1be252e762c372604a8143ef57fba89da58017d5322b9ac04c9eba1ef7962128

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Size

408KB
MD5

73e1fe21535ab492c706b6d336ddc885
SHA1

6082c186038a41021f941d86b442d1cdc1b52ccf
SHA256

1be252e762c372604a8143ef57fba89da58017d5322b9ac04c9eba1ef7962128
SHA512

e5b1296f803fd21e320c61701d670595ed9e5d35426e2c5d421d103ca66b15af3b24aa5d82ec098d69548cdb524c935aa83cd51fdccb888f644e11f6e1a3614c
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGbldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}\stubpath = "C:\\Windows\\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe"	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E912744B-0160-4497-8F52-9E1AA7078811}	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}	{E912744B-0160-4497-8F52-9E1AA7078811}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}\stubpath = "C:\\Windows\\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe"	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49FD373D-7932-4f31-8B55-C956399F6469}	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33518B0B-4432-46e6-A69F-711F458A34D9}	{49FD373D-7932-4f31-8B55-C956399F6469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240C16D0-622C-4080-902F-9A99889D3FE8}	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}\stubpath = "C:\\Windows\\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe"	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{240C16D0-622C-4080-902F-9A99889D3FE8}\stubpath = "C:\\Windows\\{240C16D0-622C-4080-902F-9A99889D3FE8}.exe"	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C05E01D-6155-4948-B665-B06317B56CFA}	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C05E01D-6155-4948-B665-B06317B56CFA}\stubpath = "C:\\Windows\\{2C05E01D-6155-4948-B665-B06317B56CFA}.exe"	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49FD373D-7932-4f31-8B55-C956399F6469}\stubpath = "C:\\Windows\\{49FD373D-7932-4f31-8B55-C956399F6469}.exe"	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33518B0B-4432-46e6-A69F-711F458A34D9}\stubpath = "C:\\Windows\\{33518B0B-4432-46e6-A69F-711F458A34D9}.exe"	{49FD373D-7932-4f31-8B55-C956399F6469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}\stubpath = "C:\\Windows\\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe"	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{025204EE-E2B6-4084-8DDE-951A4232743E}	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{025204EE-E2B6-4084-8DDE-951A4232743E}\stubpath = "C:\\Windows\\{025204EE-E2B6-4084-8DDE-951A4232743E}.exe"	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}\stubpath = "C:\\Windows\\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe"	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E912744B-0160-4497-8F52-9E1AA7078811}\stubpath = "C:\\Windows\\{E912744B-0160-4497-8F52-9E1AA7078811}.exe"	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}\stubpath = "C:\\Windows\\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe"	{E912744B-0160-4497-8F52-9E1AA7078811}.exe

Executes dropped EXE 12 IoCs

pid	Process
4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe
4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe
388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
2068	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
1568	{025204EE-E2B6-4084-8DDE-951A4232743E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E912744B-0160-4497-8F52-9E1AA7078811}.exe	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
File created	C:\Windows\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	{E912744B-0160-4497-8F52-9E1AA7078811}.exe
File created	C:\Windows\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
File created	C:\Windows\{49FD373D-7932-4f31-8B55-C956399F6469}.exe	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
File created	C:\Windows\{240C16D0-622C-4080-902F-9A99889D3FE8}.exe	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
File created	C:\Windows\{025204EE-E2B6-4084-8DDE-951A4232743E}.exe	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
File created	C:\Windows\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
File created	C:\Windows\{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
File created	C:\Windows\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
File created	C:\Windows\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
File created	C:\Windows\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
File created	C:\Windows\{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	{49FD373D-7932-4f31-8B55-C956399F6469}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49FD373D-7932-4f31-8B55-C956399F6469}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E912744B-0160-4497-8F52-9E1AA7078811}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{025204EE-E2B6-4084-8DDE-951A4232743E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
Token: SeIncBasePriorityPrivilege	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
Token: SeIncBasePriorityPrivilege	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
Token: SeIncBasePriorityPrivilege	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe
Token: SeIncBasePriorityPrivilege	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
Token: SeIncBasePriorityPrivilege	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
Token: SeIncBasePriorityPrivilege	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe
Token: SeIncBasePriorityPrivilege	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
Token: SeIncBasePriorityPrivilege	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
Token: SeIncBasePriorityPrivilege	4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
Token: SeIncBasePriorityPrivilege	2068	{240C16D0-622C-4080-902F-9A99889D3FE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4416	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	97
PID 4716 wrote to memory of 4416	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	97
PID 4716 wrote to memory of 4416	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	97
PID 4716 wrote to memory of 4384	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	98
PID 4716 wrote to memory of 4384	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	98
PID 4716 wrote to memory of 4384	4716	2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe	98
PID 4416 wrote to memory of 2052	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	99
PID 4416 wrote to memory of 2052	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	99
PID 4416 wrote to memory of 2052	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	99
PID 4416 wrote to memory of 4048	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	100
PID 4416 wrote to memory of 4048	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	100
PID 4416 wrote to memory of 4048	4416	{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe	100
PID 2052 wrote to memory of 3736	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	104
PID 2052 wrote to memory of 3736	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	104
PID 2052 wrote to memory of 3736	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	104
PID 2052 wrote to memory of 732	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	105
PID 2052 wrote to memory of 732	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	105
PID 2052 wrote to memory of 732	2052	{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe	105
PID 3736 wrote to memory of 1260	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	106
PID 3736 wrote to memory of 1260	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	106
PID 3736 wrote to memory of 1260	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	106
PID 3736 wrote to memory of 4776	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	107
PID 3736 wrote to memory of 4776	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	107
PID 3736 wrote to memory of 4776	3736	{2C05E01D-6155-4948-B665-B06317B56CFA}.exe	107
PID 1260 wrote to memory of 4216	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	108
PID 1260 wrote to memory of 4216	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	108
PID 1260 wrote to memory of 4216	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	108
PID 1260 wrote to memory of 3508	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	109
PID 1260 wrote to memory of 3508	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	109
PID 1260 wrote to memory of 3508	1260	{E912744B-0160-4497-8F52-9E1AA7078811}.exe	109
PID 4216 wrote to memory of 1804	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	111
PID 4216 wrote to memory of 1804	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	111
PID 4216 wrote to memory of 1804	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	111
PID 4216 wrote to memory of 1852	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	112
PID 4216 wrote to memory of 1852	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	112
PID 4216 wrote to memory of 1852	4216	{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe	112
PID 1804 wrote to memory of 5040	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	113
PID 1804 wrote to memory of 5040	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	113
PID 1804 wrote to memory of 5040	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	113
PID 1804 wrote to memory of 184	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	114
PID 1804 wrote to memory of 184	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	114
PID 1804 wrote to memory of 184	1804	{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe	114
PID 5040 wrote to memory of 388	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	118
PID 5040 wrote to memory of 388	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	118
PID 5040 wrote to memory of 388	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	118
PID 5040 wrote to memory of 5008	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	119
PID 5040 wrote to memory of 5008	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	119
PID 5040 wrote to memory of 5008	5040	{49FD373D-7932-4f31-8B55-C956399F6469}.exe	119
PID 388 wrote to memory of 3432	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	120
PID 388 wrote to memory of 3432	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	120
PID 388 wrote to memory of 3432	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	120
PID 388 wrote to memory of 3528	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	121
PID 388 wrote to memory of 3528	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	121
PID 388 wrote to memory of 3528	388	{33518B0B-4432-46e6-A69F-711F458A34D9}.exe	121
PID 3432 wrote to memory of 4132	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	122
PID 3432 wrote to memory of 4132	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	122
PID 3432 wrote to memory of 4132	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	122
PID 3432 wrote to memory of 1492	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	123
PID 3432 wrote to memory of 1492	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	123
PID 3432 wrote to memory of 1492	3432	{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe	123
PID 4132 wrote to memory of 2068	4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe	128
PID 4132 wrote to memory of 2068	4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe	128
PID 4132 wrote to memory of 2068	4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe	128
PID 4132 wrote to memory of 4000	4132	{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_73e1fe21535ab492c706b6d336ddc885_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
  C:\Windows\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
    C:\Windows\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
      C:\Windows\{2C05E01D-6155-4948-B665-B06317B56CFA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\{E912744B-0160-4497-8F52-9E1AA7078811}.exe
        
        C:\Windows\{E912744B-0160-4497-8F52-9E1AA7078811}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
        
        C:\Windows\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
        
        C:\Windows\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{49FD373D-7932-4f31-8B55-C956399F6469}.exe
        
        C:\Windows\{49FD373D-7932-4f31-8B55-C956399F6469}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
        
        C:\Windows\{33518B0B-4432-46e6-A69F-711F458A34D9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
        
        C:\Windows\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
        
        C:\Windows\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
        
        C:\Windows\{240C16D0-622C-4080-902F-9A99889D3FE8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{025204EE-E2B6-4084-8DDE-951A4232743E}.exe
        
        C:\Windows\{025204EE-E2B6-4084-8DDE-951A4232743E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{240C1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F856~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46B9B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33518~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49FD3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51710~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD639~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9127~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C05E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2BD5C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9BE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{025204EE-E2B6-4084-8DDE-951A4232743E}.exe

Filesize
408KB

MD5
6d104023d75f5041e4f1039cf5ae1331

SHA1
4e21b62f6be8901de486a62732afad56e006a4e1

SHA256
ed65e570e2eafb3d7424b50d647d7ed3fea030dac23e0c67c1d034632055d368

SHA512
9fbfb17d64c579c3a6a204c4a17fd1b2e49a2874011d099b3e7c6696c1b23bdd5d7a60f3a800642c11fad72c27776f8fd2f0773e33fdfbb459d22edf7bdc29e0

Download Submit
C:\Windows\{0F856D2A-EFBC-4eee-BEE9-F2EEBAFB1978}.exe

Filesize
408KB

MD5
c196001417094e68676478ca850435d9

SHA1
9de0ed8885d49b48810cad9c63546ccf77864c5e

SHA256
f93b7f24bc6a1b901dbdcfe650cf44d2ea420172fd1b274b68a5970eb712b5be

SHA512
f71d177028e3a94674b8a4a0a911ab57be7bd8d63a1429b736c4fa26c04558e5354d8b1aa6b033e998f93dea5f3a87d71574f6bdf9ff631af0690249fee7908b

Download Submit
C:\Windows\{240C16D0-622C-4080-902F-9A99889D3FE8}.exe

Filesize
408KB

MD5
819840156b1aa77b0b4d99b89beceabd

SHA1
05f8f2f24841f0d6f8e9c7b7f2c64256d0af0893

SHA256
6c07f9555e0d3b4824d9c91b6268de613295ab0bfa702cf7d272fa024c456c9d

SHA512
53d27a2d147a0e4d2411c38597034c9f1d0a67084641691d7fa6bdf4c871ea8adbc0af63ae242b5d519f2c480f2f78af3e21be881dfe70fbcaad8bbcc1bbf08b

Download Submit
C:\Windows\{2BD5C69E-DEC0-48c9-9567-1B8D60399F98}.exe

Filesize
408KB

MD5
4d6420a93403d57bdb18fadb75da92c1

SHA1
e2277520a756e0b76ac116b73c1dd2542e84cce6

SHA256
856f048d2244a6c60b6f62a35c0dae16f8ad2d06387428c355f40da12601f2dd

SHA512
12d9c0e8f9a98e671fc309e32dbebcf21469d2513cd85484ee9d7cb27fc8574ee419c58b440f16e608076681e20ff02461dcf212fecaa5e5edbf678db5805784

Download Submit
C:\Windows\{2C05E01D-6155-4948-B665-B06317B56CFA}.exe

Filesize
408KB

MD5
3f8afc1f09752d2983993a49ab029cf9

SHA1
585f3334cf924c721515d4a36417826d0e77ace4

SHA256
673f9649affce52a1e6426b282fa2407efc292cb0075cfc2b4ce4dbf049c86ba

SHA512
9e9fa6300aa5f2e6a6ca4ec681a1070ddd0655c39c906a09d918d7970d74744cd6fb33e6d3b6a80a90de2a1cfc600a86d8803d7dcea00924648b0009914c1818

Download Submit
C:\Windows\{33518B0B-4432-46e6-A69F-711F458A34D9}.exe

Filesize
408KB

MD5
29c854f11e20c34ff3ff89e7491dee14

SHA1
d6c4ad1ccb50aaa5301175247f173ef8571312c3

SHA256
846a9fd940f1dd8c1684f284b27ecf1145de679b687a59cb3c912ce0f6766c35

SHA512
c89bd57fa7034c4fa0866e711844a4a8780f0d4d102d85406ad9c996b708a8432bd42b26c81b2948cdc70481a77aa5e3ebb65f04fd90c4e4d73fe33e1a5d4bff

Download Submit
C:\Windows\{46B9B14E-63E5-4945-BE0D-42B77CF6249F}.exe

Filesize
408KB

MD5
ce0fb43469c232d6971b5914d19ea35e

SHA1
76dad83b7fb2a1502b6d8e2286d61ce61d63c9cf

SHA256
038001aeca544681d44f47e2baa84490cbce37b6ab5512e2961f5d92e43e5b83

SHA512
3084ec343d4db979b01883b4f9796e84e63c78f143b62796154c21adb15e08b1c2d967b8875cb4605ff6b7c98e7d950f487f2faa6d00aa8a4c3bf03a0e47d125

Download Submit
C:\Windows\{49FD373D-7932-4f31-8B55-C956399F6469}.exe

Filesize
408KB

MD5
27405222454d2240a898a485978270be

SHA1
fa00e8a87e1f9060e728db636e4074d75f684b0e

SHA256
dcddcda125e1c58eb3f5d9f4327e693d54adda474d78505e3757a36cf87f3b32

SHA512
94389de5ebd545cfffba3154272acf0a0f5b202a37123a7dd6a01d8d3d38d0e1ba6bece98a5352f2ddc24d88987ed0f2da656fc3a78023b185008461e4147aca

Download Submit
C:\Windows\{5171091A-ED98-4bfb-8135-9AEF7BCA753B}.exe

Filesize
408KB

MD5
f95916f49e746ee7f35bc247ae092846

SHA1
cebe1bf961919a3bf55d88852efab549a7aca16c

SHA256
a556ce2139ee1c6afedfc8cd3bb189ae0f0cac6993a990742e508ff1230bf7e7

SHA512
4cb361c832e4cc50cc0795275c7730c8820859c5af4a9a340d7bfe217e938f16c1d1394d9e2c8d3fe8ad169bc773b46678fc68aa0868e4a0219ed993be795e27

Download Submit
C:\Windows\{BD639D6B-6062-40c2-94A1-6645C20EEC2F}.exe

Filesize
408KB

MD5
4f4ac187253e60d2976a167ff56eda16

SHA1
e02c0dc837b59dc37ba6aec908e151abbc6f3038

SHA256
648cd72040b6f82d3e8d0762f479c155b9be133b02db7d2bff9af25347efe36e

SHA512
09d080b9d91b0b2b583e191ffd52a5339e7028f8359030dfc48e091049c83de9cf3f63311baee361d8d51836ab2ab7ca8820bae5d182cce03a6850201945e25c

Download Submit
C:\Windows\{BE9BE501-EC6B-4c98-B1E5-EA94835CD296}.exe

Filesize
408KB

MD5
08ea72afa6136ea88774ad8662e28da4

SHA1
f6858566811f2e32ac756cfee12626351def66a8

SHA256
a972ad23eafc8a1094b3aabbc3a159fb891d473e0977d97a9e8b1a61f9581a29

SHA512
454a9cdc6eb27d1261b537b91be8c751b65e4c66dd2423f423b8e67f2fdda6a46145c10be32e5a59bf55f85ad2e254a6e494941911b463c31930008f846c6c4a

Download Submit
C:\Windows\{E912744B-0160-4497-8F52-9E1AA7078811}.exe

Filesize
408KB

MD5
f884c9bd6aa096bf9a2686afdc1ce0aa

SHA1
4311733d475dad2c681bc09956728127690b3d5c

SHA256
0e753fcbf5c03d920c5e2b031b7f4afdca236b283b790df3a6a20a985368b72b

SHA512
136c7d5d576ff6e6de161dc6368e2afc0baaf94c2fc77ac3857320a2c228366996d41e5e452696cfb9c596af17c845083111ca22236b4e2d7e52518f63e7af8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads