9831989c706dda8a38658756e2cc79d7a0d6049b1476d9073f0ab1d7805b76e8

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Size

380KB
MD5

2dc0282bf677cb5fd6467a7a26b29f8f
SHA1

851da886f6caa65fde4ee1d4043b3b37bb9aed5a
SHA256

9831989c706dda8a38658756e2cc79d7a0d6049b1476d9073f0ab1d7805b76e8
SHA512

ded17249dab0763ba79631e8234985fa1d20afe3d9895d11991b3b6a1c4a17555f6559c6e2aab3e6df408c6ceca637f5e5c370e27173780ec8ca044ed1681bef
SSDEEP

3072:mEGh0o2lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGYl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E70D56-573C-4781-A3B5-8BC684289554}\stubpath = "C:\\Windows\\{75E70D56-573C-4781-A3B5-8BC684289554}.exe"	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA556AC1-99AC-4f35-85E9-7175809DE862}	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}\stubpath = "C:\\Windows\\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe"	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC242352-2425-453c-B23C-600B1A1640FC}	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71722749-7E22-4169-8FEC-F10E375390A9}	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}\stubpath = "C:\\Windows\\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe"	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC242352-2425-453c-B23C-600B1A1640FC}\stubpath = "C:\\Windows\\{CC242352-2425-453c-B23C-600B1A1640FC}.exe"	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39806AEC-2DD4-4503-98D7-1B9514539FB9}	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39806AEC-2DD4-4503-98D7-1B9514539FB9}\stubpath = "C:\\Windows\\{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe"	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}\stubpath = "C:\\Windows\\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe"	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}\stubpath = "C:\\Windows\\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe"	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA556AC1-99AC-4f35-85E9-7175809DE862}\stubpath = "C:\\Windows\\{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe"	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD775686-02AA-49b7-B445-1A55EEAD18AD}	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD775686-02AA-49b7-B445-1A55EEAD18AD}\stubpath = "C:\\Windows\\{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe"	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}\stubpath = "C:\\Windows\\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe"	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71722749-7E22-4169-8FEC-F10E375390A9}\stubpath = "C:\\Windows\\{71722749-7E22-4169-8FEC-F10E375390A9}.exe"	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}\stubpath = "C:\\Windows\\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe"	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75E70D56-573C-4781-A3B5-8BC684289554}	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
3444	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
4812	{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
File created	C:\Windows\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
File created	C:\Windows\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
File created	C:\Windows\{CC242352-2425-453c-B23C-600B1A1640FC}.exe	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
File created	C:\Windows\{71722749-7E22-4169-8FEC-F10E375390A9}.exe	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
File created	C:\Windows\{75E70D56-573C-4781-A3B5-8BC684289554}.exe	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
File created	C:\Windows\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
File created	C:\Windows\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
File created	C:\Windows\{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
File created	C:\Windows\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
File created	C:\Windows\{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
File created	C:\Windows\{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
Token: SeIncBasePriorityPrivilege	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
Token: SeIncBasePriorityPrivilege	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe
Token: SeIncBasePriorityPrivilege	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe
Token: SeIncBasePriorityPrivilege	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe
Token: SeIncBasePriorityPrivilege	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
Token: SeIncBasePriorityPrivilege	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
Token: SeIncBasePriorityPrivilege	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
Token: SeIncBasePriorityPrivilege	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
Token: SeIncBasePriorityPrivilege	904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
Token: SeIncBasePriorityPrivilege	3444	{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1736	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	94
PID 1272 wrote to memory of 1736	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	94
PID 1272 wrote to memory of 1736	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	94
PID 1272 wrote to memory of 4644	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	95
PID 1272 wrote to memory of 4644	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	95
PID 1272 wrote to memory of 4644	1272	2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe	95
PID 1736 wrote to memory of 908	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	96
PID 1736 wrote to memory of 908	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	96
PID 1736 wrote to memory of 908	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	96
PID 1736 wrote to memory of 4944	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	97
PID 1736 wrote to memory of 4944	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	97
PID 1736 wrote to memory of 4944	1736	{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe	97
PID 908 wrote to memory of 1880	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	101
PID 908 wrote to memory of 1880	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	101
PID 908 wrote to memory of 1880	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	101
PID 908 wrote to memory of 1084	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	102
PID 908 wrote to memory of 1084	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	102
PID 908 wrote to memory of 1084	908	{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe	102
PID 1880 wrote to memory of 760	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	103
PID 1880 wrote to memory of 760	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	103
PID 1880 wrote to memory of 760	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	103
PID 1880 wrote to memory of 4192	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	104
PID 1880 wrote to memory of 4192	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	104
PID 1880 wrote to memory of 4192	1880	{CC242352-2425-453c-B23C-600B1A1640FC}.exe	104
PID 760 wrote to memory of 2668	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	105
PID 760 wrote to memory of 2668	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	105
PID 760 wrote to memory of 2668	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	105
PID 760 wrote to memory of 5048	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	106
PID 760 wrote to memory of 5048	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	106
PID 760 wrote to memory of 5048	760	{71722749-7E22-4169-8FEC-F10E375390A9}.exe	106
PID 2668 wrote to memory of 4032	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	109
PID 2668 wrote to memory of 4032	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	109
PID 2668 wrote to memory of 4032	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	109
PID 2668 wrote to memory of 3856	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	110
PID 2668 wrote to memory of 3856	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	110
PID 2668 wrote to memory of 3856	2668	{75E70D56-573C-4781-A3B5-8BC684289554}.exe	110
PID 4032 wrote to memory of 4716	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	111
PID 4032 wrote to memory of 4716	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	111
PID 4032 wrote to memory of 4716	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	111
PID 4032 wrote to memory of 4812	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	112
PID 4032 wrote to memory of 4812	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	112
PID 4032 wrote to memory of 4812	4032	{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe	112
PID 4716 wrote to memory of 396	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	120
PID 4716 wrote to memory of 396	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	120
PID 4716 wrote to memory of 396	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	120
PID 4716 wrote to memory of 4512	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	121
PID 4716 wrote to memory of 4512	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	121
PID 4716 wrote to memory of 4512	4716	{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe	121
PID 396 wrote to memory of 1648	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	123
PID 396 wrote to memory of 1648	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	123
PID 396 wrote to memory of 1648	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	123
PID 396 wrote to memory of 2476	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	124
PID 396 wrote to memory of 2476	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	124
PID 396 wrote to memory of 2476	396	{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe	124
PID 1648 wrote to memory of 904	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	125
PID 1648 wrote to memory of 904	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	125
PID 1648 wrote to memory of 904	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	125
PID 1648 wrote to memory of 3676	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	126
PID 1648 wrote to memory of 3676	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	126
PID 1648 wrote to memory of 3676	1648	{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe	126
PID 904 wrote to memory of 3444	904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe	127
PID 904 wrote to memory of 3444	904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe	127
PID 904 wrote to memory of 3444	904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe	127
PID 904 wrote to memory of 5036	904	{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_2dc0282bf677cb5fd6467a7a26b29f8f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
  C:\Windows\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
    C:\Windows\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\{CC242352-2425-453c-B23C-600B1A1640FC}.exe
      C:\Windows\{CC242352-2425-453c-B23C-600B1A1640FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\{71722749-7E22-4169-8FEC-F10E375390A9}.exe
        
        C:\Windows\{71722749-7E22-4169-8FEC-F10E375390A9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\{75E70D56-573C-4781-A3B5-8BC684289554}.exe
        
        C:\Windows\{75E70D56-573C-4781-A3B5-8BC684289554}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
        
        C:\Windows\{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
        
        C:\Windows\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
        
        C:\Windows\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
        
        C:\Windows\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
        
        C:\Windows\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
        
        C:\Windows\{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe
        
        C:\Windows\{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA556~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF23~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DCA2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA6B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{740CA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39806~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E70~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71722~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC242~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A18~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9A2D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DCA2919-C6C9-4aa6-9A58-FA374BE3A118}.exe

Filesize
380KB

MD5
e2a50de9292af061ea2c6cb04f9817a7

SHA1
35c2bb3391660c5d9687c1ababb4526beabdb0bb

SHA256
b46160b98a8f642af57a8b9d9450c292bdf422789a284f52ca7f4344165105ba

SHA512
2c650fdb7e6ddd8d63bf4b26fb36582176dd4e6cdaabbaf8b59e7fbaa52d66e09fd0647223d2933fb14b39af9ffb1d0ffe92c73455bb65094f8ea2218c3b6aa9

Download Submit
C:\Windows\{39806AEC-2DD4-4503-98D7-1B9514539FB9}.exe

Filesize
380KB

MD5
5c2e34567658d04bc97dec3dd0ab1504

SHA1
ab63e1af8d675d44c210069e4340bd565e9b2d0d

SHA256
b23340d2b928b067ffd3d2f1f50700919aa7a7f11f15c0dbe31c20c0a090b4f8

SHA512
3f1414c7c72defeb51fdf340cf23eaa12eb7a4b1a9edaf859797178f03c0cfb1d46f53ad3b6088e6681d410662c10c8ee74015e947ee098dc09e3549fd9098fb

Download Submit
C:\Windows\{3BF23255-6F71-4fe4-9AF5-385FBFEE91ED}.exe

Filesize
380KB

MD5
d18c29df8f3b057e33849ae2bca284d0

SHA1
1f47861d3c0dc5fe9f60fc1d213e174e9e9c9953

SHA256
99ba630c2f6c9dff4c7f95eb890533d74364fc9efdfefd78f78f70d0df361142

SHA512
53756db0d53f071d3527e4e2adf2c39c10a175cee0310d0db48574e14587c711d9c882d24e55f09903c69ac2d7990932efaaa9849be1b63297d813578dd83bed

Download Submit
C:\Windows\{71722749-7E22-4169-8FEC-F10E375390A9}.exe

Filesize
380KB

MD5
89e8e771f95322219b99f6cb9eda33f8

SHA1
dc8f8cd58f26269345f7ce99ed6cf96dd3928f1e

SHA256
1664aaadd383053a1e19190887555e7b1915125f3c39003de78faa157832aca5

SHA512
397945ef73dc96af6585c0e62fce01b9dbc90103bbbaa55320b50963eb2d79b00d19cdf5f98db137d6b5bae3d7b24aab43f4f319509023426a8e445a23839d85

Download Submit
C:\Windows\{740CA52A-E0B2-4e09-BCFD-6FAF21A8EF59}.exe

Filesize
380KB

MD5
b8357cc19fca7b9b57e77eadbca1bb6f

SHA1
dab9bc08076b1368cd5bdf4c91f9e75673bee939

SHA256
cb04c36dc089a9a6cab7f9b245d31673fd454c9b4ad5d046fe7cf73459df60f7

SHA512
a26964b2972f0f1487ef6041658c98b0941557e2cf68d069596a4d9594ae9600ea5b055e8d7869d38d60682123a1d855d3fba178f9b95c57c798d23766babae3

Download Submit
C:\Windows\{75E70D56-573C-4781-A3B5-8BC684289554}.exe

Filesize
380KB

MD5
f2af7b3abbb7abe621b7d66a26421d10

SHA1
5aa86902f44ece2ab219bf4a4fd6cf0bb2c78de4

SHA256
07d7f15e283598379e5338d48a498e739dc28b6d1b2cf0dbc22d8590416468f1

SHA512
8446c797ec18e1debe69d6bb8cce7902db581400eb8c6979a2cfc981adc6f1f50c256fac897e63b3dc4bb8a8cc8aa8dbc48225957a9ef543a9d57731074f9f2f

Download Submit
C:\Windows\{8CA6B31F-1AB8-4f4b-8804-82D4539EFA5A}.exe

Filesize
380KB

MD5
744ed9d4d00e0ccb6c5d06aec98e8b3f

SHA1
89f6d7b36b422958cce92b4d1cc5da9d70cd1f4f

SHA256
1e1f5292bec52e78dfbb4db26d2ac8be10f8ca7f073dd48f70833aebb6585d5d

SHA512
44133e868ecd1ce7ca2497dae7e87cc26cf67ddcfada8e32fde4c88589ca4aacd85b56f2611ad844b1e90bb5623565dcf3c6fa73401b27cd5157cf0482fb9ce8

Download Submit
C:\Windows\{A9A2DF41-54C6-48cf-97E2-61F5319FCAEC}.exe

Filesize
380KB

MD5
d23eff7ceeeb8ea1ea9ee0c02809669f

SHA1
b03f2d79e17874a0e8c322c6d581802b1b52794f

SHA256
49b7d978201351c87dba0bd3d003e1697e5c5d50481a4c001b8e22431f64fce7

SHA512
18f766a9636f7e8fd66ad251e57a69f4179ccfeed43a87164f8f1ef4c90a2edf9686b7167bbc77d6b721cd857c5314d93eb24ebbee482e2a525d267648b01d51

Download Submit
C:\Windows\{BA556AC1-99AC-4f35-85E9-7175809DE862}.exe

Filesize
380KB

MD5
a1cfc8d0c4ab2443abd8c8314ae0bfe0

SHA1
8f52b7941906f29efc1e07e818a58a2dc7631bca

SHA256
f433efd4a4237a2210bb8127e83a5987d0cf7e4bfeb3e5a787b05d545ca3206b

SHA512
ac61e1b056f0cca6dd537930cc98a691576806c11dfab033d079b80ae6013b32091dad5c7cea3d993bb61a9a5185a2587c89a4bb69abb48dd2d34a1687ed3c19

Download Submit
C:\Windows\{C9A18619-3079-45d8-91E9-4DC136B6AFA9}.exe

Filesize
380KB

MD5
8f5be0049ad3f2e214220117489fd6d2

SHA1
319196ad00690067e8299bc4f4026d3a71eab974

SHA256
6dda50a663ea06ad991fb2aff45e387005d104758a9efbd395804071e856497f

SHA512
40154f5e15e1ca8f8931959ee4300c3e972c3408af2078a272004b14c2b117ceb11d5b9fda32235ba362287a066069983e81f4ce48ff169dd6b1503a2c01b102

Download Submit
C:\Windows\{CC242352-2425-453c-B23C-600B1A1640FC}.exe

Filesize
380KB

MD5
16a5a5f36990fe5052e0b197276d1437

SHA1
9553f879aa107e60e28af1db0180a415d5300551

SHA256
675f5da7da6327877ded4f5734e8b930f005205f4c1ce157e3d205e3179800d5

SHA512
ebc6e1be6c3ce6ca3432b23b984b2ce52f7d283a5e9c302dcf9985e3d19a2137dc2c5fd8c0bf10ab7bf9a4c69a6ade74287d81fec2ab300f3183b87b53e936cb

Download Submit
C:\Windows\{DD775686-02AA-49b7-B445-1A55EEAD18AD}.exe

Filesize
380KB

MD5
350757f5a64f5dffa5d361ee4d03efbb

SHA1
cae1405aca03a1c111f6ec2fdad565dc5d3ee70b

SHA256
b00733d2971fd39816ce2a68e8ee7d785660a3fb770e02124df69cf63c8b9d42

SHA512
fc11ab854dcf185f1b58c79aaaaf26695847330cee2c0fc4388536d26d1e69fb0dbcacac065a4b73cdc44edc0b7d4444840e4b0ef796698bc9372671eb0e7dbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads