6ae0430df1a34165fb9bf25a01e183a409df962b6a9012ed10a582ec97e0420b

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Size

168KB
MD5

e86336da9f846d1597e079b7e6777a28
SHA1

1b508ee677915a6a8a4512d1afb8ee88bacbebf9
SHA256

6ae0430df1a34165fb9bf25a01e183a409df962b6a9012ed10a582ec97e0420b
SHA512

0614bf5e6e2fc622f343149439cf6ad55ea0b4aceca4f68a2bf1b10b21683d5b32a13234e3746eff5fcefbbb871345a801165919909ce0d8238ffc8da3223b0d
SSDEEP

1536:1EGh0oXlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oXlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}\stubpath = "C:\\Windows\\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe"	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F774526-0149-45ae-A855-A86FCFB3E351}\stubpath = "C:\\Windows\\{8F774526-0149-45ae-A855-A86FCFB3E351}.exe"	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB1A367E-4608-48da-8484-48DE71934C8B}	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76A8089D-B009-4647-91CD-96988A573456}\stubpath = "C:\\Windows\\{76A8089D-B009-4647-91CD-96988A573456}.exe"	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}\stubpath = "C:\\Windows\\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe"	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976125D4-3122-4ed8-A7AC-18A12BAE4107}	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88B48665-3743-4342-8960-58CE6C9F1FE3}	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A25CC06-6589-4978-A9B0-211111C6AE03}	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}\stubpath = "C:\\Windows\\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe"	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}	{76A8089D-B009-4647-91CD-96988A573456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB1A367E-4608-48da-8484-48DE71934C8B}\stubpath = "C:\\Windows\\{AB1A367E-4608-48da-8484-48DE71934C8B}.exe"	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76A8089D-B009-4647-91CD-96988A573456}	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}\stubpath = "C:\\Windows\\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe"	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F774526-0149-45ae-A855-A86FCFB3E351}	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88B48665-3743-4342-8960-58CE6C9F1FE3}\stubpath = "C:\\Windows\\{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe"	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A25CC06-6589-4978-A9B0-211111C6AE03}\stubpath = "C:\\Windows\\{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe"	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976125D4-3122-4ed8-A7AC-18A12BAE4107}\stubpath = "C:\\Windows\\{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe"	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}\stubpath = "C:\\Windows\\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe"	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}\stubpath = "C:\\Windows\\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe"	{76A8089D-B009-4647-91CD-96988A573456}.exe

Executes dropped EXE 12 IoCs

pid	Process
3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
4688	{76A8089D-B009-4647-91CD-96988A573456}.exe
4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
868	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
384	{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
File created	C:\Windows\{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
File created	C:\Windows\{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
File created	C:\Windows\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	{76A8089D-B009-4647-91CD-96988A573456}.exe
File created	C:\Windows\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
File created	C:\Windows\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
File created	C:\Windows\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
File created	C:\Windows\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
File created	C:\Windows\{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
File created	C:\Windows\{76A8089D-B009-4647-91CD-96988A573456}.exe	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
File created	C:\Windows\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
File created	C:\Windows\{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76A8089D-B009-4647-91CD-96988A573456}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
Token: SeIncBasePriorityPrivilege	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
Token: SeIncBasePriorityPrivilege	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
Token: SeIncBasePriorityPrivilege	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
Token: SeIncBasePriorityPrivilege	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
Token: SeIncBasePriorityPrivilege	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe
Token: SeIncBasePriorityPrivilege	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
Token: SeIncBasePriorityPrivilege	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
Token: SeIncBasePriorityPrivilege	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
Token: SeIncBasePriorityPrivilege	3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
Token: SeIncBasePriorityPrivilege	868	{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 3944	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	97
PID 760 wrote to memory of 3944	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	97
PID 760 wrote to memory of 3944	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	97
PID 760 wrote to memory of 2564	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	98
PID 760 wrote to memory of 2564	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	98
PID 760 wrote to memory of 2564	760	2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe	98
PID 3944 wrote to memory of 4852	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	99
PID 3944 wrote to memory of 4852	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	99
PID 3944 wrote to memory of 4852	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	99
PID 3944 wrote to memory of 2956	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	100
PID 3944 wrote to memory of 2956	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	100
PID 3944 wrote to memory of 2956	3944	{8F774526-0149-45ae-A855-A86FCFB3E351}.exe	100
PID 4852 wrote to memory of 5060	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	105
PID 4852 wrote to memory of 5060	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	105
PID 4852 wrote to memory of 5060	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	105
PID 4852 wrote to memory of 1164	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	106
PID 4852 wrote to memory of 1164	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	106
PID 4852 wrote to memory of 1164	4852	{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe	106
PID 5060 wrote to memory of 1320	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	107
PID 5060 wrote to memory of 1320	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	107
PID 5060 wrote to memory of 1320	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	107
PID 5060 wrote to memory of 3856	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	108
PID 5060 wrote to memory of 3856	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	108
PID 5060 wrote to memory of 3856	5060	{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe	108
PID 1320 wrote to memory of 1656	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	110
PID 1320 wrote to memory of 1656	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	110
PID 1320 wrote to memory of 1656	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	110
PID 1320 wrote to memory of 4644	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	111
PID 1320 wrote to memory of 4644	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	111
PID 1320 wrote to memory of 4644	1320	{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe	111
PID 1656 wrote to memory of 4688	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	112
PID 1656 wrote to memory of 4688	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	112
PID 1656 wrote to memory of 4688	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	112
PID 1656 wrote to memory of 2484	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	113
PID 1656 wrote to memory of 2484	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	113
PID 1656 wrote to memory of 2484	1656	{AB1A367E-4608-48da-8484-48DE71934C8B}.exe	113
PID 4688 wrote to memory of 4900	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	114
PID 4688 wrote to memory of 4900	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	114
PID 4688 wrote to memory of 4900	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	114
PID 4688 wrote to memory of 1772	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	115
PID 4688 wrote to memory of 1772	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	115
PID 4688 wrote to memory of 1772	4688	{76A8089D-B009-4647-91CD-96988A573456}.exe	115
PID 4900 wrote to memory of 3524	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	125
PID 4900 wrote to memory of 3524	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	125
PID 4900 wrote to memory of 3524	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	125
PID 4900 wrote to memory of 4984	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	126
PID 4900 wrote to memory of 4984	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	126
PID 4900 wrote to memory of 4984	4900	{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe	126
PID 3524 wrote to memory of 1444	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	127
PID 3524 wrote to memory of 1444	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	127
PID 3524 wrote to memory of 1444	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	127
PID 3524 wrote to memory of 1168	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	128
PID 3524 wrote to memory of 1168	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	128
PID 3524 wrote to memory of 1168	3524	{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe	128
PID 1444 wrote to memory of 3996	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	129
PID 1444 wrote to memory of 3996	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	129
PID 1444 wrote to memory of 3996	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	129
PID 1444 wrote to memory of 1440	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	130
PID 1444 wrote to memory of 1440	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	130
PID 1444 wrote to memory of 1440	1444	{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe	130
PID 3996 wrote to memory of 868	3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe	133
PID 3996 wrote to memory of 868	3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe	133
PID 3996 wrote to memory of 868	3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe	133
PID 3996 wrote to memory of 5000	3996	{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_e86336da9f846d1597e079b7e6777a28_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
  C:\Windows\{8F774526-0149-45ae-A855-A86FCFB3E351}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
    C:\Windows\{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
      C:\Windows\{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
        
        C:\Windows\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
        
        C:\Windows\{AB1A367E-4608-48da-8484-48DE71934C8B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{76A8089D-B009-4647-91CD-96988A573456}.exe
        
        C:\Windows\{76A8089D-B009-4647-91CD-96988A573456}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
        
        C:\Windows\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
        
        C:\Windows\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
        
        C:\Windows\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
        
        C:\Windows\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
        
        C:\Windows\{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe
        
        C:\Windows\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97612~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F75~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42B60~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D0B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A24C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76A80~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB1A3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1244B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A25C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88B48~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F774~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1244BDCA-1D1B-4dcb-97E3-5FFFB2BF6E25}.exe

Filesize
168KB

MD5
6add350665de61fcc9a80a59dcdb3d43

SHA1
513f42149fc1fa3afa2e98783093d698608eba71

SHA256
343e8a137f4e6285372b6477bd5e2a4b31bd74b9cbc5387d38f51d01699bece3

SHA512
fdcab05ea1c36b690143d3975a81c94b13b085f707e62148985e172afcedb751e9bd6544591c54a438272dfb1a38bf6b85529d509a3a9bc967066b5cfea71db7

Download Submit
C:\Windows\{17D0B7E3-9DAE-4871-8DEC-4885147C6C8D}.exe

Filesize
168KB

MD5
ad393fc96a714b1cc6044addd2fe1d34

SHA1
ebccb32f110cbf763fadc8b94c3c62e1caa4afc8

SHA256
2625c45eb67edba4ba585680f71cd8b418d22833138abb811ec81730d251b99e

SHA512
e7a0d02b6992d7c222e003c73653bbe30c40feb27f19145d94ed53f7d192b2b95113641ec9e5d56d8bd363bd4272002d43312d6e9b537125140e9c5ee985f07d

Download Submit
C:\Windows\{1A25CC06-6589-4978-A9B0-211111C6AE03}.exe

Filesize
168KB

MD5
f5a80b62eea981e03f484627132eb771

SHA1
56f211c42f8baaa3e1526c1a434329b1538e0478

SHA256
0baab68200c5e00e9d3ddd3af313a656f5ed3f107561412d5a4c114fcbe5d545

SHA512
6b2097d3050328db6726c1f69859de8ac53989c17d561803df88dc5fa098cafc073f412049c197c5d53bb3d6fd998a05436daaec179578c9eeea3d3d6c23f763

Download Submit
C:\Windows\{42B605B9-0864-4d5c-B8CA-DACC78DAB40F}.exe

Filesize
168KB

MD5
2e2cb162e6fa028bcb18f24658800dce

SHA1
b9fc89880e8eb1d24bdfa8cd3d9d9022b2a082b0

SHA256
e8c5839bba4df2ea0601960ec4a4971e299ab257f94d1be6dbdb964b36b7e1b7

SHA512
f438c204f672b2e7668958d7a584605ae8771677e23cf5105a9857e45a8ce905f359ad33c10466d30c58955e0d20a78eccc76a8af4133f022a45e3bd271aa72e

Download Submit
C:\Windows\{76A8089D-B009-4647-91CD-96988A573456}.exe

Filesize
168KB

MD5
f009a7629c0cd4e89f8dee0c00e734e8

SHA1
235c9264ac4138f294314fe31b41e721966c5dab

SHA256
f6701181edd350c9324eb9938736fcb95bb571d02a4a0a8cbdf073d47e9935d5

SHA512
906e70165bc28e9ca5f52033101bd5157cbb36478e32c8e8f38f14b4c085a13a38fbb5fe5760594295912f82f67ed57defceeef5e98a13d9bb03b2cd87abdc8e

Download Submit
C:\Windows\{7A24C06C-ECF0-4743-98AC-AC3CA49836F8}.exe

Filesize
168KB

MD5
59a8caf03bb309ccb35fe6ba2e7c9d7d

SHA1
40593fb4f83e626d395ea51abc86fe7ef0e6d10f

SHA256
af88c5b64b2b96d1ef3dd2dcafbd21baec05e691a6c4391d51ca63b3739889fb

SHA512
4022da2b94456176ce3755886ec0ca8c13979772e67ee0d1aa24c46ea595852598f12284418e84d8c7ca4dea7cf7435f2c0b37609f2d01f95a7de2fca795b336

Download Submit
C:\Windows\{88B48665-3743-4342-8960-58CE6C9F1FE3}.exe

Filesize
168KB

MD5
24542aae73ac5f6c0813287146fca587

SHA1
18792003f40e3bdd56c35f82aa6ac2c83c140e87

SHA256
da747db5b5e397e33c51dd4bb374ddac594910667413a24e297747ee6e5ecbcc

SHA512
bd3d860c4b0edf90e9ebca33ff69cfcfe1efc560590b1376829dd4cbce2dabecb2fc5e5e5b8bb329cf97e502820f863ba48dda1209c3c4deec7401b2ef3d5887

Download Submit
C:\Windows\{8F774526-0149-45ae-A855-A86FCFB3E351}.exe

Filesize
168KB

MD5
2a0db6a663de512d8e421d14b5310803

SHA1
c69432e05f42f9c699ad5218408ed450798bcf74

SHA256
09ee369216ddb1071e9fd8474c949240dcad8b10762fb637b714b46121259f98

SHA512
f73b81babf3276d9bc9010c98dbf38f85bdd5d72d297d933f1daee2905c69292874bddd76a0fc1399a96d7ae805244f80576797cd3716b3313940db35a13f5ff

Download Submit
C:\Windows\{976125D4-3122-4ed8-A7AC-18A12BAE4107}.exe

Filesize
168KB

MD5
007c54f0423a98fddd35f74c9192dd73

SHA1
e7401ae6f3f9f9efbc3441c4ef5dbb6811523220

SHA256
5eab9c162d350a2bb28676b4bbbf97e8009acafc55812e6a5222eaa620d8a229

SHA512
0c80a3e279eecaa9f4d4f6b5562570ddc7a4fa112cbdfcd505e345b4c83017c0d8bae3d5db470622bb38a6fc98605b5ffd9ab0b2c856ce1766e65fd7acd015d7

Download Submit
C:\Windows\{AB1A367E-4608-48da-8484-48DE71934C8B}.exe

Filesize
168KB

MD5
79492aeda07da33c479cc3ca4f696fdc

SHA1
adac2ad445925dc8d6a062ab000cbca538bc44a7

SHA256
8256f0af37930e181eb3ab161c009b0d9d0ecbc16bd61a83388c5381e8cb15c4

SHA512
4a07021b7f5e8f73d81007c4aa4863ef7acc363652e8b61181771387155228d356f8a7f57a009fd0bfa9355bdbac2e5af248ed78678096f7323477f29b3a17c0

Download Submit
C:\Windows\{B7F75D21-8607-447c-8739-7F8B8C0CBDBE}.exe

Filesize
168KB

MD5
cb663fc0b6f3c0dc960363ed2ed296ac

SHA1
314aa1c3cc1863af49cc8eb64529921bf9907faa

SHA256
2ee76153e0c600e54169c5ed3d3562718ff1fe2319746d2ef4702d24e30bc983

SHA512
52f5ba733770a265ecf5990456560b49eed693a1da856e79d5445281aa1be205176a25c1e715e0142d94e41df639f6ede46e980b6dc794415b215617d0f09491

Download Submit
C:\Windows\{FFEB9557-A0EC-4f4c-ADAB-0EECA1DC2F61}.exe

Filesize
168KB

MD5
131967283df4a8b54b6418c4a270a0c8

SHA1
9c4607e3250afffb12b88bafe9ff0f42efe11248

SHA256
d99e749be54c0bdc51e2a658f32c8219501b53ccbe8ce47b1bc8986a4c289bcc

SHA512
96748253929955cc617208b0b195976918c038a616b74d635d92413fd7b8ba34c597ababf8a86e7f73cd2d841c705c5a8de99c8269de1c71069f1f0d673d400a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads