5e6909198165f34a018faf339247b747c34708058b5ad848afeaff731f6b47e7

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
Size

197KB
MD5

74884e89b5b0e301481d6a7bb46a7418
SHA1

5e403ffecf97ed38ebc96d00c3cf698299cc91c6
SHA256

5e6909198165f34a018faf339247b747c34708058b5ad848afeaff731f6b47e7
SHA512

73126c2ea37fb96af8cb24c1fce783e086b46d355c74497311703b8fa1af9bc2c5b9365a8f986a5819b0c299d78fc2d9338d0b1b5b92f47d59d34c910a278492
SSDEEP

3072:jEGh0oOl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGwlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0756C7C7-45D7-4c13-8943-A4811B04A255}	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}\stubpath = "C:\\Windows\\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe"	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}\stubpath = "C:\\Windows\\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe"	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}\stubpath = "C:\\Windows\\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe"	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}\stubpath = "C:\\Windows\\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe"	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}\stubpath = "C:\\Windows\\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe"	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{097310CC-748D-4ffa-BCA1-D361CD778C91}\stubpath = "C:\\Windows\\{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe"	{27D22551-332A-4f60-8618-9B15D292E518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D44A07-B8BE-41ff-B214-29388386F2F3}	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7D44A07-B8BE-41ff-B214-29388386F2F3}\stubpath = "C:\\Windows\\{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe"	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0756C7C7-45D7-4c13-8943-A4811B04A255}\stubpath = "C:\\Windows\\{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe"	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}\stubpath = "C:\\Windows\\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe"	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D561BFC-6606-4932-A563-36CD25949E00}	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}\stubpath = "C:\\Windows\\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe"	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D22551-332A-4f60-8618-9B15D292E518}\stubpath = "C:\\Windows\\{27D22551-332A-4f60-8618-9B15D292E518}.exe"	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D561BFC-6606-4932-A563-36CD25949E00}\stubpath = "C:\\Windows\\{1D561BFC-6606-4932-A563-36CD25949E00}.exe"	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D22551-332A-4f60-8618-9B15D292E518}	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{097310CC-748D-4ffa-BCA1-D361CD778C91}	{27D22551-332A-4f60-8618-9B15D292E518}.exe

Executes dropped EXE 12 IoCs

pid	Process
3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe
4828	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
2284	{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
File created	C:\Windows\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
File created	C:\Windows\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
File created	C:\Windows\{27D22551-332A-4f60-8618-9B15D292E518}.exe	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
File created	C:\Windows\{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
File created	C:\Windows\{1D561BFC-6606-4932-A563-36CD25949E00}.exe	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
File created	C:\Windows\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
File created	C:\Windows\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
File created	C:\Windows\{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe	{27D22551-332A-4f60-8618-9B15D292E518}.exe
File created	C:\Windows\{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
File created	C:\Windows\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
File created	C:\Windows\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27D22551-332A-4f60-8618-9B15D292E518}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
Token: SeIncBasePriorityPrivilege	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
Token: SeIncBasePriorityPrivilege	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe
Token: SeIncBasePriorityPrivilege	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
Token: SeIncBasePriorityPrivilege	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
Token: SeIncBasePriorityPrivilege	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
Token: SeIncBasePriorityPrivilege	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
Token: SeIncBasePriorityPrivilege	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
Token: SeIncBasePriorityPrivilege	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
Token: SeIncBasePriorityPrivilege	4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe
Token: SeIncBasePriorityPrivilege	4828	{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 3820	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	94
PID 4108 wrote to memory of 3820	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	94
PID 4108 wrote to memory of 3820	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	94
PID 4108 wrote to memory of 3440	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	95
PID 4108 wrote to memory of 3440	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	95
PID 4108 wrote to memory of 3440	4108	2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe	95
PID 3820 wrote to memory of 4184	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	96
PID 3820 wrote to memory of 4184	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	96
PID 3820 wrote to memory of 4184	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	96
PID 3820 wrote to memory of 2284	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	97
PID 3820 wrote to memory of 2284	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	97
PID 3820 wrote to memory of 2284	3820	{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe	97
PID 4184 wrote to memory of 2584	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	101
PID 4184 wrote to memory of 2584	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	101
PID 4184 wrote to memory of 2584	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	101
PID 4184 wrote to memory of 1856	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	102
PID 4184 wrote to memory of 1856	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	102
PID 4184 wrote to memory of 1856	4184	{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe	102
PID 2584 wrote to memory of 2412	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	103
PID 2584 wrote to memory of 2412	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	103
PID 2584 wrote to memory of 2412	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	103
PID 2584 wrote to memory of 1960	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	104
PID 2584 wrote to memory of 1960	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	104
PID 2584 wrote to memory of 1960	2584	{1D561BFC-6606-4932-A563-36CD25949E00}.exe	104
PID 2412 wrote to memory of 3720	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	105
PID 2412 wrote to memory of 3720	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	105
PID 2412 wrote to memory of 3720	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	105
PID 2412 wrote to memory of 3288	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	106
PID 2412 wrote to memory of 3288	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	106
PID 2412 wrote to memory of 3288	2412	{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe	106
PID 3720 wrote to memory of 1388	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	109
PID 3720 wrote to memory of 1388	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	109
PID 3720 wrote to memory of 1388	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	109
PID 3720 wrote to memory of 4176	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	110
PID 3720 wrote to memory of 4176	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	110
PID 3720 wrote to memory of 4176	3720	{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe	110
PID 1388 wrote to memory of 832	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	111
PID 1388 wrote to memory of 832	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	111
PID 1388 wrote to memory of 832	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	111
PID 1388 wrote to memory of 1212	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	112
PID 1388 wrote to memory of 1212	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	112
PID 1388 wrote to memory of 1212	1388	{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe	112
PID 832 wrote to memory of 4892	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	117
PID 832 wrote to memory of 4892	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	117
PID 832 wrote to memory of 4892	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	117
PID 832 wrote to memory of 1356	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	118
PID 832 wrote to memory of 1356	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	118
PID 832 wrote to memory of 1356	832	{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe	118
PID 4892 wrote to memory of 3288	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	123
PID 4892 wrote to memory of 3288	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	123
PID 4892 wrote to memory of 3288	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	123
PID 4892 wrote to memory of 464	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	124
PID 4892 wrote to memory of 464	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	124
PID 4892 wrote to memory of 464	4892	{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe	124
PID 3288 wrote to memory of 4492	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	125
PID 3288 wrote to memory of 4492	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	125
PID 3288 wrote to memory of 4492	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	125
PID 3288 wrote to memory of 3788	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	126
PID 3288 wrote to memory of 3788	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	126
PID 3288 wrote to memory of 3788	3288	{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe	126
PID 4492 wrote to memory of 4828	4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe	127
PID 4492 wrote to memory of 4828	4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe	127
PID 4492 wrote to memory of 4828	4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe	127
PID 4492 wrote to memory of 3460	4492	{27D22551-332A-4f60-8618-9B15D292E518}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_74884e89b5b0e301481d6a7bb46a7418_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
  C:\Windows\{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
    C:\Windows\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\{1D561BFC-6606-4932-A563-36CD25949E00}.exe
      C:\Windows\{1D561BFC-6606-4932-A563-36CD25949E00}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
        
        C:\Windows\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
        
        C:\Windows\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
        
        C:\Windows\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
        
        C:\Windows\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
        
        C:\Windows\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
        
        C:\Windows\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{27D22551-332A-4f60-8618-9B15D292E518}.exe
        
        C:\Windows\{27D22551-332A-4f60-8618-9B15D292E518}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
        
        C:\Windows\{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe
        
        C:\Windows\{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09731~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27D22~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92DC9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B31~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08131~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEA92~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC2E6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E6D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D561~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FD49E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0756C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0756C7C7-45D7-4c13-8943-A4811B04A255}.exe

Filesize
197KB

MD5
2c5e068bf99e9752ac20742d88d2767a

SHA1
16b0dbd74a880a75f51aed625dfdc6014d898063

SHA256
1073acd61e3d07580e44b6bfa891a487b24eea1c0d382c9bea3ed851f8a5607b

SHA512
735eec68a51706c27ba0b247ef95b80a48f4990f9f6b1f37d1f053c1753fdbbb6f09a4054b911a40e6679c9b3def8546f3a63804d2b4106699fcf35a11b17c71

Download Submit
C:\Windows\{081314C6-D1CC-4a37-845D-4D9BE27B86CE}.exe

Filesize
197KB

MD5
fc33f7a526995ce2e04548756183a003

SHA1
c51bc9afe81a681e8c20d62931ae6ce11101479d

SHA256
14c31681f27ac1c928a1ef9f197ca3984ade28b0acb770a078ded6b682e30157

SHA512
b3c177586b89afd1c4932b1800f6efee335a948c632ee5ae202650b6260f512b9a54f6a7e0462c1e71c4302ba7155ad1cb255ca517c524cdecb95d1b3279a8e3

Download Submit
C:\Windows\{097310CC-748D-4ffa-BCA1-D361CD778C91}.exe

Filesize
197KB

MD5
eea239110e9ce73bfa06ea0b78395a9f

SHA1
10e3648526b1cb05df98783510b5b4c1aa74fceb

SHA256
027dadd0807c37dec16aefcd2b09718ccf9f67f96a9494be5a3c19dd2a4e52e4

SHA512
74ffd284b7c602a032d3be0c0067130106c8e4e7a418e2681204931030c3618d3cbb3017c33aa3e4df8e6af77521ef9d182cb4946e835350f9f76cb334458deb

Download Submit
C:\Windows\{1D561BFC-6606-4932-A563-36CD25949E00}.exe

Filesize
197KB

MD5
f98639e5cf771a285db2befc02aa61ff

SHA1
3c76bdf65f0952f258394e6f82b14c79726e90da

SHA256
43bdb2cc4bc4759acc3ceb6522fb9dc4507e0281fb5e15ec61ef9f6ca08ef068

SHA512
4bf301a3e870745f4ecc243ee01556beee903ad147c01108306e6eae9b08f8951d095c536baf72d10bffabbb33bff6cc43af6a43485dca7f1ad02db3714bfdc9

Download Submit
C:\Windows\{27D22551-332A-4f60-8618-9B15D292E518}.exe

Filesize
197KB

MD5
03fb4b7c091ab5ab7429e38f41fa7162

SHA1
73b7bb9fa8f11ed371eff5f5a621b9bb8860f6ca

SHA256
662cda5e69dd032889dcb808a645e41995fd2f9e30c82dcf3e952dbe6112d55d

SHA512
f488d87398cbddce996033f2d3361487792b21c0f308b24caea7121263ecba4294109f7d39194d1ea34d38dcc19059f32c631938f38ad86c38c68ca9fd01fcde

Download Submit
C:\Windows\{76E6D79B-DE21-40b5-AF6A-4F3F61146D1D}.exe

Filesize
197KB

MD5
418e7517cae84ceca99f5555feed5f18

SHA1
556129305c512d801e56188c8d18ec5c411c29bc

SHA256
9009c27d800a82aa6528b99706ace3d6318f32b63af9e7cc016131d3bf8624c1

SHA512
28f20a84d3dcd86aeaf8ccf6e42f0460053f34e19d89cbb61172ef02fae49779adf35bd39b61573a5d0fbc6932ff95a33b13c2bf72620a4c3c3b2bc5b9fb0318

Download Submit
C:\Windows\{92DC91B6-DAC5-4d72-AA36-77780705CEC2}.exe

Filesize
197KB

MD5
62d236c961262de03d87e6f38fa6250b

SHA1
a05918e5bca1de9c9863c3ced7eff40052120647

SHA256
fea11a38d301254c0066f10f26392113525d643282c5cbf3a235fcd6c36ba5b8

SHA512
c73f9804e56c1038896d05850f97cb2cef15cab65c8ea5edd5a9be2e20097c24f2d3cad6259d098e9ce9edca301d7de4c30d09200d897ca099f9314c3be25da5

Download Submit
C:\Windows\{A7B317AA-2B58-40b4-A5C0-8079D69F702A}.exe

Filesize
197KB

MD5
d413d98ccb19f0b3011708759e029c37

SHA1
e5241d572d0858a10f0c849e4fbc7c34e11248c1

SHA256
cfe1fde535c356448a5ecbaed11708da50b9b86ba059a40771879f2eb7cffeeb

SHA512
51d645059b949771ee9b022c2e2308e65d80791122bd95018effe17e456f0d7d55ef9b45320b3356c30cf14c1fa38e047e301d3acd6fc346fcffdeb24c8466d6

Download Submit
C:\Windows\{A7D44A07-B8BE-41ff-B214-29388386F2F3}.exe

Filesize
197KB

MD5
f83648acb7096a7c0799a1d03bcd1c74

SHA1
ea04e30eab13f5b2c67ce2efd309666ebf5214e6

SHA256
abd26a7504f2499d3486617b4726d1a9dd1cede6a19fdfd99dd72ac3231c4c1d

SHA512
21944c3b73401eee09b14fad03639495b0994b50d53f8d7fd84d9167c00b0178ee9463586a1398c8362618c5d6dbb700ad829fa4d226e3ad3c52269585105929

Download Submit
C:\Windows\{AC2E6301-1BBC-4f1e-9541-C7373E9C854A}.exe

Filesize
197KB

MD5
e6551e8a648bb14b9e3718279a6c7419

SHA1
4fcd6b45ecfdb65ef62faa6c0bf5ef9be7d025af

SHA256
f1b3073a132ea03c8561a4417c50c27667a83933a8d6d69b11358beff222737a

SHA512
0b8f7dfad1da3a4885a4d37aac4baf58b941df9ed6def5b062967fd96c5502f80c93a6a4bc1d61d3eb16e52d507e0200285973f1e2a2e753beccb84e82f286cc

Download Submit
C:\Windows\{FD49E6F4-CB28-4bbb-AC4B-F26A1D55DBC4}.exe

Filesize
197KB

MD5
6ab30b98a339c4916adc8f303ce097e2

SHA1
38d018d3583ee0d3b2597a9f2a31774d34f2d4dc

SHA256
111d16d18d59129bd027f453c17214f42c47ee34860d23c5fc829381b29d7779

SHA512
6e032a8e6e504e6b8fbd12feee00b3170249bf1efa0c7eee5e983c7870b94e552f9885231524d1c91ada6caad6cf58821a339ba778edd9a8e5af3538c534cde2

Download Submit
C:\Windows\{FEA92A9A-0CDF-48c3-BE7C-DBEBD182A50B}.exe

Filesize
197KB

MD5
8bdb883c45fdb991ac24de2834c923d1

SHA1
c39f8be4c425f8e317c052fd22dc051e5ce7bc72

SHA256
b29234202740d0a7d0754a518ba59cf8146013e36d4bb3cded9210d5e467e20d

SHA512
d53bcf018b7f5a92858af0c712c8c9742bf58eb129f262b6b1d56a0745e21f60c2a7e7f83ff38393b58639bd739b5018ce00d451a63bd0860d9d99226301ddc9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads