a9c179ff104c630a4ddd24fc5390819281a888e353b45b12d2ab6ed8ba1eb9b8

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Size

372KB
MD5

d6d53f1da4d795ef4989ef45adbbce24
SHA1

5be5a89ea2436d871a27ffef5daae5778b1caaa4
SHA256

a9c179ff104c630a4ddd24fc5390819281a888e353b45b12d2ab6ed8ba1eb9b8
SHA512

80df69239f14c178a3682bf1fce26f783c318f53950ed321d0c33173eb390a6dbeed685916509abf80afa75cc086181f9321b0372c2199cb4f4224fa9f9480a7
SSDEEP

3072:CEGh0oKlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGElkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}\stubpath = "C:\\Windows\\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe"	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2828802A-8A57-4754-805E-0A1888FB2B58}\stubpath = "C:\\Windows\\{2828802A-8A57-4754-805E-0A1888FB2B58}.exe"	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2828802A-8A57-4754-805E-0A1888FB2B58}	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507991C5-E180-47df-8449-D543AF2FFED5}	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{507991C5-E180-47df-8449-D543AF2FFED5}\stubpath = "C:\\Windows\\{507991C5-E180-47df-8449-D543AF2FFED5}.exe"	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3033DBD-9228-482b-90A5-EC675EED8A2C}\stubpath = "C:\\Windows\\{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe"	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E32904-1C65-406c-9493-96DAD33A6F55}	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}\stubpath = "C:\\Windows\\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe"	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}\stubpath = "C:\\Windows\\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe"	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}\stubpath = "C:\\Windows\\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe"	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA882CB8-1730-4098-BD10-76BBD11E200A}	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3033DBD-9228-482b-90A5-EC675EED8A2C}	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1E32904-1C65-406c-9493-96DAD33A6F55}\stubpath = "C:\\Windows\\{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe"	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA882CB8-1730-4098-BD10-76BBD11E200A}\stubpath = "C:\\Windows\\{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe"	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA2765A-153A-43c7-BA1B-E886D61F080E}	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA2765A-153A-43c7-BA1B-E886D61F080E}\stubpath = "C:\\Windows\\{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe"	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}\stubpath = "C:\\Windows\\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe"	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}\stubpath = "C:\\Windows\\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe"	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
2908	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe
3172	{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
File created	C:\Windows\{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
File created	C:\Windows\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
File created	C:\Windows\{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
File created	C:\Windows\{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
File created	C:\Windows\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
File created	C:\Windows\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
File created	C:\Windows\{507991C5-E180-47df-8449-D543AF2FFED5}.exe	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
File created	C:\Windows\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
File created	C:\Windows\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
File created	C:\Windows\{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
File created	C:\Windows\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe
Token: SeIncBasePriorityPrivilege	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
Token: SeIncBasePriorityPrivilege	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
Token: SeIncBasePriorityPrivilege	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
Token: SeIncBasePriorityPrivilege	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
Token: SeIncBasePriorityPrivilege	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
Token: SeIncBasePriorityPrivilege	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
Token: SeIncBasePriorityPrivilege	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
Token: SeIncBasePriorityPrivilege	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
Token: SeIncBasePriorityPrivilege	4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
Token: SeIncBasePriorityPrivilege	2908	{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2988	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	100
PID 4172 wrote to memory of 2988	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	100
PID 4172 wrote to memory of 2988	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	100
PID 4172 wrote to memory of 4064	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	101
PID 4172 wrote to memory of 4064	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	101
PID 4172 wrote to memory of 4064	4172	2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe	101
PID 2988 wrote to memory of 4252	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	102
PID 2988 wrote to memory of 4252	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	102
PID 2988 wrote to memory of 4252	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	102
PID 2988 wrote to memory of 3996	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	103
PID 2988 wrote to memory of 3996	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	103
PID 2988 wrote to memory of 3996	2988	{507991C5-E180-47df-8449-D543AF2FFED5}.exe	103
PID 4252 wrote to memory of 4368	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	107
PID 4252 wrote to memory of 4368	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	107
PID 4252 wrote to memory of 4368	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	107
PID 4252 wrote to memory of 812	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	108
PID 4252 wrote to memory of 812	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	108
PID 4252 wrote to memory of 812	4252	{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe	108
PID 4368 wrote to memory of 4488	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	109
PID 4368 wrote to memory of 4488	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	109
PID 4368 wrote to memory of 4488	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	109
PID 4368 wrote to memory of 2740	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	110
PID 4368 wrote to memory of 2740	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	110
PID 4368 wrote to memory of 2740	4368	{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe	110
PID 4488 wrote to memory of 544	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	111
PID 4488 wrote to memory of 544	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	111
PID 4488 wrote to memory of 544	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	111
PID 4488 wrote to memory of 1548	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	112
PID 4488 wrote to memory of 1548	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	112
PID 4488 wrote to memory of 1548	4488	{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe	112
PID 544 wrote to memory of 1900	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	114
PID 544 wrote to memory of 1900	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	114
PID 544 wrote to memory of 1900	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	114
PID 544 wrote to memory of 3720	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	115
PID 544 wrote to memory of 3720	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	115
PID 544 wrote to memory of 3720	544	{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe	115
PID 1900 wrote to memory of 4564	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	116
PID 1900 wrote to memory of 4564	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	116
PID 1900 wrote to memory of 4564	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	116
PID 1900 wrote to memory of 1484	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	117
PID 1900 wrote to memory of 1484	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	117
PID 1900 wrote to memory of 1484	1900	{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe	117
PID 4564 wrote to memory of 1684	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	122
PID 4564 wrote to memory of 1684	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	122
PID 4564 wrote to memory of 1684	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	122
PID 4564 wrote to memory of 4356	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	123
PID 4564 wrote to memory of 4356	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	123
PID 4564 wrote to memory of 4356	4564	{2828802A-8A57-4754-805E-0A1888FB2B58}.exe	123
PID 1684 wrote to memory of 4652	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	128
PID 1684 wrote to memory of 4652	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	128
PID 1684 wrote to memory of 4652	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	128
PID 1684 wrote to memory of 2624	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	129
PID 1684 wrote to memory of 2624	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	129
PID 1684 wrote to memory of 2624	1684	{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe	129
PID 4652 wrote to memory of 4048	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	130
PID 4652 wrote to memory of 4048	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	130
PID 4652 wrote to memory of 4048	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	130
PID 4652 wrote to memory of 1408	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	131
PID 4652 wrote to memory of 1408	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	131
PID 4652 wrote to memory of 1408	4652	{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe	131
PID 4048 wrote to memory of 2908	4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe	134
PID 4048 wrote to memory of 2908	4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe	134
PID 4048 wrote to memory of 2908	4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe	134
PID 4048 wrote to memory of 3904	4048	{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d6d53f1da4d795ef4989ef45adbbce24_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\{507991C5-E180-47df-8449-D543AF2FFED5}.exe
  C:\Windows\{507991C5-E180-47df-8449-D543AF2FFED5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
    C:\Windows\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
      C:\Windows\{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
        
        C:\Windows\{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
        
        C:\Windows\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
        
        C:\Windows\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
        
        C:\Windows\{2828802A-8A57-4754-805E-0A1888FB2B58}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
        
        C:\Windows\{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
        
        C:\Windows\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
        
        C:\Windows\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe
        
        C:\Windows\{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe
        
        C:\Windows\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA882~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB9E0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24ED9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA27~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28288~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B4B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B961~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1E32~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3033~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7466A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50799~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AA2765A-153A-43c7-BA1B-E886D61F080E}.exe

Filesize
372KB

MD5
81ded5f96b1071e0d5f89832f3355a28

SHA1
dc1a904a792d156ca1337e91be8394dfd5684f79

SHA256
c6adb869791abec12f904ce706c5593c8b93152ab737b29ae9a1577a9cde8905

SHA512
7a8614cbff56df9f305752f3fd346db3cb955e1fc776c822a12af0e702da11a4e001e0ad396cc69799abb985985827f1a9f4dad21f8608d99947fb5bc54a5090

Download Submit
C:\Windows\{24ED924B-275F-4c84-B7E4-29E1C9C13D05}.exe

Filesize
372KB

MD5
b2036423d244fc29412f7df8dea78bce

SHA1
553eaac0e5c343a82b358b364c03150c8cb059c4

SHA256
a9e00585e99acc11df950bacda997611dbd074cb9c07a262d56cd4f37c0fac5e

SHA512
b37ef57bb7b2a9637355d6697cdafeecb96f6d66027e459ff2cb54cea75d831708550c80635e2506597dde11bc913a4e2fbdbd54956dbc8ebe468c28c5d20f03

Download Submit
C:\Windows\{2828802A-8A57-4754-805E-0A1888FB2B58}.exe

Filesize
372KB

MD5
895b9dc0a6e8ea0f7bace17562d82480

SHA1
10ba249a30828362adfe06713fd671d0c06e8d90

SHA256
17843d9940cdc35852246598b155c4395a4f73bde5710c8d63d4790c20732fe4

SHA512
c5e5245dac56e1cabfb4581b00cc5417534904ca599e4259ea98db03cc0b1738a7e43f7734e7568d659a638aef937049cc30fcd5843f112e159d171835a862b6

Download Submit
C:\Windows\{45B4B8DD-DAC3-4e74-9BE9-70944AE7E277}.exe

Filesize
372KB

MD5
aef2a3f28538d98de3b024dbb0500df3

SHA1
4edf6933b9660597f0bb01563ab26740aa5c9e5c

SHA256
b6cf179282db555d54d62ddb071f95a9a0d1565ccbef0ba99a308f313fc08348

SHA512
474061cab376a1e9501456bb010bff8f396e88244cd3242f6dced5dc155881595ffbc7514c4ab9481cdbfcfb4682a6649d43762b66039d9cb086a0bc0c35741f

Download Submit
C:\Windows\{507991C5-E180-47df-8449-D543AF2FFED5}.exe

Filesize
372KB

MD5
bdfbf2b1a5ddabce86d38a2ae25c13fd

SHA1
7c0e9b0bc0d9500ddbbdd36b7442a6339388fec3

SHA256
200af888043ab6461f8ea61d3decf1102e679141e7fa8b6ff3b90ff8f0923b30

SHA512
bfc79d77e455440691f6b754deb8b15f55565aa1861e4896c7c275a44e54451d57375d39ecf71f4c00b5eb6e8f6db5d14ff58b7b79de9275da0ac1725344d697

Download Submit
C:\Windows\{6B96179E-00F7-42fa-9008-B4C04DBC6EAD}.exe

Filesize
372KB

MD5
377346f23962a8ee5bcdeaa745a3bf1b

SHA1
d781d8824f8649bcffc7263416c0b4367c346238

SHA256
ae7420f5692debe6736ad25b79f4ea88628f03b2873ff7e5702f2fd4aaaf7560

SHA512
dfbb9dae65423e43079978aab13cf2a10c36f59b3de53297b87521951882883d30399e4920728ee50ddca363ac493663c6e260d8135bb343b2654f9d76813c80

Download Submit
C:\Windows\{7466AE55-BA9F-4ebf-BBCC-D46BA1306505}.exe

Filesize
372KB

MD5
6153210ddf6b61dca9d3905438873146

SHA1
522a698fc588a2afef3bf56e493f8888bfb33ca6

SHA256
9157e3693aa4a31e25c45f6132b5cb28acbb28b889c2b667d6c25c200611d491

SHA512
364793adeb74cf166807f1b1f51c2b689e28068394938bc69254b2cae79f3ef28edf2186e9c4baf055059bc51b65b880a50b99230a6a77c59078d4ecca4923c3

Download Submit
C:\Windows\{AA53B87B-8E64-4e3a-966B-0ABF7EB6D241}.exe

Filesize
372KB

MD5
068fdfc2e9971965ae505acbea8b475d

SHA1
4e0ddb02fef525c371f74780d57293eb8d8d5fcf

SHA256
b9d13013eee9dba3336605da7d9e833b3394b4bcddbce648026f824ffba29804

SHA512
624fd650df7b34969b347f0a7051d1579a0e5f88f898c9349efd30ca032f2bddee0ac9f3613b374e209ff242607498970720d55b406b58a0f50096fa941e347c

Download Submit
C:\Windows\{B1E32904-1C65-406c-9493-96DAD33A6F55}.exe

Filesize
372KB

MD5
14088c50aede636cb1fdbc1f86c07075

SHA1
1abcf538633782bdf29e826fbd94e6892f842c40

SHA256
3e0d46b4339f990c2df8d4e02fa5248c2f95d7ff98f2522ca7b6b74de053f5ef

SHA512
a40d05453440f82e31f4aca6ce969daed1c7c9ba2e11a1927917ddef0f636db161744db0c6901697be024bc157a8c909e2593660bf11b067ff36db20b59853ea

Download Submit
C:\Windows\{D3033DBD-9228-482b-90A5-EC675EED8A2C}.exe

Filesize
372KB

MD5
18f493731d47335ad6e40badf42acc9a

SHA1
8be70971277ab1c6f6b24a961fedb313025e86cf

SHA256
40dbf21beb6ce954dbc8460f715679d95a3417e24184787ab30f1b5e0b98d69e

SHA512
890450de740b2fc01df5be2144e547a8107d5655611f899dfc3ef9a21d13d927277abd7cebf537a4a7a514566c6ba3ae8764365351380b704cbc86295bfd5cda

Download Submit
C:\Windows\{EA882CB8-1730-4098-BD10-76BBD11E200A}.exe

Filesize
372KB

MD5
6ed55fc4c738c45000c87c86fb8255c4

SHA1
c40da03a2be1b7c30d08ac1fa19adf9a2ba6bede

SHA256
e66379d9290ca09e74066650fd7e49c8e486c3263bc09e9934237e08bbf4452b

SHA512
23754f17646cf93b1fe0939133cc381268409192cda8b14c627aa0e212db7e1eaa40269106f09667fbd4581ba46374ebaf3205f924cca07db6ba306ec8df094a

Download Submit
C:\Windows\{FB9E06F1-609A-4d99-9B35-1A24FE8B00DF}.exe

Filesize
372KB

MD5
9ccfce2be82bc3b71ea348616f74cd94

SHA1
5416f98e2eaf06694f4f02714416b6384a81338e

SHA256
1f8878d87976a6bf6f1cf7b7fe9a3a60a38204e62346ef84604fd6fafaf86003

SHA512
f402927abf0dca244544ae55899a88241e8ffb09f9c68488642647095ff77554ff49c70027d8b851824079d59ba28e05035994c42df4067862b9180a1aa906d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads