6337ffad33b369c6be593ff5447a76c06cf381c1625da01ba7946e399b923303

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
Size

216KB
MD5

3c93b97c5852127e8b42b547b359854e
SHA1

b18abe54984b6479963b38339ffce2620d2c775a
SHA256

6337ffad33b369c6be593ff5447a76c06cf381c1625da01ba7946e399b923303
SHA512

c8f732d45d65df424516b1b7a1136248eea7c37e9a85cdddc84426cc32dbf095f722dd5d757bd6deae4e2559114de9ff62bbb16298e098e03fed58fd95b745ff
SSDEEP

3072:jEGh0oSl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGklEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CBBCD84-312E-41ae-824E-7C418577A7FB}	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CBBCD84-312E-41ae-824E-7C418577A7FB}\stubpath = "C:\\Windows\\{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe"	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A069AB37-87B1-47df-9CD8-398574CFCCE3}\stubpath = "C:\\Windows\\{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe"	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{251BCE32-C9F4-4b74-9894-156419DAEB7A}\stubpath = "C:\\Windows\\{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe"	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}\stubpath = "C:\\Windows\\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe"	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}\stubpath = "C:\\Windows\\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe"	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A839DA4-5213-4db5-AE57-BC7C197CD098}\stubpath = "C:\\Windows\\{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe"	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{251BCE32-C9F4-4b74-9894-156419DAEB7A}	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}\stubpath = "C:\\Windows\\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe"	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}\stubpath = "C:\\Windows\\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe"	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A839DA4-5213-4db5-AE57-BC7C197CD098}	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}\stubpath = "C:\\Windows\\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe"	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58B19A92-E17F-4d1b-9671-0E4236C78783}	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58B19A92-E17F-4d1b-9671-0E4236C78783}\stubpath = "C:\\Windows\\{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe"	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}\stubpath = "C:\\Windows\\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe"	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A069AB37-87B1-47df-9CD8-398574CFCCE3}	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}\stubpath = "C:\\Windows\\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe"	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe

Executes dropped EXE 12 IoCs

pid	Process
760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
764	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
4672	{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
File created	C:\Windows\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
File created	C:\Windows\{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
File created	C:\Windows\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
File created	C:\Windows\{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
File created	C:\Windows\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
File created	C:\Windows\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
File created	C:\Windows\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
File created	C:\Windows\{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
File created	C:\Windows\{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
File created	C:\Windows\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
File created	C:\Windows\{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
Token: SeIncBasePriorityPrivilege	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
Token: SeIncBasePriorityPrivilege	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
Token: SeIncBasePriorityPrivilege	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
Token: SeIncBasePriorityPrivilege	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
Token: SeIncBasePriorityPrivilege	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
Token: SeIncBasePriorityPrivilege	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
Token: SeIncBasePriorityPrivilege	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
Token: SeIncBasePriorityPrivilege	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
Token: SeIncBasePriorityPrivilege	4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
Token: SeIncBasePriorityPrivilege	764	{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 760	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	95
PID 376 wrote to memory of 760	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	95
PID 376 wrote to memory of 760	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	95
PID 376 wrote to memory of 4272	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	96
PID 376 wrote to memory of 4272	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	96
PID 376 wrote to memory of 4272	376	2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe	96
PID 760 wrote to memory of 4808	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	97
PID 760 wrote to memory of 4808	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	97
PID 760 wrote to memory of 4808	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	97
PID 760 wrote to memory of 2220	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	98
PID 760 wrote to memory of 2220	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	98
PID 760 wrote to memory of 2220	760	{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe	98
PID 4808 wrote to memory of 3772	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	102
PID 4808 wrote to memory of 3772	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	102
PID 4808 wrote to memory of 3772	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	102
PID 4808 wrote to memory of 1328	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	103
PID 4808 wrote to memory of 1328	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	103
PID 4808 wrote to memory of 1328	4808	{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe	103
PID 3772 wrote to memory of 4708	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	104
PID 3772 wrote to memory of 4708	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	104
PID 3772 wrote to memory of 4708	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	104
PID 3772 wrote to memory of 4984	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	105
PID 3772 wrote to memory of 4984	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	105
PID 3772 wrote to memory of 4984	3772	{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe	105
PID 4708 wrote to memory of 4408	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	106
PID 4708 wrote to memory of 4408	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	106
PID 4708 wrote to memory of 4408	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	106
PID 4708 wrote to memory of 3824	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	107
PID 4708 wrote to memory of 3824	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	107
PID 4708 wrote to memory of 3824	4708	{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe	107
PID 4408 wrote to memory of 3024	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	109
PID 4408 wrote to memory of 3024	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	109
PID 4408 wrote to memory of 3024	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	109
PID 4408 wrote to memory of 1208	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	110
PID 4408 wrote to memory of 1208	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	110
PID 4408 wrote to memory of 1208	4408	{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe	110
PID 3024 wrote to memory of 4240	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	111
PID 3024 wrote to memory of 4240	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	111
PID 3024 wrote to memory of 4240	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	111
PID 3024 wrote to memory of 4084	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	112
PID 3024 wrote to memory of 4084	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	112
PID 3024 wrote to memory of 4084	3024	{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe	112
PID 4240 wrote to memory of 5088	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	117
PID 4240 wrote to memory of 5088	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	117
PID 4240 wrote to memory of 5088	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	117
PID 4240 wrote to memory of 3708	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	118
PID 4240 wrote to memory of 3708	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	118
PID 4240 wrote to memory of 3708	4240	{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe	118
PID 5088 wrote to memory of 4656	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	122
PID 5088 wrote to memory of 4656	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	122
PID 5088 wrote to memory of 4656	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	122
PID 5088 wrote to memory of 4596	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	123
PID 5088 wrote to memory of 4596	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	123
PID 5088 wrote to memory of 4596	5088	{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe	123
PID 4656 wrote to memory of 4416	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	124
PID 4656 wrote to memory of 4416	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	124
PID 4656 wrote to memory of 4416	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	124
PID 4656 wrote to memory of 2056	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	125
PID 4656 wrote to memory of 2056	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	125
PID 4656 wrote to memory of 2056	4656	{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe	125
PID 4416 wrote to memory of 764	4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe	129
PID 4416 wrote to memory of 764	4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe	129
PID 4416 wrote to memory of 764	4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe	129
PID 4416 wrote to memory of 1124	4416	{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_3c93b97c5852127e8b42b547b359854e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
  C:\Windows\{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
    C:\Windows\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
      C:\Windows\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
        
        C:\Windows\{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
        
        C:\Windows\{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
        
        C:\Windows\{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
        
        C:\Windows\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
        
        C:\Windows\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
        
        C:\Windows\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
        
        C:\Windows\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
        
        C:\Windows\{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe
        
        C:\Windows\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A839~1.EXE > nul
        13⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEDD7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EED7~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30F23~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E645~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{251BC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58B19~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A069A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E44FB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C79~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8CBBC~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{251BCE32-C9F4-4b74-9894-156419DAEB7A}.exe

Filesize
216KB

MD5
df9421c660ec80392692c91e568567fb

SHA1
4f37444733a61a11d95ba7be459836c73d00323d

SHA256
41c826fe5e5400ab78a7b79c2e587fad8a2ed8a6747d2ddadc3758c1b476314f

SHA512
51baac5d184e4ac65149cc4113fda2ebfe393772bac45bbfe0fa8d333bbfdf523503089272576f426f82fb80dcfe4589e1e848dcb913dcf5d4853a41322f5f07

Download Submit
C:\Windows\{2A839DA4-5213-4db5-AE57-BC7C197CD098}.exe

Filesize
216KB

MD5
855240548e12cfdae5cdddf382820f73

SHA1
baf595a9b6a8cb420639d2c5ee78ce9f95f92479

SHA256
c00686056008b9aa0fd12d07285bd02b876acafee82f28b6c9e3fb2dcff416ee

SHA512
58546916cdcbaf2a6f32504a12bfcd81c3ac2325acae5957fb23288698792c66483c645fe860a87f21c5491a63bcd2bfe177623f8309dc5509cfb0c4495247a3

Download Submit
C:\Windows\{30F23B0A-7F2F-4d3b-A3E6-869ED847105D}.exe

Filesize
216KB

MD5
7c4d6a154cad42070ac6ea2908300526

SHA1
9f96035eff18c0152362fe6e6f3f9288c68579b8

SHA256
260b372a7719b9e2637307b75a90a6dace9578004aa3672985424d518380be62

SHA512
9da23727a9d2e6ce022cc184d0b774833480eb5259cb0a513aaae582bd48ece5cd21962554095af8716ccd5c57348a5d2ee558605b4bff012663757c09b7c963

Download Submit
C:\Windows\{58B19A92-E17F-4d1b-9671-0E4236C78783}.exe

Filesize
216KB

MD5
61bb2edd6da2a252cb31b5d3dbc8f46b

SHA1
729b1b9b03b3e25135f04eb34095a8745010f4e0

SHA256
9936180690d2511f175c071f1700441b4455b2d6c6e07318eb2dc698a4525277

SHA512
1583351c151a2ce946914f835d1d1d3d285fb2fd2f926bdecd059c12e6f8eeb1416a2a7fbb2b9c54ea3aefc5f0c3ed1e11af9aad05414575e6924073f9e326d5

Download Submit
C:\Windows\{64D565C8-A928-4f88-BFED-D0A3D80BC0E8}.exe

Filesize
216KB

MD5
36cc40353fb58e4cfa3225943beb3f8f

SHA1
87a9af872b5c4a81f4763ec426163c9966fb32c7

SHA256
e57636c832b249f7f9781e0e4e4bdad94810d7ca9acf2f134edbdd78cb40381f

SHA512
33fc8c951c224e9366de960dee5ceaaf7ebe36f869d7a3b6337ed80f9c8a303b757444b1fb023bfbbbb1637e49fd88c6c6821c4a3f8141d83db19341b8fe45c7

Download Submit
C:\Windows\{6E645440-21F9-4ce0-A8BF-B6B8C03C56FB}.exe

Filesize
216KB

MD5
534fbba8ae9eeafef6db11f32da21ed4

SHA1
b688f7694ded6ef3ea0f147a35bf2daa1322ebc2

SHA256
3fd1cfe2a615e9fd6a9b8182b95ceb6c9d1c810796b1537b59e61fc10d26fd4f

SHA512
2c589a58acf728f5a77eabd910e307c6922ce050126293a38fb040b32caddb3f1b86d5b4f24d2982bd61efc873d999c5e87d6899b9c27430e7b0061bea5f35bf

Download Submit
C:\Windows\{8CBBCD84-312E-41ae-824E-7C418577A7FB}.exe

Filesize
216KB

MD5
36d2e489fe50b004f0f4a35a33012ac9

SHA1
398fe28eab6c10ad2cfdc2d63e252b2546953381

SHA256
9082ed5a846ada0bec8293b87ae2d60c7ebb23f1f9b829c8370b7eb9e875c27c

SHA512
9a253a283db484746a740ca3903319b6021aaf43ce58b9b21f7c236aa5b4a035bfc908b03422188a7938434906112281e241f4541c36d626bbd7c254b7aa42ca

Download Submit
C:\Windows\{9EED7BFE-5F24-4bc3-980A-80C84E6BA719}.exe

Filesize
216KB

MD5
6312e61f1ba48dfc6abf057813ccb803

SHA1
a455b2dc177aec29e84da4848cb7611c7652705c

SHA256
64ad68e46a57a83c38d3ffbb8fadae1c4a8f01bb12c9747189eb972ccbda6f0c

SHA512
ecf0fcabfcc1311148ae3c735ade23acac1ebb2ec5412b8c9c9031d0c39773be26730257eb6542fc73ec6ecba2336677af2460fc17f4739766a8bdf08be53f8e

Download Submit
C:\Windows\{A069AB37-87B1-47df-9CD8-398574CFCCE3}.exe

Filesize
216KB

MD5
c4a18b11b3de355538b2a76dae10acf3

SHA1
c266cd9c14d6eb7b0b900b66ac75170279c52095

SHA256
f62063f076af2a4db3284faae3ea87f094e1145478e05378721b4af6dc8c3495

SHA512
1fe056a2e68d86b267ad7b037fbfb3cef4e667e4097c31f52e06e5622573154f6249cc5dde696da2f41471b69d3255acc207f49f6f7b701ffc25fdcc7ff34bf2

Download Submit
C:\Windows\{AEDD766F-7218-44ff-BBCA-7A7D813CAE91}.exe

Filesize
216KB

MD5
ec3435415c898f7fdc21ce5b54c0be33

SHA1
b22ae49094b7555a61e27ab29510fe44d7fcf243

SHA256
d920373716b3e01c52df7dce21ef7ab68f91a35cdae837a2fcb6f11584ba82a1

SHA512
6619e63cd80a35f6381e3a36454015f54528c96965169b3f97818302ad0bbddd5321e8ae18aadd5637ea8b178ac15965c1fe7790d9bd047da3d8ad280ce4c6c2

Download Submit
C:\Windows\{C4C79883-4ECF-4fc6-8C8C-7D08D2F1B94B}.exe

Filesize
216KB

MD5
b34c6fe2b6a94f637f83f78a8b2ea422

SHA1
4e71c7fb0989ec0f58c4733a7aa06c4e01e4e6f3

SHA256
356930672257e925c8e1847ee8590b51dbe511622eb6a6af04d432638e67d065

SHA512
7a8b182dbcef2547e26e4f0f5ea60b5131dd4413ba5452399d5643225406001379a12d1d12ea44801425b64fb477d7af5de6274589b9fb176bcd27c0b4eee474

Download Submit
C:\Windows\{E44FB7E6-AEA7-46df-9DD6-D2DE686F34B9}.exe

Filesize
216KB

MD5
39738d6b4b5eb1e61f1094933bd870a1

SHA1
b40a6ac26179444fd4f038978f9d9b2166e92e9d

SHA256
7a92c5934b6abfe9d6e4e157faa2d40b912608acb8bbfd73bb1c357543864eab

SHA512
2da87e96b4478eb415426b8e687119d9a08d35be414f2aeafb3c6639b88ab229201ec8d19ed30534936b3bf89372cff92cc9c0276255c7e892bd3dee535d511e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads