51501a3547efdd6fd1c136dab628609cec269649b0dc73b69ba968b5ca6c57b2

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Size

380KB
MD5

cca048eb7b923d08382dc52a055590c1
SHA1

6befe52eceebe91da7eb228848310ff10386c3ef
SHA256

51501a3547efdd6fd1c136dab628609cec269649b0dc73b69ba968b5ca6c57b2
SHA512

ce66a497b9e45e7d06f9dfa417ee89221f2d13a37e9e96014e4f6dd3de24ec8630bd5e218c820c8354dfacd4af8a53dd66e4644003ebe3deb1c65b238d3a562d
SSDEEP

3072:mEGh0oflPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGll7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}\stubpath = "C:\\Windows\\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe"	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6931D0-A72A-4dce-A514-04F368B22A44}	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920FC977-DE36-4985-8F20-A9C4D3CB671C}	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}\stubpath = "C:\\Windows\\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe"	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}\stubpath = "C:\\Windows\\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe"	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF6931D0-A72A-4dce-A514-04F368B22A44}\stubpath = "C:\\Windows\\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe"	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404F839C-1092-4c23-8465-D73F5D722AEA}	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404F839C-1092-4c23-8465-D73F5D722AEA}\stubpath = "C:\\Windows\\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe"	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC607E5-3593-441d-85A5-0527E536F93E}\stubpath = "C:\\Windows\\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe"	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B433F96-3EA7-4726-9320-86E3019E786B}	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A3C3C-01B7-431b-9561-094CC9BA7B41}	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A3C3C-01B7-431b-9561-094CC9BA7B41}\stubpath = "C:\\Windows\\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe"	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB11B11-20D6-4be1-86F2-A13CD2979223}	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB11B11-20D6-4be1-86F2-A13CD2979223}\stubpath = "C:\\Windows\\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe"	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB762F8-6D82-444a-8CD8-726341D79DCA}	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}\stubpath = "C:\\Windows\\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe"	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{920FC977-DE36-4985-8F20-A9C4D3CB671C}\stubpath = "C:\\Windows\\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe"	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B433F96-3EA7-4726-9320-86E3019E786B}\stubpath = "C:\\Windows\\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe"	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CB762F8-6D82-444a-8CD8-726341D79DCA}\stubpath = "C:\\Windows\\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe"	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AC607E5-3593-441d-85A5-0527E536F93E}	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
2052	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
2656	{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
File created	C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
File created	C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
File created	C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
File created	C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
File created	C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
File created	C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
File created	C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
File created	C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
File created	C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
File created	C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
File created	C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
Token: SeIncBasePriorityPrivilege	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
Token: SeIncBasePriorityPrivilege	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
Token: SeIncBasePriorityPrivilege	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
Token: SeIncBasePriorityPrivilege	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
Token: SeIncBasePriorityPrivilege	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
Token: SeIncBasePriorityPrivilege	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
Token: SeIncBasePriorityPrivilege	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
Token: SeIncBasePriorityPrivilege	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
Token: SeIncBasePriorityPrivilege	460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
Token: SeIncBasePriorityPrivilege	2052	{0B433F96-3EA7-4726-9320-86E3019E786B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3456	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	92
PID 4820 wrote to memory of 3456	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	92
PID 4820 wrote to memory of 3456	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	92
PID 4820 wrote to memory of 3224	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	93
PID 4820 wrote to memory of 3224	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	93
PID 4820 wrote to memory of 3224	4820	2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe	93
PID 3456 wrote to memory of 4116	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	96
PID 3456 wrote to memory of 4116	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	96
PID 3456 wrote to memory of 4116	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	96
PID 3456 wrote to memory of 1564	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	97
PID 3456 wrote to memory of 1564	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	97
PID 3456 wrote to memory of 1564	3456	{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe	97
PID 4116 wrote to memory of 680	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	100
PID 4116 wrote to memory of 680	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	100
PID 4116 wrote to memory of 680	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	100
PID 4116 wrote to memory of 4888	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	101
PID 4116 wrote to memory of 4888	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	101
PID 4116 wrote to memory of 4888	4116	{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe	101
PID 680 wrote to memory of 4728	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	102
PID 680 wrote to memory of 4728	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	102
PID 680 wrote to memory of 4728	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	102
PID 680 wrote to memory of 2028	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	103
PID 680 wrote to memory of 2028	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	103
PID 680 wrote to memory of 2028	680	{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe	103
PID 4728 wrote to memory of 3464	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	104
PID 4728 wrote to memory of 3464	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	104
PID 4728 wrote to memory of 3464	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	104
PID 4728 wrote to memory of 3860	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	105
PID 4728 wrote to memory of 3860	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	105
PID 4728 wrote to memory of 3860	4728	{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe	105
PID 3464 wrote to memory of 4376	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	106
PID 3464 wrote to memory of 4376	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	106
PID 3464 wrote to memory of 4376	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	106
PID 3464 wrote to memory of 4380	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	107
PID 3464 wrote to memory of 4380	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	107
PID 3464 wrote to memory of 4380	3464	{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe	107
PID 4376 wrote to memory of 2268	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	108
PID 4376 wrote to memory of 2268	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	108
PID 4376 wrote to memory of 2268	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	108
PID 4376 wrote to memory of 1256	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	109
PID 4376 wrote to memory of 1256	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	109
PID 4376 wrote to memory of 1256	4376	{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe	109
PID 2268 wrote to memory of 1872	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	110
PID 2268 wrote to memory of 1872	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	110
PID 2268 wrote to memory of 1872	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	110
PID 2268 wrote to memory of 3868	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	111
PID 2268 wrote to memory of 3868	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	111
PID 2268 wrote to memory of 3868	2268	{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe	111
PID 1872 wrote to memory of 2240	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	112
PID 1872 wrote to memory of 2240	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	112
PID 1872 wrote to memory of 2240	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	112
PID 1872 wrote to memory of 1956	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	113
PID 1872 wrote to memory of 1956	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	113
PID 1872 wrote to memory of 1956	1872	{404F839C-1092-4c23-8465-D73F5D722AEA}.exe	113
PID 2240 wrote to memory of 460	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	114
PID 2240 wrote to memory of 460	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	114
PID 2240 wrote to memory of 460	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	114
PID 2240 wrote to memory of 1040	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	115
PID 2240 wrote to memory of 1040	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	115
PID 2240 wrote to memory of 1040	2240	{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe	115
PID 460 wrote to memory of 2052	460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe	116
PID 460 wrote to memory of 2052	460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe	116
PID 460 wrote to memory of 2052	460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe	116
PID 460 wrote to memory of 2548	460	{5AC607E5-3593-441d-85A5-0527E536F93E}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-05_cca048eb7b923d08382dc52a055590c1_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
  C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
    C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
      C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
        
        C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
        
        C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
        
        C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
        
        C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
        
        C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
        
        C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
        
        C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
        
        C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe
        
        C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B433~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AC60~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5362~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{404F8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{920FC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA4E7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB76~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB11~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF693~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5BC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{085A3~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{085A3C3C-01B7-431b-9561-094CC9BA7B41}.exe

Filesize
380KB

MD5
8c58bbd7af19166afa5667aebe7483e9

SHA1
68100c6b2f2c33a626ef0d81ecc2c2a6d69c085c

SHA256
c0e841aacd5e54e4b9e558761073529a745057b24d19173402e84a2841ec8262

SHA512
740727e513efb37ec8ec2884ee77903ff12c4c7dec641e1963426bc014c0def002a62abd97a0d5e3370d25c4cd0e4583d3188440105db92f3950028460775016

Download Submit
C:\Windows\{0B433F96-3EA7-4726-9320-86E3019E786B}.exe

Filesize
380KB

MD5
e57f542f76344c8eb844397a6abd5262

SHA1
6765d6a886d31331682283096b8efbfc5391ccd8

SHA256
f1efeabd41e5b53b06f88d8fd6e821e84c5b6781db7b4db7f55f539c41d3ffb9

SHA512
ecfb80abd2e69f7c5fb79beb414465cc043cb25c5b309ff3a7e89cfdde6b836451105470ecb197a2033db8e8cbfdb81911eb804badb3c0a2936c486326f6613a

Download Submit
C:\Windows\{0CB762F8-6D82-444a-8CD8-726341D79DCA}.exe

Filesize
380KB

MD5
0571309f13b88e50ad0e09c9bebc9928

SHA1
e6cf1f4beb97ed3653ab341e42a07627ea02fe2c

SHA256
fece895b55ff60c953d79ecc4469e4d523007bf888cff123dc6b247c88401190

SHA512
3f227a8ab6d60ab22c1c2386e05471b3a1a2413e3f841f788e9323814aefd9cbcd1414463c371756bbc287caa7f1d7712f27a3ba4bf9b8a214b9c73f35cb406e

Download Submit
C:\Windows\{404F839C-1092-4c23-8465-D73F5D722AEA}.exe

Filesize
380KB

MD5
6fef675977306d8e0f9c4c5fcde2a5d0

SHA1
572c5e9d9e4c1fde2a25da57ecc75471d2d31f93

SHA256
f174feecf73590ed40ead87d2633bbbae0e8f9cfadf3e4950d73e3c271382c4b

SHA512
907f2b13dc105e86a919c06d40d2f0be503e9381b51c4aa67bcdbdac485cb9a1f65ac1bfbb36b429344907e006d65a49dd78d7844714f0cc1d09d627ddf092ee

Download Submit
C:\Windows\{5AC607E5-3593-441d-85A5-0527E536F93E}.exe

Filesize
380KB

MD5
0588e7875558923f2a91c43a221f94d0

SHA1
1aaea9fb2616d5c4dbe3c19108071795533412d1

SHA256
b2b22386b0b8e6ac947aab379ae399860e33787758ea8bb28d1dd12bb998bb19

SHA512
c659b2728caee12cb51f575d9facb9d70c36fffbacf58f130b1140f9e0eaee206a026e758c04dc1d00ca650058208febf3530bd29d89e7b2967df6c33b9af84d

Download Submit
C:\Windows\{5EB11B11-20D6-4be1-86F2-A13CD2979223}.exe

Filesize
380KB

MD5
6563d7539d7eea3925ab7d9b55e0550f

SHA1
54a465ee97eed786c2e6af3bd0823d2faa8a4810

SHA256
f1393a296fc715165bc97028dc4cac734e144494179338823e27f3c0045a6e58

SHA512
aafc6f98e1b80e756cb473abfdd9b100755393fe42411571fb0a540c6b96f3d37d2a3350e7ea2eec44fb635b969d0f3c2acde57c2b73110635d8a2d360ae6115

Download Submit
C:\Windows\{667F8F8A-903A-4417-B1B3-07442D0EE1A1}.exe

Filesize
380KB

MD5
8b78106a4f80842a7b84bbefb1ad066c

SHA1
d8eec38b6f663116ad9f18a46b6a923fdc175ac4

SHA256
f1554fbd08afe98c2b130043c08e56a84fe81a05513f86354efd8828d41efa2a

SHA512
a660247fb08ff592e114828502ad39df49cddca4bfde72a97ff776de0c47d78d4dc0a03d74f2645c37077176bd4e7e0523e3209c924a1e1495770928486a6f8c

Download Submit
C:\Windows\{920FC977-DE36-4985-8F20-A9C4D3CB671C}.exe

Filesize
380KB

MD5
9671cfa6eff503c9188956c051d0bc34

SHA1
9d42b39d846a8b8c1403cf54e90ba6d3a8fcf29d

SHA256
a099054d1f446eaf3c7c947f8e973f3da8a0253235be1ccead3586eb9b7e662a

SHA512
9b585d0fb68306d51d5e0c8ae1bffa81bfc70ecf9eb8430e36d1ee954c13c16cdebd31d9b2e456ac2f56896dbc1ef25074c539308f95b9207af173c48f1cedcb

Download Submit
C:\Windows\{AD5BC3E5-EA4A-42f7-BFD2-F482E11B413C}.exe

Filesize
380KB

MD5
4007c731e535aeefb0658cb375af5cf8

SHA1
2393fb434aa5aa40ef9cbde9577cc3b4aa1cdfe0

SHA256
a1b15c507abedc1f04c967b06c49862ea6abd00435f44991847ff115d741a709

SHA512
3f13589ef7279a68c4bf28695e0e711f176b85f0778894f48cba4768ce7fce0216379eeae6ed783ae5ec52504d9558bc9b200dc2c8ba02b2d074d474dbe753f8

Download Submit
C:\Windows\{D5362A4B-3412-49bf-AF12-EB44C56B49A1}.exe

Filesize
380KB

MD5
d975394e30a5266c2ff2b3c558493dc5

SHA1
2ba297d874e21698ca00a75299c11f251955e345

SHA256
ee350f6650b62262ba7315f575b5701f4061814af422608795cb1488d26e87aa

SHA512
cf666f674764969685e6c3aba232212ae0fce32cd508a3a2f0e1101332a0cf703038c14c847691dd10ecf9620d4b487bbfd005f41799962ad2a0e00ff7c53c4e

Download Submit
C:\Windows\{EF6931D0-A72A-4dce-A514-04F368B22A44}.exe

Filesize
380KB

MD5
d9cbd746e5ac2779ab79956aaa4078ee

SHA1
e4a1f98536ce1ee1a270309d5aff114d567fb1c7

SHA256
919b3c7a393b8937d533c19f98de9d5329486c79f523926dada35592ad50f455

SHA512
813261ddac0e97b7979014ace5e56d0f475f0064b95730fed5be0f9c728d918f300a84442fbd526f0ccc15b793523d00688e355fa6bf00ce0e6b164ea0d0e23b

Download Submit
C:\Windows\{FA4E7DD9-DC30-4a98-8CB1-871BE9C7FE8D}.exe

Filesize
380KB

MD5
6592fdf4316845bf853ce6c11290241c

SHA1
15d8cbbf9b1f394fd3acf9c33e3954f1feafe746

SHA256
06ae07086b4edc2fafe0d24300d697832f4b3a2c8c37f4d752bee02e5aa16027

SHA512
ff21413943337830d00f29c114e3b68bda3dfb398247563219f668df78691c5cfe743da189cabeacd418829546760a9c6ab55034500079bfe5d50fe8f6f85ad9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads