8f36579b33b1727c4d390bc96b9480d477ba158f9d19cb30fcf934b266ed2389

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
Size

168KB
MD5

7b499e1e8d99c217bfda507c3b88877e
SHA1

56d1650a3a37d4480febf0b33976dfac5f8e217a
SHA256

8f36579b33b1727c4d390bc96b9480d477ba158f9d19cb30fcf934b266ed2389
SHA512

a1f2c53c96b5d9b63b387ab281513afe168175c325433e236c7b84b73b4503d2f0dcc90146667d231399bd38543219849269d5c8e92b6489f6d994ff729eae13
SSDEEP

1536:1EGh0oglq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oglqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0372F843-1770-441f-9189-711C48A2D200}	{A86E995A-2F5D-4a05-965B-349807734241}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}	{0372F843-1770-441f-9189-711C48A2D200}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57599F31-9089-4702-819F-11E6E46D8FCE}	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57599F31-9089-4702-819F-11E6E46D8FCE}\stubpath = "C:\\Windows\\{57599F31-9089-4702-819F-11E6E46D8FCE}.exe"	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A86E995A-2F5D-4a05-965B-349807734241}	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3441CE2E-E022-4111-824F-D429A20F2B9D}	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94C46680-5564-4ad1-A671-86513C2AD341}\stubpath = "C:\\Windows\\{94C46680-5564-4ad1-A671-86513C2AD341}.exe"	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}\stubpath = "C:\\Windows\\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe"	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A86E995A-2F5D-4a05-965B-349807734241}\stubpath = "C:\\Windows\\{A86E995A-2F5D-4a05-965B-349807734241}.exe"	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}\stubpath = "C:\\Windows\\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe"	{0372F843-1770-441f-9189-711C48A2D200}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3441CE2E-E022-4111-824F-D429A20F2B9D}\stubpath = "C:\\Windows\\{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe"	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60D12212-EF75-421a-8146-80A619E568E1}\stubpath = "C:\\Windows\\{60D12212-EF75-421a-8146-80A619E568E1}.exe"	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}	{60D12212-EF75-421a-8146-80A619E568E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60D12212-EF75-421a-8146-80A619E568E1}	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}\stubpath = "C:\\Windows\\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe"	{60D12212-EF75-421a-8146-80A619E568E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0372F843-1770-441f-9189-711C48A2D200}\stubpath = "C:\\Windows\\{0372F843-1770-441f-9189-711C48A2D200}.exe"	{A86E995A-2F5D-4a05-965B-349807734241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}\stubpath = "C:\\Windows\\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe"	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94C46680-5564-4ad1-A671-86513C2AD341}	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}\stubpath = "C:\\Windows\\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe"	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}\stubpath = "C:\\Windows\\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe"	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe
4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe
4648	{0372F843-1770-441f-9189-711C48A2D200}.exe
4876	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
1816	{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0372F843-1770-441f-9189-711C48A2D200}.exe	{A86E995A-2F5D-4a05-965B-349807734241}.exe
File created	C:\Windows\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe	{0372F843-1770-441f-9189-711C48A2D200}.exe
File created	C:\Windows\{94C46680-5564-4ad1-A671-86513C2AD341}.exe	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
File created	C:\Windows\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
File created	C:\Windows\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
File created	C:\Windows\{60D12212-EF75-421a-8146-80A619E568E1}.exe	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
File created	C:\Windows\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	{60D12212-EF75-421a-8146-80A619E568E1}.exe
File created	C:\Windows\{A86E995A-2F5D-4a05-965B-349807734241}.exe	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
File created	C:\Windows\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
File created	C:\Windows\{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
File created	C:\Windows\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
File created	C:\Windows\{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A86E995A-2F5D-4a05-965B-349807734241}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60D12212-EF75-421a-8146-80A619E568E1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0372F843-1770-441f-9189-711C48A2D200}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
Token: SeIncBasePriorityPrivilege	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe
Token: SeIncBasePriorityPrivilege	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
Token: SeIncBasePriorityPrivilege	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
Token: SeIncBasePriorityPrivilege	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
Token: SeIncBasePriorityPrivilege	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
Token: SeIncBasePriorityPrivilege	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe
Token: SeIncBasePriorityPrivilege	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
Token: SeIncBasePriorityPrivilege	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe
Token: SeIncBasePriorityPrivilege	4648	{0372F843-1770-441f-9189-711C48A2D200}.exe
Token: SeIncBasePriorityPrivilege	4876	{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 4396	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	94
PID 3488 wrote to memory of 4396	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	94
PID 3488 wrote to memory of 4396	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	94
PID 3488 wrote to memory of 3004	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	95
PID 3488 wrote to memory of 3004	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	95
PID 3488 wrote to memory of 3004	3488	2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe	95
PID 4396 wrote to memory of 3960	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	96
PID 4396 wrote to memory of 3960	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	96
PID 4396 wrote to memory of 3960	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	96
PID 4396 wrote to memory of 2248	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	97
PID 4396 wrote to memory of 2248	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	97
PID 4396 wrote to memory of 2248	4396	{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe	97
PID 3960 wrote to memory of 4796	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	101
PID 3960 wrote to memory of 4796	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	101
PID 3960 wrote to memory of 4796	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	101
PID 3960 wrote to memory of 1872	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	102
PID 3960 wrote to memory of 1872	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	102
PID 3960 wrote to memory of 1872	3960	{94C46680-5564-4ad1-A671-86513C2AD341}.exe	102
PID 4796 wrote to memory of 2224	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	103
PID 4796 wrote to memory of 2224	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	103
PID 4796 wrote to memory of 2224	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	103
PID 4796 wrote to memory of 3260	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	104
PID 4796 wrote to memory of 3260	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	104
PID 4796 wrote to memory of 3260	4796	{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe	104
PID 2224 wrote to memory of 808	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	105
PID 2224 wrote to memory of 808	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	105
PID 2224 wrote to memory of 808	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	105
PID 2224 wrote to memory of 4380	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	106
PID 2224 wrote to memory of 4380	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	106
PID 2224 wrote to memory of 4380	2224	{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe	106
PID 808 wrote to memory of 436	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	108
PID 808 wrote to memory of 436	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	108
PID 808 wrote to memory of 436	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	108
PID 808 wrote to memory of 4024	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	109
PID 808 wrote to memory of 4024	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	109
PID 808 wrote to memory of 4024	808	{57599F31-9089-4702-819F-11E6E46D8FCE}.exe	109
PID 436 wrote to memory of 2668	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	110
PID 436 wrote to memory of 2668	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	110
PID 436 wrote to memory of 2668	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	110
PID 436 wrote to memory of 3900	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	111
PID 436 wrote to memory of 3900	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	111
PID 436 wrote to memory of 3900	436	{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe	111
PID 2668 wrote to memory of 4820	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	116
PID 2668 wrote to memory of 4820	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	116
PID 2668 wrote to memory of 4820	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	116
PID 2668 wrote to memory of 1764	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	117
PID 2668 wrote to memory of 1764	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	117
PID 2668 wrote to memory of 1764	2668	{60D12212-EF75-421a-8146-80A619E568E1}.exe	117
PID 4820 wrote to memory of 5040	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	122
PID 4820 wrote to memory of 5040	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	122
PID 4820 wrote to memory of 5040	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	122
PID 4820 wrote to memory of 740	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	123
PID 4820 wrote to memory of 740	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	123
PID 4820 wrote to memory of 740	4820	{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe	123
PID 5040 wrote to memory of 4648	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	124
PID 5040 wrote to memory of 4648	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	124
PID 5040 wrote to memory of 4648	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	124
PID 5040 wrote to memory of 2632	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	125
PID 5040 wrote to memory of 2632	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	125
PID 5040 wrote to memory of 2632	5040	{A86E995A-2F5D-4a05-965B-349807734241}.exe	125
PID 4648 wrote to memory of 4876	4648	{0372F843-1770-441f-9189-711C48A2D200}.exe	129
PID 4648 wrote to memory of 4876	4648	{0372F843-1770-441f-9189-711C48A2D200}.exe	129
PID 4648 wrote to memory of 4876	4648	{0372F843-1770-441f-9189-711C48A2D200}.exe	129
PID 4648 wrote to memory of 3644	4648	{0372F843-1770-441f-9189-711C48A2D200}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_7b499e1e8d99c217bfda507c3b88877e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
  C:\Windows\{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\{94C46680-5564-4ad1-A671-86513C2AD341}.exe
    C:\Windows\{94C46680-5564-4ad1-A671-86513C2AD341}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
      C:\Windows\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
        
        C:\Windows\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
        
        C:\Windows\{57599F31-9089-4702-819F-11E6E46D8FCE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
        
        C:\Windows\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{60D12212-EF75-421a-8146-80A619E568E1}.exe
        
        C:\Windows\{60D12212-EF75-421a-8146-80A619E568E1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
        
        C:\Windows\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{A86E995A-2F5D-4a05-965B-349807734241}.exe
        
        C:\Windows\{A86E995A-2F5D-4a05-965B-349807734241}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\{0372F843-1770-441f-9189-711C48A2D200}.exe
        
        C:\Windows\{0372F843-1770-441f-9189-711C48A2D200}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
        
        C:\Windows\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe
        
        C:\Windows\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0487E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0372F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A86E9~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DDE4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60D12~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C2C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57599~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D6E5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{897B1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94C46~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3441C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0372F843-1770-441f-9189-711C48A2D200}.exe

Filesize
168KB

MD5
bf2f54f2e8d7bc277646e18178dc695a

SHA1
633a78df16767b20d4e3ecbc27ff948b67b4d4ed

SHA256
6e32a774da365d88b986ef27b69ec769aaeadfa96f58bf4bafdf3ec09a469dbb

SHA512
67c6003c33b849ed2252a8f95ac3d6d141a163cc8973d886a061e7fe3dc40de9e5e38fb9b856448ad7867a726ffd1a7a8f5be522cc2b50b61e8e1b5aebeda4bb

Download Submit
C:\Windows\{0487EB3A-F067-4db2-A079-DFD4AAAE349B}.exe

Filesize
168KB

MD5
4be2d65b2fc0cc75463c37ac86312f48

SHA1
a91df3b1fbf866867a82642c9f5781ab42fe702f

SHA256
4282131bd837cd1220eab9cc836fb54b15c2f5a317891d9cb65e95f325ccb7e1

SHA512
5d65f437310491e201b56e7df36e4ec1ef3aa2d617b833cb599b1b2013311d2a43a8dc8229a859d642bd55d310f6bb795fc1eb8bb1c8802f98dc35bb7f649b13

Download Submit
C:\Windows\{1DDE4B70-76B6-48e0-B8F6-AC64DBC20271}.exe

Filesize
168KB

MD5
701c06a48fe11a4ea9b02ccbd8bdea28

SHA1
58b574ee6fe34f5e8bb154fab3290827a3c29f6d

SHA256
67c53b0d79fb336b18d3e9fb84f14aa85766dea564cfa48ae4bbdadea60c979b

SHA512
93d6effacdbfbed63b3ee4c90be3b7441841749eeca9d9c3eaff121d8f931d5b1cd05a1e5f5f91eea79baf718efd36e69ded8dd01a62097428c398f2c778e736

Download Submit
C:\Windows\{3441CE2E-E022-4111-824F-D429A20F2B9D}.exe

Filesize
168KB

MD5
1b398b31ceca612a7ac4e7b3a822749c

SHA1
a28762579dbb800bf045d3f0585171494b3f1e79

SHA256
aafd448808eb4ba5f5d2c70c56d29f00c0c506a0546f3caef7e1beff7ea23f51

SHA512
448b620e9d597ca71fb08eaf6a2fadb6e598391c8168d31303a2910dbac320c9e221c12db2191db802e63dc63cbc3707d22cfdf9e01086c0eb7f0b3f2255dca5

Download Submit
C:\Windows\{4D6E5653-4D59-4f55-B1BF-16352CDDDB43}.exe

Filesize
168KB

MD5
41bd7b6099e22e7b8c7f08338993b9dd

SHA1
4c47acabe35071e0336ba521ca552e9ce6fb05cf

SHA256
433f6ce90a108f19ce213806b7e3d50e913618d1937936e4e0bdfa728f749e3c

SHA512
edcc2b2a97368c23127886c743acf998c921c57383d4bc1be6739099510065eaf7dac76c5b111a862b378766613e4bfe8fed7e940bcd90d73324b214a38ef67f

Download Submit
C:\Windows\{57599F31-9089-4702-819F-11E6E46D8FCE}.exe

Filesize
168KB

MD5
46f13609a37c4d08f90cfc6cea48f8a5

SHA1
256b6324e87d861c7c34dcb42a219ced65e65c1e

SHA256
274bd9d1a4200962e4487eef8a86884a35feb7c8a48b8e0d240351d3645c029e

SHA512
f03b1a8630145e7f2d596a1efae0eb65f7a87f28f0df60fa0756624f1d431a09266fa3520ca4f4813593528483875ecd8c0092d688146649a2dfbddb1bddb9c8

Download Submit
C:\Windows\{60D12212-EF75-421a-8146-80A619E568E1}.exe

Filesize
168KB

MD5
0e15383548ac14e4dfb05718099bfb55

SHA1
f319bd45a7c825497533c9452f548e88aef265ac

SHA256
7d96c2febe4beab0058c30e816a122592739e6c25637eac14898601c73eef99a

SHA512
91dfbfdb8319b11489fc556a04899e3de7f3fc3e186fb9b19c7759bdaff4838bc7cb7413eae2f96d10be92035188b5e8cf2069a1772da2fc8dd37a28039ba592

Download Submit
C:\Windows\{897B1FA6-F28B-4b07-93B8-1012A62DBEB2}.exe

Filesize
168KB

MD5
8db2093ddf7001c4dc01629e0ee040fb

SHA1
82ba5993da40d4226975f44132d8c1083054e966

SHA256
eba46d0fae06bf5ad7d0054a3b30edca073e4ca5606bbc8fd8bc86629af91253

SHA512
1310ffd637a18dcc7347a9ac875e9535de72abaa9643e9008583094bbfaec6d31806f28e226e19d6add5bea5d2b92284b25a0b70b7eb05c16cffbd521621b06c

Download Submit
C:\Windows\{94C46680-5564-4ad1-A671-86513C2AD341}.exe

Filesize
168KB

MD5
5a787c17a594a58eb0129deff1edf670

SHA1
e53b8f61a92fa885c08d40ca3a39cef9bc58ef8f

SHA256
a47d279d166313313c2cc00fec197644b256c7565477200c7b418d60d917b63e

SHA512
fecfb59d367d3688140841dc8680cee18627d2012315bd0eb4e4eeb03fcc1c7d139539212e41cb7587389a4940e9f41abd6283a63734ab6ebfc8aa253881d3c2

Download Submit
C:\Windows\{9D323770-8D8A-48b6-8FE8-D05CDFDDD4C1}.exe

Filesize
168KB

MD5
3345ea5f0fc242d337fbe5771ab2b4d4

SHA1
b429ebc946a25e32677adebb0cc00d5b766cfb3f

SHA256
1195c0010a750052df9d6cccc5164f92bb38621dceaf4eef39864eef347b7d73

SHA512
c9c701a07aa70e0c6a28cfd4978c70721388dfb98ecdb2e7c398882277effeb25501682e0b1bc57eff057eff9c86c7fd062082c34a0e22c6c6ec3affbd6fa94a

Download Submit
C:\Windows\{A86E995A-2F5D-4a05-965B-349807734241}.exe

Filesize
168KB

MD5
5ad2a0bd0dd53b7bdb0db8ec598f0590

SHA1
168c0a9c4fda5998500a04d9cbd34d25daae2318

SHA256
798f3d5dc6571a52374a49aee25a059c04d312541b2a7964d4f9ce7e08b3b3fd

SHA512
d2be9c88967645a289df0a450f2380eaec6fbfe0699caa01a0599d6a71b1839d50a15675fde516cf74a3624e517c2c577aef52115f056bba74ce461d1eadb500

Download Submit
C:\Windows\{B9C2CD62-4DF9-408a-896C-6CAC24B545DB}.exe

Filesize
168KB

MD5
cdceec1cd21e8d13762aa403a63a100a

SHA1
7810bb9e5734afec175520d3f22a9af90cb311a1

SHA256
96a17e12697bae643fe7cf60a7756bf19a0671a9bb41ca14fc6d201d66c4ad50

SHA512
8386d0434b8e71c42cb6b37616140c5b438439f741e1c7eb959ebdfa9e1da6012dced00d9c908f5ba91ad366585c2a60b1c662847e0d15cd8ac64f141ca5ae59

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads