18057fd114d006f6759f0a7cef2a9a3c6b4a42229ed9dbda540b0a1775c9d258

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
Size

180KB
MD5

2423101674179bcc28ab9af4ce845ca8
SHA1

600afeda4e83510cf84e7ac6476579e59c7103f5
SHA256

18057fd114d006f6759f0a7cef2a9a3c6b4a42229ed9dbda540b0a1775c9d258
SHA512

ecbe76535cb9f35426ebad5f7446fee1d4b29f1df5874f58b62314d1bf33c6eb5e917f794db56b6593dff8b4d0be8391f331757c97c45a557609ab20d9e61e53
SSDEEP

3072:jEGh0oRlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGXl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E695B7F-96CE-4459-B700-A6DA320DD85A}	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E695B7F-96CE-4459-B700-A6DA320DD85A}\stubpath = "C:\\Windows\\{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe"	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}\stubpath = "C:\\Windows\\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe"	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40492BED-5332-47ee-BBEF-1B446E38F2F5}	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}\stubpath = "C:\\Windows\\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe"	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}\stubpath = "C:\\Windows\\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe"	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13094A60-452A-4c63-BF9C-2DE35C463C8D}\stubpath = "C:\\Windows\\{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe"	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481975F0-8B80-4339-B83A-01EF520A86EF}\stubpath = "C:\\Windows\\{481975F0-8B80-4339-B83A-01EF520A86EF}.exe"	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E79393-98D0-49e6-B3E8-9064C5B5F983}	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}\stubpath = "C:\\Windows\\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe"	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}\stubpath = "C:\\Windows\\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe"	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481975F0-8B80-4339-B83A-01EF520A86EF}	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40492BED-5332-47ee-BBEF-1B446E38F2F5}\stubpath = "C:\\Windows\\{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe"	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}\stubpath = "C:\\Windows\\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe"	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13094A60-452A-4c63-BF9C-2DE35C463C8D}	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}\stubpath = "C:\\Windows\\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe"	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21E79393-98D0-49e6-B3E8-9064C5B5F983}\stubpath = "C:\\Windows\\{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe"	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
2948	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
2452	{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
File created	C:\Windows\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
File created	C:\Windows\{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
File created	C:\Windows\{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
File created	C:\Windows\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
File created	C:\Windows\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
File created	C:\Windows\{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
File created	C:\Windows\{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
File created	C:\Windows\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
File created	C:\Windows\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
File created	C:\Windows\{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
File created	C:\Windows\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
Token: SeIncBasePriorityPrivilege	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
Token: SeIncBasePriorityPrivilege	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
Token: SeIncBasePriorityPrivilege	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
Token: SeIncBasePriorityPrivilege	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
Token: SeIncBasePriorityPrivilege	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
Token: SeIncBasePriorityPrivilege	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
Token: SeIncBasePriorityPrivilege	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
Token: SeIncBasePriorityPrivilege	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
Token: SeIncBasePriorityPrivilege	1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
Token: SeIncBasePriorityPrivilege	2948	{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2012	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	94
PID 2304 wrote to memory of 2012	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	94
PID 2304 wrote to memory of 2012	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	94
PID 2304 wrote to memory of 1692	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	95
PID 2304 wrote to memory of 1692	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	95
PID 2304 wrote to memory of 1692	2304	2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe	95
PID 2012 wrote to memory of 64	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	96
PID 2012 wrote to memory of 64	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	96
PID 2012 wrote to memory of 64	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	96
PID 2012 wrote to memory of 1972	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	97
PID 2012 wrote to memory of 1972	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	97
PID 2012 wrote to memory of 1972	2012	{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe	97
PID 64 wrote to memory of 1372	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	101
PID 64 wrote to memory of 1372	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	101
PID 64 wrote to memory of 1372	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	101
PID 64 wrote to memory of 244	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	102
PID 64 wrote to memory of 244	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	102
PID 64 wrote to memory of 244	64	{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe	102
PID 1372 wrote to memory of 1076	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	103
PID 1372 wrote to memory of 1076	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	103
PID 1372 wrote to memory of 1076	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	103
PID 1372 wrote to memory of 2564	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	104
PID 1372 wrote to memory of 2564	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	104
PID 1372 wrote to memory of 2564	1372	{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe	104
PID 1076 wrote to memory of 4028	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	105
PID 1076 wrote to memory of 4028	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	105
PID 1076 wrote to memory of 4028	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	105
PID 1076 wrote to memory of 952	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	106
PID 1076 wrote to memory of 952	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	106
PID 1076 wrote to memory of 952	1076	{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe	106
PID 4028 wrote to memory of 2940	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	108
PID 4028 wrote to memory of 2940	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	108
PID 4028 wrote to memory of 2940	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	108
PID 4028 wrote to memory of 216	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	109
PID 4028 wrote to memory of 216	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	109
PID 4028 wrote to memory of 216	4028	{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe	109
PID 2940 wrote to memory of 3928	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	110
PID 2940 wrote to memory of 3928	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	110
PID 2940 wrote to memory of 3928	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	110
PID 2940 wrote to memory of 4648	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	111
PID 2940 wrote to memory of 4648	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	111
PID 2940 wrote to memory of 4648	2940	{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe	111
PID 3928 wrote to memory of 3232	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	116
PID 3928 wrote to memory of 3232	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	116
PID 3928 wrote to memory of 3232	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	116
PID 3928 wrote to memory of 740	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	117
PID 3928 wrote to memory of 740	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	117
PID 3928 wrote to memory of 740	3928	{481975F0-8B80-4339-B83A-01EF520A86EF}.exe	117
PID 3232 wrote to memory of 1108	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	121
PID 3232 wrote to memory of 1108	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	121
PID 3232 wrote to memory of 1108	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	121
PID 3232 wrote to memory of 3216	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	122
PID 3232 wrote to memory of 3216	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	122
PID 3232 wrote to memory of 3216	3232	{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe	122
PID 1108 wrote to memory of 1220	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	123
PID 1108 wrote to memory of 1220	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	123
PID 1108 wrote to memory of 1220	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	123
PID 1108 wrote to memory of 4636	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	124
PID 1108 wrote to memory of 4636	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	124
PID 1108 wrote to memory of 4636	1108	{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe	124
PID 1220 wrote to memory of 2948	1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe	125
PID 1220 wrote to memory of 2948	1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe	125
PID 1220 wrote to memory of 2948	1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe	125
PID 1220 wrote to memory of 3256	1220	{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_2423101674179bcc28ab9af4ce845ca8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
  C:\Windows\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
    C:\Windows\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
      C:\Windows\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
        
        C:\Windows\{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
        
        C:\Windows\{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
        
        C:\Windows\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
        
        C:\Windows\{481975F0-8B80-4339-B83A-01EF520A86EF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
        
        C:\Windows\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
        
        C:\Windows\{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
        
        C:\Windows\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
        
        C:\Windows\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe
        
        C:\Windows\{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C72A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79BC7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40492~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9A32~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48197~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99C9D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E695~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13094~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D4E1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F05E3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E1D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D4E1E25-E0C7-4a13-9AC6-AC083C561BAB}.exe

Filesize
180KB

MD5
6466ef680afb2076019da83fdb666d04

SHA1
c9f17d97380a269f0e1a1757a66a9f5b94537fb7

SHA256
689bbe7ebb8ec5589a0e154e760e65d2ce57b3eb11eb0a4710d9e4b2c8b85a37

SHA512
30323679ed0e3a8bfedf6c275ffb0f8aa7dbf491ad07ea9a8657139941790c4eefc9138fdf196e0d78e74d98d7451e05b6ab280ec3324acca1d90c0274b17671

Download Submit
C:\Windows\{13094A60-452A-4c63-BF9C-2DE35C463C8D}.exe

Filesize
180KB

MD5
0658a15b3a8254de8f14a0dd5c3bc5fe

SHA1
74ecd57f101f115120e4446bfcc14240aa1f0a05

SHA256
6c1793969afe3e2f8302966c251c53658e7413a9bef90f6c27800581e6fbffdc

SHA512
1fddb002c20b69a484e3e7591b889658cf1c4ee5469ffa8be0718f2e1d435d0e3c9f654613488616eb9a54ae772f42addf90e56d85ea0bd54acdbc610c7756c0

Download Submit
C:\Windows\{21E79393-98D0-49e6-B3E8-9064C5B5F983}.exe

Filesize
180KB

MD5
19440e23af86aa94c439dbf0253f0fb3

SHA1
a3ff756a9cf5376f7880d48a522291e34f378525

SHA256
96dc9c7592fed9538eae9c97c2d1cce251828702a264aaf2e489b6a93df4e286

SHA512
2a6c4dac814b3e8ea3741a26d6d08211c9dc4fe94663f9289fcff9b8cf17141fc02e85ba4b250bd31a9ed5172dd4ec57a479bd1730f531abe612375ade8fe2d0

Download Submit
C:\Windows\{40492BED-5332-47ee-BBEF-1B446E38F2F5}.exe

Filesize
180KB

MD5
2bf422584db74104b52edf34ed3f36f2

SHA1
303bee27f9f71aa290b2840f63d80a77f2400bb2

SHA256
d885fc1feadd0a01089002c571f8f13a46f3e0e6505a2478b6e05b7f249543ee

SHA512
1969a91f98d555a6677bd5bff44947fd3d5e5ceaec73cba0cc18f313ac58413a6153d12f0b300a8ca1fb19e754df00e0646ec678dce7425e94d8836f55f5fa9f

Download Submit
C:\Windows\{481975F0-8B80-4339-B83A-01EF520A86EF}.exe

Filesize
180KB

MD5
de2efb870e5acde360a82aa7ee22f1c2

SHA1
f70a3762126d19dac4410a041acdde6abc3abe30

SHA256
56275380cb2427e3250cd005cc69e520dfc69895240f46f31d086e3602c2668f

SHA512
45d927d43c8913a2f83ac384f2311a723e127db1b21476581f73409c6048152bc5ff43df7f7ac70307175bf962e625407df456431e5dbcdaa007c42a59ebca4f

Download Submit
C:\Windows\{5C72A92D-6B00-4199-B70F-87A4FCA0313C}.exe

Filesize
180KB

MD5
42c08f710def238f897be0cebf746f88

SHA1
f69b291cea470e3411fe87e76f661803a7c96c4b

SHA256
2fe4af7bdf43315f488774cfe1ea423bb3f7aaf2935d5a30972715d797d90178

SHA512
1821c86334040630effb3c925511c0dafc286ade8d89c037b7d00516986220886576681bda50c21c7085873749cb3daf545c715b0b9b9cba5501c904b5688800

Download Submit
C:\Windows\{6E695B7F-96CE-4459-B700-A6DA320DD85A}.exe

Filesize
180KB

MD5
7366817588a389e1a69a99430d35f365

SHA1
24838b0b19f7c64b35c542bb01440be14017e637

SHA256
9e56ee3c16ac89408301d1f889ececf7628dd32f204d90a64c934ae6b86d4110

SHA512
7cca636a91ba1551e4e3eafca227a16eeb147b5a707d238e1286a23023a21ce32ae62529049a478d045975105a43c17918eae988f0aad84488dde4e6215d60b2

Download Submit
C:\Windows\{79BC73EB-6B7F-4730-A8F2-824B9884A2B7}.exe

Filesize
180KB

MD5
dee0213458013e8c13707db97eb9c100

SHA1
42b43e0e29d0d54f27780dd9d82dcb05da58db7d

SHA256
403bae858794ae8aab1480e623e5505f143b2046bb62b513510c90b0a1c82c73

SHA512
6fb37333a6362ddfdba0ba8562c868c3a68991dbe789ae2245e47ba15e5014d75d5bcbd1ab5c553c093ffbfec14fbf45724cb39a0c48553e0f9ef93b2e241f47

Download Submit
C:\Windows\{99C9DEB8-CEDD-4328-A2C7-F005618D0DB7}.exe

Filesize
180KB

MD5
db4a42cc1d32ce37b884a74ea43572ae

SHA1
d938b41c607f9a607a4c1fc1a28a25111b7cad29

SHA256
8d13f54a9bde0bbc1014ff0c12f3e2a5d1ee7cfedc6368b0ce87c3b1e775c6cd

SHA512
712bed92898ec285dd2c8fa6e4eaf9ae2e9a0bf67db4c30e96671db0084fe3f5f54730de1cc582df66adfa92ec03fe8566e950e4932c68cad8389b387baecf89

Download Submit
C:\Windows\{D9A32E8B-6723-4425-A9A1-54AADA63A62E}.exe

Filesize
180KB

MD5
6cf24714ad8de54ee1829e09a6882ca3

SHA1
e040d9ef1f112bc4808dca3b0d964f11d4d57a17

SHA256
23f988d5645fe4564d9460ce1f8837b5a6a7742e4ddc5ad6fcc0ea0bbc2f8e26

SHA512
4272cf2f31e74fc86826afec28698a91feddf607f20e80ebce3c7a448e7e64e53d6ca6407e4f3bd0ebfd1ff435eb4884565135563e6a238cf1c4ae1831f0f302

Download Submit
C:\Windows\{F05E3757-0C10-4069-AAF6-3E37D39DA6B2}.exe

Filesize
180KB

MD5
64cae0dc63e3a2cfb1564c69f8445077

SHA1
844f43d2971cb5f58a4bb3193c68eb3591fd7f1a

SHA256
69220aeba83b60661c928cb747369db5292aab26b83d2804db7495f183bbd019

SHA512
838a9110d9fbe63fead8e3814e61359d25716af5cee87a26351971e33168cae0548b538a28e5a2370ee695344cad2102952ddf4e1ff00820a9109feef262c577

Download Submit
C:\Windows\{F1E1DF02-F8D4-48b4-AFC1-02E99821D398}.exe

Filesize
180KB

MD5
0a39373ec098e92bdc425d79b66a3644

SHA1
0c759ce7c56422b5f497f8521f197fd89669dfc0

SHA256
2e2fe16cf66244d3c1313574562d2deb916d53ef6e7a24221534c80cd4830c7f

SHA512
acd662273e82e235989df0d7d1761894c5be330a4010085c1e5d382d80e3720014aeed84bc668802161e44044e40f0eed5029c47cf93bd791c2ec22ec2f7ed2a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads