d7563b028c5b62385043e9bfe48c32e878fc454eb29e5004a8b6dcd5a2777784

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
Size

168KB
MD5

6968efd0e06414e73af3591e6b9a5da5
SHA1

8c45121c9cabdf125badd437da91fd32ac49aa1d
SHA256

d7563b028c5b62385043e9bfe48c32e878fc454eb29e5004a8b6dcd5a2777784
SHA512

510868c8d005fa922ef4b3308a829c76036dd637e4d716b8b1573e878aabbfa52aa32eeeee8c6d17bdc046b8331d1816fe8e1568d1ef0fd89dcb927d3efdec7d
SSDEEP

1536:1EGh0oPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oPlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}\stubpath = "C:\\Windows\\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe"	{88480A8F-137D-4961-9547-9755943121D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}	{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}\stubpath = "C:\\Windows\\{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe"	{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F12D46E2-C836-477d-9EA5-7149B1996F41}	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}\stubpath = "C:\\Windows\\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe"	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF67802-8054-4b1b-B1ED-14781875AF72}\stubpath = "C:\\Windows\\{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe"	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88480A8F-137D-4961-9547-9755943121D4}	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88480A8F-137D-4961-9547-9755943121D4}\stubpath = "C:\\Windows\\{88480A8F-137D-4961-9547-9755943121D4}.exe"	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834D94B7-0C5A-455f-96A9-79A0068010BA}	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834D94B7-0C5A-455f-96A9-79A0068010BA}\stubpath = "C:\\Windows\\{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe"	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F12D46E2-C836-477d-9EA5-7149B1996F41}\stubpath = "C:\\Windows\\{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe"	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF71FC65-422C-432d-887C-34E7EF2B5578}\stubpath = "C:\\Windows\\{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe"	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}	{88480A8F-137D-4961-9547-9755943121D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}\stubpath = "C:\\Windows\\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe"	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}\stubpath = "C:\\Windows\\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe"	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}\stubpath = "C:\\Windows\\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe"	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}\stubpath = "C:\\Windows\\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe"	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF71FC65-422C-432d-887C-34E7EF2B5578}	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBF67802-8054-4b1b-B1ED-14781875AF72}	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe

Executes dropped EXE 11 IoCs

pid	Process
4024	{88480A8F-137D-4961-9547-9755943121D4}.exe
4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
4888	{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
1904	{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
File created	C:\Windows\{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
File created	C:\Windows\{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
File created	C:\Windows\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	{88480A8F-137D-4961-9547-9755943121D4}.exe
File created	C:\Windows\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
File created	C:\Windows\{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
File created	C:\Windows\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
File created	C:\Windows\{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
File created	C:\Windows\{88480A8F-137D-4961-9547-9755943121D4}.exe	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
File created	C:\Windows\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
File created	C:\Windows\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{88480A8F-137D-4961-9547-9755943121D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe
Token: SeIncBasePriorityPrivilege	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
Token: SeIncBasePriorityPrivilege	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
Token: SeIncBasePriorityPrivilege	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
Token: SeIncBasePriorityPrivilege	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
Token: SeIncBasePriorityPrivilege	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
Token: SeIncBasePriorityPrivilege	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
Token: SeIncBasePriorityPrivilege	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
Token: SeIncBasePriorityPrivilege	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
Token: SeIncBasePriorityPrivilege	1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 4024	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	94
PID 3900 wrote to memory of 4024	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	94
PID 3900 wrote to memory of 4024	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	94
PID 3900 wrote to memory of 512	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	95
PID 3900 wrote to memory of 512	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	95
PID 3900 wrote to memory of 512	3900	2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe	95
PID 4024 wrote to memory of 4184	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	96
PID 4024 wrote to memory of 4184	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	96
PID 4024 wrote to memory of 4184	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	96
PID 4024 wrote to memory of 1208	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	97
PID 4024 wrote to memory of 1208	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	97
PID 4024 wrote to memory of 1208	4024	{88480A8F-137D-4961-9547-9755943121D4}.exe	97
PID 4184 wrote to memory of 2116	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	101
PID 4184 wrote to memory of 2116	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	101
PID 4184 wrote to memory of 2116	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	101
PID 4184 wrote to memory of 4504	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	102
PID 4184 wrote to memory of 4504	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	102
PID 4184 wrote to memory of 4504	4184	{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe	102
PID 2116 wrote to memory of 3684	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	103
PID 2116 wrote to memory of 3684	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	103
PID 2116 wrote to memory of 3684	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	103
PID 2116 wrote to memory of 3608	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	104
PID 2116 wrote to memory of 3608	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	104
PID 2116 wrote to memory of 3608	2116	{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe	104
PID 3684 wrote to memory of 4888	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	105
PID 3684 wrote to memory of 4888	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	105
PID 3684 wrote to memory of 4888	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	105
PID 3684 wrote to memory of 4296	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	106
PID 3684 wrote to memory of 4296	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	106
PID 3684 wrote to memory of 4296	3684	{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe	106
PID 4784 wrote to memory of 3580	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	110
PID 4784 wrote to memory of 3580	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	110
PID 4784 wrote to memory of 3580	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	110
PID 4784 wrote to memory of 4860	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	111
PID 4784 wrote to memory of 4860	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	111
PID 4784 wrote to memory of 4860	4784	{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe	111
PID 3580 wrote to memory of 896	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	114
PID 3580 wrote to memory of 896	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	114
PID 3580 wrote to memory of 896	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	114
PID 3580 wrote to memory of 1212	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	115
PID 3580 wrote to memory of 1212	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	115
PID 3580 wrote to memory of 1212	3580	{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe	115
PID 896 wrote to memory of 4668	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	122
PID 896 wrote to memory of 4668	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	122
PID 896 wrote to memory of 4668	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	122
PID 896 wrote to memory of 4532	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	123
PID 896 wrote to memory of 4532	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	123
PID 896 wrote to memory of 4532	896	{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe	123
PID 4668 wrote to memory of 4368	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	124
PID 4668 wrote to memory of 4368	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	124
PID 4668 wrote to memory of 4368	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	124
PID 4668 wrote to memory of 3588	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	125
PID 4668 wrote to memory of 3588	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	125
PID 4668 wrote to memory of 3588	4668	{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe	125
PID 4368 wrote to memory of 1840	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	129
PID 4368 wrote to memory of 1840	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	129
PID 4368 wrote to memory of 1840	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	129
PID 4368 wrote to memory of 3192	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	130
PID 4368 wrote to memory of 3192	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	130
PID 4368 wrote to memory of 3192	4368	{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe	130
PID 1840 wrote to memory of 1904	1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe	131
PID 1840 wrote to memory of 1904	1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe	131
PID 1840 wrote to memory of 1904	1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe	131
PID 1840 wrote to memory of 2640	1840	{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-20_6968efd0e06414e73af3591e6b9a5da5_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\{88480A8F-137D-4961-9547-9755943121D4}.exe
  C:\Windows\{88480A8F-137D-4961-9547-9755943121D4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
    C:\Windows\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
      C:\Windows\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
        
        C:\Windows\{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
        
        C:\Windows\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
        
        C:\Windows\{4F1268FA-D8E5-4fb6-A647-2F92AD85F53A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
        
        C:\Windows\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
        
        C:\Windows\{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
        
        C:\Windows\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
        
        C:\Windows\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
        
        C:\Windows\{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe
        
        C:\Windows\{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF71F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C0C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EDE6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F12D4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E5E7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F126~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05DB9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{834D9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B76A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CEFEE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88480~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05DB92B4-8755-4efa-94E1-8D10F236C0F1}.exe

Filesize
168KB

MD5
edc6a1bdf4370cb7f0698bd00339eba4

SHA1
4e50c6b26cfd47c7ed7c2e8555b299294206fbea

SHA256
670af2dbd764b3f30da119bcde56d6e4e1d8821994dcc91b7304835547691955

SHA512
edf5c65f596a00ea0f3641453d6479c0ad81f8aeba5656cb7dcfb130b8dc56eefc35c0aab367a6e11a3a165bb5e3f5a3f9b56f5af05684c4ca61c271b0f2508e

Download Submit
C:\Windows\{0E5E71DA-15B3-4763-9DA5-D7A0ECD729CE}.exe

Filesize
168KB

MD5
18281b024c4172e9d2094d9618a0bad2

SHA1
888da8c7b15ac8121317c8619fca7626263b24f7

SHA256
b87f2ee2357f8ddae958f158a38fa541f9e740605a819be417b1ba47412bc0ae

SHA512
2dc795b6e4352006a9228a3b8a076a72b68e165cb4dc0af0720e899baf882014b22121b792793ff88d61449b4a33c48730108fac49e46bd7ebbe0ad3967343ae

Download Submit
C:\Windows\{4B76A92A-652A-49a9-87A8-C7F6656CF93E}.exe

Filesize
168KB

MD5
670be8509215606723a1cbfc0b7a5509

SHA1
0f0d5a36218c73c62f8a1fff9a8463959581e141

SHA256
7d907bae23d5e798f3d991a4c4c5b0e052ef0be6d728a66abf8e68d82e15953d

SHA512
0fa3abbdad156335e47827c6814cf6632c59281900e6a19be6c3adb6d92ee51bbfe7d1b22ebc654878c297a6dafd2ec1b539bc2ebdc06e712edac2cb86206c92

Download Submit
C:\Windows\{5EDE6BAC-DEAB-4f2c-92E8-81D3CA28B608}.exe

Filesize
168KB

MD5
4464a4aabc63e871746444265779e741

SHA1
c0c89438d9ffeef11141fb5c5c0e5b734fb05fe8

SHA256
8a6a992a3f30f842ee6174f5a1b543eefa73eb74ebe6da50edbf6de0f8840ee2

SHA512
75585b9c242589ee6b447ebb908a6a66024a65d60c55f441ad55d8e51e2495c5aff8e4b7328f72158c283057349a200eeddde7512592f020a09044103301ebbf

Download Submit
C:\Windows\{834D94B7-0C5A-455f-96A9-79A0068010BA}.exe

Filesize
168KB

MD5
559e5bb7ca371b41d900f68f138af0bc

SHA1
0aeee58d2183e2ff061acad0c4e2c0126c625d6c

SHA256
bc19e4a8c9a5505ce27163ea001e609a5ea8e71be5283e429333fe0f96f5f527

SHA512
06eeeb6416de88db4d58fe939f0635302179cb3d48d6f15f96ba81f47833b109a00d4d3b796909f1719f8d8fcb0c5b84d323856f0ef2937f1fe7f9093adc901b

Download Submit
C:\Windows\{88480A8F-137D-4961-9547-9755943121D4}.exe

Filesize
168KB

MD5
a079fb66bf9cd8eb9f5cd9d34e36ec76

SHA1
06f668af8f083f8dff41e6e4bb8aea16ec0bdf68

SHA256
64beca4f79609908bc68a56471636dd7c49c88a0562992dd93beaf36df17ed68

SHA512
78dc5a4cd4b1aac5c50b96dc92342c33d8994bd3d90ccfe325f847e87a5eb48247024546369368e32aaaaa2475c47355c387f656eb4d7bc296736ae3ffe4b283

Download Submit
C:\Windows\{C3C0C612-B0B0-446a-9FFD-A6ABAD7EF8FD}.exe

Filesize
168KB

MD5
d12015ac72858c0aaf47204d048efa55

SHA1
27196e4e799e1e79820b6badd2cb9a3afdfa6c06

SHA256
393f02d4227aa3373a298433b16a59318379b8a84e42cf6d7187f7ce096651bd

SHA512
d1902f6e1d433b4f62f2fb15785e3b0ce84115d66ddf7ee03571f7ef085e76384281f4f7bf2051f7a81028e8a3ce328f68bce3b216f1c7ffdfca613ad08516e3

Download Submit
C:\Windows\{CEFEEE2D-A680-4095-A3DD-C38B18076D56}.exe

Filesize
168KB

MD5
4308ee2123d91c11bf4c84b9cfd388d0

SHA1
eaf458694d4d287764c5fe8485311373fd1ea177

SHA256
4a035db33f80f17b719c25510e2a43e08de1fb4ebe397fce9b4cc8f130ba35b8

SHA512
4429c9f6ba8398f6cf790ef6cb04af08462abd5b81a71e648b97df8c46404d7cb81f153bac57dda45daec9691a9b15eb1f6193949a189ef772868734fc9588ef

Download Submit
C:\Windows\{CF71FC65-422C-432d-887C-34E7EF2B5578}.exe

Filesize
168KB

MD5
428a489ddcef0b1db906d9f388a5cfc1

SHA1
a226b286b6cdd107161c27d50d1be5ea4824592c

SHA256
0df2bf010f9c80842b2a0582fd7a6c66eb0b83e5b9215399bc5201859357dfc7

SHA512
63cc8a37fba6eee5565556bd4edc8b86e945bd1a280637b19a9718d87111a70e35cfcdfd9553b3b7fccaa07b23ddc6d630f0c18bd5c493d29275705cb17f4056

Download Submit
C:\Windows\{EBF67802-8054-4b1b-B1ED-14781875AF72}.exe

Filesize
168KB

MD5
bc97d33c68de5734226a5990c3c28a92

SHA1
456ff4dc61f7d45496c12e08f2fb27f6c625dc99

SHA256
6e9f5c4512a5ae1517288ad3fa6dcfd3db8fb3e59d2c63323bef6da7a4416346

SHA512
8a3ab8b4af44be2e4b56efa5e94a69140dcdb79ecf6d4571b7d95e4a92008897df4ff82a90307aa6baa1546cb29843bfc0b4b774f2428d29783d4e53dd6db423

Download Submit
C:\Windows\{F12D46E2-C836-477d-9EA5-7149B1996F41}.exe

Filesize
168KB

MD5
8fe8740570adbf01caf8681afaf2976e

SHA1
12dbc1014ec0f9f0d795a654e4d7cb4afd6fa8ef

SHA256
6c8c3e55d8b47c2f3a4aa56dd16d2ec8f791ec8403f348e5dcc6352e322dcf3b

SHA512
a0f02f537fe10f8aec30ea89afba4caac032435f80f78835a1d65dc3c577df4368601f3652dea81b1df0f5c37eaab30849a202315e1ee76778555ef9d954d6f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads