63d7c1ae349d9ec6d5e8a13019a8616ff6d6db124f00958ae631b33ee5ba9b45

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 06:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
Size

408KB
MD5

b4294ca0f2142d56cc72c09053b5d798
SHA1

9df86df22f74a7d6df309adf08ef66c58e59cdba
SHA256

63d7c1ae349d9ec6d5e8a13019a8616ff6d6db124f00958ae631b33ee5ba9b45
SHA512

3c0d3047682a8dc547b5630b33ee087d4fb9ac1f916554e69709ee82d9c6efc55f53077e243f68b8b0b4cb211a6315e632f1fcc505b537ba7161e9e5a2f01bdf
SSDEEP

3072:CEGh0okl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGqldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7784388-FE35-4239-90F6-496CEE7EF2F1}	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C26454C7-7876-4643-BCA2-28EA0D674377}\stubpath = "C:\\Windows\\{C26454C7-7876-4643-BCA2-28EA0D674377}.exe"	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0768780-1DBA-420c-9F58-EBA7240C2795}\stubpath = "C:\\Windows\\{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe"	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}\stubpath = "C:\\Windows\\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe"	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}\stubpath = "C:\\Windows\\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe"	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D612D845-719E-4b8e-AD23-45D68CBBC611}	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D612D845-719E-4b8e-AD23-45D68CBBC611}\stubpath = "C:\\Windows\\{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe"	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}\stubpath = "C:\\Windows\\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe"	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}\stubpath = "C:\\Windows\\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe"	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C26454C7-7876-4643-BCA2-28EA0D674377}	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}\stubpath = "C:\\Windows\\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe"	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0768780-1DBA-420c-9F58-EBA7240C2795}	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}\stubpath = "C:\\Windows\\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe"	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}\stubpath = "C:\\Windows\\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe"	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7784388-FE35-4239-90F6-496CEE7EF2F1}\stubpath = "C:\\Windows\\{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe"	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}\stubpath = "C:\\Windows\\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe"	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe

Executes dropped EXE 12 IoCs

pid	Process
3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
4876	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
4904	{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C26454C7-7876-4643-BCA2-28EA0D674377}.exe	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
File created	C:\Windows\{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
File created	C:\Windows\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
File created	C:\Windows\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
File created	C:\Windows\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
File created	C:\Windows\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
File created	C:\Windows\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
File created	C:\Windows\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
File created	C:\Windows\{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
File created	C:\Windows\{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
File created	C:\Windows\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
File created	C:\Windows\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
Token: SeIncBasePriorityPrivilege	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
Token: SeIncBasePriorityPrivilege	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
Token: SeIncBasePriorityPrivilege	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
Token: SeIncBasePriorityPrivilege	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
Token: SeIncBasePriorityPrivilege	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
Token: SeIncBasePriorityPrivilege	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
Token: SeIncBasePriorityPrivilege	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
Token: SeIncBasePriorityPrivilege	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
Token: SeIncBasePriorityPrivilege	1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
Token: SeIncBasePriorityPrivilege	4876	{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3504	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	95
PID 3148 wrote to memory of 3504	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	95
PID 3148 wrote to memory of 3504	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	95
PID 3148 wrote to memory of 4308	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	96
PID 3148 wrote to memory of 4308	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	96
PID 3148 wrote to memory of 4308	3148	2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe	96
PID 3504 wrote to memory of 3168	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	97
PID 3504 wrote to memory of 3168	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	97
PID 3504 wrote to memory of 3168	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	97
PID 3504 wrote to memory of 3392	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	98
PID 3504 wrote to memory of 3392	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	98
PID 3504 wrote to memory of 3392	3504	{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe	98
PID 3168 wrote to memory of 100	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	102
PID 3168 wrote to memory of 100	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	102
PID 3168 wrote to memory of 100	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	102
PID 3168 wrote to memory of 4556	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	103
PID 3168 wrote to memory of 4556	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	103
PID 3168 wrote to memory of 4556	3168	{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe	103
PID 100 wrote to memory of 4320	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	104
PID 100 wrote to memory of 4320	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	104
PID 100 wrote to memory of 4320	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	104
PID 100 wrote to memory of 2576	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	105
PID 100 wrote to memory of 2576	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	105
PID 100 wrote to memory of 2576	100	{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe	105
PID 4320 wrote to memory of 4380	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	106
PID 4320 wrote to memory of 4380	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	106
PID 4320 wrote to memory of 4380	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	106
PID 4320 wrote to memory of 400	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	107
PID 4320 wrote to memory of 400	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	107
PID 4320 wrote to memory of 400	4320	{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe	107
PID 4380 wrote to memory of 1424	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	109
PID 4380 wrote to memory of 1424	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	109
PID 4380 wrote to memory of 1424	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	109
PID 4380 wrote to memory of 4492	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	110
PID 4380 wrote to memory of 4492	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	110
PID 4380 wrote to memory of 4492	4380	{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe	110
PID 1424 wrote to memory of 1820	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	111
PID 1424 wrote to memory of 1820	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	111
PID 1424 wrote to memory of 1820	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	111
PID 1424 wrote to memory of 3196	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	112
PID 1424 wrote to memory of 3196	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	112
PID 1424 wrote to memory of 3196	1424	{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe	112
PID 1820 wrote to memory of 1040	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	117
PID 1820 wrote to memory of 1040	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	117
PID 1820 wrote to memory of 1040	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	117
PID 1820 wrote to memory of 1144	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	118
PID 1820 wrote to memory of 1144	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	118
PID 1820 wrote to memory of 1144	1820	{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe	118
PID 1040 wrote to memory of 4752	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	123
PID 1040 wrote to memory of 4752	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	123
PID 1040 wrote to memory of 4752	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	123
PID 1040 wrote to memory of 4424	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	124
PID 1040 wrote to memory of 4424	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	124
PID 1040 wrote to memory of 4424	1040	{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe	124
PID 4752 wrote to memory of 1800	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	125
PID 4752 wrote to memory of 1800	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	125
PID 4752 wrote to memory of 1800	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	125
PID 4752 wrote to memory of 3176	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	126
PID 4752 wrote to memory of 3176	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	126
PID 4752 wrote to memory of 3176	4752	{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe	126
PID 1800 wrote to memory of 4876	1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe	130
PID 1800 wrote to memory of 4876	1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe	130
PID 1800 wrote to memory of 4876	1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe	130
PID 1800 wrote to memory of 4312	1800	{C26454C7-7876-4643-BCA2-28EA0D674377}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_b4294ca0f2142d56cc72c09053b5d798_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
  C:\Windows\{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
    C:\Windows\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
      C:\Windows\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:100
    - - C:\Windows\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
        
        C:\Windows\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
        
        C:\Windows\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
        
        C:\Windows\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
        
        C:\Windows\{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
        
        C:\Windows\{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
        
        C:\Windows\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
        
        C:\Windows\{C26454C7-7876-4643-BCA2-28EA0D674377}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
        
        C:\Windows\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe
        
        C:\Windows\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC0D4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2645~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D19E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7784~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D612D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C1D6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FFC7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C22A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00CFC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB453~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0768~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00CFC30E-5220-4467-BAC0-6DDAC82729A2}.exe

Filesize
408KB

MD5
c99efd244ec4a3d705f31e55b54244e0

SHA1
a212030c229baec5879db0561ae031b0372b5a02

SHA256
ad7616cb59b9bd18ebc7e900bfb2abac09ec2b7d19c273ae2f5738debdd40b08

SHA512
064ba2dd56e4be6bfb25c9d99d85c0562a1ad648630ffcdebedc750c5d80357f5d359d0bc8e1518c64d9825af45fd102d8a7b8d74d42859a4e251cfeb0184eb8

Download Submit
C:\Windows\{2C1D61D6-297D-41c2-AE3D-BCA8D090485A}.exe

Filesize
408KB

MD5
cad765bd6f48bef97edaddf65e3c6db4

SHA1
697b14ac067aeb74a14bcdfc9a0935af2c540c31

SHA256
55a4a46d876c60e51b3363adbacd0ba6b5f5917dd58b0e7c8c799a07fb2c2576

SHA512
950fc004ff4e006255d40e9ce1c5ef9ef9589609817a14158ade30ae29556ffeea1280835b21dd1fffee14d7b498e95119596f11b0d2af5d891b2c1eba1d8e3a

Download Submit
C:\Windows\{5FFC7BF4-EB51-4c7a-B7F1-066F3F96EB6F}.exe

Filesize
408KB

MD5
87b949399051c3007b6c1ed62e453f18

SHA1
43a6af4827d11b0f0bbea0af74dd2cc054ce918f

SHA256
3fd0a2ec6aa60b8824abef5c7951283b40a7a4684f56163267f50d3840dc33f3

SHA512
23d2dd7e22eff8f8ebfb6262a71449375b1ddb5da7466d22f1f426a0699b67196934e52cd13f1f76a75f07a39bc4b2fef0648552f409f8c601f0ef15b5a38f5a

Download Submit
C:\Windows\{7D19E7A6-C1CC-4050-9AC1-B0B20345BADB}.exe

Filesize
408KB

MD5
27110fce43e635531f389dfdd24722cb

SHA1
d4b60507f084a012050b9f8f33ca34edb52420c1

SHA256
5e7fa72c234436e8cc9084e4bbed427da939f40f147a19409217d448b45d62cc

SHA512
207d765f9c81fa832dad3aa52034b9f5003f4230cf9344c1e3204c1e65fbe4357e99ca12e124604e22efa89c36150a01ec3aa3114d1db2564164b515aae02b88

Download Submit
C:\Windows\{9C22A0C0-2759-42f7-A9F3-1B1FBE0CC2CF}.exe

Filesize
408KB

MD5
0cfefa80b6cf216deb418541569d2c22

SHA1
11e031f97b0ae5ef9db0d93ecfa01998b2d2f639

SHA256
6a36ce9ed78d73caedca671fe8604f65687c1f2387b4d44144ce729243f147dd

SHA512
cf4116749c4201b122d937494ba3515d2c0a23ff4303bb710e59e3ba2611ab4a58039929630175e4f4df9067ab8c274286ea77e9a4cd0fa1f8f118d965bd1e28

Download Submit
C:\Windows\{C26454C7-7876-4643-BCA2-28EA0D674377}.exe

Filesize
408KB

MD5
7a8427d850fc056bc3f1e0e0356b188c

SHA1
7247832debabd5718e01bb89428933f01479536b

SHA256
5fd2384a3ee76ceda6d1f7697c5666dbff94c64ff20150c6bf64d0e781b1a7e0

SHA512
b388d3d5e3212a91a0092855e5f26d3bdac2b9a95558a6fd3410aabe9534fb8e3e452258e6a0b02972f58a762e2f6b66c2d7aa8732a04389c5e4d3e6d4de1d24

Download Submit
C:\Windows\{C7784388-FE35-4239-90F6-496CEE7EF2F1}.exe

Filesize
408KB

MD5
9c8f9591c2d062ef8161cae370de1164

SHA1
5a03a7a66ff89963c3701d422bc4a4656cacd671

SHA256
7aecad93f2b9ae36d24c405ccf1b97f615b97438010fd48aa74cf268308aae22

SHA512
8e9c304ea328a009504fa37b914d6b8004ad60607bc2ec6bdb345817bb6b729eed44fbd6a0b35a25bf99384bfe3a45ef4fcbc6f391f36bc6b8a6df83b90488d2

Download Submit
C:\Windows\{D0768780-1DBA-420c-9F58-EBA7240C2795}.exe

Filesize
408KB

MD5
d9495144aebdc7e490f95911b0f60e25

SHA1
b37000f58ddc5127dce704b151639f5bfe1553c1

SHA256
50c462c7f4349532d69612e9c0b478d8d4782a556350d6c7d89d266de9dce8ff

SHA512
88cbf9367166f545ed656e2f7c5e570a070c027aa1dd955d7a31cfe12b0bbb17c93866e87caad4a0f06f6488ae72cf1654c6255de9cbf4002b909d55a366130f

Download Submit
C:\Windows\{D612D845-719E-4b8e-AD23-45D68CBBC611}.exe

Filesize
408KB

MD5
d158b544a7eda51badd098f83a7fd26f

SHA1
96b20e2ac80eb16c0f4dc91f277ea3390623066f

SHA256
c6643b1100d513ea661605303fc936b217acc9e5d8ba911f61713c358ee71213

SHA512
f0f095dea2de95e84cdff5f3a1eb0218671e0a8fba999bd1ed6934d4aecd5aad1a753eb5c50fe56af70549535c7017e2c97ddac64c7dce2c9f47ab63cf0c9679

Download Submit
C:\Windows\{DB99BE92-261F-48fe-97F9-AB4A46B6A691}.exe

Filesize
408KB

MD5
7789975fd283483eeb21b79dd4b4f8b6

SHA1
6a2c54f92cfe06b807dded6e9c8f82dc2bb30422

SHA256
aac1fa8d0a92404101ba98ce041bb8c1138fd3f0103ea118b8c3f5240bb9ee63

SHA512
2d1b23420d01a3fb739e6da19369908373798c74de78eb8fdf9dcaf637ef67475b4e60b4e3abee8606d3e2572dd60079800eca63ace6899876621db41a3ed430

Download Submit
C:\Windows\{DC0D429E-116A-4fa8-AE3D-14A3BE0172F4}.exe

Filesize
408KB

MD5
db352a34782c6a408a749fa02bf12f2e

SHA1
1b911a1e39ae952198745be40f0963861140ad28

SHA256
d79dddd58aa199d9b3dfbe11090183065eb75bebdac143fe9c97a7da6f5b6c0a

SHA512
3b85fd2a66d3326082a2802a83ef94347e10071ee35195b830ab6b41149c0972c2b8b565fa361471ea418fd8bebf74a4f9c176c564da828a90ab10377f20c248

Download Submit
C:\Windows\{EB453D62-07CB-478d-8C40-4B463BD3BCE2}.exe

Filesize
408KB

MD5
b08af350743980f20e599e7cf5bcc228

SHA1
efa2045e83cc4ff88a6bf917cee0d09581fd9f00

SHA256
324e3d0e659de966a952247f1f6610a85326dda7de70a79a430af59c41a94039

SHA512
8a897239dc244e0124cdeba9c278baee1444209eea5c20f5348fe712c518b1fb7118710d9a64afac76929f1d186dfbad3d256d165a2ced80cc5ee8e1ace18925

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads