34efbb5a5a0f580470d72aafd6a5b5bb3921fd6c192ad2b492b87fe49df8b238

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Size

216KB
MD5

8f85011dbac1adfd8c4ad92fb657a78d
SHA1

de15e697eae8416a29bc0a31b94e238872dc19fa
SHA256

34efbb5a5a0f580470d72aafd6a5b5bb3921fd6c192ad2b492b87fe49df8b238
SHA512

30eeb153e8d8501c66557b5a0a065b857ff845741b8a0df9189665ef01c7d81cdbbd999dcb4f808d045534e6b9b5f49579ea9f6001bd86373ee6ff005b0181ae
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGglEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}\stubpath = "C:\\Windows\\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe"	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B862865-F68F-4ee5-820E-196025283BC8}	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F9D508-2269-4b5e-8030-B0E00D72217B}\stubpath = "C:\\Windows\\{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe"	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}\stubpath = "C:\\Windows\\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe"	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD61844-D491-4111-B10E-24F558C5CCA3}	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD61844-D491-4111-B10E-24F558C5CCA3}\stubpath = "C:\\Windows\\{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe"	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C6D6D7-1310-4742-B212-DDAFA3091777}	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}\stubpath = "C:\\Windows\\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe"	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E640CD-D648-4ba8-A525-D9568C6E523D}	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DA2AAA-472A-469f-8F7D-92D2D870D657}\stubpath = "C:\\Windows\\{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe"	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC8B3223-EA49-4409-A682-EDC49D2070FC}	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}\stubpath = "C:\\Windows\\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe"	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC8B3223-EA49-4409-A682-EDC49D2070FC}\stubpath = "C:\\Windows\\{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe"	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F9D508-2269-4b5e-8030-B0E00D72217B}	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B862865-F68F-4ee5-820E-196025283BC8}\stubpath = "C:\\Windows\\{0B862865-F68F-4ee5-820E-196025283BC8}.exe"	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92E640CD-D648-4ba8-A525-D9568C6E523D}\stubpath = "C:\\Windows\\{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe"	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}\stubpath = "C:\\Windows\\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe"	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67C6D6D7-1310-4742-B212-DDAFA3091777}\stubpath = "C:\\Windows\\{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe"	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DA2AAA-472A-469f-8F7D-92D2D870D657}	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe

Executes dropped EXE 12 IoCs

pid	Process
1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
4076	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
1240	{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
File created	C:\Windows\{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
File created	C:\Windows\{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
File created	C:\Windows\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
File created	C:\Windows\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
File created	C:\Windows\{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
File created	C:\Windows\{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
File created	C:\Windows\{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
File created	C:\Windows\{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
File created	C:\Windows\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
File created	C:\Windows\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
File created	C:\Windows\{0B862865-F68F-4ee5-820E-196025283BC8}.exe	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
Token: SeIncBasePriorityPrivilege	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe
Token: SeIncBasePriorityPrivilege	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
Token: SeIncBasePriorityPrivilege	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
Token: SeIncBasePriorityPrivilege	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
Token: SeIncBasePriorityPrivilege	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
Token: SeIncBasePriorityPrivilege	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
Token: SeIncBasePriorityPrivilege	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
Token: SeIncBasePriorityPrivilege	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
Token: SeIncBasePriorityPrivilege	3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
Token: SeIncBasePriorityPrivilege	4076	{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1144	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	95
PID 3764 wrote to memory of 1144	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	95
PID 3764 wrote to memory of 1144	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	95
PID 3764 wrote to memory of 2348	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	96
PID 3764 wrote to memory of 2348	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	96
PID 3764 wrote to memory of 2348	3764	2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe	96
PID 1144 wrote to memory of 2744	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	97
PID 1144 wrote to memory of 2744	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	97
PID 1144 wrote to memory of 2744	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	97
PID 1144 wrote to memory of 4016	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	98
PID 1144 wrote to memory of 4016	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	98
PID 1144 wrote to memory of 4016	1144	{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe	98
PID 2744 wrote to memory of 3432	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	102
PID 2744 wrote to memory of 3432	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	102
PID 2744 wrote to memory of 3432	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	102
PID 2744 wrote to memory of 2332	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	103
PID 2744 wrote to memory of 2332	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	103
PID 2744 wrote to memory of 2332	2744	{0B862865-F68F-4ee5-820E-196025283BC8}.exe	103
PID 3432 wrote to memory of 3944	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	104
PID 3432 wrote to memory of 3944	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	104
PID 3432 wrote to memory of 3944	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	104
PID 3432 wrote to memory of 2840	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	105
PID 3432 wrote to memory of 2840	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	105
PID 3432 wrote to memory of 2840	3432	{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe	105
PID 3944 wrote to memory of 4412	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	106
PID 3944 wrote to memory of 4412	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	106
PID 3944 wrote to memory of 4412	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	106
PID 3944 wrote to memory of 3784	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	107
PID 3944 wrote to memory of 3784	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	107
PID 3944 wrote to memory of 3784	3944	{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe	107
PID 4412 wrote to memory of 1800	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	109
PID 4412 wrote to memory of 1800	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	109
PID 4412 wrote to memory of 1800	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	109
PID 4412 wrote to memory of 4712	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	110
PID 4412 wrote to memory of 4712	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	110
PID 4412 wrote to memory of 4712	4412	{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe	110
PID 1800 wrote to memory of 4720	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	111
PID 1800 wrote to memory of 4720	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	111
PID 1800 wrote to memory of 4720	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	111
PID 1800 wrote to memory of 2672	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	112
PID 1800 wrote to memory of 2672	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	112
PID 1800 wrote to memory of 2672	1800	{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe	112
PID 4720 wrote to memory of 4380	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	117
PID 4720 wrote to memory of 4380	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	117
PID 4720 wrote to memory of 4380	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	117
PID 4720 wrote to memory of 2204	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	118
PID 4720 wrote to memory of 2204	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	118
PID 4720 wrote to memory of 2204	4720	{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe	118
PID 4380 wrote to memory of 2268	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	123
PID 4380 wrote to memory of 2268	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	123
PID 4380 wrote to memory of 2268	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	123
PID 4380 wrote to memory of 3520	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	124
PID 4380 wrote to memory of 3520	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	124
PID 4380 wrote to memory of 3520	4380	{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe	124
PID 2268 wrote to memory of 3272	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	125
PID 2268 wrote to memory of 3272	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	125
PID 2268 wrote to memory of 3272	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	125
PID 2268 wrote to memory of 5040	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	126
PID 2268 wrote to memory of 5040	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	126
PID 2268 wrote to memory of 5040	2268	{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe	126
PID 3272 wrote to memory of 4076	3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe	130
PID 3272 wrote to memory of 4076	3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe	130
PID 3272 wrote to memory of 4076	3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe	130
PID 3272 wrote to memory of 4136	3272	{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-23_8f85011dbac1adfd8c4ad92fb657a78d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
  C:\Windows\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\{0B862865-F68F-4ee5-820E-196025283BC8}.exe
    C:\Windows\{0B862865-F68F-4ee5-820E-196025283BC8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
      C:\Windows\{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
        
        C:\Windows\{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
        
        C:\Windows\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
        
        C:\Windows\{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
        
        C:\Windows\{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
        
        C:\Windows\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
        
        C:\Windows\{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
        
        C:\Windows\{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
        
        C:\Windows\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\Windows\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe
        
        C:\Windows\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6087~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F9D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC8B3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D8B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37DA2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67C6D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64C0B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD61~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E64~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B862~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0D32E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B862865-F68F-4ee5-820E-196025283BC8}.exe

Filesize
216KB

MD5
d52c62b252ccccb51d87de8b7575d9e0

SHA1
cff41062165b46cbf94c90de4ce98a3fb037c0c8

SHA256
ad876570587952414652a7b0152b12f7b1fe19330ae2880cc9b6a7195a7a2d32

SHA512
18847e38bf1cd2c9ea213d54fbf68caa5ddd12f7ee21684eb76389e6c2082c4f455550b55e1bf8f2eb50df900022cb26fa59a2255ddb72c2cfafe8ec09099b62

Download Submit
C:\Windows\{0D32EDBB-7277-4979-A0FA-493C3BA744D6}.exe

Filesize
216KB

MD5
c5b8d290c75718de815d841ec9d1bdfe

SHA1
49dd37759a8f7a80da684b54ed92df713f40c30f

SHA256
94ce782467c88fa2f115b42db99aa1c4b8e356204ba6064c7a7e605a6a1adc17

SHA512
44172cb2a693cc0ed5dbcfae155a23d89b3d12094e18206e53cc17ff00abd622f0a5b89945f40093f1d20fdf57ceb89451675ef120b0d984efc3ed4821a0340e

Download Submit
C:\Windows\{2FD61844-D491-4111-B10E-24F558C5CCA3}.exe

Filesize
216KB

MD5
69abdbbf153485dd5cca70f37b139f34

SHA1
b236e29711d1c93497fb39a853a4771d71163f3d

SHA256
2798ed96d99a21ac379989c9036e68f5636ba9268fdf8667c32df23b55fe4b3b

SHA512
d28df1af642215b7bb16611f460f77cb171c8ea59b8418fe4cd4f4bc4ebecddce6a566da092f2c161bd2944963fdff8978f0c11c87f1d09b75daf704b90f3466

Download Submit
C:\Windows\{37D8B1CC-3572-4dfc-A91B-0A4A31392915}.exe

Filesize
216KB

MD5
db694302b7d64fa8d3221721f7d72cc9

SHA1
8c077643c2e083a14984b9c34a7b44a4768e7a7f

SHA256
2ea642b3e128d660ccfff7e44a055b70eb8ebac684c959d3fd4def9613db62d2

SHA512
ed28f83d474cb23349bd87e3d8210b34f753ae5e1c768b0e2fe5a88ea3215774b911ebbfbd23076010cc8809a253954a2686abc35b723198866803dbd4f43cd8

Download Submit
C:\Windows\{37DA2AAA-472A-469f-8F7D-92D2D870D657}.exe

Filesize
216KB

MD5
8a7fd2c06461dfa05eb27303acd64095

SHA1
b2b3853169715753259d7ded2aa51660ca0aa875

SHA256
32ef067462c5ae5261aed9348ad0ebf46b641cfe42f28b7efb2af4917c6fef28

SHA512
2b7f234966822e5abd4b1002a5194f6007fe78fb062af0f332651ebd5d5997262a73ffc1b67881d79750bdce356dd2a21e9803e418034e8db8ebf86d938944f8

Download Submit
C:\Windows\{39F9D508-2269-4b5e-8030-B0E00D72217B}.exe

Filesize
216KB

MD5
b9c052b13815ee23825b4da96cbb8635

SHA1
08796e8e553b1c8232ff48dc85a73371e5171fb5

SHA256
84abf72c28506010d9b652623426e27656116d241c1fb1c7d7ca756363331b7c

SHA512
ef51dd22a217ff3d3b7bd748036d7c12057cfbcb7e177af6a72624d193b6e73d9f6241211d6318c0b68393b49f5b2af2b44aa4b9223d7f4049615782a7cfa6f0

Download Submit
C:\Windows\{64C0BA19-2C62-4cfe-BFB7-2746DAD9D5BA}.exe

Filesize
216KB

MD5
7cab5c16bfc2e2355c878f527b799df3

SHA1
1e58c3e8ab23a5d619f3a650f880e5fdf9d2e9bc

SHA256
f2ff16c8eeda4999c9a51de599898d9661d0f2d79792c18248ce2b6e77142327

SHA512
68963e5295428935f7522e60a13a14324f91f97ff9f25149585b6ade8444a74aab99a44ee7079aa8ba3622d232cedacc1cec819a76f4613900a5bae5a23cd895

Download Submit
C:\Windows\{67C6D6D7-1310-4742-B212-DDAFA3091777}.exe

Filesize
216KB

MD5
8022d669c6a71d6d0168880fcdc26526

SHA1
0f819ce23eb5a93e6c29d02a5f2c0814e61bd203

SHA256
f3a1d9132e6c131b499edfa0b6c4fcb4b0ae9154debf07c64341de4d41044764

SHA512
1168560e43a905346bca6ed7e23807e390d4807784638381de4d7abcd2c514ce7e6da950b585c107f74fb6049d2e57941c51d2754a71bed93499540463c5622c

Download Submit
C:\Windows\{92E640CD-D648-4ba8-A525-D9568C6E523D}.exe

Filesize
216KB

MD5
2aa56c22360f4c3cbff90c0a04676b15

SHA1
12e1175b7831f0d512d9e8dccfed6bc16b44120b

SHA256
3d737e3f8fb007ccb2409d2d0a10a42489f1ce92b79e0195fbe87643b3a877b3

SHA512
b8b94a916c16fdffdbc71728a0ae3f3b0f46b9989fba08438741f82bfad1a2c379ae64f5251edd64c920f0b560e242aebcf00f29f069457ca02690723e40e591

Download Submit
C:\Windows\{BE13FB15-878E-4f96-A9B6-507E1565CEB6}.exe

Filesize
216KB

MD5
f63953b4bc2a09201b0a39b666299beb

SHA1
7a0e5f68b4d249e8d2b62b2404f28c0c955464e6

SHA256
b323fffdedfc7c29b77edcd13a146e094e707741bf8306e811e09d1641b941a8

SHA512
6f0277b7672d966a39806561dbc4b786a6d1702468b29f345ad1664252e46d918f3f2e5080957c9db44c681b0d865dd30138afb2ba038ef493ac3e4b99acb97f

Download Submit
C:\Windows\{F60877FB-BFF7-4959-B54E-B4E3C61E3560}.exe

Filesize
216KB

MD5
93768438d9ed4e9713b65d8841037c72

SHA1
b467e6e367bd9d5c1e9b750c806d3949292dedb5

SHA256
bf1b3d3441aabdc0e921c9c44e79ddabbda1087523402cd17d3e3f277ed46c07

SHA512
acf8d370e6f5760cdc1ffd3a571cf9f17f8124fb5daa5ffca8aa7a53ef87342b00c9de72c4b61f48ddba080a8e8640d1919e8a4480a25373c48accc8339c88b0

Download Submit
C:\Windows\{FC8B3223-EA49-4409-A682-EDC49D2070FC}.exe

Filesize
216KB

MD5
8c70bd37bbdc184cd59c9173dcb8153a

SHA1
0ad0a905a4bfd72ef2b49d336b99b37f7e003798

SHA256
450cf2cc67d5aced14064956bdf6bf7ddcf86a14ed6c348011cb2df1bbd16fd8

SHA512
2e3c122bebc5145792c684fcb70fc56111eedd988b585a99468c28b373bfcf9fe348f8d45831739af859c361f050e68c5a9418ed21a07a5a0d4638acbbe63b52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads