c68ddccac71785d1a5c9d6c075e97b27d81a62a3f234ca072a5eb265e653ff41

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 09:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Size

408KB
MD5

56edeea85378804d2a26dde9ab04bf2b
SHA1

03e7c3323266c9c26dbdc85f80ed1c717b299ec2
SHA256

c68ddccac71785d1a5c9d6c075e97b27d81a62a3f234ca072a5eb265e653ff41
SHA512

56d7ce43875a91c20489279daf68dd3b3aa3dfefcfa08f9f729bfd3c282fdeed8ad74ab63e1e019a9402420079dd4256323d772fe6c5a0d056ade0d5489a8f7a
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGRldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491697A2-79EE-4c3f-AD8C-0B0F54789812}	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E5E65F-9866-44b1-9E5B-557764387237}	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}\stubpath = "C:\\Windows\\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe"	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3363B7DC-3078-4d27-831C-947F03D14D95}	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}\stubpath = "C:\\Windows\\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe"	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3363B7DC-3078-4d27-831C-947F03D14D95}\stubpath = "C:\\Windows\\{3363B7DC-3078-4d27-831C-947F03D14D95}.exe"	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9884F61-886F-401f-949D-84CDD4FDFD4E}\stubpath = "C:\\Windows\\{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe"	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C147CDF-F57D-47a8-811C-862F270C4C8E}\stubpath = "C:\\Windows\\{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe"	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}\stubpath = "C:\\Windows\\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe"	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AD92C1-E917-458a-85B3-B6DCCA833C27}\stubpath = "C:\\Windows\\{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe"	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C147CDF-F57D-47a8-811C-862F270C4C8E}	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}\stubpath = "C:\\Windows\\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe"	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30FF597C-284A-4657-A276-A5EE261F2CBC}	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30FF597C-284A-4657-A276-A5EE261F2CBC}\stubpath = "C:\\Windows\\{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe"	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}\stubpath = "C:\\Windows\\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe"	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491697A2-79EE-4c3f-AD8C-0B0F54789812}\stubpath = "C:\\Windows\\{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe"	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9884F61-886F-401f-949D-84CDD4FDFD4E}	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78E5E65F-9866-44b1-9E5B-557764387237}\stubpath = "C:\\Windows\\{78E5E65F-9866-44b1-9E5B-557764387237}.exe"	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13AD92C1-E917-458a-85B3-B6DCCA833C27}	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
2540	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
4764	{3363B7DC-3078-4d27-831C-947F03D14D95}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
File created	C:\Windows\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
File created	C:\Windows\{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
File created	C:\Windows\{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
File created	C:\Windows\{78E5E65F-9866-44b1-9E5B-557764387237}.exe	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
File created	C:\Windows\{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
File created	C:\Windows\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
File created	C:\Windows\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
File created	C:\Windows\{3363B7DC-3078-4d27-831C-947F03D14D95}.exe	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
File created	C:\Windows\{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
File created	C:\Windows\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
File created	C:\Windows\{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3363B7DC-3078-4d27-831C-947F03D14D95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
Token: SeIncBasePriorityPrivilege	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
Token: SeIncBasePriorityPrivilege	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe
Token: SeIncBasePriorityPrivilege	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
Token: SeIncBasePriorityPrivilege	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
Token: SeIncBasePriorityPrivilege	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
Token: SeIncBasePriorityPrivilege	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
Token: SeIncBasePriorityPrivilege	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
Token: SeIncBasePriorityPrivilege	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
Token: SeIncBasePriorityPrivilege	2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
Token: SeIncBasePriorityPrivilege	2540	{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1164	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	95
PID 1892 wrote to memory of 1164	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	95
PID 1892 wrote to memory of 1164	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	95
PID 1892 wrote to memory of 2132	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	96
PID 1892 wrote to memory of 2132	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	96
PID 1892 wrote to memory of 2132	1892	2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe	96
PID 1164 wrote to memory of 2972	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	97
PID 1164 wrote to memory of 2972	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	97
PID 1164 wrote to memory of 2972	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	97
PID 1164 wrote to memory of 1336	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	98
PID 1164 wrote to memory of 1336	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	98
PID 1164 wrote to memory of 1336	1164	{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe	98
PID 2972 wrote to memory of 5016	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	101
PID 2972 wrote to memory of 5016	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	101
PID 2972 wrote to memory of 5016	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	101
PID 2972 wrote to memory of 3424	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	102
PID 2972 wrote to memory of 3424	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	102
PID 2972 wrote to memory of 3424	2972	{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe	102
PID 5016 wrote to memory of 4216	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	104
PID 5016 wrote to memory of 4216	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	104
PID 5016 wrote to memory of 4216	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	104
PID 5016 wrote to memory of 3164	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	105
PID 5016 wrote to memory of 3164	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	105
PID 5016 wrote to memory of 3164	5016	{78E5E65F-9866-44b1-9E5B-557764387237}.exe	105
PID 4216 wrote to memory of 4288	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	106
PID 4216 wrote to memory of 4288	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	106
PID 4216 wrote to memory of 4288	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	106
PID 4216 wrote to memory of 4320	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	107
PID 4216 wrote to memory of 4320	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	107
PID 4216 wrote to memory of 4320	4216	{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe	107
PID 4288 wrote to memory of 4828	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	109
PID 4288 wrote to memory of 4828	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	109
PID 4288 wrote to memory of 4828	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	109
PID 4288 wrote to memory of 4456	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	110
PID 4288 wrote to memory of 4456	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	110
PID 4288 wrote to memory of 4456	4288	{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe	110
PID 4828 wrote to memory of 808	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	111
PID 4828 wrote to memory of 808	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	111
PID 4828 wrote to memory of 808	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	111
PID 4828 wrote to memory of 3288	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	112
PID 4828 wrote to memory of 3288	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	112
PID 4828 wrote to memory of 3288	4828	{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe	112
PID 808 wrote to memory of 4116	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	113
PID 808 wrote to memory of 4116	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	113
PID 808 wrote to memory of 4116	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	113
PID 808 wrote to memory of 3956	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	114
PID 808 wrote to memory of 3956	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	114
PID 808 wrote to memory of 3956	808	{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe	114
PID 4116 wrote to memory of 3808	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	123
PID 4116 wrote to memory of 3808	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	123
PID 4116 wrote to memory of 3808	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	123
PID 4116 wrote to memory of 1524	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	124
PID 4116 wrote to memory of 1524	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	124
PID 4116 wrote to memory of 1524	4116	{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe	124
PID 3808 wrote to memory of 2528	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	125
PID 3808 wrote to memory of 2528	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	125
PID 3808 wrote to memory of 2528	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	125
PID 3808 wrote to memory of 3536	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	126
PID 3808 wrote to memory of 3536	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	126
PID 3808 wrote to memory of 3536	3808	{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe	126
PID 2528 wrote to memory of 2540	2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe	130
PID 2528 wrote to memory of 2540	2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe	130
PID 2528 wrote to memory of 2540	2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe	130
PID 2528 wrote to memory of 60	2528	{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_56edeea85378804d2a26dde9ab04bf2b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
  C:\Windows\{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
    C:\Windows\{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\{78E5E65F-9866-44b1-9E5B-557764387237}.exe
      C:\Windows\{78E5E65F-9866-44b1-9E5B-557764387237}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
        
        C:\Windows\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
        
        C:\Windows\{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
        
        C:\Windows\{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
        
        C:\Windows\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
        
        C:\Windows\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
        
        C:\Windows\{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
        
        C:\Windows\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
        
        C:\Windows\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\{3363B7DC-3078-4d27-831C-947F03D14D95}.exe
        
        C:\Windows\{3363B7DC-3078-4d27-831C-947F03D14D95}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DDBB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A261B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30FF5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7F23~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4342A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C147~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13AD9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4142~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78E5E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F9884~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{49169~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13AD92C1-E917-458a-85B3-B6DCCA833C27}.exe

Filesize
408KB

MD5
dd264352a6ae8087ecbe3ee82ac0e4ae

SHA1
6f63f081d58c4b0d38c1a330f7751fea1f86e32e

SHA256
a0653a2009b40d2f1973c8a8b7e1f6e4f0559c6c08317cb1b8122a9bb5d5c06d

SHA512
533090fa52c881ef79736cf1ea1eaf9ed6d910feaa3649e3c66fffb0d561e68631b5f7ee002e18119d6715400476d3808f3139af1eb873edb58b90cfb9ae015b

Download Submit
C:\Windows\{30FF597C-284A-4657-A276-A5EE261F2CBC}.exe

Filesize
408KB

MD5
036b6258407d2731b42197a13f559764

SHA1
d046573573e2e89b4b6c4e5a0d271c6872c5ad66

SHA256
6ed9d7886f41297050164c3b12b44f30c6ea2cd40ad660286bd26164965e7a3b

SHA512
8a0f52b3fd3f36071f1b96aa6cc2b8ac8b5cfce903ea7db9c0431c295d8298919b25f96ea4e79fdc9b3e3b75cb35ec8fea317725868ba83e91d2fa181c69a17f

Download Submit
C:\Windows\{3363B7DC-3078-4d27-831C-947F03D14D95}.exe

Filesize
408KB

MD5
6daeae4ea1f33d01fdd0fcbc383f841d

SHA1
70f747d1a708094fd6f564f8f543be90bacecaed

SHA256
42397507704e3cf20ac64f5538f1ac0867d7c5a772967dfb76d5d02002671d3b

SHA512
6496f90453ad5010bc6a4f8c6f1a74661c963f70c0361f2d7c647e8d9a391228eab3952242affacc82215f6f52c1dee288ce277dcb2733941f1116ef5f58238f

Download Submit
C:\Windows\{4342AE3B-16E9-4cf1-B64F-8F952DF0EC5B}.exe

Filesize
408KB

MD5
789abd328ea480a44e3c2133350f093e

SHA1
7f07990f97e770b7de42c7b13c27fa25a33ff83c

SHA256
1070942bbb59274165012eb9471600198257ad4433ae9f26c22658b82654dd9a

SHA512
6f35338cbb58314919adb30cb2282695920642a9e6408a7ecb8f7258eba86b385b6f78d7e456d89be2614fab1d5eed6099864947ad7356231bef051be7fdf894

Download Submit
C:\Windows\{491697A2-79EE-4c3f-AD8C-0B0F54789812}.exe

Filesize
408KB

MD5
5fcda30dfd8e79fe739a16aca1ae6df7

SHA1
13802f7a739d2415d39dca6c885c4ef0f7a70a8a

SHA256
e65bb4cd3c8f92fb18250acc1ac8c28aa20ec10bda20d2bbc4a2f1c59c826101

SHA512
577496b8d93fd496b06fb5a1fc3b746b61be0b29a724ef7d48cd60c3c1137986f9e631bae5d23afb27f7b715dc802811d26028b85bd358eb590a042188e8ad73

Download Submit
C:\Windows\{4C147CDF-F57D-47a8-811C-862F270C4C8E}.exe

Filesize
408KB

MD5
3d31982bb411e6efefd7209f460e30cc

SHA1
98b4b0afb8e95a0aed3bd94ba863af749d94b9b8

SHA256
38c3025566bcb7beef0aa199a52bc529aa4c6c40c7c5947546a330c383969f98

SHA512
4166efe54e0434cf86b3bfc676f2fa32e4398e2e5cb86c6e2484e2352e2909c979e029c0d6b0ca1a4516667e9294e3d3cca5fc3dc4a71b263799e82b27ce3020

Download Submit
C:\Windows\{6DDBBC3D-1B22-40d4-9AD0-63ED93D5C1BE}.exe

Filesize
408KB

MD5
27b6750377d1e21cda3aaa1bd4ffcc0c

SHA1
fa23ce7c124d157622c8cfa698a593b151e7d1e7

SHA256
25d5e716ed9686a0fa5307bbc69c4a69cbb91a57b9038f208d8b2fd00656c602

SHA512
fb47f2845b2ec35eb2a611cfa34acaada2176d19842d12f8aaa8a1cdbf7a4a6101fc48cfc8695b4a88449524753ce2d529e395fb0f9377795a875aae568dfcf6

Download Submit
C:\Windows\{78E5E65F-9866-44b1-9E5B-557764387237}.exe

Filesize
408KB

MD5
52f4ae97543e883b6c263f68fa0211c0

SHA1
5b603ec63a1b31730d4e4b484125cf2fbec32a30

SHA256
6e54b25f9f0d892aaa909a98b1339a782ea51f38d808453c2bd253222f24a15e

SHA512
8007986e99d9d29af27fe39851a231611a4bd64707327668b83fe1ccfefe7db8527a22432fe52c6fa8535c268851498cab0bca78ca75131113d3afdc8c9c9fc2

Download Submit
C:\Windows\{A261BEC3-4BD2-4fc9-9E38-74B5B213073B}.exe

Filesize
408KB

MD5
dacaab52322c6b1493c5edd38a3576ec

SHA1
afe44e52fcdf0f9be34380444d714356eac6de84

SHA256
317125aafe12a28dbf0400ebb1cb7b2e2380127df83e7de65f2d5a1ce57c02a3

SHA512
9c7ec42622dc5323dea46e7bc72ebf4f84987bbde49caf0ddef5f32e4cd07b523b3e4e0ff0bd9053a84560aa55f459c40942a012c72d75fc444cef3f574b3f28

Download Submit
C:\Windows\{D7F23EFA-2E89-4583-B396-98ECA4EA3A7A}.exe

Filesize
408KB

MD5
68d09762efcb7328dc0b590f7d034ea0

SHA1
77199089c5aa00aaa6dfc0208ddc45b37acb4f90

SHA256
5828c9c9f483f4a5ec2bd7d4f78547111a68bfdcab8599e2f7411b2b2f18e3f3

SHA512
ff80c2895b7dc81e3ee838cb6125a02711bd16cb6c083bc90fdd2e8109fb4d165b75319517bde9e44aa01e7dedf5cda5cb9160e19d1e9012f75821010519c9c3

Download Submit
C:\Windows\{F4142639-73FD-4374-8C15-CAC8CDBD9E50}.exe

Filesize
408KB

MD5
d29921b1eaac1aa83b5808c7c89bbb48

SHA1
8564219351f3095dad4dbfd2b7dfbcbfce386bba

SHA256
fa5ec46ac8025502ab1e63c909a3dde0fe5e66c9a624126a9079e7f6c30c9d00

SHA512
54d728eb06e29ce8f7afb94c6b752f157ffae3305b8c54907fe887fb905875819796f4ed04a589e30af28c70fee90638478a4f2a7241942026d13b7960d8ae76

Download Submit
C:\Windows\{F9884F61-886F-401f-949D-84CDD4FDFD4E}.exe

Filesize
408KB

MD5
770e0b71030316a0ba39d2deaba4cdc6

SHA1
fb5f13819dab1cba55de411ede459ffaae3fa9e2

SHA256
6c0e1964e668c77b457ffd672b61b086532e29826ba1e5398b9f92841d20d0ae

SHA512
aa698f02e22c0ea4492afe983a8c7c822e20cfa7be6275a9eac54e9b0e3f50bf6ef4b9fe505786fbb97bb47feab43ac0a512402337796fd6fbfaf9b6647bb3d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads