2a2b0e97d0fd262c10207dcdffc51ec9d191a0e99c11fe4aa3a131e02533cc4d

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Size

192KB
MD5

72eee0c77e748fa0100f2fd070410e48
SHA1

4e6a28d0cbc9846bd91207d2198d6294bf037b1d
SHA256

2a2b0e97d0fd262c10207dcdffc51ec9d191a0e99c11fe4aa3a131e02533cc4d
SHA512

4109b119cde0ec52adf345f0b9d4272593f7107418352f22b836d8db239fc9946fc274e0a118e5bc2c32d459c9b0332228173e30e1b7a9cf5689c9d865061370
SSDEEP

1536:1EGh0oJLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0odl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}\stubpath = "C:\\Windows\\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe"	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}\stubpath = "C:\\Windows\\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe"	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{516142F7-780D-469a-B99C-0815901624A0}	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}\stubpath = "C:\\Windows\\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe"	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}	{516142F7-780D-469a-B99C-0815901624A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784C81A3-5E34-4129-AB53-E117A43C8390}	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}\stubpath = "C:\\Windows\\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe"	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}\stubpath = "C:\\Windows\\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe"	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}\stubpath = "C:\\Windows\\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe"	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BEC082-1B68-4467-96FB-2A28C636152C}	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50BEC082-1B68-4467-96FB-2A28C636152C}\stubpath = "C:\\Windows\\{50BEC082-1B68-4467-96FB-2A28C636152C}.exe"	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{516142F7-780D-469a-B99C-0815901624A0}\stubpath = "C:\\Windows\\{516142F7-780D-469a-B99C-0815901624A0}.exe"	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}\stubpath = "C:\\Windows\\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe"	{516142F7-780D-469a-B99C-0815901624A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}\stubpath = "C:\\Windows\\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe"	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{784C81A3-5E34-4129-AB53-E117A43C8390}\stubpath = "C:\\Windows\\{784C81A3-5E34-4129-AB53-E117A43C8390}.exe"	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}\stubpath = "C:\\Windows\\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe"	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe

Executes dropped EXE 12 IoCs

pid	Process
1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
3420	{516142F7-780D-469a-B99C-0815901624A0}.exe
2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
2932	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
3396	{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
File created	C:\Windows\{516142F7-780D-469a-B99C-0815901624A0}.exe	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
File created	C:\Windows\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	{516142F7-780D-469a-B99C-0815901624A0}.exe
File created	C:\Windows\{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
File created	C:\Windows\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
File created	C:\Windows\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
File created	C:\Windows\{50BEC082-1B68-4467-96FB-2A28C636152C}.exe	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
File created	C:\Windows\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
File created	C:\Windows\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
File created	C:\Windows\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
File created	C:\Windows\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
File created	C:\Windows\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{516142F7-780D-469a-B99C-0815901624A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
Token: SeIncBasePriorityPrivilege	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe
Token: SeIncBasePriorityPrivilege	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
Token: SeIncBasePriorityPrivilege	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
Token: SeIncBasePriorityPrivilege	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
Token: SeIncBasePriorityPrivilege	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
Token: SeIncBasePriorityPrivilege	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
Token: SeIncBasePriorityPrivilege	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
Token: SeIncBasePriorityPrivilege	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
Token: SeIncBasePriorityPrivilege	2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
Token: SeIncBasePriorityPrivilege	2932	{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 1668	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	94
PID 3600 wrote to memory of 1668	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	94
PID 3600 wrote to memory of 1668	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	94
PID 3600 wrote to memory of 4508	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	95
PID 3600 wrote to memory of 4508	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	95
PID 3600 wrote to memory of 4508	3600	2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe	95
PID 1668 wrote to memory of 3420	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	96
PID 1668 wrote to memory of 3420	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	96
PID 1668 wrote to memory of 3420	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	96
PID 1668 wrote to memory of 3216	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	97
PID 1668 wrote to memory of 3216	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	97
PID 1668 wrote to memory of 3216	1668	{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe	97
PID 3420 wrote to memory of 2608	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	100
PID 3420 wrote to memory of 2608	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	100
PID 3420 wrote to memory of 2608	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	100
PID 3420 wrote to memory of 996	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	101
PID 3420 wrote to memory of 996	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	101
PID 3420 wrote to memory of 996	3420	{516142F7-780D-469a-B99C-0815901624A0}.exe	101
PID 2608 wrote to memory of 3204	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	102
PID 2608 wrote to memory of 3204	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	102
PID 2608 wrote to memory of 3204	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	102
PID 2608 wrote to memory of 3032	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	103
PID 2608 wrote to memory of 3032	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	103
PID 2608 wrote to memory of 3032	2608	{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe	103
PID 3204 wrote to memory of 4280	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	104
PID 3204 wrote to memory of 4280	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	104
PID 3204 wrote to memory of 4280	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	104
PID 3204 wrote to memory of 456	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	105
PID 3204 wrote to memory of 456	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	105
PID 3204 wrote to memory of 456	3204	{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe	105
PID 4280 wrote to memory of 4976	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	106
PID 4280 wrote to memory of 4976	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	106
PID 4280 wrote to memory of 4976	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	106
PID 4280 wrote to memory of 4472	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	107
PID 4280 wrote to memory of 4472	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	107
PID 4280 wrote to memory of 4472	4280	{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe	107
PID 4976 wrote to memory of 4468	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	108
PID 4976 wrote to memory of 4468	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	108
PID 4976 wrote to memory of 4468	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	108
PID 4976 wrote to memory of 680	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	109
PID 4976 wrote to memory of 680	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	109
PID 4976 wrote to memory of 680	4976	{784C81A3-5E34-4129-AB53-E117A43C8390}.exe	109
PID 4468 wrote to memory of 4312	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	110
PID 4468 wrote to memory of 4312	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	110
PID 4468 wrote to memory of 4312	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	110
PID 4468 wrote to memory of 4596	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	111
PID 4468 wrote to memory of 4596	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	111
PID 4468 wrote to memory of 4596	4468	{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe	111
PID 4312 wrote to memory of 4920	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	112
PID 4312 wrote to memory of 4920	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	112
PID 4312 wrote to memory of 4920	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	112
PID 4312 wrote to memory of 3488	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	113
PID 4312 wrote to memory of 3488	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	113
PID 4312 wrote to memory of 3488	4312	{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe	113
PID 4920 wrote to memory of 2704	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	114
PID 4920 wrote to memory of 2704	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	114
PID 4920 wrote to memory of 2704	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	114
PID 4920 wrote to memory of 624	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	115
PID 4920 wrote to memory of 624	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	115
PID 4920 wrote to memory of 624	4920	{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe	115
PID 2704 wrote to memory of 2932	2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe	116
PID 2704 wrote to memory of 2932	2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe	116
PID 2704 wrote to memory of 2932	2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe	116
PID 2704 wrote to memory of 4248	2704	{50BEC082-1B68-4467-96FB-2A28C636152C}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-03_72eee0c77e748fa0100f2fd070410e48_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
  C:\Windows\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\{516142F7-780D-469a-B99C-0815901624A0}.exe
    C:\Windows\{516142F7-780D-469a-B99C-0815901624A0}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
      C:\Windows\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
        
        C:\Windows\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
        
        C:\Windows\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
        
        C:\Windows\{784C81A3-5E34-4129-AB53-E117A43C8390}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
        
        C:\Windows\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
        
        C:\Windows\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
        
        C:\Windows\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
        
        C:\Windows\{50BEC082-1B68-4467-96FB-2A28C636152C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
        
        C:\Windows\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe
        
        C:\Windows\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DD90~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50BEC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B1D3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAC0A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{561C3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{784C8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B206~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80048~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5297~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51614~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2053C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{025F7905-BF45-4ea2-BBD7-A7A9BE605FAB}.exe

Filesize
192KB

MD5
f9d8699c283cb9afcf58d6b0c0918d91

SHA1
27814d8be4f25597528170ba1628608fb081665e

SHA256
76a15fd2412c99ecc7f5dcd5e3554a8427dab307a82b5b948de95b5c39c889ef

SHA512
7b13b5184b580f420147802605985060edc7f9a51944d1445f39b8d051cc0ef9b027a90c1b4a5bb8305db738090090c446d04c06efee82eaa7599be9816e10b1

Download Submit
C:\Windows\{0DD90F39-AF4F-4515-8CDE-39F098A663B0}.exe

Filesize
192KB

MD5
a0f6843e0a23c2a6c1249e41a25f924d

SHA1
ed541c755af2b50aa5bd77108fb7b42199e47d33

SHA256
3f8e6cad1c64ad0ce562c2a68f3878c8539b64779ac172e1bb86ec5e42f876e4

SHA512
3eba5becef4b09d83f35442bea0603331b0fd1c5f6c928801240d7e83f3d96975dce5c908a617c4d272b3aecce146baa888d74a35993b759337697b5e5c69365

Download Submit
C:\Windows\{2053C7BD-5190-4747-AA7E-799F4B0CDE34}.exe

Filesize
192KB

MD5
3c4317faa85fd9cc31f4c5a70bf9b8f7

SHA1
63011a44140848ce7dbce6226f3c0638b5c0b7d7

SHA256
3d7ec9ac837ccba6948645d7590bae46ca66d07504fbf58656aecbdfd172aec0

SHA512
c73689113c889aea4e45ddcec5d1046a1bc1be61a04f5ceecf97a888362dbd58255d8176f1a5c8491df068a84bbcaed30af19723b15f5f255955a9f085c3a8e4

Download Submit
C:\Windows\{50BEC082-1B68-4467-96FB-2A28C636152C}.exe

Filesize
192KB

MD5
d4bb397bf0149b16d0007dd2982cfcfe

SHA1
dd2a1486b35c88c5dd182be3ffa9fc45a4186a3a

SHA256
93818357a37097689ddbfdbd64f8f76c12cab1e43e526e8524a9ee827977c2ff

SHA512
54c4556af436cac0c9572b06a9a71c40d5553353ba79524a0522433eb6512c195c3a791bbde1bdecde91859c4743387236c94164dc5ad7a5529ebc624433978d

Download Submit
C:\Windows\{516142F7-780D-469a-B99C-0815901624A0}.exe

Filesize
192KB

MD5
8f369b61c31ad36f17c04e4506c7809f

SHA1
274ebb42093c0af9a47d43e06b35f2f56ac648b5

SHA256
731928310c92cab3c2a9c8ed6189a94bed2cd91c9863f3c2c9de2fa9ce57435f

SHA512
1b3ca4f87cc0ea28e7be3d1fbc730b7fa88998b9da22243c79e705c68663b4d31256331d2508610de544c51fe5e5dd86b77ab353d6d5f77b79b1b184c8a451fc

Download Submit
C:\Windows\{561C3BC5-2CB9-4940-9B93-9FB9047005FD}.exe

Filesize
192KB

MD5
cac1949e9d52dc1fa06eb067bf6bfa2e

SHA1
e0004c7bf439d2c912fde038efb9ef65ccfd1273

SHA256
9ffa56c7a1d0d6485d7181998078966ed75b4ae0d1984cdaf6124ebad2f8908e

SHA512
86ed1270d3cb84a47ba94d930abdd51e1daf13ecb53c0e4fece61ddc1684fad1c8b3401d5a998f5849536640d98312746c3235b7fe11d15c4a9977b292da74f7

Download Submit
C:\Windows\{5B2065CF-C707-46e5-BCA2-2187B53A4B5D}.exe

Filesize
192KB

MD5
1b5562bf0cea5bdf3428fe12bd4f59da

SHA1
abe6735a72e7e83d307c8c90e73770f8768930fd

SHA256
3027f6f5fc353a647d667b6a3d2951b86b82efb4155ff45bcb65e56dc26d1a2d

SHA512
6898e51ab52b7801a7edf80af699734de0bb38be3a61024a4846ecbdd5db909dc09cd04138c3d30c26b32445429f12c20a57e28342e05d0438b4811f9447343e

Download Submit
C:\Windows\{784C81A3-5E34-4129-AB53-E117A43C8390}.exe

Filesize
192KB

MD5
1a02b2ff02f629f0d832206c6ff124f2

SHA1
8d46a397b99936d2cfdeca3af27d690586b50a25

SHA256
fd62492e7a831c39f468570ad4f9e4cef1542c26aea611ab8d2a8754faab1782

SHA512
888c0b50352a0721c8152a5129f3b274d4296d4cd49382c164e2c6a2552d4536fd9d21c9da099b0752fb51614d71b8607909ba59f97eb5e5cafa23b9960640e1

Download Submit
C:\Windows\{7B1D3896-6206-41f0-8A30-9627B5FABD3E}.exe

Filesize
192KB

MD5
b5f023770c6843c1a85f5173c586f634

SHA1
32925ebbf918d6a41d7b7ff280b8834161241186

SHA256
0aed0abc0ffca2baf06e5109f5c996c5ad0248101ec569baa8aca5dea7373df9

SHA512
a19a6ee86209031d3b3bbf4c93b4bb1a809308a83247b592fa0abf1dde9a82248ae1d45a798eab9b51743b32ff55893d4b35aa5c72c13070e4d3a87a4f846547

Download Submit
C:\Windows\{80048CDB-65E7-4a73-8E3C-4493E9945D9B}.exe

Filesize
192KB

MD5
d9f4b59179063e8ac339f7d819889508

SHA1
ca5f2054ed7cb62d4c353f107550534351771096

SHA256
199f4f7cf2f443794dcce791f2f739bc52814ac6060bc5d150135f1c04013b69

SHA512
0cee140a613641e98becba6016eefd127d9599c3c32dc964c35fdf40006c1f7130419d8527de9c4a7edfbaebc3ccb247eeae338feaf8d637b790415daa5c9d9a

Download Submit
C:\Windows\{CAC0A61F-4C17-4a67-87C3-16CE7DBF72FD}.exe

Filesize
192KB

MD5
f602495236a47ec0f34bbd3a39820625

SHA1
b06a4cda957c6dbef9c6dc4d392919e8e2118c72

SHA256
736bd5e9bd3960ff1160daa1b6c654f4e1a3d71e0f197098edcbbc4e3390b431

SHA512
be21f7ba21c9faa95d3534da002635d802df2e848f935bf55a68af503b12b94d77746d0ddd4ad25631251b696075cea64b57a053101ca0b1bd4a0e829c00a3e5

Download Submit
C:\Windows\{E5297D65-4734-414e-A7C9-DFDDF66EA6BE}.exe

Filesize
192KB

MD5
42852c6d0796dd0695932cfbb1d6c5f5

SHA1
5222bd079488662fd35e613eb3a75cb80ccea2a4

SHA256
9870ebf80f1cda0ae15b66fd7aaf9bb0ac14ffc7719f14015592583460e85ed3

SHA512
7ed6e18ed797587fb2367a9b127c00c1dd4d1faa967446e363fc9d2f14ff8eb1a6694689e4759ff846c6427b039af4112f2f005791bd9d3a9712d552dabc0902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads