90a80e974aa001b00076cb2bbe7f8d0fe6a5dbd942aa5f174ebcc62a23d02e3d

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
Size

408KB
MD5

861ba9e5160627afeb501d4344a8e064
SHA1

50a89d43e608b0da5324c141357e4176f81e925f
SHA256

90a80e974aa001b00076cb2bbe7f8d0fe6a5dbd942aa5f174ebcc62a23d02e3d
SHA512

47a508f0a4697521bcca0d21f7c359b3551461282cfa209a16dbb2ceb441ec0bff3a7f0a5aa47b4ed20ace06bf1626b4b2898d86c0f014daec947494382f56d3
SSDEEP

3072:CEGh0oJl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGjldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A621839C-ABE6-464b-821F-5957868BE18D}\stubpath = "C:\\Windows\\{A621839C-ABE6-464b-821F-5957868BE18D}.exe"	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}\stubpath = "C:\\Windows\\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe"	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}\stubpath = "C:\\Windows\\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe"	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}\stubpath = "C:\\Windows\\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe"	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}\stubpath = "C:\\Windows\\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe"	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF39FDB-9958-444d-951F-0A39653ED4F6}\stubpath = "C:\\Windows\\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe"	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}\stubpath = "C:\\Windows\\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe"	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}\stubpath = "C:\\Windows\\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe"	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}\stubpath = "C:\\Windows\\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe"	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9419FF7D-C369-403f-9483-0B6945899AC9}	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9419FF7D-C369-403f-9483-0B6945899AC9}\stubpath = "C:\\Windows\\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe"	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}\stubpath = "C:\\Windows\\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe"	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}\stubpath = "C:\\Windows\\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe"	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF39FDB-9958-444d-951F-0A39653ED4F6}	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A621839C-ABE6-464b-821F-5957868BE18D}	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
3400	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
3992	{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
File created	C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
File created	C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
File created	C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
File created	C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
File created	C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
File created	C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
File created	C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
File created	C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
File created	C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
File created	C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
File created	C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
Token: SeIncBasePriorityPrivilege	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
Token: SeIncBasePriorityPrivilege	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
Token: SeIncBasePriorityPrivilege	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
Token: SeIncBasePriorityPrivilege	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
Token: SeIncBasePriorityPrivilege	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe
Token: SeIncBasePriorityPrivilege	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
Token: SeIncBasePriorityPrivilege	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
Token: SeIncBasePriorityPrivilege	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
Token: SeIncBasePriorityPrivilege	1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
Token: SeIncBasePriorityPrivilege	3400	{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1652	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	90
PID 3988 wrote to memory of 1652	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	90
PID 3988 wrote to memory of 1652	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	90
PID 3988 wrote to memory of 4696	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	91
PID 3988 wrote to memory of 4696	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	91
PID 3988 wrote to memory of 4696	3988	2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe	91
PID 1652 wrote to memory of 220	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	92
PID 1652 wrote to memory of 220	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	92
PID 1652 wrote to memory of 220	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	92
PID 1652 wrote to memory of 4820	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	93
PID 1652 wrote to memory of 4820	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	93
PID 1652 wrote to memory of 4820	1652	{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe	93
PID 220 wrote to memory of 5036	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	98
PID 220 wrote to memory of 5036	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	98
PID 220 wrote to memory of 5036	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	98
PID 220 wrote to memory of 2908	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	99
PID 220 wrote to memory of 2908	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	99
PID 220 wrote to memory of 2908	220	{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe	99
PID 5036 wrote to memory of 1012	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	100
PID 5036 wrote to memory of 1012	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	100
PID 5036 wrote to memory of 1012	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	100
PID 5036 wrote to memory of 1544	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	101
PID 5036 wrote to memory of 1544	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	101
PID 5036 wrote to memory of 1544	5036	{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe	101
PID 1012 wrote to memory of 2388	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	102
PID 1012 wrote to memory of 2388	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	102
PID 1012 wrote to memory of 2388	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	102
PID 1012 wrote to memory of 4984	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	103
PID 1012 wrote to memory of 4984	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	103
PID 1012 wrote to memory of 4984	1012	{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe	103
PID 2388 wrote to memory of 2536	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	104
PID 2388 wrote to memory of 2536	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	104
PID 2388 wrote to memory of 2536	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	104
PID 2388 wrote to memory of 4412	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	105
PID 2388 wrote to memory of 4412	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	105
PID 2388 wrote to memory of 4412	2388	{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe	105
PID 2536 wrote to memory of 4432	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	106
PID 2536 wrote to memory of 4432	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	106
PID 2536 wrote to memory of 4432	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	106
PID 2536 wrote to memory of 412	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	107
PID 2536 wrote to memory of 412	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	107
PID 2536 wrote to memory of 412	2536	{A621839C-ABE6-464b-821F-5957868BE18D}.exe	107
PID 4432 wrote to memory of 3776	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	108
PID 4432 wrote to memory of 3776	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	108
PID 4432 wrote to memory of 3776	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	108
PID 4432 wrote to memory of 2944	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	109
PID 4432 wrote to memory of 2944	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	109
PID 4432 wrote to memory of 2944	4432	{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe	109
PID 3776 wrote to memory of 3648	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	113
PID 3776 wrote to memory of 3648	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	113
PID 3776 wrote to memory of 3648	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	113
PID 3776 wrote to memory of 3460	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	114
PID 3776 wrote to memory of 3460	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	114
PID 3776 wrote to memory of 3460	3776	{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe	114
PID 3648 wrote to memory of 1668	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	115
PID 3648 wrote to memory of 1668	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	115
PID 3648 wrote to memory of 1668	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	115
PID 3648 wrote to memory of 1888	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	116
PID 3648 wrote to memory of 1888	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	116
PID 3648 wrote to memory of 1888	3648	{9419FF7D-C369-403f-9483-0B6945899AC9}.exe	116
PID 1668 wrote to memory of 3400	1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe	117
PID 1668 wrote to memory of 3400	1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe	117
PID 1668 wrote to memory of 3400	1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe	117
PID 1668 wrote to memory of 3632	1668	{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-09_861ba9e5160627afeb501d4344a8e064_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
  C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
    C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
      C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
        
        C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
        
        C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe
        
        C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
        
        C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
        
        C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
        
        C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
        
        C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
        
        C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe
        
        C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DCC4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C077~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9419F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFDBE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8E02~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6218~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{327E6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF39~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{486B7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E63EF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6D99E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{327E6DC4-2BFE-46bd-BFD4-10AE17546934}.exe

Filesize
408KB

MD5
e2cd1706011ff1e6366542b2c6c973ef

SHA1
e1f92526739ce4fc648a5ae64f0be2941eb81353

SHA256
11647ae3e057bfd9d65edc85929f39b1618320f8452c74c6c9c2b2b3343755bf

SHA512
2a629c60462b0be6b695daddfe8df917b097c99f813169858964587708c027e923d512d5fb9b4fc306530d641c7f8f05d59dce263bbd64db340259e37e98115f

Download Submit
C:\Windows\{3DCC4D96-8F8F-483f-BF4A-4B7873C7B9E7}.exe

Filesize
408KB

MD5
e1529e4e0d9f739e89335e4143ef0df1

SHA1
72c5fc892e9f2cc5863a74c2ccf2f18d9f74c1c0

SHA256
0aa48ab0b3ffab7ed4f1c8b4c1e703b1d8468c577d324a6d403cd311f98b72fb

SHA512
e4dbb397f765c2b453ab2ab2a8d3f74bc35ff8d219ce8192f8ffaa0e351e79daa63b20ef0f8bbd2f9c74df2da90bcd14cee56c071b723369596f3da2c9c2f455

Download Submit
C:\Windows\{486B7C8B-FFB6-4c5a-86D3-6BAF09B754B3}.exe

Filesize
408KB

MD5
895e2590e2e58b47fc13d79897dc83dd

SHA1
f00ceb9428bf78996240867b683370ca96b38c67

SHA256
3c445558810de6b07e8f870c3b2237c411531d2df5c877c7df6c6fc1bae39414

SHA512
2b48ebead3b7a39f24e2b56762c08ad28d6741a8f79196ee5091e0be5280ae9f02849063e20da72284afd365dc81f39f33039d70e071b6cbb73d7609f25e5b1c

Download Submit
C:\Windows\{5C077AD4-B5FC-4fc5-85F7-E6CDA74F15A9}.exe

Filesize
408KB

MD5
5ef749736c08dacf17214f6269770317

SHA1
0cc9e5f194854c157a2dfb00fa13e8d70f79ad6b

SHA256
1b826308222bdac9e42c7938c4fe9b50d9e10d9ce47372f6ee5ef580593c9d00

SHA512
e91c4091fa244811b5197514e42b975e4401752d596e68a0d6ffc2806e6db0f243729b4cb58b3da56aed42bdb0a843eb07fecf56e88ed71a0cd7eae712591969

Download Submit
C:\Windows\{6D99E827-7DF0-4c77-86D6-B6E6DC457E1F}.exe

Filesize
408KB

MD5
9f88690057870c2be1a0085d9c9a70db

SHA1
f6b7fffeeac38a84eacaa98e5353ac96e3112a4c

SHA256
b6877c99d9f055be273de455c446b876a872b671f196ff579a33bf1c2afc6652

SHA512
ae7892895c5a983bce77d9ca0335cc7569873f2172add6054dfd9eed301df5d5b4956a26ebecc186941d8b6f18e7888b3c7da5f8b68cf627e7e41319efb3afe0

Download Submit
C:\Windows\{9419FF7D-C369-403f-9483-0B6945899AC9}.exe

Filesize
408KB

MD5
ee2eb45ef364af4a2df3ae71d572357c

SHA1
c1ebb915265cb9960706b9e3bac714ed8920e178

SHA256
e749fea0f5a2505b77b93119af22578afdf71e30897401135efb4f7eb3419148

SHA512
9f8503fa2a3f27b39b70024eab11e0f2bb313d7b9ef784fccdf7e402a5cb5ff47b07284b61bff348a5c98d7587e26bc91f992da4c05ef1ecc2595e2edf6abafb

Download Submit
C:\Windows\{A621839C-ABE6-464b-821F-5957868BE18D}.exe

Filesize
408KB

MD5
9394e99f7bc2fa9e301f643c339164ae

SHA1
d7401d3b2255daa6c2d610102faa2aed690bb708

SHA256
bc2cb3f7656f0a125a9ee4797e6311ceed6a0802db2537153371b26c00ba1dfa

SHA512
88747363f0d8fec0cfe0db25749d1ab662f89ca1950add624017d64564b49c94032d1ef4979b9acc8b1144c12d517a4b1126829f708d00f99ae118e1d7f08c4d

Download Submit
C:\Windows\{AFDBEC44-10E0-41c1-B4FA-FEEEDC207428}.exe

Filesize
408KB

MD5
6b1a611d86852e55654fe0b58fcfb227

SHA1
593360d9386aa2fa4eeb8e4d4bea098f4c00ce08

SHA256
9976f4671a4b57021b068b8f53bf702be89bd021628524bf0c29f1f33092a77f

SHA512
9680b007c396909d72346607368860d8f62bc7cfe2302d58ff27c309d1bef15fa548350ae309c9a751bea3f894022ba7757c7100fe7f2944aa5dac871a5e9d78

Download Submit
C:\Windows\{CAF39FDB-9958-444d-951F-0A39653ED4F6}.exe

Filesize
408KB

MD5
120b15aa4424a037cdd28215ef2c329f

SHA1
112fc9d995bcf8791bf6f7f6f370f66c178b6c27

SHA256
38a30725fff43fc4bfa9f4e57747796f09d189247d8bff2001635137399a51fe

SHA512
46ce16cb04a4e190dbf04285e5877184b444b6b3795575490a1310f0e9d75aa1ce6e0d3c02a99cc174096d46cbcb19d5df039c074ef651ab8c4d3d4971207a48

Download Submit
C:\Windows\{D12DC75A-F044-4df4-B10D-A6D960D2BFD5}.exe

Filesize
408KB

MD5
af7f4267e77ecd8e5d6606c500a49d6d

SHA1
c4f6f43367000dc7112f4f6350d8ba70e6789e1d

SHA256
14dd018987672c1975501a0f90a4588492993367fa32496a7e8bb1af4fc07e75

SHA512
62fc544b945c09a0887216530eb42c4a5d81309cf359c5a813528c06f54670005db0fb4372d0dd6c302199c90e5143e9b8425bade0c4499f6f1407ee7c13e015

Download Submit
C:\Windows\{D8E02CFB-F215-4faf-A3EA-01FDC8480FB5}.exe

Filesize
408KB

MD5
962936b511492a7eee3d9fd5080b5a9d

SHA1
3a03d03ad85996de684ae491a0947fc0a6ba1089

SHA256
fda40cb63d38905d8c2d27cf91a1dedd5958882bac2dea0248cccf820aa82d81

SHA512
eec5d9347dd4d106f6ca50a28fbbc1a50664df4eddddead8b621c6139a718ec70c01639338915b6cdfe7ce56eea84be17d0fc6d3cfe4db4c6be7b74718b96c67

Download Submit
C:\Windows\{E63EF5CE-48A2-4a30-AE60-ACB4EEE4CDB1}.exe

Filesize
408KB

MD5
7269a886d0845c39a458d6c16d2b8188

SHA1
9997c74753e334d29284bfa2e58f231dd061538c

SHA256
f99c4265d226c5b9049dd99baeeabd37a944e4f9441e228fafc60dfe879fbe47

SHA512
fad508cafd7a7575eb344f6dc3b9f47ae4356b8d4a3a64a37ec673c98736509ab2a4a3fc7df34c801682dd3171a8ed567b823147df5c6459defa27d6475a4360

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads