d9c02025ebe03290920a94c7a40af419950e6184d75555e8024b19ed28eea394

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
Size

216KB
MD5

33ca5e1f6b97a77bd6f9d90661951069
SHA1

c1432a95b95dfc2bb2d9751e6b6d76057f5e327c
SHA256

d9c02025ebe03290920a94c7a40af419950e6184d75555e8024b19ed28eea394
SHA512

490e7bfac1ed61e108e8d9deafaa98f6f41b4eaed3b9dfb9020eb048b4318165b62da56efbc42f91f3c7447524da4fffa5a126c058bcc3a76486fedfc734b349
SSDEEP

3072:jEGh0o7l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}\stubpath = "C:\\Windows\\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe"	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A9609E-A7D8-4010-92D3-4DE299083821}	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}\stubpath = "C:\\Windows\\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe"	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}\stubpath = "C:\\Windows\\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe"	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}\stubpath = "C:\\Windows\\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe"	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F476C98F-14EE-44ce-BBC5-986C9548E322}\stubpath = "C:\\Windows\\{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe"	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{611F9104-C173-4114-B3CF-C1600ACA56D7}	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370DE13E-58D6-4e22-8CA1-E9D610174158}\stubpath = "C:\\Windows\\{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe"	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F476C98F-14EE-44ce-BBC5-986C9548E322}	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}\stubpath = "C:\\Windows\\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe"	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}\stubpath = "C:\\Windows\\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe"	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{611F9104-C173-4114-B3CF-C1600ACA56D7}\stubpath = "C:\\Windows\\{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe"	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}\stubpath = "C:\\Windows\\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe"	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A9609E-A7D8-4010-92D3-4DE299083821}\stubpath = "C:\\Windows\\{29A9609E-A7D8-4010-92D3-4DE299083821}.exe"	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91948E2D-F93C-40c0-A044-B67AF6B3239E}	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{370DE13E-58D6-4e22-8CA1-E9D610174158}	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91948E2D-F93C-40c0-A044-B67AF6B3239E}\stubpath = "C:\\Windows\\{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe"	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe

Executes dropped EXE 12 IoCs

pid	Process
3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
3608	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
4020	{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
File created	C:\Windows\{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
File created	C:\Windows\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
File created	C:\Windows\{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
File created	C:\Windows\{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
File created	C:\Windows\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
File created	C:\Windows\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
File created	C:\Windows\{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
File created	C:\Windows\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
File created	C:\Windows\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
File created	C:\Windows\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
File created	C:\Windows\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
Token: SeIncBasePriorityPrivilege	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
Token: SeIncBasePriorityPrivilege	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
Token: SeIncBasePriorityPrivilege	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
Token: SeIncBasePriorityPrivilege	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
Token: SeIncBasePriorityPrivilege	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
Token: SeIncBasePriorityPrivilege	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
Token: SeIncBasePriorityPrivilege	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
Token: SeIncBasePriorityPrivilege	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
Token: SeIncBasePriorityPrivilege	632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
Token: SeIncBasePriorityPrivilege	3608	{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 3568	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	96
PID 648 wrote to memory of 3568	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	96
PID 648 wrote to memory of 3568	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	96
PID 648 wrote to memory of 3624	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	97
PID 648 wrote to memory of 3624	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	97
PID 648 wrote to memory of 3624	648	2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe	97
PID 3568 wrote to memory of 2324	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	98
PID 3568 wrote to memory of 2324	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	98
PID 3568 wrote to memory of 2324	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	98
PID 3568 wrote to memory of 4420	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	99
PID 3568 wrote to memory of 4420	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	99
PID 3568 wrote to memory of 4420	3568	{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe	99
PID 2324 wrote to memory of 1540	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	105
PID 2324 wrote to memory of 1540	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	105
PID 2324 wrote to memory of 1540	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	105
PID 2324 wrote to memory of 4432	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	106
PID 2324 wrote to memory of 4432	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	106
PID 2324 wrote to memory of 4432	2324	{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe	106
PID 1540 wrote to memory of 908	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	107
PID 1540 wrote to memory of 908	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	107
PID 1540 wrote to memory of 908	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	107
PID 1540 wrote to memory of 3996	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	108
PID 1540 wrote to memory of 3996	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	108
PID 1540 wrote to memory of 3996	1540	{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe	108
PID 908 wrote to memory of 1576	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	110
PID 908 wrote to memory of 1576	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	110
PID 908 wrote to memory of 1576	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	110
PID 908 wrote to memory of 1356	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	111
PID 908 wrote to memory of 1356	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	111
PID 908 wrote to memory of 1356	908	{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe	111
PID 1576 wrote to memory of 4864	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	112
PID 1576 wrote to memory of 4864	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	112
PID 1576 wrote to memory of 4864	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	112
PID 1576 wrote to memory of 1172	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	113
PID 1576 wrote to memory of 1172	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	113
PID 1576 wrote to memory of 1172	1576	{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe	113
PID 4864 wrote to memory of 4008	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	114
PID 4864 wrote to memory of 4008	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	114
PID 4864 wrote to memory of 4008	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	114
PID 4864 wrote to memory of 1188	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	115
PID 4864 wrote to memory of 1188	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	115
PID 4864 wrote to memory of 1188	4864	{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe	115
PID 4008 wrote to memory of 64	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	120
PID 4008 wrote to memory of 64	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	120
PID 4008 wrote to memory of 64	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	120
PID 4008 wrote to memory of 2912	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	121
PID 4008 wrote to memory of 2912	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	121
PID 4008 wrote to memory of 2912	4008	{29A9609E-A7D8-4010-92D3-4DE299083821}.exe	121
PID 64 wrote to memory of 3152	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	122
PID 64 wrote to memory of 3152	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	122
PID 64 wrote to memory of 3152	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	122
PID 64 wrote to memory of 4416	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	123
PID 64 wrote to memory of 4416	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	123
PID 64 wrote to memory of 4416	64	{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe	123
PID 3152 wrote to memory of 632	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	128
PID 3152 wrote to memory of 632	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	128
PID 3152 wrote to memory of 632	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	128
PID 3152 wrote to memory of 2120	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	129
PID 3152 wrote to memory of 2120	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	129
PID 3152 wrote to memory of 2120	3152	{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe	129
PID 632 wrote to memory of 3608	632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe	132
PID 632 wrote to memory of 3608	632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe	132
PID 632 wrote to memory of 3608	632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe	132
PID 632 wrote to memory of 4088	632	{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-11_33ca5e1f6b97a77bd6f9d90661951069_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
  C:\Windows\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
    C:\Windows\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
      C:\Windows\{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
        
        C:\Windows\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
        
        C:\Windows\{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
        
        C:\Windows\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
        
        C:\Windows\{29A9609E-A7D8-4010-92D3-4DE299083821}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
        
        C:\Windows\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
        
        C:\Windows\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
        
        C:\Windows\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
        
        C:\Windows\{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe
        
        C:\Windows\{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F476C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1842E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D07F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E956E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29A96~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB43~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{370DE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AE6A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{611F9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A14A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D03~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D07FEA3-CB63-45b8-8914-5B70A31D2A20}.exe

Filesize
216KB

MD5
13ce485c08460bcd5a2d9d316582250c

SHA1
49e7feca581967beae35fe625b307d83e27da779

SHA256
1d98647572f7c2a5c8ff8d7bab7491957ca93e086055930ff6de73b847bfef2b

SHA512
934bd643124ec651c9ea47e130572de70f77401551d6a2536d3edef8be5fffa865e509b679664fd4c3dfe0f2637ae0758106693e4ce4ea1324d437596ceab4c0

Download Submit
C:\Windows\{1842E778-7489-4f32-8EFD-CA6FEAC912D0}.exe

Filesize
216KB

MD5
8ba413073357fe0f173206fedc5e6bd8

SHA1
9ecc8f0ff96309638e319b82814abd187c6b55b1

SHA256
e4af1fdcc1a787d9ab0f8d0381356bfaed92d78c8e0284dc8facf6d0cb453679

SHA512
c738e205accd7b8d602d7ed2375de02cea341dd9ec7c08b444a3267bcf74d2e8d7c80c7216a47529ec8e9ec68e04e6bf0947d2d122b5d1f7b8d8dfe9f45bf525

Download Submit
C:\Windows\{1A14AE13-827A-4fcb-9A79-70B97C27A19D}.exe

Filesize
216KB

MD5
a74183b0c1c4d939348a308000742817

SHA1
d6e89051998f18dd8d9dccd86b9933a4efa3db9b

SHA256
2a623dcee6f97e17924fa8d538d3953ca45a9e05cb3cd6fc8e0331f5652a35d4

SHA512
90c815361b22fc61ecdf4afb8ce231bdee65496eb0050b6004296780ccabca74341ff24a5ddd0723ac345476f2ba2df6e6cba9abb2b4cbc0e20b62540b5f094a

Download Submit
C:\Windows\{1AE6A76C-4D49-4f97-BD2D-5A688A1EB38C}.exe

Filesize
216KB

MD5
71b7fdbfa41dbe4a7f3ab89714294834

SHA1
b7b66567b29f5f67bb42a6bec9d1e0a56e33ea0e

SHA256
055e8677d64ec3c669719ae5fd899f51324a1dd49677e11262e72b2497e935b5

SHA512
a14ef376e5bd500de6221e753569a28c5b4447f280a09f720a291394b8a89a5ea75a492fc48ed67a5d3bc24b2554fbd8f41b791a315b11f83e0bc29f3a54c3dc

Download Submit
C:\Windows\{29A9609E-A7D8-4010-92D3-4DE299083821}.exe

Filesize
216KB

MD5
617261f6726ac7b83d2e1b776d0568d5

SHA1
0870709bee25e9a29b1914a492d7da56b6b75ab7

SHA256
e2e955845c3c204216880fd5d7f1fa4f719e3521198e1a059e54580e510ef4f4

SHA512
7e7e1343388fff133fd5f0401c0b61db7f5bdc804cc8de6b8d354ca8ab64c80565eb4750d0130ca8d993fa2c75ce66afa001d9662af980e5c058525f49ffdbf3

Download Submit
C:\Windows\{370DE13E-58D6-4e22-8CA1-E9D610174158}.exe

Filesize
216KB

MD5
5fed182a07c8c94d8713ccfdc93cb822

SHA1
8ba61e27bf9457769853148863293b939cfffa07

SHA256
3d9b897986ba0d707be6cdb507afdfda9dd3ecbbca8c08ac048329672030e462

SHA512
326b8d3d6a1557f99423ec16e569bdb4114f747ff1d1df777075e1f36bf70f44ded7af26c6341751da4418136dc1dda2812a8f7f2d7be0d37e1bd73adc9e830d

Download Submit
C:\Windows\{611F9104-C173-4114-B3CF-C1600ACA56D7}.exe

Filesize
216KB

MD5
a4f1958fffbb9ab9c591d42be8b8992d

SHA1
5270b6c53f32418c3aa5cf2a8acd03cf756ac5b7

SHA256
624f142d7cf84ccf87a40d75fdcf5b5592111bd29cc92f167588f7a629e18458

SHA512
e5a2627dda175ebb4dd7fae59adf52d0db1559600bc25e08795a70bd91e1b9964e81e5d215b98d878bb61557de4c3455cf19c7a13cc3d05a0c03f127c6379718

Download Submit
C:\Windows\{7EB43FA4-43B9-4c57-BD7B-622A504F91E5}.exe

Filesize
216KB

MD5
72ab734f2ae7f269feed08aacf39fe63

SHA1
8743b52b2a2c3922bc6aa7c95a6b9062d9511d28

SHA256
5eb2f4c9d669a0bf3d64882e59d0cdcfdb7a8dd44d3edc517f96db0f694b51c9

SHA512
63123049f9cbaafafc6185f8653589e58b6238e96164286ef6047d262870e012770eabbbc7bde5a0db01a875ab18f2cdffd9514fcc3e952ec09265c931033862

Download Submit
C:\Windows\{91948E2D-F93C-40c0-A044-B67AF6B3239E}.exe

Filesize
216KB

MD5
d3ebad5d5e11e2f208879816317e857a

SHA1
2e75c97841d35e8d7910000cbe239612170b16e1

SHA256
1eea5fee2d08489559eafef1b3011f2733d157b4b64f3297285d80c67c11160b

SHA512
f0948aceb993d6caf10350b56e143adf340afa0610be848d6e32c7c57732a409b15ee929ae4e592e477451268d625ea9e6f9d316ea01da95c5f7eefdbe71ba2a

Download Submit
C:\Windows\{E2D036DB-B0EB-468b-A53C-FDE468ABA2E7}.exe

Filesize
216KB

MD5
592cefa7933138712371f945aefb67a4

SHA1
6a77f2530bb5cd87837de37a60c114bd528c10bc

SHA256
2d32a8c811b22352d0e31e57be41ef44ee7aad1e9abf3a6d4344dd796b0e7dd7

SHA512
e3b6a073d28b0099bb11b84a624990b720e255288624e6430a54b020b87560c8ade497a81bf0fefc9e57a1755482829690490aa4d37fc5dc176fb917e9945854

Download Submit
C:\Windows\{E956E73B-717A-4f3f-A6D2-58F7A87D7866}.exe

Filesize
216KB

MD5
7a66cb030badd909e33576518a5d4bd8

SHA1
c82a74d14fd12bed8b029da91cfd3e7b4c33eb84

SHA256
60103e157701f4d8c94c5efb0939d99d9799fc5fce351ecae17146eda434f6c7

SHA512
a4f0b2d4237675ebe9addf42ad0e7c686ca478333e02688430153785bd15a28336c85e28b4e8e26decfdec9f0030256ae6e1111b02dafe18dd1589e3d1babb2c

Download Submit
C:\Windows\{F476C98F-14EE-44ce-BBC5-986C9548E322}.exe

Filesize
216KB

MD5
9d78caa48f2700f27e54bbe32ba077f5

SHA1
d1cce5c6e2bbab69c5c9b75b4c4749b1d5b522c4

SHA256
fa06d397b6c5d8a5bac9a4cca442f3be59324e3ff03abee03f13742e76e26580

SHA512
1f3d11fbd693ac0cebc27c7f9bbb6a5131015eb87cd1ef81865df476f2e4ecd35c1af0d260f8ed3ddfacc70f825ee738b4559537de6cf681fe9be97ee74ed3a2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads