0ee95dfe205f20a6baf277c2a2074453f04e6160f6831a73eaf17b6d9cbe4844

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Size

180KB
MD5

94a59ca41ad842cec2d7a2e03cf82557
SHA1

d98e22b91c98c6c57be8be340f77045d0a91382c
SHA256

0ee95dfe205f20a6baf277c2a2074453f04e6160f6831a73eaf17b6d9cbe4844
SHA512

0b49d7e2d1a153ece81a44f561690668f549f4e2ff09e56308fc64f0e9bc4db6d15089f2f4ecea2e175e449f2d2f385fd541ab586beb48441082761520ae48e2
SSDEEP

3072:jEGh0omlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGwl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30559FB-AAE7-4399-BDCF-1530F352480B}\stubpath = "C:\\Windows\\{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe"	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}\stubpath = "C:\\Windows\\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe"	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}\stubpath = "C:\\Windows\\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe"	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F60A966-3E67-4c36-A351-F54985CCD1A5}\stubpath = "C:\\Windows\\{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe"	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}\stubpath = "C:\\Windows\\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe"	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7891878D-A542-4497-BDE3-714530D96401}	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}\stubpath = "C:\\Windows\\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe"	{7891878D-A542-4497-BDE3-714530D96401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}\stubpath = "C:\\Windows\\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe"	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7891878D-A542-4497-BDE3-714530D96401}\stubpath = "C:\\Windows\\{7891878D-A542-4497-BDE3-714530D96401}.exe"	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}	{7891878D-A542-4497-BDE3-714530D96401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F60A966-3E67-4c36-A351-F54985CCD1A5}	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}\stubpath = "C:\\Windows\\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe"	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}\stubpath = "C:\\Windows\\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe"	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F30559FB-AAE7-4399-BDCF-1530F352480B}	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}\stubpath = "C:\\Windows\\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe"	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}\stubpath = "C:\\Windows\\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe"	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe

Executes dropped EXE 12 IoCs

pid	Process
5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
1988	{7891878D-A542-4497-BDE3-714530D96401}.exe
4728	{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
File created	C:\Windows\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
File created	C:\Windows\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
File created	C:\Windows\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
File created	C:\Windows\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
File created	C:\Windows\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe	{7891878D-A542-4497-BDE3-714530D96401}.exe
File created	C:\Windows\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
File created	C:\Windows\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
File created	C:\Windows\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
File created	C:\Windows\{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
File created	C:\Windows\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
File created	C:\Windows\{7891878D-A542-4497-BDE3-714530D96401}.exe	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7891878D-A542-4497-BDE3-714530D96401}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
Token: SeIncBasePriorityPrivilege	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
Token: SeIncBasePriorityPrivilege	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
Token: SeIncBasePriorityPrivilege	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
Token: SeIncBasePriorityPrivilege	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
Token: SeIncBasePriorityPrivilege	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
Token: SeIncBasePriorityPrivilege	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
Token: SeIncBasePriorityPrivilege	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
Token: SeIncBasePriorityPrivilege	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
Token: SeIncBasePriorityPrivilege	4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
Token: SeIncBasePriorityPrivilege	1988	{7891878D-A542-4497-BDE3-714530D96401}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 5064	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	95
PID 2904 wrote to memory of 5064	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	95
PID 2904 wrote to memory of 5064	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	95
PID 2904 wrote to memory of 3712	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	96
PID 2904 wrote to memory of 3712	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	96
PID 2904 wrote to memory of 3712	2904	2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe	96
PID 5064 wrote to memory of 3628	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	97
PID 5064 wrote to memory of 3628	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	97
PID 5064 wrote to memory of 3628	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	97
PID 5064 wrote to memory of 1888	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	98
PID 5064 wrote to memory of 1888	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	98
PID 5064 wrote to memory of 1888	5064	{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe	98
PID 3628 wrote to memory of 1292	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	102
PID 3628 wrote to memory of 1292	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	102
PID 3628 wrote to memory of 1292	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	102
PID 3628 wrote to memory of 3804	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	103
PID 3628 wrote to memory of 3804	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	103
PID 3628 wrote to memory of 3804	3628	{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe	103
PID 1292 wrote to memory of 3220	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	104
PID 1292 wrote to memory of 3220	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	104
PID 1292 wrote to memory of 3220	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	104
PID 1292 wrote to memory of 1464	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	105
PID 1292 wrote to memory of 1464	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	105
PID 1292 wrote to memory of 1464	1292	{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe	105
PID 3220 wrote to memory of 4232	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	106
PID 3220 wrote to memory of 4232	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	106
PID 3220 wrote to memory of 4232	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	106
PID 3220 wrote to memory of 4324	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	107
PID 3220 wrote to memory of 4324	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	107
PID 3220 wrote to memory of 4324	3220	{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe	107
PID 4232 wrote to memory of 2376	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	109
PID 4232 wrote to memory of 2376	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	109
PID 4232 wrote to memory of 2376	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	109
PID 4232 wrote to memory of 3164	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	110
PID 4232 wrote to memory of 3164	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	110
PID 4232 wrote to memory of 3164	4232	{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe	110
PID 2376 wrote to memory of 2528	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	111
PID 2376 wrote to memory of 2528	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	111
PID 2376 wrote to memory of 2528	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	111
PID 2376 wrote to memory of 3204	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	112
PID 2376 wrote to memory of 3204	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	112
PID 2376 wrote to memory of 3204	2376	{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe	112
PID 2528 wrote to memory of 4928	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	117
PID 2528 wrote to memory of 4928	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	117
PID 2528 wrote to memory of 4928	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	117
PID 2528 wrote to memory of 4300	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	118
PID 2528 wrote to memory of 4300	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	118
PID 2528 wrote to memory of 4300	2528	{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe	118
PID 4928 wrote to memory of 1200	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	122
PID 4928 wrote to memory of 1200	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	122
PID 4928 wrote to memory of 1200	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	122
PID 4928 wrote to memory of 2448	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	123
PID 4928 wrote to memory of 2448	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	123
PID 4928 wrote to memory of 2448	4928	{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe	123
PID 1200 wrote to memory of 4224	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	124
PID 1200 wrote to memory of 4224	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	124
PID 1200 wrote to memory of 4224	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	124
PID 1200 wrote to memory of 4324	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	125
PID 1200 wrote to memory of 4324	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	125
PID 1200 wrote to memory of 4324	1200	{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe	125
PID 4224 wrote to memory of 1988	4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe	129
PID 4224 wrote to memory of 1988	4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe	129
PID 4224 wrote to memory of 1988	4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe	129
PID 4224 wrote to memory of 2736	4224	{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-22_94a59ca41ad842cec2d7a2e03cf82557_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
  C:\Windows\{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
    C:\Windows\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
      C:\Windows\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
        
        C:\Windows\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3220
      - C:\Windows\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
        
        C:\Windows\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
        
        C:\Windows\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
        
        C:\Windows\{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
        
        C:\Windows\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
        
        C:\Windows\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
        
        C:\Windows\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\{7891878D-A542-4497-BDE3-714530D96401}.exe
        
        C:\Windows\{7891878D-A542-4497-BDE3-714530D96401}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe
        
        C:\Windows\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78918~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D57~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E3A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFCF3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3055~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E051~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6655~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6096C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61D80~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A09D9~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F60A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{6096CFC8-D5D5-4d42-9AA7-3CD473917B47}.exe

Filesize
180KB

MD5
ad479b1e1203a7c79fffe0bb58b946af

SHA1
475193058b72bfe29fd5e1d3d1fa378fcce2a2d5

SHA256
fb10229efe6167d0455d383c619c2da648834dd45d4c21bffb3b8ec0e0b6b358

SHA512
d50f04c3ffb9beba61b7625af1e33d5103910c64311e5a7f8531baddfd87176d4d2891b9a0f9a09a71e745a5af3b55d1f91027d0f6a936e8504d21cbe3536a7a

Download Submit
C:\Windows\{61D80A01-59C7-4666-9CA5-0EA36BF5C320}.exe

Filesize
180KB

MD5
f28fac8cd4753f6ab480cb9fbdc2f7e5

SHA1
26e622924fc3db50649f8745073a2e9abc73de15

SHA256
0e7c255881ed00b3af8be7c69ada02d2adb7ec47ee5e0e44e6c239b1b9bd85d1

SHA512
e543f19b3098e897ba7720110e89bed85b5c9bb198a11912081dbfa4d225517fc3c09b9bb7dafbe2ed1f8be37783d01256e10848a0b1bf8e6c483025e3b45812

Download Submit
C:\Windows\{71E3A716-EDB3-47c0-A1F2-210CBFE55398}.exe

Filesize
180KB

MD5
fcdd7a88fa8b2363f0b31fd5bb914ddf

SHA1
0571b5aa03569a0c4f87ad1d7c59dbbfed6d5d70

SHA256
7d369527ac9fbc4ff624f963e50f568953ee77615dd56aa97620d756c4eab76c

SHA512
72554f50cba056ba25c4a319d61900e3fd32151c061604963607f88bc48abe46d3e90b2b485b254af11413d3d845e12b0b5bf4c0e744310445ebf0c7d57d424a

Download Submit
C:\Windows\{7891878D-A542-4497-BDE3-714530D96401}.exe

Filesize
180KB

MD5
478843276331da4b05c67dc3ed1f8d60

SHA1
db4675d259d2feaba72d2c6ec4d4fa5fa53bcb3d

SHA256
35d7432df57d7ac7640d54ec136e6e29b936c265c9b6713a769e6ee9c8fc8830

SHA512
3b7a6198bb5b2a76db849a5869005591d45f340a071990efbd2b0586578897c0a07f1c3f6f7fa7212d7414f66e2f689d69752b363a60dfca5b6b26aa560ee822

Download Submit
C:\Windows\{7E051B53-7C6F-48d5-96CE-C0A3F5E91449}.exe

Filesize
180KB

MD5
b9a9fce61c49ca4040fa03e68b9fd07e

SHA1
6611e20954a63405bc5308013471211807f83c52

SHA256
58d56c70ed5492d5943b7f9c7a2752747a979c4d7fef04c65ab9b14f782017c7

SHA512
13884e633a594b04e4ea97c5b92aa5185347b098422fbacc0caa604eb2ea748457702e475b7e28e912b40b89893127dbf1aa91ac03cd87bc1344c53bb6666cc6

Download Submit
C:\Windows\{7F60A966-3E67-4c36-A351-F54985CCD1A5}.exe

Filesize
180KB

MD5
9331ddd0aa0d63002de03d61364003db

SHA1
11c5d26599136700987cf69208c727ad149019d5

SHA256
8befc311fd2f18acae075a202c7e5c382fb6ac71a4074fd7fdd9be9311e46063

SHA512
f8f875b33474ba27c23d6e68218b578847c1815b3d5a79246baadc8d15a339808e57996caf1efd6ac936b5000b83574c1c861ae1cc0d913ab63b51d5dcc67021

Download Submit
C:\Windows\{803EA917-DCA7-4ff6-B75F-66A1CFD397CF}.exe

Filesize
180KB

MD5
76e70c1d9b38b2912d10a5630f3dca88

SHA1
e25a87d62e7c321d050f17a0f06c163959b48240

SHA256
f0531e875e50cc3346d3ebc01180526da9cfdef16351042ff878b70a8ba8f29c

SHA512
635eebf23e101aa61981f10cb8361f88f322923f14148dcb9cb9d87c2e22477d5bdc835fd7e3ce73243bac55f8fb36882ad08f536c857a291c1144ee0f5a0993

Download Submit
C:\Windows\{96D5745D-62F2-4e14-8D7A-04CC0242E6E8}.exe

Filesize
180KB

MD5
0941664595d9f2662812c04491dde2e3

SHA1
e1cf4ca741ceb3cb4561423ae8bf21b397080e03

SHA256
e06ce83262b6fe58483f18fe47bc9da6e98b50dea5f1c02b701b00d576907c0f

SHA512
1beb1eab11aa430a163baaebdd2d7ada055efedcfd9acbd83c0a363eab25cccd3a4d98d081acfe186b0bda6e851367146f5129191db58503e71ca0c53ca60677

Download Submit
C:\Windows\{A09D9046-DE2C-4a27-AE65-ADB71655E0A8}.exe

Filesize
180KB

MD5
29a30de207441cca71a738d0604493f1

SHA1
5c5e18bab328d54335a6e5bd9c19d846ba389d58

SHA256
d504100f7650226e33d3dd3e6db3bd10ad640e551647044aa064bc0d01cdc16e

SHA512
e591436efffd1e270754c826c44bf045d7ebd26121fbeb513464ca34344c0a41bd2e5f67fc1b21806217d83ef6f028c057177921b574edd0718b78da184fd27b

Download Submit
C:\Windows\{AFCF3C19-F8C6-4449-A517-8C4B8C522425}.exe

Filesize
180KB

MD5
683b521def1cf48be7b8fb4c387a23d1

SHA1
2311b93d121801e6094eb991673dbabb60bff21a

SHA256
4a09a966560d0b61d2667c06938a92724dd09a9f79ced55ea3b8f61ecefb5320

SHA512
ece27c660f6ae5e92a3e10cd9d3ee5b9db31b9ffc335da1b8b3b16e70281eb40717501c49181ac72792a2c1949d0a73bc2238f7732056b4763b7733963070194

Download Submit
C:\Windows\{D6655E63-A0E9-4291-B8F4-4C4B5B529EF8}.exe

Filesize
180KB

MD5
20aecfc4b7c2b6fe3b275d66b18361ee

SHA1
087d0b92603b43a787c95c7537534d00c503463e

SHA256
817193c7b647ca468ed8dc47b97845071c0bd340bab46035075f3055c37a8f6c

SHA512
4358a9cfbabe544d40c92be5f904e3b51d82f18138df8d5539ae601a8d27a381a21f06bd5b477f8a243b34ab69bd9b4eaf44f98b02949f2888af54666a481a7c

Download Submit
C:\Windows\{F30559FB-AAE7-4399-BDCF-1530F352480B}.exe

Filesize
180KB

MD5
cb4961fca4b7ff0c7ae1029c34492f2f

SHA1
b4260a4e5f6b716564cecb4ef2977a0bd920d5e5

SHA256
cc3a330fc9c0490de0bdbc44bd1d8bf2e9fb02c9e0f4c377165122c161a07094

SHA512
563a864447c262fb26586716ee4ea9bad228ed85245d94055ba4716303a43d0d0490f85ac1371f63f4367dd0434cc49feb86f88b1d6abc9b8b9ff7aab6a2f746

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads