5fe36e03fd9575ca8c3059b86f8d8ea8fc0989dfcbdf79f509188b025eaa82f4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Size

197KB
MD5

c75dc8f3168f6f1fcdb7e996504f2b95
SHA1

74c97a0f2490f1f46704cc3de4d728676f3265a5
SHA256

5fe36e03fd9575ca8c3059b86f8d8ea8fc0989dfcbdf79f509188b025eaa82f4
SHA512

35744b0696f2edf9fb1a196459c8b8b2e4496d18a1f1ed2ee00b10e5507852b458bdc8b52d7c0b75919f7328d6134e56b97a751b5a863a153e38fa8aebba4e00
SSDEEP

3072:jEGh0oil+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGklEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}\stubpath = "C:\\Windows\\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe"	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C88C1BC-A98F-4acc-B5DF-74C567971190}\stubpath = "C:\\Windows\\{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe"	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B469BB41-10ED-47cf-9C86-BAD916638A3A}\stubpath = "C:\\Windows\\{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe"	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}\stubpath = "C:\\Windows\\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe"	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}\stubpath = "C:\\Windows\\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe"	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}\stubpath = "C:\\Windows\\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe"	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0D01A6-89B2-4064-833F-512B9D48C735}	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E0D01A6-89B2-4064-833F-512B9D48C735}\stubpath = "C:\\Windows\\{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe"	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}\stubpath = "C:\\Windows\\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe"	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179B04AA-6142-40c0-809D-29798F1D4A67}	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179B04AA-6142-40c0-809D-29798F1D4A67}\stubpath = "C:\\Windows\\{179B04AA-6142-40c0-809D-29798F1D4A67}.exe"	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C88C1BC-A98F-4acc-B5DF-74C567971190}	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}\stubpath = "C:\\Windows\\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe"	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B469BB41-10ED-47cf-9C86-BAD916638A3A}	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C26482B-7D0D-41bf-A157-3236681778C5}	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C26482B-7D0D-41bf-A157-3236681778C5}\stubpath = "C:\\Windows\\{1C26482B-7D0D-41bf-A157-3236681778C5}.exe"	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}\stubpath = "C:\\Windows\\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe"	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
1340	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
3572	{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
File created	C:\Windows\{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
File created	C:\Windows\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
File created	C:\Windows\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
File created	C:\Windows\{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
File created	C:\Windows\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
File created	C:\Windows\{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
File created	C:\Windows\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
File created	C:\Windows\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
File created	C:\Windows\{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
File created	C:\Windows\{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
File created	C:\Windows\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
Token: SeIncBasePriorityPrivilege	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
Token: SeIncBasePriorityPrivilege	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
Token: SeIncBasePriorityPrivilege	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
Token: SeIncBasePriorityPrivilege	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
Token: SeIncBasePriorityPrivilege	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
Token: SeIncBasePriorityPrivilege	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
Token: SeIncBasePriorityPrivilege	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
Token: SeIncBasePriorityPrivilege	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
Token: SeIncBasePriorityPrivilege	4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
Token: SeIncBasePriorityPrivilege	1340	{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4832	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	94
PID 2016 wrote to memory of 4832	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	94
PID 2016 wrote to memory of 4832	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	94
PID 2016 wrote to memory of 3524	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	95
PID 2016 wrote to memory of 3524	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	95
PID 2016 wrote to memory of 3524	2016	2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe	95
PID 4832 wrote to memory of 4956	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	96
PID 4832 wrote to memory of 4956	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	96
PID 4832 wrote to memory of 4956	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	96
PID 4832 wrote to memory of 2000	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	97
PID 4832 wrote to memory of 2000	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	97
PID 4832 wrote to memory of 2000	4832	{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe	97
PID 4956 wrote to memory of 980	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	101
PID 4956 wrote to memory of 980	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	101
PID 4956 wrote to memory of 980	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	101
PID 4956 wrote to memory of 4836	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	102
PID 4956 wrote to memory of 4836	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	102
PID 4956 wrote to memory of 4836	4956	{179B04AA-6142-40c0-809D-29798F1D4A67}.exe	102
PID 980 wrote to memory of 3416	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	103
PID 980 wrote to memory of 3416	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	103
PID 980 wrote to memory of 3416	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	103
PID 980 wrote to memory of 3424	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	104
PID 980 wrote to memory of 3424	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	104
PID 980 wrote to memory of 3424	980	{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe	104
PID 3416 wrote to memory of 4888	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	105
PID 3416 wrote to memory of 4888	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	105
PID 3416 wrote to memory of 4888	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	105
PID 3416 wrote to memory of 1676	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	106
PID 3416 wrote to memory of 1676	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	106
PID 3416 wrote to memory of 1676	3416	{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe	106
PID 4888 wrote to memory of 1532	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	108
PID 4888 wrote to memory of 1532	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	108
PID 4888 wrote to memory of 1532	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	108
PID 4888 wrote to memory of 3344	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	109
PID 4888 wrote to memory of 3344	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	109
PID 4888 wrote to memory of 3344	4888	{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe	109
PID 1532 wrote to memory of 316	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	110
PID 1532 wrote to memory of 316	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	110
PID 1532 wrote to memory of 316	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	110
PID 1532 wrote to memory of 3108	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	111
PID 1532 wrote to memory of 3108	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	111
PID 1532 wrote to memory of 3108	1532	{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe	111
PID 316 wrote to memory of 5056	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	116
PID 316 wrote to memory of 5056	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	116
PID 316 wrote to memory of 5056	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	116
PID 316 wrote to memory of 4560	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	117
PID 316 wrote to memory of 4560	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	117
PID 316 wrote to memory of 4560	316	{1C26482B-7D0D-41bf-A157-3236681778C5}.exe	117
PID 5056 wrote to memory of 4868	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	121
PID 5056 wrote to memory of 4868	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	121
PID 5056 wrote to memory of 4868	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	121
PID 5056 wrote to memory of 636	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	122
PID 5056 wrote to memory of 636	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	122
PID 5056 wrote to memory of 636	5056	{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe	122
PID 4868 wrote to memory of 4952	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	123
PID 4868 wrote to memory of 4952	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	123
PID 4868 wrote to memory of 4952	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	123
PID 4868 wrote to memory of 532	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	124
PID 4868 wrote to memory of 532	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	124
PID 4868 wrote to memory of 532	4868	{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe	124
PID 4952 wrote to memory of 1340	4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe	128
PID 4952 wrote to memory of 1340	4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe	128
PID 4952 wrote to memory of 1340	4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe	128
PID 4952 wrote to memory of 3128	4952	{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_c75dc8f3168f6f1fcdb7e996504f2b95_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
  C:\Windows\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
    C:\Windows\{179B04AA-6142-40c0-809D-29798F1D4A67}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
      C:\Windows\{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
        
        C:\Windows\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
        
        C:\Windows\{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
        
        C:\Windows\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
        
        C:\Windows\{1C26482B-7D0D-41bf-A157-3236681778C5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
        
        C:\Windows\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
        
        C:\Windows\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
        
        C:\Windows\{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
        
        C:\Windows\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe
        
        C:\Windows\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6801F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E0D0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B255~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{803B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C264~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C0A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B469B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45115~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C88C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{179B0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9FFAB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B255513-5276-40eb-BF2E-F4C6AFFCF70E}.exe

Filesize
197KB

MD5
a7db01844bc14bedbbdb703c3df57794

SHA1
68d8d5f46d035fa36a6aa7ce73d38f9fc5fb4b9a

SHA256
2508863e16a52a2b31a6f71d789784bfde116ba855fc89b26edf70e5b0d01588

SHA512
75f3c6bb6883a8e93773f6561da3a076179bb29324c9831bf7050d1b0c51540af68a34d507246468454384f5001e6877f0dc85894e3e173d50e42f463a48a278

Download Submit
C:\Windows\{179B04AA-6142-40c0-809D-29798F1D4A67}.exe

Filesize
197KB

MD5
0d94df70e80b6c423d0dd6da4a9efd42

SHA1
df9d249f6b2c4f3ecae071f4bb7bcefd3a65bcce

SHA256
f4cdfc9a414ac6812a16a0a582672c39bd23961df3d903ca4a6cc5aaf9075797

SHA512
5bc45ea860713a783a625fefc24d5e8657496393df7915815d4f402ea03e35e6b65063f679c040c2c70d674cfaaf923dd913f679789a5c9d3b100bdcb22db6c2

Download Submit
C:\Windows\{1C26482B-7D0D-41bf-A157-3236681778C5}.exe

Filesize
197KB

MD5
c1a5bf192ea62a25dce16ac8bdde9f3d

SHA1
4ff42734c3de9f5eec22d55fc6b41f8e26c0a90d

SHA256
619a8efe433e4202d70c50473f2da709281d94dc1bd778717c012f10b9a333dc

SHA512
9e44f48807a2e7ed6485af50f58040e671783efbf965035f75801a64dba8b41505cd2a5fbf3ecdab759fe476b7934c4815cdc5e953cbe077e5d11ab6ee9b8fe8

Download Submit
C:\Windows\{35C0A804-1095-4e6e-89BD-5AD6C94E1B53}.exe

Filesize
197KB

MD5
bf2a3ff59c6ccc132497724f67930467

SHA1
43fc316d72259872da42f29c1465facd4b004c32

SHA256
b130d9d7bf7c5fec55b86cc3b1d80f77d6808047a959d382a1a5a1336d46e540

SHA512
ebf53c0185c5e398c8931e495f670c6a250a6409f285ebb3720529791e489575940c35a3d8156848594e950b5bb2d2615ef9c0479c19b563441565d5aec2f021

Download Submit
C:\Windows\{45115C7A-AE5B-4a9d-A3A0-9B1691B8A1F4}.exe

Filesize
197KB

MD5
425c35f0d2680b2cd096e888f83c43b9

SHA1
2a0cadd00762f4ef9aed1f93efe47f87e881c370

SHA256
074407aebba1e47e0986ea1cbc2c6b37dc93b64f8cdffe274568110f6180d2f5

SHA512
1aee151b726f0911d55a6b2a5b57f8645a90a83a17993669094deebf6d96fdf30d01f5574462a92f865d99738c6bc47ae55819ad7bf41e1689912386496519c0

Download Submit
C:\Windows\{6801FA78-5C6B-48fa-AF38-BEAFD76D6DD3}.exe

Filesize
197KB

MD5
27ce7a5aba8508835d4f764359f61ae7

SHA1
27b4ec0b47dfcac91c7223b32956fbdea5923e0d

SHA256
eb9ef305c7953aad6717d8c7459d1d01704eb9659c8f939efcc71064ea5e7c42

SHA512
8f0684acb495d31a5b2ca005694dd4463a411cd3193ba0d535fbb9e66ddfd40bdbc0bdf809f5381acd74808a43c1853d8d25b20683fb9200d12cd5116e0abe9d

Download Submit
C:\Windows\{803B3277-F9BC-40cb-819A-A213BF8BA8CF}.exe

Filesize
197KB

MD5
79dcaa8638c34ff4ac2c5a4a6e74d807

SHA1
c946f58be17f6dbc4b46a336bce1e0a2333c82a2

SHA256
470167099b5e2e8b01bfca8f454d8b886aba30de24fe9789fdb3e2ef70adac64

SHA512
808e8818ba1e43e947c74d775051eeeee272a848093ea34e5a6e1dacf41faf0f6384c400981a825ac5afcf9a9b326a797444b1369d102260e202f76976a192d9

Download Submit
C:\Windows\{8C33A00A-E931-4aa1-A75A-781BB549DC6D}.exe

Filesize
197KB

MD5
99bc9ee613e17724a39bad9913c3557f

SHA1
96614ce754339617576aa7bce52d3267df76deae

SHA256
bfc23d0c7ccd1c4d92bb3ed602321eb94ef21f3c1e38d6123ded82f15ae98305

SHA512
6a050e19ff96174fe1e3158278364fef2593057e425528a3383d7b9b160e881f3b6cb92c04a0e9f89f24ddb2d64a2b016f0c7ae1553dfa7f799b1d429257de2e

Download Submit
C:\Windows\{8C88C1BC-A98F-4acc-B5DF-74C567971190}.exe

Filesize
197KB

MD5
c87b1d10890676ed869650fe1f0c51f1

SHA1
c82ef77756cca2c5c56421bc27189126aec80e36

SHA256
4a8d456a5bd6a7299cd9c0e0718d3db14d24af73d85c8b0b460a663e368b559e

SHA512
e1d5c4999fd7fe8a6120ddfa701c20f441386213bcb8d9b6caf43697a7537adcbb0226bca96d39a835fccd4cfd09d6e9cd3025fd950682676a613768fa4cb3e0

Download Submit
C:\Windows\{8E0D01A6-89B2-4064-833F-512B9D48C735}.exe

Filesize
197KB

MD5
56ef1527b0d9ea79a4142537c171373d

SHA1
64465afc6a70348301072e132ed26279fab07a28

SHA256
3d264673fb13134d0cc9ce56a18f0bb7b62331121bc690e5bdcf2ddc68ffa2ea

SHA512
8e818d35eb13cf7b901aed326790e8d86d3704cd75801b6eff1fed55937441f1be7b6de969b3736adb04df90a1bf1db7c71b8de28c7d64428cb555fb85c5fe24

Download Submit
C:\Windows\{9FFABA61-AFF4-46bd-9045-FA8BB8FE1BA4}.exe

Filesize
197KB

MD5
69635b5ecc58840743fd7a3b71290631

SHA1
23486633aa99921456ec0a453bde2bf1f17bd9b8

SHA256
8cc0ddb34676714e75dc6e303b596652022c332a6c2d7bbc0944cc03d6c19aef

SHA512
6a5da4d8eba4326ad25bd0a8347810eee863d5ec31ae433d155e5d5c2c5833bf4b4a86354398733914e17a9cc4a90c0dcf02f50ecb54788375d61b3f5e29bc88

Download Submit
C:\Windows\{B469BB41-10ED-47cf-9C86-BAD916638A3A}.exe

Filesize
197KB

MD5
836281b3a1a8b03d1ba64277aebc6bc9

SHA1
9c251d4daee3f7f48dbfac2181b4107287572e1f

SHA256
ae434278328386f1dbf9caf09090d6d3e381fc1d0913b5dbf025d1acf96ee1ce

SHA512
f6f9ad69618374e05102e70ae97fc71fd656c051f01f9b4a6bef94f2afe0be4e10e66e01d74955c80f3460bd5fbc1c129ed332faa1790dcf3fb126cec7d4e7d7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads