4fc8c9ad0b12de21d35e20382335f01f45045e132fc7f1cb7003a95c9e65e60e

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Size

372KB
MD5

7e14f1094e801b01ed01ca1aafbaaaa7
SHA1

31d033b04519e5eec22e18c6b9efc97e7e3a0c9f
SHA256

4fc8c9ad0b12de21d35e20382335f01f45045e132fc7f1cb7003a95c9e65e60e
SHA512

a2d712e488c5d59ad9fc2ba411d36421ba25e76bb2adc854a83ac281b50cae6c2a09a43c6c70e9ac9fb2abe39cb92d694c30650dc4d5af771289d346a369a34a
SSDEEP

3072:CEGh0oamlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGNl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401A14C1-F153-459b-87B7-F848DCA23A6A}\stubpath = "C:\\Windows\\{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe"	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51245DBC-4EEF-4ca8-811F-D74D98860006}\stubpath = "C:\\Windows\\{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe"	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC14F464-99F1-4a99-A2AA-01F4791E8277}	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}\stubpath = "C:\\Windows\\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe"	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F1EE03F-2431-438a-956B-F8254F3328E6}	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}\stubpath = "C:\\Windows\\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe"	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC14F464-99F1-4a99-A2AA-01F4791E8277}\stubpath = "C:\\Windows\\{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe"	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C5F12C-E877-4617-98AB-6C433344DDAE}	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}\stubpath = "C:\\Windows\\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe"	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D924DF34-117D-4d79-A25C-67E9C7313EDD}	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D924DF34-117D-4d79-A25C-67E9C7313EDD}\stubpath = "C:\\Windows\\{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe"	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F1EE03F-2431-438a-956B-F8254F3328E6}\stubpath = "C:\\Windows\\{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe"	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51245DBC-4EEF-4ca8-811F-D74D98860006}	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}\stubpath = "C:\\Windows\\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe"	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}\stubpath = "C:\\Windows\\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe"	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401A14C1-F153-459b-87B7-F848DCA23A6A}	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C5F12C-E877-4617-98AB-6C433344DDAE}\stubpath = "C:\\Windows\\{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe"	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}\stubpath = "C:\\Windows\\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe"	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe

Executes dropped EXE 12 IoCs

pid	Process
5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
1048	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
2860	{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
File created	C:\Windows\{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
File created	C:\Windows\{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
File created	C:\Windows\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
File created	C:\Windows\{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
File created	C:\Windows\{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
File created	C:\Windows\{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
File created	C:\Windows\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
File created	C:\Windows\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
File created	C:\Windows\{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
File created	C:\Windows\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
File created	C:\Windows\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
Token: SeIncBasePriorityPrivilege	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
Token: SeIncBasePriorityPrivilege	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
Token: SeIncBasePriorityPrivilege	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
Token: SeIncBasePriorityPrivilege	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
Token: SeIncBasePriorityPrivilege	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
Token: SeIncBasePriorityPrivilege	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
Token: SeIncBasePriorityPrivilege	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
Token: SeIncBasePriorityPrivilege	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
Token: SeIncBasePriorityPrivilege	2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
Token: SeIncBasePriorityPrivilege	1048	{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 5088	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	95
PID 3804 wrote to memory of 5088	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	95
PID 3804 wrote to memory of 5088	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	95
PID 3804 wrote to memory of 4556	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	96
PID 3804 wrote to memory of 4556	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	96
PID 3804 wrote to memory of 4556	3804	2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe	96
PID 5088 wrote to memory of 3616	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	97
PID 5088 wrote to memory of 3616	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	97
PID 5088 wrote to memory of 3616	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	97
PID 5088 wrote to memory of 2020	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	98
PID 5088 wrote to memory of 2020	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	98
PID 5088 wrote to memory of 2020	5088	{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe	98
PID 3616 wrote to memory of 4284	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	102
PID 3616 wrote to memory of 4284	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	102
PID 3616 wrote to memory of 4284	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	102
PID 3616 wrote to memory of 4736	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	103
PID 3616 wrote to memory of 4736	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	103
PID 3616 wrote to memory of 4736	3616	{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe	103
PID 4284 wrote to memory of 4752	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	104
PID 4284 wrote to memory of 4752	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	104
PID 4284 wrote to memory of 4752	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	104
PID 4284 wrote to memory of 3084	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	105
PID 4284 wrote to memory of 3084	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	105
PID 4284 wrote to memory of 3084	4284	{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe	105
PID 4752 wrote to memory of 3868	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	106
PID 4752 wrote to memory of 3868	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	106
PID 4752 wrote to memory of 3868	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	106
PID 4752 wrote to memory of 5108	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	107
PID 4752 wrote to memory of 5108	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	107
PID 4752 wrote to memory of 5108	4752	{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe	107
PID 3868 wrote to memory of 3928	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	109
PID 3868 wrote to memory of 3928	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	109
PID 3868 wrote to memory of 3928	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	109
PID 3868 wrote to memory of 3708	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	110
PID 3868 wrote to memory of 3708	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	110
PID 3868 wrote to memory of 3708	3868	{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe	110
PID 3928 wrote to memory of 3792	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	111
PID 3928 wrote to memory of 3792	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	111
PID 3928 wrote to memory of 3792	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	111
PID 3928 wrote to memory of 3388	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	112
PID 3928 wrote to memory of 3388	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	112
PID 3928 wrote to memory of 3388	3928	{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe	112
PID 3792 wrote to memory of 2668	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	117
PID 3792 wrote to memory of 2668	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	117
PID 3792 wrote to memory of 2668	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	117
PID 3792 wrote to memory of 4180	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	118
PID 3792 wrote to memory of 4180	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	118
PID 3792 wrote to memory of 4180	3792	{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe	118
PID 2668 wrote to memory of 1664	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	122
PID 2668 wrote to memory of 1664	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	122
PID 2668 wrote to memory of 1664	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	122
PID 2668 wrote to memory of 756	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	123
PID 2668 wrote to memory of 756	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	123
PID 2668 wrote to memory of 756	2668	{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe	123
PID 1664 wrote to memory of 2280	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	124
PID 1664 wrote to memory of 2280	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	124
PID 1664 wrote to memory of 2280	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	124
PID 1664 wrote to memory of 4348	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	125
PID 1664 wrote to memory of 4348	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	125
PID 1664 wrote to memory of 4348	1664	{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe	125
PID 2280 wrote to memory of 1048	2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe	129
PID 2280 wrote to memory of 1048	2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe	129
PID 2280 wrote to memory of 1048	2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe	129
PID 2280 wrote to memory of 4996	2280	{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_7e14f1094e801b01ed01ca1aafbaaaa7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
  C:\Windows\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
    C:\Windows\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
      C:\Windows\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
        
        C:\Windows\{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
        
        C:\Windows\{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
        
        C:\Windows\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
        
        C:\Windows\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
        
        C:\Windows\{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
        
        C:\Windows\{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
        
        C:\Windows\{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
        
        C:\Windows\{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe
        
        C:\Windows\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C5F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC14F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51245~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{401A1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECA96~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{976DD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F1EE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D924D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E9EC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{93BB7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7BFF9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{401A14C1-F153-459b-87B7-F848DCA23A6A}.exe

Filesize
372KB

MD5
fbc2d188332d99e4d768b07370fc3445

SHA1
c380b3edf7020ba99fe1f2829aaa97c9b983241c

SHA256
27b8b35bb0deb6b99b86c499a841bda9f628862049035f3cce490da11cb25c6d

SHA512
70f9c035c1cd3ae06c7a169fe20e0b00fb59b0c253f473217a40fcd190afabf6d665024bcfd047091664c98543fe8429fbb8c123f65e8c35258928874a3f727c

Download Submit
C:\Windows\{51245DBC-4EEF-4ca8-811F-D74D98860006}.exe

Filesize
372KB

MD5
e2cc811763af4c53bb79dbccd0e3f367

SHA1
3411d2b4bf511fc2fb5a5b485bb327dd0bcbad96

SHA256
67fb021e8ac618cb325a7d75bbde9d82dbbf873d55202f28b4da3f7a94acda19

SHA512
9008ea165191cb38c9a118b3c04882c28146491c389298f096c4d8a7423da926d5aad0dbdf4725b3abcf1157616de8252a5508dae703b016ae0c8ff362f8ab84

Download Submit
C:\Windows\{5E9EC06A-E26F-45cb-8527-6DEBE7C9B232}.exe

Filesize
372KB

MD5
6a14583da0109094fd669da6e47fac7b

SHA1
3d89859866900022a00b4d9a82ba82d40dc480ef

SHA256
f2de5ad06c43c6cc4ceb58217b546cc5fec44e64502ccd381dc86b92162da04a

SHA512
59bdd3e2ce1a53c931397b87974ce94f9cbfa7c5114409d4935f8286cb374ea7fffedb5e48cb3b4e44b0585c29040aa22aa910bf2cfb9430c95ca1338e318769

Download Submit
C:\Windows\{5F1EE03F-2431-438a-956B-F8254F3328E6}.exe

Filesize
372KB

MD5
caaf7594fca934bb01ba2a1cdd3bc0c4

SHA1
c05b907415d1d45427c0e216a080d6b256b5fef1

SHA256
8193ec2eb2321ad78eae9be2254d8888f7c8e94beef56ae2978174bca097f6ea

SHA512
d560c1269127f4fa3ace223c0e3e0a1de23a97db0e3e46562048cb564c0d62b44d6ac358f58659756f2679e6c9b67bf3003f73f02b278404cd34353878d7b6f6

Download Submit
C:\Windows\{7BFF9EB0-430E-4ff0-BC38-0FADCFF07263}.exe

Filesize
372KB

MD5
dbe616806807e5b64549f014754da7b4

SHA1
05dbec3e934c8eb0102ecf660b29788a73959397

SHA256
3dbcf63f9968a1aa9912ebf348a7d6be4fc49f4ebffa07b199f2cb394f5026af

SHA512
334986afa9811ef28f5a0274093f16113080be58799410b17fd2e8413e175d30746415d39a786ce3412c9d6358bd9d63d78746e31f381183d105aeb92e26b311

Download Submit
C:\Windows\{932D2EA5-4DA2-4e2e-87AC-B69F63854E58}.exe

Filesize
372KB

MD5
5a03f6c337c1d231a76e9f81b5f91f03

SHA1
cd1f31171ef1f34a70d0a76b93f1139e223ccc68

SHA256
03f1fe7440416021212408414a36aac08bf7ae1ecdd58b100f1efd9fb09b3fbc

SHA512
492a4a2a1e580f679a92e382bab9cbf7958f8cb8ce6cc7bc37c52898e441ab40b4f2cad332ae7af5f2f6a1bce5cb7308c036f861196b8c0b9790d3a66fac4e88

Download Submit
C:\Windows\{93BB7B74-4177-4ee9-AA07-6F7C3DE9DB64}.exe

Filesize
372KB

MD5
d7d3c738cbac62c236b537172bb2e82d

SHA1
fc9e7e9af99366d70b8cbab8cfd7e91900de7246

SHA256
7d402a1f9010f47385fe163aabaf9525287b9776f8a4e1e0099bd39bbfa7cb87

SHA512
20462c1908a65ff1f6b504dd879806329664a0d50ccbc09ba02e9042d09736099d2032c5727282f907473f0d0e4993c7d2d2ad5765d4f1858d76b5e42187c85c

Download Submit
C:\Windows\{976DD607-EE35-436b-AC9D-AE4F0E1E4A40}.exe

Filesize
372KB

MD5
1e73192d7149b77265b2d6062541f9d7

SHA1
21a7521e9fab4d57a1bcf1c23e386fcc6a034c51

SHA256
33d3d8608164e9cd6d8e2d3f4bfcccc76ca1b17ebbb223dc5b11e3b2019e233d

SHA512
aaaee46eb1b820813bc579e429e760510c44bd5c4f4590c1440d28aef3f1f6ff0d154a35a94dea2676eb7b2129fa8a4134492b1f3e29abf569e550ded537ef6c

Download Submit
C:\Windows\{A1C5F12C-E877-4617-98AB-6C433344DDAE}.exe

Filesize
372KB

MD5
7d95ac48cb99faeb0e3d9b4ffe290320

SHA1
fdf72191c7ff5856721d145e0ab9884856480fc9

SHA256
b5b1b002a9bb0df7b0fe63f98d40cfa46648e650ae831409c3768bd23a766a3c

SHA512
c135dcbdda6f4d63b0111cbc8b45c3995c8d9fd590a483550acbc4795be61b97e9ca5e9717220a88f0fede9a86cf83902ebd4b72ffb7f411034a0212bbc2fd7d

Download Submit
C:\Windows\{D924DF34-117D-4d79-A25C-67E9C7313EDD}.exe

Filesize
372KB

MD5
857aa24166c6236ec44ef77831c1c8e8

SHA1
5ef75d178bc3ef24745c3c333bc56ae675b9a7d6

SHA256
3325c46b141d89aead7a71c74903dc739f7a59813b1a68186eea6b94b89a9835

SHA512
b5e5dcf0d524c6e3bdf26a5e63ac5e3a0a22ce927dc21bad4057151a5b2f1eab99a71625f233539c8cf887550670f5d529e71e860508f66647996429143b43d7

Download Submit
C:\Windows\{EC14F464-99F1-4a99-A2AA-01F4791E8277}.exe

Filesize
372KB

MD5
b8613ddf456479399b5e48fefa59d3bb

SHA1
0d6d6cd8cbb51e2ccfbad1fe49568ffbfbe11563

SHA256
9fb303e5a1456232cd0e3f5580e34b0f40722ab84edda797bf171ad0bbca0dd3

SHA512
3c5473242072f46b18d3fd6ef4c6f7556f0a6cab580b7adc6ef468208bda882c0d6762cb18351820af5d8a668fedb7402af5185f7a42b12300a462e225689d95

Download Submit
C:\Windows\{ECA9669F-8A1B-4212-8411-4A384E4A2E2F}.exe

Filesize
372KB

MD5
cde0a5e3ab8ce6409e42656271bdcaeb

SHA1
ee770c60f095c734e73b05960502210c055a74a7

SHA256
88d822a509f39361580d49c7d708d8217bbf1d581799bd314883a8f08a98f1b4

SHA512
db592a76383950d9deb4eeb3d555e2277a86c025503a7de1a468b5fce136da4de17d9d5d36905be8b3c365abe9ab6d75dd994859b8030786df26d5b6cc2458ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads