a07953552d337b40ccf6add58d742877b85d03699e959712b3eb7020a6b57487

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
Size

180KB
MD5

469d59cb12d4b8fdcf5f96b156736d76
SHA1

b1255858095e652f181f77ad82c699241e079589
SHA256

a07953552d337b40ccf6add58d742877b85d03699e959712b3eb7020a6b57487
SHA512

f86a47a0632bdf20625fcbea427b8d25f61d18f57f400c82d394203c8ea3f360713fc822fee5ecaf94c3a261ad3503b98a368866719664c08b2ddc9f8deccd9d
SSDEEP

3072:jEGh0oRlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGXl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4948F373-3CBA-438c-8610-FA0DB73A7F72}	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4948F373-3CBA-438c-8610-FA0DB73A7F72}\stubpath = "C:\\Windows\\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe"	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A04293-9063-43bb-AFEA-88738E359E51}	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31A04293-9063-43bb-AFEA-88738E359E51}\stubpath = "C:\\Windows\\{31A04293-9063-43bb-AFEA-88738E359E51}.exe"	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}\stubpath = "C:\\Windows\\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe"	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8088F042-A653-4b74-8E41-C531FC093D59}	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8088F042-A653-4b74-8E41-C531FC093D59}\stubpath = "C:\\Windows\\{8088F042-A653-4b74-8E41-C531FC093D59}.exe"	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}\stubpath = "C:\\Windows\\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe"	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}\stubpath = "C:\\Windows\\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe"	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}\stubpath = "C:\\Windows\\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe"	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}\stubpath = "C:\\Windows\\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe"	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}\stubpath = "C:\\Windows\\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe"	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}\stubpath = "C:\\Windows\\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe"	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}\stubpath = "C:\\Windows\\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe"	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2777B3-66F5-4f02-979E-C892F9E72F47}	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C2777B3-66F5-4f02-979E-C892F9E72F47}\stubpath = "C:\\Windows\\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe"	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
592	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
1548	{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
File created	C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
File created	C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
File created	C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
File created	C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
File created	C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
File created	C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
File created	C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
File created	C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
File created	C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
File created	C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
File created	C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
Token: SeIncBasePriorityPrivilege	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
Token: SeIncBasePriorityPrivilege	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
Token: SeIncBasePriorityPrivilege	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
Token: SeIncBasePriorityPrivilege	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
Token: SeIncBasePriorityPrivilege	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe
Token: SeIncBasePriorityPrivilege	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
Token: SeIncBasePriorityPrivilege	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe
Token: SeIncBasePriorityPrivilege	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
Token: SeIncBasePriorityPrivilege	1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
Token: SeIncBasePriorityPrivilege	592	{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2992	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	92
PID 4764 wrote to memory of 2992	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	92
PID 4764 wrote to memory of 2992	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	92
PID 4764 wrote to memory of 2248	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	93
PID 4764 wrote to memory of 2248	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	93
PID 4764 wrote to memory of 2248	4764	2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe	93
PID 2992 wrote to memory of 2704	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	95
PID 2992 wrote to memory of 2704	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	95
PID 2992 wrote to memory of 2704	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	95
PID 2992 wrote to memory of 2064	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	96
PID 2992 wrote to memory of 2064	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	96
PID 2992 wrote to memory of 2064	2992	{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe	96
PID 2704 wrote to memory of 2224	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	100
PID 2704 wrote to memory of 2224	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	100
PID 2704 wrote to memory of 2224	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	100
PID 2704 wrote to memory of 4156	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	101
PID 2704 wrote to memory of 4156	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	101
PID 2704 wrote to memory of 4156	2704	{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe	101
PID 2224 wrote to memory of 2200	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	102
PID 2224 wrote to memory of 2200	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	102
PID 2224 wrote to memory of 2200	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	102
PID 2224 wrote to memory of 1836	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	103
PID 2224 wrote to memory of 1836	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	103
PID 2224 wrote to memory of 1836	2224	{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe	103
PID 2200 wrote to memory of 2184	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	104
PID 2200 wrote to memory of 2184	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	104
PID 2200 wrote to memory of 2184	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	104
PID 2200 wrote to memory of 544	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	105
PID 2200 wrote to memory of 544	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	105
PID 2200 wrote to memory of 544	2200	{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe	105
PID 2184 wrote to memory of 2788	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	107
PID 2184 wrote to memory of 2788	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	107
PID 2184 wrote to memory of 2788	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	107
PID 2184 wrote to memory of 4300	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	108
PID 2184 wrote to memory of 4300	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	108
PID 2184 wrote to memory of 4300	2184	{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe	108
PID 2788 wrote to memory of 4964	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	109
PID 2788 wrote to memory of 4964	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	109
PID 2788 wrote to memory of 4964	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	109
PID 2788 wrote to memory of 3588	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	110
PID 2788 wrote to memory of 3588	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	110
PID 2788 wrote to memory of 3588	2788	{31A04293-9063-43bb-AFEA-88738E359E51}.exe	110
PID 4964 wrote to memory of 5064	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	112
PID 4964 wrote to memory of 5064	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	112
PID 4964 wrote to memory of 5064	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	112
PID 4964 wrote to memory of 4428	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	113
PID 4964 wrote to memory of 4428	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	113
PID 4964 wrote to memory of 4428	4964	{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe	113
PID 5064 wrote to memory of 4804	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	120
PID 5064 wrote to memory of 4804	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	120
PID 5064 wrote to memory of 4804	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	120
PID 5064 wrote to memory of 1340	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	121
PID 5064 wrote to memory of 1340	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	121
PID 5064 wrote to memory of 1340	5064	{8088F042-A653-4b74-8E41-C531FC093D59}.exe	121
PID 4804 wrote to memory of 1004	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	122
PID 4804 wrote to memory of 1004	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	122
PID 4804 wrote to memory of 1004	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	122
PID 4804 wrote to memory of 2884	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	123
PID 4804 wrote to memory of 2884	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	123
PID 4804 wrote to memory of 2884	4804	{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe	123
PID 1004 wrote to memory of 592	1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe	124
PID 1004 wrote to memory of 592	1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe	124
PID 1004 wrote to memory of 592	1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe	124
PID 1004 wrote to memory of 1208	1004	{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_469d59cb12d4b8fdcf5f96b156736d76_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
  C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
    C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
      C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
        
        C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
        
        C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe
        
        C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
        
        C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe
        
        C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
        
        C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
        
        C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
        
        C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe
        
        C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B82~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCDA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97B0F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8088F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C34~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31A04~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE580~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA38D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8F5A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4948F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5BB2~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C34584-EA3D-4a16-BC86-FDFBCF3240BF}.exe

Filesize
180KB

MD5
be3466d4226a6fb1e7448f4a5e2621c0

SHA1
9c65269783da5683e3c1ba64cfa66d49ae58e33a

SHA256
ddbc3620bacfb3c33adbab73e4e8b70e9b680b3b91e0b1c285b35649f60bf66d

SHA512
7757e7a2e2b246a2cf07442f3d00329b4e5b3b73eb7a623603ff50d2078a2b7065e3af5ec9352f715d62fffd8c5db2d8f622019e622db8053c42ca17541afa06

Download Submit
C:\Windows\{31A04293-9063-43bb-AFEA-88738E359E51}.exe

Filesize
180KB

MD5
473d941388b39e22bc910d8348293d52

SHA1
f2ddd12254917f6d831e849d56f6488aa2ef6652

SHA256
3df9a14cdcc567b1d45173fe656971310c33b04457b6ffb4ff08472ce1426df0

SHA512
a1a039a769d7e6b5070d7324d273f1cb8b1aba26cd37b2b3c9c4d10d9ccf62635ea92d9619e62541463f06f81ae376d70f91e3c717777c06292974b888d8e0d1

Download Submit
C:\Windows\{4948F373-3CBA-438c-8610-FA0DB73A7F72}.exe

Filesize
180KB

MD5
9ffa560c83619191bd6800b2e7e70694

SHA1
8d85153c4835ac8b7dd8736e6b986817aacb1d1a

SHA256
2411844beb82535258a04a08a4bd2cb20b64e2ea4ea721b412f8fc756e6c75e2

SHA512
49dd774a6bd208dad5063d77c22e7950de1940656dfccc784f89b7829aabe8cc516fe7e3536d0092844743d4273086fb88d6087c87d52713080ded22ded7bd67

Download Submit
C:\Windows\{65B82A87-E1BC-4abe-9FCD-97329372CA3D}.exe

Filesize
180KB

MD5
43e35a6574715f4f25d6cfa4e5a436e6

SHA1
bd1fe63cad8076efcfaf2dd9409cb8a0082af072

SHA256
6bb88806b6891f01d3f5140c484bbfea82a529d251af90c4060959e2b4acb16a

SHA512
4d871fd9b7f2046ed6b4c9fd1afc9a6ec77158444e5afa38fc39e5fe29235bcfc5399ea3f39c8e956de2b60c44f297423cb2cc75fefa486a69f15bf4633682d8

Download Submit
C:\Windows\{6C2777B3-66F5-4f02-979E-C892F9E72F47}.exe

Filesize
180KB

MD5
df5a2119d196411016e388df0724007e

SHA1
af3dbc7a3cad0cb49512fb0c11df553ad500b9b6

SHA256
bdcfc02d42b80aa16743c59ca907cde3d073f592da919bd18b4b85d3b673a212

SHA512
f8430cd0ff584ce485f5d4d3c21641e01c24b377177f4828d64c9f3716455c11d1c5de12ae9c86048a8a60aadc972a5c6c5bf35a11d04c6f5432022ed89aa92d

Download Submit
C:\Windows\{8088F042-A653-4b74-8E41-C531FC093D59}.exe

Filesize
180KB

MD5
d349c5e29de9d52da3f301afb22376b1

SHA1
e55101088ce97e5b18ed2e395ab3cb8a390f48fa

SHA256
08b0cb4a374cc4a04f161d4ab51d5369ec704f4ea751d713c9de1a71a265df4b

SHA512
edf5ab745694a33ade303869962146bc7e251a77d131a1e2117402c557a34693190ca67c9e2e39bf0702398f8c9cc385006015b549436e1a5fead98494b6616b

Download Submit
C:\Windows\{97B0FD97-73A1-4ebc-AD69-6D9D2552F12F}.exe

Filesize
180KB

MD5
a41da3b3ae239086618e5d962154df99

SHA1
7d07f0a281c9181480c3b2d8be119f40723c75f0

SHA256
6fb4d2e40b2d94a280ec8a5613ba09b3222f79c8d19ac0b8599cf9b8a4b33146

SHA512
e3af53924572b0d846491d8be4db5524b58ac74dcc945bbe2ecea3fd847df3e7bcb3acdcdb8c01bbfd34f73730923733cc0193350d4419c2806087cfbac697ac

Download Submit
C:\Windows\{B8F5A33B-38ED-41af-9584-F28BE9761D7B}.exe

Filesize
180KB

MD5
300b662764f06c013e0ffb86e41b4b10

SHA1
9a735976f760f5719dbc3dde58069dd5d29daa92

SHA256
d26d01478af61e07ab50661737ce2a11bc522e1651684c26b3537a8c03d8fb20

SHA512
8df71b6a2827a27307561dfc6505e1bace9b906c19c0ea0278415887a8df9437912c9262188f66e867673451b0e4f94df0875edf5c06cc88688a44314f1a2fa0

Download Submit
C:\Windows\{C5BB205D-2446-4c1c-BBE8-8EE2FEFE6C54}.exe

Filesize
180KB

MD5
a0fdd95a061ff553e536f3187c043543

SHA1
61ead5ae29617ae1bfb7d3f7722d272fa80d17a1

SHA256
63cd561d9648446e4de0e56c76876b4cce519e5d5585ef64904c105b135af3f6

SHA512
7ae1e44329ee9502bf70c1a574ae84e1035145e94737a862dcf3fc12f2a5ea1b9c978ceade8dab3318bb6eafe59931a47e925dd422255d3964b51c11e455c5ee

Download Submit
C:\Windows\{DA38DC8F-AA15-4fea-91A5-3CB2616F89CD}.exe

Filesize
180KB

MD5
0af66f43de41d42e4e8395498d3875c6

SHA1
938ebf8a8da2c50c7e078c1fa35ce86dfdbdad80

SHA256
0615802ec3d3273b444b4e4a77711e293248782c0665362d86fe95a0549d777c

SHA512
26b3393e788293dd5c4e938f6ca77e2f131dee8f5674b54372097032b62cc5b4e6ced4deb1b8f876e1812e9106e8423cb66d3b53c577da5260a84ae7511c6f14

Download Submit
C:\Windows\{DFCDA1FC-877E-4aaf-86A9-A5D684B13FEE}.exe

Filesize
180KB

MD5
2323dbc85e5f9fa2b14f7528fe61ff37

SHA1
9b42bdd023592b31216fcc7520773dcb5cc41ad2

SHA256
2bd98c4b1c2db756072ec6763411f5656d457f247cc41ccb9c6a6ac9f3e88eb5

SHA512
1c310ac32cc30a25289b127764de8fa1642bd97a0caade5545450146c63419bd3f84db5bf1297e122e023f869c77505bcc05e1a2b8fd72d3da2cdb2fc3d6e1ca

Download Submit
C:\Windows\{EE5806C4-7AD1-442b-B719-6BCDA796E2A1}.exe

Filesize
180KB

MD5
39eafc65228511c0d6db433bcccb86c2

SHA1
e31145bcd84cd2b2546a4e7763ca67fd6991e387

SHA256
2f90fc2b3c56e4ceead305b11e23eb1fa9aad2738c16aec38d45fd56a63c4429

SHA512
f5775f2e83f68d173e7f41282bc30cc6082537107b06a7b30c260d0d96d5b6740e79caa152d1d73ca893177cf8d576e8d6aa7f1041e854386a66eb33edf7d3af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads