e89bf326e3cc2f1b0bc347d2e73ed3e3b503925fa01f79002c38b71cb08e57f0

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Size

372KB
MD5

f49db05c7562d0410452652367e7e117
SHA1

6a29c3513cda5532bf75d0f17f7c59117d7164c6
SHA256

e89bf326e3cc2f1b0bc347d2e73ed3e3b503925fa01f79002c38b71cb08e57f0
SHA512

f014362261c6d7efe30acd310c6e85d75694216aab12d925cd3ddcda07efd0b49c5784e5aa988bccc9e1aa6c3cc20a35ab809e0fd1b5b8de3f42e36d4db39b01
SSDEEP

3072:CEGh0oclMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGWlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}\stubpath = "C:\\Windows\\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe"	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F300F90-B681-4f40-AA1A-97AD30480D27}	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}\stubpath = "C:\\Windows\\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe"	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28596F62-BBED-4204-8F70-3C7EF15F1C24}	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28596F62-BBED-4204-8F70-3C7EF15F1C24}\stubpath = "C:\\Windows\\{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe"	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FBCCAF-9E27-444b-BCCD-367127C99264}	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}\stubpath = "C:\\Windows\\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe"	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F300F90-B681-4f40-AA1A-97AD30480D27}\stubpath = "C:\\Windows\\{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe"	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E388C18-D100-4777-819B-1F36F67F9D19}	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E388C18-D100-4777-819B-1F36F67F9D19}\stubpath = "C:\\Windows\\{6E388C18-D100-4777-819B-1F36F67F9D19}.exe"	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}\stubpath = "C:\\Windows\\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe"	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}\stubpath = "C:\\Windows\\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe"	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}\stubpath = "C:\\Windows\\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe"	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FBCCAF-9E27-444b-BCCD-367127C99264}\stubpath = "C:\\Windows\\{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe"	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}\stubpath = "C:\\Windows\\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe"	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}\stubpath = "C:\\Windows\\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe"	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
676	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
3656	{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
File created	C:\Windows\{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
File created	C:\Windows\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
File created	C:\Windows\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
File created	C:\Windows\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
File created	C:\Windows\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
File created	C:\Windows\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
File created	C:\Windows\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
File created	C:\Windows\{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
File created	C:\Windows\{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
File created	C:\Windows\{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
File created	C:\Windows\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
Token: SeIncBasePriorityPrivilege	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
Token: SeIncBasePriorityPrivilege	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
Token: SeIncBasePriorityPrivilege	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
Token: SeIncBasePriorityPrivilege	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
Token: SeIncBasePriorityPrivilege	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
Token: SeIncBasePriorityPrivilege	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
Token: SeIncBasePriorityPrivilege	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
Token: SeIncBasePriorityPrivilege	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
Token: SeIncBasePriorityPrivilege	1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
Token: SeIncBasePriorityPrivilege	676	{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3164	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	94
PID 4868 wrote to memory of 3164	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	94
PID 4868 wrote to memory of 3164	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	94
PID 4868 wrote to memory of 4740	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	95
PID 4868 wrote to memory of 4740	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	95
PID 4868 wrote to memory of 4740	4868	2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe	95
PID 3164 wrote to memory of 4948	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	96
PID 3164 wrote to memory of 4948	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	96
PID 3164 wrote to memory of 4948	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	96
PID 3164 wrote to memory of 3956	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	97
PID 3164 wrote to memory of 3956	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	97
PID 3164 wrote to memory of 3956	3164	{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe	97
PID 4948 wrote to memory of 2716	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	101
PID 4948 wrote to memory of 2716	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	101
PID 4948 wrote to memory of 2716	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	101
PID 4948 wrote to memory of 2496	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	102
PID 4948 wrote to memory of 2496	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	102
PID 4948 wrote to memory of 2496	4948	{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe	102
PID 2716 wrote to memory of 1292	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	103
PID 2716 wrote to memory of 1292	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	103
PID 2716 wrote to memory of 1292	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	103
PID 2716 wrote to memory of 540	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	104
PID 2716 wrote to memory of 540	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	104
PID 2716 wrote to memory of 540	2716	{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe	104
PID 1292 wrote to memory of 3016	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	105
PID 1292 wrote to memory of 3016	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	105
PID 1292 wrote to memory of 3016	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	105
PID 1292 wrote to memory of 2104	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	106
PID 1292 wrote to memory of 2104	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	106
PID 1292 wrote to memory of 2104	1292	{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe	106
PID 3016 wrote to memory of 2200	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	108
PID 3016 wrote to memory of 2200	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	108
PID 3016 wrote to memory of 2200	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	108
PID 3016 wrote to memory of 5064	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	109
PID 3016 wrote to memory of 5064	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	109
PID 3016 wrote to memory of 5064	3016	{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe	109
PID 2200 wrote to memory of 1532	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	110
PID 2200 wrote to memory of 1532	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	110
PID 2200 wrote to memory of 1532	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	110
PID 2200 wrote to memory of 3980	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	111
PID 2200 wrote to memory of 3980	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	111
PID 2200 wrote to memory of 3980	2200	{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe	111
PID 1532 wrote to memory of 1896	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	118
PID 1532 wrote to memory of 1896	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	118
PID 1532 wrote to memory of 1896	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	118
PID 1532 wrote to memory of 3432	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	119
PID 1532 wrote to memory of 3432	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	119
PID 1532 wrote to memory of 3432	1532	{6E388C18-D100-4777-819B-1F36F67F9D19}.exe	119
PID 1896 wrote to memory of 4376	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	122
PID 1896 wrote to memory of 4376	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	122
PID 1896 wrote to memory of 4376	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	122
PID 1896 wrote to memory of 4004	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	123
PID 1896 wrote to memory of 4004	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	123
PID 1896 wrote to memory of 4004	1896	{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe	123
PID 4376 wrote to memory of 1880	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	124
PID 4376 wrote to memory of 1880	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	124
PID 4376 wrote to memory of 1880	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	124
PID 4376 wrote to memory of 916	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	125
PID 4376 wrote to memory of 916	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	125
PID 4376 wrote to memory of 916	4376	{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe	125
PID 1880 wrote to memory of 676	1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe	128
PID 1880 wrote to memory of 676	1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe	128
PID 1880 wrote to memory of 676	1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe	128
PID 1880 wrote to memory of 4212	1880	{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_f49db05c7562d0410452652367e7e117_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
  C:\Windows\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
    C:\Windows\{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
      C:\Windows\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
        
        C:\Windows\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
        
        C:\Windows\{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
        
        C:\Windows\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
        
        C:\Windows\{6E388C18-D100-4777-819B-1F36F67F9D19}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
        
        C:\Windows\{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
        
        C:\Windows\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
        
        C:\Windows\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
        
        C:\Windows\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe
        
        C:\Windows\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E65D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A063~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACAE5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82FBC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E388~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10FC9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28596~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3EC7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD713~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F300~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2EEE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AEE38E1-2878-4c9e-93A3-82B4C1FE6A83}.exe

Filesize
372KB

MD5
e27d5edd15ddf85b45a0432af94c1ecb

SHA1
b99f1d519b823e0d6b7c32f86cfeafd90721ad9c

SHA256
e5c4de9260f01ef7c553207e53e77fdf4b93a33a6423d23ed866ee5f340acdc6

SHA512
f0f69df356182329b99b37d82ca2d811806b79c6a7c9c9a6fef4ca7659a882ef998150f8ffc5a3824e7267b0270c2157323c3a498a5a6ec5647ca8281b18e857

Download Submit
C:\Windows\{10FC966F-0DD5-46fb-B12A-2EA8910CD1E8}.exe

Filesize
372KB

MD5
26ae12cb4fc7d1a80ee63ea0306672e5

SHA1
785a965548f3b2674dff0bfb56741a4e571aa6a3

SHA256
94a904fc962cc3cf90a8897a03f45d8d1bce1fc639d35f73ef98d5b152a27d7a

SHA512
ccb81e7c91ec3fd616c4e4a5745e891493846573906660501e6fbe0aa7cbc541366a1799345f1d02d24ba0d8d92851fd6fc741723de8496466bae8e3a2b0e0b1

Download Submit
C:\Windows\{28596F62-BBED-4204-8F70-3C7EF15F1C24}.exe

Filesize
372KB

MD5
74675b7f7be69f3fc65c5a2d87630fc2

SHA1
4155d004178320c72782efa17f42cd72ab716194

SHA256
cc1c1de3abba63132be2c33bfea05cfdcddfbeb0232d05e6b017a9a8c00ae408

SHA512
aab153293621c49cf167381ba6afe413d0c76ac29a2ea9f47ebeafb566d757628318544c432f6d3ccd0b01b7d91bd875cbb032e71c55c9ce88dc6a6d910fc44e

Download Submit
C:\Windows\{6E388C18-D100-4777-819B-1F36F67F9D19}.exe

Filesize
372KB

MD5
229221a509acf471650bf04b47286e9b

SHA1
cab23ff11788ae63c86a4eabc454967f5aa7d8af

SHA256
6e9af5ec49a8639c2080a992f16fc6ee31b1954dae56f4bd1ef35fb0ab3b6b5e

SHA512
af52a69fc97129bc9242e9647b6d118bc01e0a2e5d78ecbe7a05e94c05abd7767d30aeeb27733d08227ea05df70acf546c33ef61821d248625afe08f420439c0

Download Submit
C:\Windows\{7F300F90-B681-4f40-AA1A-97AD30480D27}.exe

Filesize
372KB

MD5
cd40e10503571be94fb67f4674d5154b

SHA1
1e7aaacad8df5a788273de3562034935182936d4

SHA256
6c1196597bd7c99212aa06f681515da4183db3dbdc95f2b3eb1d6482b9c79a3f

SHA512
920269cd4226bbcd9b7c3f6cfc19d23959c221d313713834fb087d8f5203ca9ca5d938e2ec5a61c297fe0c1ff671c4ae89444fd658f529836e72792805904981

Download Submit
C:\Windows\{82FBCCAF-9E27-444b-BCCD-367127C99264}.exe

Filesize
372KB

MD5
8140ccb8e865c37bf9897b7d733822ef

SHA1
cbae9f9d0811fa4fe0d2b5ee8640feb50d33d194

SHA256
fb8532a28ca0ea87bb1c075703e14f6d4ba4e208187def042eecbfe94d5a79f3

SHA512
96ed38804826b5c652d4c44a66cde4d06f7adac16c48a017ab94b7e21aaba90ba24e62c3cebaf6059ae7725e887dbc86f3cc9e1d213e0da50de374bfcecce26f

Download Submit
C:\Windows\{8A063C7D-9C3B-4729-8664-5F6451B36FDE}.exe

Filesize
372KB

MD5
b891e0624a34a2414acb5c5f00f4312e

SHA1
f95a9ef434088d6f7fa8c4845615551c75f6e297

SHA256
ab2e6a4c159a3eb12bf2f5ed661fac94ff28c4d0f777aedaf4a2aea56cb57049

SHA512
982ccf78e9782024c14c45fb2fa78566fdb222c8e54415d2f6467691da015fa5bb6e582a42fb534f82649c9cc510561896da57f59f7e7c2d5dcecbdbda21b2f9

Download Submit
C:\Windows\{8E65D95F-08F6-4cae-9E40-4853EC5D48ED}.exe

Filesize
372KB

MD5
cbbf22f509c84fb50892b36c2d2cb609

SHA1
95ace96ba184914ed3f101ff28eb6c19a14a0598

SHA256
2def777a8c2fa79599bb2fc1241d8b7f00f40b4697f3958279a1e58720548e49

SHA512
99da750439a7c1399882e379b6f3a467c2fd533508e533e393f0724c963573963c8ec7d32cbd37e1ea19b4d41f9db06feee523547345c654855ec94d2af562b5

Download Submit
C:\Windows\{A2EEE372-28D1-47a2-BA17-4EADD67D3BF7}.exe

Filesize
372KB

MD5
3810dcae4b186586d48fe82614a8e00a

SHA1
7712d122c4b04db8bf0d4a59191ae20f9935153d

SHA256
0288f21256e6abe2b93ceabbebf3ccd9b327cd3d612c4c11f3235490289292d7

SHA512
ede2c63ec35138cd98dfe9148a65bb109817e9eb9dfff6bd99e20d5fb0d2482575b889527706d9af6bf24d1a3cf86efd52ce12a926eb44704aeef0a8be95bef1

Download Submit
C:\Windows\{A3EC7742-1A4C-4ead-BBEA-5B4A151371A1}.exe

Filesize
372KB

MD5
384c506c36af3ed8f413a646b96976bb

SHA1
bf8688b4d0dbaaa960ca65604a7eea4727a3e1dc

SHA256
9fda532bd94538780982b592852b4437f867fdb59596833bf0dd5a77ec5c0dff

SHA512
36df22ed12373152d9ab54586a9eb63daa2c327bc9dc592bbd506b40e97b4446df9485102cf2a7121c431b826c6b3dbfd4064855ef471bb4cdb7f98a2282e1a3

Download Submit
C:\Windows\{ACAE5B18-C78C-4941-8A16-41AEBC641D34}.exe

Filesize
372KB

MD5
7e1a33cc0eb0d2fad16238a5a7d1760b

SHA1
ccc2f72c479bd7ff87a74967b055ee5ed5618009

SHA256
852dc647aad2dbf40ad41fb029ac9e577e35b48c1ca97073b410d688d9f9443f

SHA512
78b0de8c13771c00e2347d1800a69c1e1bde02d474b3d5200b3eb72207d0eb4e7205df33ce07a6d7f7eb2519eb06aad2e6f30fb785ed53ebaccb82a26a586459

Download Submit
C:\Windows\{CD713744-A723-4f7b-B8FF-610BB4D1FC7D}.exe

Filesize
372KB

MD5
948b50398f3687ceb24fe440b9129395

SHA1
b3162d69c84c4a4edd78345bb549c6eb3eb6f6ca

SHA256
4d70eadb0e51a47511f076fca29a8c66470c2428a25968f7c4773c5762f66f59

SHA512
f73a09bf172ff1b426a65ba326bbf02158c3550f77292899889f3f79a2e5c9c5c188b5cad699c048de8106659792c97ea91b3fee386fb0398b4ba4e0a24d564e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads