivilege	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
Token: SeIncBasePriorityPrivilege	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
Token: SeIncBasePriorityPrivilege	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
Token: SeIncBasePriorityPrivilege	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
Token: SeIncBasePriorityPrivilege	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
Token: SeIncBasePriorityPrivilege	3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
Token: SeIncBasePriorityPrivilege	4520	{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 400	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	86
PID 4952 wrote to memory of 400	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	86
PID 4952 wrote to memory of 400	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	86
PID 4952 wrote to memory of 112	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	87
PID 4952 wrote to memory of 112	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	87
PID 4952 wrote to memory of 112	4952	2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe	87
PID 400 wrote to memory of 2996	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	88
PID 400 wrote to memory of 2996	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	88
PID 400 wrote to memory of 2996	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	88
PID 400 wrote to memory of 4068	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	89
PID 400 wrote to memory of 4068	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	89
PID 400 wrote to memory of 4068	400	{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe	89
PID 2996 wrote to memory of 2748	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	92
PID 2996 wrote to memory of 2748	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	92
PID 2996 wrote to memory of 2748	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	92
PID 2996 wrote to memory of 2204	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	93
PID 2996 wrote to memory of 2204	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	93
PID 2996 wrote to memory of 2204	2996	{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe	93
PID 2748 wrote to memory of 2592	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	96
PID 2748 wrote to memory of 2592	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	96
PID 2748 wrote to memory of 2592	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	96
PID 2748 wrote to memory of 2092	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	97
PID 2748 wrote to memory of 2092	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	97
PID 2748 wrote to memory of 2092	2748	{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe	97
PID 2592 wrote to memory of 4248	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	98
PID 2592 wrote to memory of 4248	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	98
PID 2592 wrote to memory of 4248	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	98
PID 2592 wrote to memory of 1648	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	99
PID 2592 wrote to memory of 1648	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	99
PID 2592 wrote to memory of 1648	2592	{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe	99
PID 4248 wrote to memory of 2216	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	100
PID 4248 wrote to memory of 2216	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	100
PID 4248 wrote to memory of 2216	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	100
PID 4248 wrote to memory of 2060	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	101
PID 4248 wrote to memory of 2060	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	101
PID 4248 wrote to memory of 2060	4248	{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe	101
PID 2216 wrote to memory of 2388	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	102
PID 2216 wrote to memory of 2388	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	102
PID 2216 wrote to memory of 2388	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	102
PID 2216 wrote to memory of 3624	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	103
PID 2216 wrote to memory of 3624	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	103
PID 2216 wrote to memory of 3624	2216	{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe	103
PID 2388 wrote to memory of 2244	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	104
PID 2388 wrote to memory of 2244	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	104
PID 2388 wrote to memory of 2244	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	104
PID 2388 wrote to memory of 4844	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	105
PID 2388 wrote to memory of 4844	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	105
PID 2388 wrote to memory of 4844	2388	{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe	105
PID 2244 wrote to memory of 4904	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	106
PID 2244 wrote to memory of 4904	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	106
PID 2244 wrote to memory of 4904	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	106
PID 2244 wrote to memory of 2400	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	107
PID 2244 wrote to memory of 2400	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	107
PID 2244 wrote to memory of 2400	2244	{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe	107
PID 4904 wrote to memory of 3156	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	108
PID 4904 wrote to memory of 3156	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	108
PID 4904 wrote to memory of 3156	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	108
PID 4904 wrote to memory of 3764	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	109
PID 4904 wrote to memory of 3764	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	109
PID 4904 wrote to memory of 3764	4904	{2C823928-DE16-42f1-ACC7-47CF59499830}.exe	109
PID 3156 wrote to memory of 4520	3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe	110
PID 3156 wrote to memory of 4520	3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe	110
PID 3156 wrote to memory of 4520	3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe	110
PID 3156 wrote to memory of 4468	3156	{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_4ccdcefc233217c4d34cdbd0f7567ccb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
  C:\Windows\{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
    C:\Windows\{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
      C:\Windows\{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
        
        C:\Windows\{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
        
        C:\Windows\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
        
        C:\Windows\{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
        
        C:\Windows\{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
        
        C:\Windows\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
        
        C:\Windows\{2C823928-DE16-42f1-ACC7-47CF59499830}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
        
        C:\Windows\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
        
        C:\Windows\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe
        
        C:\Windows\{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15F4F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CACB0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C823~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F54DB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0316D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B26~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD3B6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18B1E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{533A8~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{631DC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{456D0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0316D6EA-43B6-446e-82FB-07228472E1E0}.exe

Filesize
372KB

MD5
9f7e7943a6f3a7cefeff9831dccd9113

SHA1
85cf9c06b7fe8b1192a7e29d26c72d1d66cd04f0

SHA256
3b6886f36d91fb99f3a80a897ddfce03d7c1e9f5b9a944a28aede07999df9461

SHA512
b8fe8d8ae01def3bdff14a21dd9409d9ee605230a13ce77cff9ea9fe12a8a2344bbb33238a1b85d4516680bdf975d581aa4c1ea3da045d644f49a075e6bb71e3

Download Submit
C:\Windows\{15F4F5AC-E208-4fdb-A574-59AE81C25A94}.exe

Filesize
372KB

MD5
9564749db8919626130736bd27c89299

SHA1
aa3b88db7830df47ed7d751df9ff177008d50f72

SHA256
6e409bf00bb86c99c8821f22f15b2a458b429cb1874a6cb1ffead072b27b6633

SHA512
97e91052fbe1d435b9a582129a7cb2efaf95c962647c417b25be449e28b6a285a5d524781d4c120f1693ecd24d5b36322873fae8747667898d92671e35875490

Download Submit
C:\Windows\{18B1E071-81B9-4c6d-9A07-99BB9639E120}.exe

Filesize
372KB

MD5
5f2e40118ea69508e7280dc541bc654a

SHA1
79bde075f5fe9387f9fbf7015b2b1d3a12716657

SHA256
0023b96d8699a4c80d1494e3aa033d51bb203a33b9ee2f2fb6371edfc7ba7494

SHA512
96d00654d46c48f8ccce3045d25fe962febf43844630e3acc499f87f3636499e65f3587669ac61386b41b16162ac1f2960ca4c88fdde0413cf0657679c4201ca

Download Submit
C:\Windows\{2C823928-DE16-42f1-ACC7-47CF59499830}.exe

Filesize
372KB

MD5
d2c6d199dd09bc637e95b95298244ce7

SHA1
bb42f8f507b7d1ae707f8eca6110b506bfd054f9

SHA256
31177445559fadea83b4507ed00592a0e74428ef7b46afe3f2c2eb83207604bd

SHA512
92ede446f52657f82890faa11d4e7a4053359ab8fefe601f38422c886caf5630d2cc9e139c4f1b8b9ed69bfa56bff36ba41a9dc3b7edd0d20435128aa01614e1

Download Submit
C:\Windows\{456D0D5D-A258-42dc-95D3-6805BA69300E}.exe

Filesize
372KB

MD5
d8be7a3efa5732c9da1a5d9ea18fecc1

SHA1
98fd4cb94de786f40943a8eb100180f277c5d4be

SHA256
755033f87afd2032227223bd496cb66d10f38bdb7bd10df94f1b4bf00e2fe2a2

SHA512
d83cbfe09f9490873c33a5484d5fb4c4fb5ed6fd9714a4ea523d29c6e6eb224cc6cad7798768f07b3ad4d6b377373a343d8610ab5662a266367c9a37c0720d1e

Download Submit
C:\Windows\{533A83E0-3251-4105-B03C-4BBBFA836D69}.exe

Filesize
372KB

MD5
0275a1ca082e4cfaf9a4c4ef204e996e

SHA1
227ef367bcd3d790fb1334ae6c2389e6d251e813

SHA256
64dd7b66236c0582bd4bfeb4580fefb1973bcf2a2aa4458b55ec16cf4a386b3f

SHA512
5b91735c4b56b1a8695c46cfedf5375a16bc90e150f415e74c5d741ca9318e33bcf34cf92de3eb16eafeffe31d331ebc537800616c423c8aa4a8268d023fd2ae

Download Submit
C:\Windows\{631DC3C6-6583-4c47-9413-06B3D02668BC}.exe

Filesize
372KB

MD5
d22a7cad7086f01ee97b5f743c3f04b0

SHA1
a2ca2070de5b5cb04851b69d9ea45d427f6e5cc0

SHA256
b47639455ded8193c3f66c9dd3dc80d753edcdeee984b6d43f4df60ab3882bce

SHA512
9b0af4a1fc7fe4c1e34d3f9af22f063dc51ee41ab0d53b794e060695da5c048be1dfd68a5ea560afc91f2691328eda3aa511ec2741d93b0ab36c68cdb4d4ae71

Download Submit
C:\Windows\{91B26E7F-0516-4c63-855E-FD1FB77511ED}.exe

Filesize
372KB

MD5
8bd81137a7c48389d0467871142e0936

SHA1
fef34702d1ae79cca790240092239c76f945411c

SHA256
b053292c4f9c45c662e2b5ecbbde8ef5097c5ed99152ab119a2693d01fe1a6ce

SHA512
c41a97cda798666b82210af275e58549d20cc93734da192151d74a675025aacc1fb317b56167902db255e93a92c7a6676b16b0f44063f6c7e4a13c253e5c18eb

Download Submit
C:\Windows\{CACB0E4D-9775-4bea-B5A6-5DE968A0504B}.exe

Filesize
372KB

MD5
a07630aa926ef08ab32157768b5eee05

SHA1
d1c435d5f521e0dc6e3e55f6db510ad275c1d6e8

SHA256
cddcc2e2f41e7dfd82201fad691c0e209db1bf89e203e2e3af18ae5d26e10ef9

SHA512
222dda3219d60210d5615aea3cab9955a1f474bcd8827bd474a0b847eddedebb77598cbecf919bcfe4be9a90bf2cecfca8713ab2eaa05cc09c3010f7dc5455c5

Download Submit
C:\Windows\{F54DBB07-C3B7-482a-BDBE-F45BBC796DDD}.exe

Filesize
372KB

MD5
b9590d16318313a09614c62270941cdf

SHA1
208d480fb3b7f3960094f0809b5071701f027bdf

SHA256
8effa60ec406effdcd90b2a12ad88debb4072f3e276bcd22227d70aae1889eaa

SHA512
e960719c4d8494908dfbbdfbeba89bd85a6411471523f5505a91d94f963400255ecf08dbb8b2d64e4cea6846b2e6a7bcf14d89d0ea6b24eb7963857486707ee3

Download Submit
C:\Windows\{F701377D-2E22-4f32-A482-6A87DA2D9661}.exe

Filesize
372KB

MD5
598a6eaa315c6c466f662ed71d697696

SHA1
f565f62ff3bad482ca9705596947662d127c9c56

SHA256
c867717f7f70d46123da899e50114016a5693592d0ad805993151cde3bfb0d74

SHA512
319ed693b480bbd85f28fef8b40cd201f510a94806c68fd315faeadbe911a024a54a9e97f2fd4097f6963256ff60590f89b0866ab73958ea4b022a6f72ce6673

Download Submit
C:\Windows\{FD3B67C4-CE33-49b6-9DC5-777A5A0AC1EE}.exe

Filesize
372KB

MD5
f934e19062d5f36b12e3fb34b207e181

SHA1
5746e1469e7439833eff79363bc14ef945f62dc9

SHA256
6b4637233bc738d172f42d652929db497cac57aeb679aed2e842c180bf3973c0

SHA512
96b8c59431088ed62298fdb52b742216af272ebe58b764b59177337b6e7408ad7c72826b78cefbaf6880ef9e35888e3e72c40b1437ad8518420eec238c2ab72e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads