1bec1d8d19c5967ea4f055350601566e5ee1405fe683394e9db3ac1f3bdfaaed

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Size

380KB
MD5

6b72bc43e7689fa8be7ea99be793d661
SHA1

0a4bf2738266e3cf417ae7a6703272aeb870e7ca
SHA256

1bec1d8d19c5967ea4f055350601566e5ee1405fe683394e9db3ac1f3bdfaaed
SHA512

5e6c310b55361811fc46bb5dbb90b14f9317c0ba5ff3b4b1fe956536b3630b9ea1ede1ef8f838d23a5198c8822eec1acc1010843d770ac1c201a3b7d88d2a1f9
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG2l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC19CF7F-8191-435c-B786-231CC54E564B}\stubpath = "C:\\Windows\\{FC19CF7F-8191-435c-B786-231CC54E564B}.exe"	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96C0775E-2773-4a19-8522-F045E8E2A9E4}\stubpath = "C:\\Windows\\{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe"	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96C0775E-2773-4a19-8522-F045E8E2A9E4}	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}\stubpath = "C:\\Windows\\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe"	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22160313-821C-4b12-A95C-22AC024DCC2D}	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7159F473-48C4-446b-9814-366130BFBF54}	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}\stubpath = "C:\\Windows\\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe"	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC19CF7F-8191-435c-B786-231CC54E564B}	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A3FDFB-E565-4030-8439-405B545CCEB6}\stubpath = "C:\\Windows\\{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe"	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}\stubpath = "C:\\Windows\\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe"	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0A3FDFB-E565-4030-8439-405B545CCEB6}	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22160313-821C-4b12-A95C-22AC024DCC2D}\stubpath = "C:\\Windows\\{22160313-821C-4b12-A95C-22AC024DCC2D}.exe"	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}	{7159F473-48C4-446b-9814-366130BFBF54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}\stubpath = "C:\\Windows\\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe"	{7159F473-48C4-446b-9814-366130BFBF54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93624884-69D9-4a92-B1DF-CA524FA1130D}	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}\stubpath = "C:\\Windows\\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe"	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7159F473-48C4-446b-9814-366130BFBF54}\stubpath = "C:\\Windows\\{7159F473-48C4-446b-9814-366130BFBF54}.exe"	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93624884-69D9-4a92-B1DF-CA524FA1130D}\stubpath = "C:\\Windows\\{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe"	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}\stubpath = "C:\\Windows\\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe"	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe
2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
2380	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
5008	{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
File created	C:\Windows\{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
File created	C:\Windows\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
File created	C:\Windows\{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
File created	C:\Windows\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
File created	C:\Windows\{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
File created	C:\Windows\{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
File created	C:\Windows\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
File created	C:\Windows\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
File created	C:\Windows\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
File created	C:\Windows\{7159F473-48C4-446b-9814-366130BFBF54}.exe	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
File created	C:\Windows\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	{7159F473-48C4-446b-9814-366130BFBF54}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7159F473-48C4-446b-9814-366130BFBF54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
Token: SeIncBasePriorityPrivilege	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
Token: SeIncBasePriorityPrivilege	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe
Token: SeIncBasePriorityPrivilege	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
Token: SeIncBasePriorityPrivilege	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
Token: SeIncBasePriorityPrivilege	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
Token: SeIncBasePriorityPrivilege	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
Token: SeIncBasePriorityPrivilege	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
Token: SeIncBasePriorityPrivilege	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
Token: SeIncBasePriorityPrivilege	4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
Token: SeIncBasePriorityPrivilege	2380	{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 1444	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	94
PID 552 wrote to memory of 1444	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	94
PID 552 wrote to memory of 1444	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	94
PID 552 wrote to memory of 4052	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	95
PID 552 wrote to memory of 4052	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	95
PID 552 wrote to memory of 4052	552	2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe	95
PID 1444 wrote to memory of 2836	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	96
PID 1444 wrote to memory of 2836	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	96
PID 1444 wrote to memory of 2836	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	96
PID 1444 wrote to memory of 424	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	97
PID 1444 wrote to memory of 424	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	97
PID 1444 wrote to memory of 424	1444	{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe	97
PID 2836 wrote to memory of 2448	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	100
PID 2836 wrote to memory of 2448	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	100
PID 2836 wrote to memory of 2448	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	100
PID 2836 wrote to memory of 4340	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	101
PID 2836 wrote to memory of 4340	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	101
PID 2836 wrote to memory of 4340	2836	{22160313-821C-4b12-A95C-22AC024DCC2D}.exe	101
PID 2448 wrote to memory of 2848	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	102
PID 2448 wrote to memory of 2848	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	102
PID 2448 wrote to memory of 2848	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	102
PID 2448 wrote to memory of 2368	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	103
PID 2448 wrote to memory of 2368	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	103
PID 2448 wrote to memory of 2368	2448	{7159F473-48C4-446b-9814-366130BFBF54}.exe	103
PID 2848 wrote to memory of 4816	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	104
PID 2848 wrote to memory of 4816	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	104
PID 2848 wrote to memory of 4816	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	104
PID 2848 wrote to memory of 1972	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	105
PID 2848 wrote to memory of 1972	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	105
PID 2848 wrote to memory of 1972	2848	{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe	105
PID 4816 wrote to memory of 1268	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	106
PID 4816 wrote to memory of 1268	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	106
PID 4816 wrote to memory of 1268	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	106
PID 4816 wrote to memory of 4260	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	107
PID 4816 wrote to memory of 4260	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	107
PID 4816 wrote to memory of 4260	4816	{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe	107
PID 1268 wrote to memory of 4308	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	108
PID 1268 wrote to memory of 4308	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	108
PID 1268 wrote to memory of 4308	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	108
PID 1268 wrote to memory of 4292	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	109
PID 1268 wrote to memory of 4292	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	109
PID 1268 wrote to memory of 4292	1268	{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe	109
PID 4308 wrote to memory of 5012	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	110
PID 4308 wrote to memory of 5012	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	110
PID 4308 wrote to memory of 5012	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	110
PID 4308 wrote to memory of 3700	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	111
PID 4308 wrote to memory of 3700	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	111
PID 4308 wrote to memory of 3700	4308	{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe	111
PID 5012 wrote to memory of 4712	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	112
PID 5012 wrote to memory of 4712	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	112
PID 5012 wrote to memory of 4712	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	112
PID 5012 wrote to memory of 1196	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	113
PID 5012 wrote to memory of 1196	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	113
PID 5012 wrote to memory of 1196	5012	{FC19CF7F-8191-435c-B786-231CC54E564B}.exe	113
PID 4712 wrote to memory of 4008	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	114
PID 4712 wrote to memory of 4008	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	114
PID 4712 wrote to memory of 4008	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	114
PID 4712 wrote to memory of 884	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	115
PID 4712 wrote to memory of 884	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	115
PID 4712 wrote to memory of 884	4712	{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe	115
PID 4008 wrote to memory of 2380	4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe	116
PID 4008 wrote to memory of 2380	4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe	116
PID 4008 wrote to memory of 2380	4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe	116
PID 4008 wrote to memory of 608	4008	{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_6b72bc43e7689fa8be7ea99be793d661_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
  C:\Windows\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
    C:\Windows\{22160313-821C-4b12-A95C-22AC024DCC2D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{7159F473-48C4-446b-9814-366130BFBF54}.exe
      C:\Windows\{7159F473-48C4-446b-9814-366130BFBF54}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
        
        C:\Windows\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
        
        C:\Windows\{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
        
        C:\Windows\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
        
        C:\Windows\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
        
        C:\Windows\{FC19CF7F-8191-435c-B786-231CC54E564B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
        
        C:\Windows\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
        
        C:\Windows\{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
        
        C:\Windows\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe
        
        C:\Windows\{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26D66~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0A3F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29F58~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC19C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{760F8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B2C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93624~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99585~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7159F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{22160~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{40F22~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22160313-821C-4b12-A95C-22AC024DCC2D}.exe

Filesize
380KB

MD5
8c173bb89bdc4af67469867517b98919

SHA1
945d9d76ebe474d799504f8d5cf1fbd5f983cc68

SHA256
df2339d7dca7419a0d91ed28fdea66c168aaa5b24e0a0e4fe0eeafe04cb05c53

SHA512
3ad2c1fd06945159eed7500fa08657f0a859768ab36db79ebf327fc744a3f98a523d083df50df985acec51d4de9d3ad40c7cdf56ff7f502e0ced39decc11aa00

Download Submit
C:\Windows\{26D6673A-9291-4c92-BBE2-3FCAA7EF97E3}.exe

Filesize
380KB

MD5
61fa716812c16444a1dbe93befc7707f

SHA1
bcd4f37ec1a7b5b14a944f66fe0c32e2dee3df49

SHA256
031b3dec46aad5400f9f32190e1a0afa75062a4d5b9285b33957a1ffb26616d9

SHA512
5608d37a877332705980f0699dd7660886851276adf751c5f246fd8525a4295790f5e0a975156ce35dd3d872f39f3914c818fc10f147c8e2baf6ddf5763c12bb

Download Submit
C:\Windows\{29F5891A-BD35-4c0a-A9DE-6F4EAC831A6F}.exe

Filesize
380KB

MD5
77427f563cc30b6de4bcaf44f5e88f08

SHA1
b117a71b8adda2d51a083b0927e992e5ba5a7f22

SHA256
3df02f37620248e9f3c54a12eeb5b4e855564e1e4d0248685dcf139d881eeade

SHA512
3f9f94a83a8e2f4121ff039ec1e5e81575ab0f69aa98124d17ea1b6497105b28bdba82f0b770b3011969994c6aac07629ac91ab9482295188eeccce9da164a86

Download Submit
C:\Windows\{40F22A3C-51D5-4c6c-9C1E-92EB8FDF16F0}.exe

Filesize
380KB

MD5
eb5080108857c1f0af4291e7e45ca576

SHA1
6d69b8273a61fc29a6bd0a08241d89c23d3b7377

SHA256
41bb9ca31cd48a1551928949db4a15280294cde4b9dda1383b9ce9a39ee717cf

SHA512
38ec4be73ab1015c9eb285abb5d03267958dab9586e6a62308110c2a636c3746d6a7ff04628c8af4b37cea9154290657f2e2e2484078d0d1e943143a5d8787be

Download Submit
C:\Windows\{7159F473-48C4-446b-9814-366130BFBF54}.exe

Filesize
380KB

MD5
b4e5e774b82ee962030520a70dc952ff

SHA1
8283382c67b9db378514769c59789807ff270381

SHA256
bd336b0c4216085b67e46a3a8ebae7d56b0d702b4ed8b0d889e440dcc38984cc

SHA512
8da54daa3fa9507557397d3a92f0e2ced82806483ae7fc455fed194d652a4d4d3aa89b61582cacf559d0390eee61cc09f8518171ae11259ebb003e43c19d3a5d

Download Submit
C:\Windows\{760F8B6B-F74F-4adf-B8F8-843C2502A2D5}.exe

Filesize
380KB

MD5
a7e2f4a95bf309b850ad51589d765a56

SHA1
7b5ad113ce5fb0ee417a943c9df82f0f05d779d3

SHA256
8ce16939055f2b1939b2ff0be0a9dd2bdd07c36f0ece56bad050932d2ef2e029

SHA512
216a1e49ed288129eda052cc7f903ef18c60bfe6cfab145bebc44588eae39aac35467dadac11e40e45479822624f56feff35d67d5b9e31c61258ec84a6c4d01e

Download Submit
C:\Windows\{93624884-69D9-4a92-B1DF-CA524FA1130D}.exe

Filesize
380KB

MD5
b90d2b7b65d070444455eb269f3944b5

SHA1
109fd46c7231c0d9c702dcbfa7d6ca356bfbe5e1

SHA256
84914372ccda44addf5db24367adbd00fa91a069be568849309e07b2808d1518

SHA512
3a2100fc0d88d4535a167cd8252b8a6b296c12341b73d9858322dd775cdfd190a2c30a53e2103f6f2a71cf65a4f11609dfafaa42c42b7965df9a2ae396108489

Download Submit
C:\Windows\{96C0775E-2773-4a19-8522-F045E8E2A9E4}.exe

Filesize
380KB

MD5
7d80d0d96f333dd70c5b3fbd48ff586e

SHA1
19fcf79a6acb1ea2eb1bff2479d8c09c2dd5bf42

SHA256
0bbe72b5af0110e9fc7701ea819243dc7772ffddc31f7adbd0b8cb94000f588b

SHA512
b5c28d67dddd2eda0a7542b8ebae7c190935a1cf40ee72580bbcaed1e1f3b5b673a4f25088b4bea602c506c3bb7c63166ecd5fa24c2c4e7f2ef779d6e7576158

Download Submit
C:\Windows\{995854E7-B464-4be6-BFA7-2A49FFD8CB37}.exe

Filesize
380KB

MD5
47ba564b16faeb1a6fad1eeed9187659

SHA1
38307da3fcbdea9adcfbf1f976c7a07c5d9f0660

SHA256
21bce52d824e22c5ee56ef933c65645c6fd80c152ab2c080b46795b426614724

SHA512
1288b6d44a2305e7b784cead33060e0ba8ffc8389b571a9ba6bbda845d502ade209273aa63753f967484e8bd61b2928be22bb99b73550c92f15114ca8ab31e41

Download Submit
C:\Windows\{B7B2C558-270E-458e-B1A7-D64EEA9566D7}.exe

Filesize
380KB

MD5
132bf6737da0c836410c7878615c1415

SHA1
d3ada7d0d6d00f379e12b5d7e1917052893a9844

SHA256
cc18f850fe8ec842304320b094cd018a84937416cc83657462a367385d94d27b

SHA512
0a0a187a94f9a5521a507277ba77bb1e527a802c27b42afd46d6109d1f328d735c0cbe56c0f5f4bda920bd29426ac9537d3ea44864c7e7894eb477341fd35237

Download Submit
C:\Windows\{D0A3FDFB-E565-4030-8439-405B545CCEB6}.exe

Filesize
380KB

MD5
812c42c1943ea5d0289735cf21ded6a9

SHA1
f43c7ec2a0aa8bdb4842e2edafa27fdf1426281d

SHA256
b49519c57a1d0c3cb77ee294c83042e078c4a74dbd72e7701bbef03381dc93de

SHA512
1c0f28ea0f7febb0c1a472e56aca6fe4ea0b7617e49d687765f3fd7db03702318efb54506cf47b2a7b7a21636ab196e0bbdc8288a20888c749cd16b38d312a84

Download Submit
C:\Windows\{FC19CF7F-8191-435c-B786-231CC54E564B}.exe

Filesize
380KB

MD5
e282b5620e30c1d6cc912a0efad3fd21

SHA1
b37f466589e3d6adf6810ab8aef767abf9b34db6

SHA256
91f3bae85c6bc8623e64ec28372906dd45aeb54fb9c1e03972e85332d03490c4

SHA512
29bd99b00da6b5244a02e5bf5560e0d084d74e4eb10eace45003a3cbafeb4cdae96387b3b32a3980d5253ed6ef27e928ec295ec201ff37a0d9623ed0402ce788

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads