674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Size

372KB
MD5

62cd081bd3e7f9784db59a7d190bfa57
SHA1

def16a2b60a6aa463506dd16e62e2e123ee6e19a
SHA256

674ad5de64c23d0e0bb26d875d0ffac969bec6bdc38f76e5a135970980d3d54d
SHA512

f9c90f55b3cfe7ceb2185c7f55122b8793c8bcb8c627a1c05ad7ef264f4944f887772233762a5f34b5ea81a60b1867bc66ce93117ba45da0ed438836489cd42e
SSDEEP

3072:CEGh0o2lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG4lkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}\stubpath = "C:\\Windows\\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe"	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}\stubpath = "C:\\Windows\\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe"	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817D8823-3CCE-43d8-8D9C-7102CE646076}	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}	{038E9120-E956-4f54-A731-ECE1AD143064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}\stubpath = "C:\\Windows\\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe"	{038E9120-E956-4f54-A731-ECE1AD143064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{704AF3F6-DB7D-4391-B551-A8157B387586}	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C402A16C-5F53-4409-9437-87384B7E16D9}	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}\stubpath = "C:\\Windows\\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe"	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{038E9120-E956-4f54-A731-ECE1AD143064}	{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70AE49C8-27A8-4388-B354-0A85FA315DD7}	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{704AF3F6-DB7D-4391-B551-A8157B387586}\stubpath = "C:\\Windows\\{704AF3F6-DB7D-4391-B551-A8157B387586}.exe"	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C402A16C-5F53-4409-9437-87384B7E16D9}\stubpath = "C:\\Windows\\{C402A16C-5F53-4409-9437-87384B7E16D9}.exe"	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3C22DA-D761-436f-A31C-B326EB5429AD}\stubpath = "C:\\Windows\\{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe"	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70AE49C8-27A8-4388-B354-0A85FA315DD7}\stubpath = "C:\\Windows\\{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe"	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BFF8E3-4F90-461a-B68C-3AC356201D60}	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69368BBD-8745-4c91-A69C-68C89E3EA58D}	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69368BBD-8745-4c91-A69C-68C89E3EA58D}\stubpath = "C:\\Windows\\{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe"	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817D8823-3CCE-43d8-8D9C-7102CE646076}\stubpath = "C:\\Windows\\{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe"	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F3C22DA-D761-436f-A31C-B326EB5429AD}	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{038E9120-E956-4f54-A731-ECE1AD143064}\stubpath = "C:\\Windows\\{038E9120-E956-4f54-A731-ECE1AD143064}.exe"	{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BFF8E3-4F90-461a-B68C-3AC356201D60}\stubpath = "C:\\Windows\\{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe"	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe

Executes dropped EXE 11 IoCs

pid	Process
832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
2992	{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
4960	{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
File created	C:\Windows\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	{038E9120-E956-4f54-A731-ECE1AD143064}.exe
File created	C:\Windows\{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
File created	C:\Windows\{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
File created	C:\Windows\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
File created	C:\Windows\{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
File created	C:\Windows\{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
File created	C:\Windows\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
File created	C:\Windows\{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
File created	C:\Windows\{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
File created	C:\Windows\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{038E9120-E956-4f54-A731-ECE1AD143064}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
Token: SeIncBasePriorityPrivilege	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
Token: SeIncBasePriorityPrivilege	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
Token: SeIncBasePriorityPrivilege	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
Token: SeIncBasePriorityPrivilege	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
Token: SeIncBasePriorityPrivilege	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
Token: SeIncBasePriorityPrivilege	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
Token: SeIncBasePriorityPrivilege	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe
Token: SeIncBasePriorityPrivilege	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
Token: SeIncBasePriorityPrivilege	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
Token: SeIncBasePriorityPrivilege	4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 832	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	91
PID 2252 wrote to memory of 832	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	91
PID 2252 wrote to memory of 832	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	91
PID 2252 wrote to memory of 2404	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	92
PID 2252 wrote to memory of 2404	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	92
PID 2252 wrote to memory of 2404	2252	2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe	92
PID 832 wrote to memory of 2424	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	95
PID 832 wrote to memory of 2424	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	95
PID 832 wrote to memory of 2424	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	95
PID 832 wrote to memory of 4404	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	96
PID 832 wrote to memory of 4404	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	96
PID 832 wrote to memory of 4404	832	{704AF3F6-DB7D-4391-B551-A8157B387586}.exe	96
PID 2424 wrote to memory of 3836	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	98
PID 2424 wrote to memory of 3836	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	98
PID 2424 wrote to memory of 3836	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	98
PID 2424 wrote to memory of 2416	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	99
PID 2424 wrote to memory of 2416	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	99
PID 2424 wrote to memory of 2416	2424	{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe	99
PID 3836 wrote to memory of 2628	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	101
PID 3836 wrote to memory of 2628	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	101
PID 3836 wrote to memory of 2628	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	101
PID 3836 wrote to memory of 2540	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	102
PID 3836 wrote to memory of 2540	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	102
PID 3836 wrote to memory of 2540	3836	{C402A16C-5F53-4409-9437-87384B7E16D9}.exe	102
PID 2628 wrote to memory of 5108	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	103
PID 2628 wrote to memory of 5108	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	103
PID 2628 wrote to memory of 5108	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	103
PID 2628 wrote to memory of 4216	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	104
PID 2628 wrote to memory of 4216	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	104
PID 2628 wrote to memory of 4216	2628	{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe	104
PID 5108 wrote to memory of 4900	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	105
PID 5108 wrote to memory of 4900	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	105
PID 5108 wrote to memory of 4900	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	105
PID 5108 wrote to memory of 1832	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	106
PID 5108 wrote to memory of 1832	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	106
PID 5108 wrote to memory of 1832	5108	{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe	106
PID 4900 wrote to memory of 2992	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	107
PID 4900 wrote to memory of 2992	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	107
PID 4900 wrote to memory of 2992	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	107
PID 4900 wrote to memory of 4308	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	108
PID 4900 wrote to memory of 4308	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	108
PID 4900 wrote to memory of 4308	4900	{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe	108
PID 4516 wrote to memory of 2528	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	111
PID 4516 wrote to memory of 2528	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	111
PID 4516 wrote to memory of 2528	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	111
PID 4516 wrote to memory of 468	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	112
PID 4516 wrote to memory of 468	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	112
PID 4516 wrote to memory of 468	4516	{038E9120-E956-4f54-A731-ECE1AD143064}.exe	112
PID 2528 wrote to memory of 1408	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	113
PID 2528 wrote to memory of 1408	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	113
PID 2528 wrote to memory of 1408	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	113
PID 2528 wrote to memory of 3092	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	114
PID 2528 wrote to memory of 3092	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	114
PID 2528 wrote to memory of 3092	2528	{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe	114
PID 1408 wrote to memory of 4136	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	115
PID 1408 wrote to memory of 4136	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	115
PID 1408 wrote to memory of 4136	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	115
PID 1408 wrote to memory of 3160	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	116
PID 1408 wrote to memory of 3160	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	116
PID 1408 wrote to memory of 3160	1408	{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe	116
PID 4136 wrote to memory of 4960	4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe	117
PID 4136 wrote to memory of 4960	4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe	117
PID 4136 wrote to memory of 4960	4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe	117
PID 4136 wrote to memory of 1528	4136	{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_62cd081bd3e7f9784db59a7d190bfa57_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
  C:\Windows\{704AF3F6-DB7D-4391-B551-A8157B387586}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
    C:\Windows\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
      C:\Windows\{C402A16C-5F53-4409-9437-87384B7E16D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
        
        C:\Windows\{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
        
        C:\Windows\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
        
        C:\Windows\{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
        
        C:\Windows\{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\{038E9120-E956-4f54-A731-ECE1AD143064}.exe
        
        C:\Windows\{038E9120-E956-4f54-A731-ECE1AD143064}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
        
        C:\Windows\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
        
        C:\Windows\{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
        
        C:\Windows\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe
        
        C:\Windows\{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95850~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70AE4~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A5E3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{038E9~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F3C2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{817D8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E71DB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69368~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C402A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{52BE3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{704AF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A5E3C3C-C473-4896-9DBE-17918C7AE916}.exe

Filesize
372KB

MD5
a310adb655ba74e88a05d5c8b5874ef5

SHA1
c4ffef20b2b9ea5c6dceb7d2733015abf5bd1031

SHA256
0829bafcd3ee6d94ae3d21f9b41e92ef8d518fae0c5d500141c1658036456264

SHA512
6eafdc3a183f50ac3b95eab15b2121ccf2a363eed1295d650d9803c493ece33619e170bc1cea6c0fff2b80aee23faec813fbbcb13793025bcffaa4f112115b83

Download Submit
C:\Windows\{3F3C22DA-D761-436f-A31C-B326EB5429AD}.exe

Filesize
372KB

MD5
54039cbba68e317f3e0ae03a2773b222

SHA1
6fada30d049ec02bf2600112f63bb1b7446d50ed

SHA256
7f78965cba1d155789e39694f1e5d65756bf8d1ae216a717e0f4f0577daef074

SHA512
7dfdc478d5b81fb87be35e12ea605da5d396b31e12b3853e3114f1053833b1a977884c6b9c5fe0e9620992d17478b4cda7d632ade8ae95e74af8f22b413263fd

Download Submit
C:\Windows\{40BFF8E3-4F90-461a-B68C-3AC356201D60}.exe

Filesize
372KB

MD5
7d408cbe343272d61092f42a3bbd47f0

SHA1
95b757db1e1620e68c327a8a83006dd1b4944aee

SHA256
414e46e9adc4209a9985ff7ffc54ba8ed50e67ae3a53df582019ee7a6581bd24

SHA512
15919b64c351531395d5367eb95c500fa8d11bb2f0207bafa67515c699f3f7d1a08c85021dfd159dd46f3dd3b8e84faed93a77cbf36d1e172776be34db7926c4

Download Submit
C:\Windows\{52BE3816-4D6B-41c1-9FCD-D0B070E935D4}.exe

Filesize
372KB

MD5
0d6b2456d40889bf06e4d143a0637094

SHA1
af6a5a817f3ee107eb444b0130b8fa13548ab803

SHA256
13a3886e96ae73f75428960b2c6613c31c408c0a3b6e216fc7b3b1c62ea47c0c

SHA512
93ce9e5fa44bb1301bb4a957944c923588bf09704a19a685bc4ee0a42d6c9920d429581e9d26542afa345bcd6969d8e1877e6a5d06ad77ad534ccc2aece454b5

Download Submit
C:\Windows\{69368BBD-8745-4c91-A69C-68C89E3EA58D}.exe

Filesize
372KB

MD5
2002a3da0befcf72b2474291a3332144

SHA1
7388521291a7e05eba166dd1909cf16936656e87

SHA256
2af911b650a49f2c276d1f206cb5d4e10dfe24a2af7e9ea60b20a76b1b933c1b

SHA512
7a65a546fda272e0bd55da72be4b19a35a0ccdf7a64bb73f41dffd431408d9bede938cdef05f7ee522db02ff547fe27bd941a9e8fb0cb60adf443ce632a2ecd3

Download Submit
C:\Windows\{704AF3F6-DB7D-4391-B551-A8157B387586}.exe

Filesize
372KB

MD5
4efb46a51b6fa74bb6ba060c538ac8db

SHA1
58b264ecfe15512686a852be5890b7efd2eb5bc3

SHA256
22ffbb86bf0ea142ca6a8d376e858648998a04528c70638a42ec95fbcfdb5ba4

SHA512
b6212b7601aa8a2ce55df3c4655c22f6597ab68e8864ddb2d78ba1c6af65d5278b972cd51ee97108f79ab2bed8cf6f798848d1c021fffc2640e07e104fa6286a

Download Submit
C:\Windows\{70AE49C8-27A8-4388-B354-0A85FA315DD7}.exe

Filesize
372KB

MD5
44cf722dbdbe4b860d7e5cd52c476dd2

SHA1
0f2def616003950c0ab4e1c601732acabd1509de

SHA256
425d34277da705b911c1dbc6cf45deb8a78a2c38736701ab7ab1af22404f912f

SHA512
2911b404db1cee872ee351ba43d20e6baa7715d370761bcdae64e802566c02ce2e5e4265a68d39c18a5b74f7b80869168694eec1e38f2fcb39e8c3754e8d8637

Download Submit
C:\Windows\{817D8823-3CCE-43d8-8D9C-7102CE646076}.exe

Filesize
372KB

MD5
70f91344217f477fac216ca6253c79ae

SHA1
45769c46610e6a571ccf0da306cea11ff47181b6

SHA256
62f8b5fb65e5be156d306954ad8363c06ce6ae44f471299bb4b7405ed41be6b7

SHA512
30e12919bb3c5eb5e276a14a1dec934042bbae9f0c5b68cf2a6b69c0002d7925ab9af7589a29c735ef3ba1db56d8f46fee94aad324f1dd6a01fd62b9497306a6

Download Submit
C:\Windows\{9585027D-3CB8-4e74-B2E5-3AE4E860E536}.exe

Filesize
372KB

MD5
37a4bd0946a1445841173241943a9454

SHA1
606204ca6b97542dd44136e9995214db48abb5a7

SHA256
7509c1a26ced8acf1ee6f99a0f66b4760e00e379bf0203dcb6c61d3810633c34

SHA512
922d1e64e1775662001d75c7931277188ee0661c519604870a332efc305c9a40b0178211778a131a02c0b7b552a70eb7ff4babee5ff03dd57c20d16c36ccb59f

Download Submit
C:\Windows\{C402A16C-5F53-4409-9437-87384B7E16D9}.exe

Filesize
372KB

MD5
b8bf1001266b14d17f9f88b3b0dbf9c2

SHA1
b5a741d16b2ae45dbf6d9a8440d06525f6f8e039

SHA256
d97c15919b70fc343a29387ebcf058c02f0ec25521f0520f52b68599dbae3203

SHA512
e4288ff5f4806bcb668466bf8ff1241d2b5fcbeca8722372b6efd759ad0678707fcfe55760f4cc4560b83d086269ada0984e03ae5dd60c75d16fb5b659710c54

Download Submit
C:\Windows\{E71DB1DA-0112-4a2f-A9F6-6B6A9DF40045}.exe

Filesize
372KB

MD5
784004b88b93652028a61e737c2e2b6a

SHA1
6ca75b46559ce3ef3af4a62db67c5d7699026782

SHA256
13c248ff6ba5773b74c4a5e4b23d260e8aa75c2c24b0dcb7fc14d30c9c7a73db

SHA512
7e1b1c57480867ade1567dc8933542b31a3397a3754a31710e66be344e1dc9a185a3405763301238ad49328949cbab1dae6df9abff72af052a216c56700435c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads