fc586aea901d331d1e9579ca921203e25ff3f3a4f560bc6357621362ba763920

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
Size

168KB
MD5

50c2f92e85649b813ed0c8e7d6a689b7
SHA1

2cba6bf5c61d1a8fdd1925a77c415dec6cb2745d
SHA256

fc586aea901d331d1e9579ca921203e25ff3f3a4f560bc6357621362ba763920
SHA512

420c1e557229732e95252f30eefc20fa3598f40570ad4db3115eaa3d1d6bf6eeca54f1e4435c0e1a7228c3ac90893e0a102bc9fcdb1e88053dff1008370cab80
SSDEEP

1536:1EGh0orli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orliOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1794C616-437F-4d87-B4FF-84FE81887126}\stubpath = "C:\\Windows\\{1794C616-437F-4d87-B4FF-84FE81887126}.exe"	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8787F8-D08D-4c72-8530-010B24DD9713}	{1794C616-437F-4d87-B4FF-84FE81887126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}\stubpath = "C:\\Windows\\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe"	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1794C616-437F-4d87-B4FF-84FE81887126}	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD27AF60-E29F-4658-997B-08988CBB5E41}	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91EF5C60-0946-401a-AE2E-64AD9379A261}	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91EF5C60-0946-401a-AE2E-64AD9379A261}\stubpath = "C:\\Windows\\{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe"	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B64BC7-634B-4247-9227-2510F77DEDE3}	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}\stubpath = "C:\\Windows\\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe"	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD27AF60-E29F-4658-997B-08988CBB5E41}\stubpath = "C:\\Windows\\{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe"	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}\stubpath = "C:\\Windows\\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe"	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C44214C-A710-4588-9222-00AC6F138370}\stubpath = "C:\\Windows\\{9C44214C-A710-4588-9222-00AC6F138370}.exe"	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C44214C-A710-4588-9222-00AC6F138370}	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45171B6-48E8-433e-982A-30874E00F67C}	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45171B6-48E8-433e-982A-30874E00F67C}\stubpath = "C:\\Windows\\{E45171B6-48E8-433e-982A-30874E00F67C}.exe"	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}\stubpath = "C:\\Windows\\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe"	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B64BC7-634B-4247-9227-2510F77DEDE3}\stubpath = "C:\\Windows\\{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe"	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8787F8-D08D-4c72-8530-010B24DD9713}\stubpath = "C:\\Windows\\{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe"	{1794C616-437F-4d87-B4FF-84FE81887126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}\stubpath = "C:\\Windows\\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe"	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe
4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
4600	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
5068	{9C44214C-A710-4588-9222-00AC6F138370}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
File created	C:\Windows\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
File created	C:\Windows\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
File created	C:\Windows\{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
File created	C:\Windows\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
File created	C:\Windows\{9C44214C-A710-4588-9222-00AC6F138370}.exe	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
File created	C:\Windows\{E45171B6-48E8-433e-982A-30874E00F67C}.exe	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
File created	C:\Windows\{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
File created	C:\Windows\{1794C616-437F-4d87-B4FF-84FE81887126}.exe	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
File created	C:\Windows\{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	{1794C616-437F-4d87-B4FF-84FE81887126}.exe
File created	C:\Windows\{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
File created	C:\Windows\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C44214C-A710-4588-9222-00AC6F138370}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1794C616-437F-4d87-B4FF-84FE81887126}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
Token: SeIncBasePriorityPrivilege	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe
Token: SeIncBasePriorityPrivilege	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
Token: SeIncBasePriorityPrivilege	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
Token: SeIncBasePriorityPrivilege	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
Token: SeIncBasePriorityPrivilege	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe
Token: SeIncBasePriorityPrivilege	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
Token: SeIncBasePriorityPrivilege	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
Token: SeIncBasePriorityPrivilege	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
Token: SeIncBasePriorityPrivilege	744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
Token: SeIncBasePriorityPrivilege	4600	{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1760	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	94
PID 4120 wrote to memory of 1760	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	94
PID 4120 wrote to memory of 1760	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	94
PID 4120 wrote to memory of 4900	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	95
PID 4120 wrote to memory of 4900	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	95
PID 4120 wrote to memory of 4900	4120	2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe	95
PID 1760 wrote to memory of 1072	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	96
PID 1760 wrote to memory of 1072	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	96
PID 1760 wrote to memory of 1072	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	96
PID 1760 wrote to memory of 364	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	97
PID 1760 wrote to memory of 364	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	97
PID 1760 wrote to memory of 364	1760	{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe	97
PID 1072 wrote to memory of 5040	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	100
PID 1072 wrote to memory of 5040	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	100
PID 1072 wrote to memory of 5040	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	100
PID 1072 wrote to memory of 3168	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	101
PID 1072 wrote to memory of 3168	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	101
PID 1072 wrote to memory of 3168	1072	{E45171B6-48E8-433e-982A-30874E00F67C}.exe	101
PID 5040 wrote to memory of 400	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	102
PID 5040 wrote to memory of 400	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	102
PID 5040 wrote to memory of 400	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	102
PID 5040 wrote to memory of 5112	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	103
PID 5040 wrote to memory of 5112	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	103
PID 5040 wrote to memory of 5112	5040	{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe	103
PID 400 wrote to memory of 2456	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	104
PID 400 wrote to memory of 2456	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	104
PID 400 wrote to memory of 2456	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	104
PID 400 wrote to memory of 4524	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	105
PID 400 wrote to memory of 4524	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	105
PID 400 wrote to memory of 4524	400	{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe	105
PID 2456 wrote to memory of 1672	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	106
PID 2456 wrote to memory of 1672	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	106
PID 2456 wrote to memory of 1672	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	106
PID 2456 wrote to memory of 3084	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	107
PID 2456 wrote to memory of 3084	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	107
PID 2456 wrote to memory of 3084	2456	{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe	107
PID 1672 wrote to memory of 4868	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	108
PID 1672 wrote to memory of 4868	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	108
PID 1672 wrote to memory of 4868	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	108
PID 1672 wrote to memory of 4988	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	109
PID 1672 wrote to memory of 4988	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	109
PID 1672 wrote to memory of 4988	1672	{1794C616-437F-4d87-B4FF-84FE81887126}.exe	109
PID 4868 wrote to memory of 2052	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	110
PID 4868 wrote to memory of 2052	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	110
PID 4868 wrote to memory of 2052	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	110
PID 4868 wrote to memory of 3200	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	111
PID 4868 wrote to memory of 3200	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	111
PID 4868 wrote to memory of 3200	4868	{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe	111
PID 2052 wrote to memory of 3260	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	112
PID 2052 wrote to memory of 3260	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	112
PID 2052 wrote to memory of 3260	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	112
PID 2052 wrote to memory of 3032	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	113
PID 2052 wrote to memory of 3032	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	113
PID 2052 wrote to memory of 3032	2052	{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe	113
PID 3260 wrote to memory of 744	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	114
PID 3260 wrote to memory of 744	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	114
PID 3260 wrote to memory of 744	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	114
PID 3260 wrote to memory of 1872	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	115
PID 3260 wrote to memory of 1872	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	115
PID 3260 wrote to memory of 1872	3260	{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe	115
PID 744 wrote to memory of 4600	744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe	116
PID 744 wrote to memory of 4600	744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe	116
PID 744 wrote to memory of 4600	744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe	116
PID 744 wrote to memory of 4092	744	{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_50c2f92e85649b813ed0c8e7d6a689b7_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
  C:\Windows\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\{E45171B6-48E8-433e-982A-30874E00F67C}.exe
    C:\Windows\{E45171B6-48E8-433e-982A-30874E00F67C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
      C:\Windows\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
        
        C:\Windows\{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
        
        C:\Windows\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{1794C616-437F-4d87-B4FF-84FE81887126}.exe
        
        C:\Windows\{1794C616-437F-4d87-B4FF-84FE81887126}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
        
        C:\Windows\{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
        
        C:\Windows\{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
        
        C:\Windows\{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
        
        C:\Windows\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
        
        C:\Windows\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\{9C44214C-A710-4588-9222-00AC6F138370}.exe
        
        C:\Windows\{9C44214C-A710-4588-9222-00AC6F138370}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5558D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F535D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91EF5~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD27A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C878~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1794C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB13~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B64~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEEF4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4517~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B80BA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1794C616-437F-4d87-B4FF-84FE81887126}.exe

Filesize
168KB

MD5
77ef92feeaf059913e0bf223250a4cb3

SHA1
52afcf185a3cc71a976819e299c4ca6974b460e8

SHA256
f838c47298cd00dbde6a83ebc842d2407e1184e2e55a635b3b8b5be609d9a366

SHA512
e8a48927860c1a27307e3291e59dbdcb3750c12bc341a8995e5f8fbb2fb7c150bd71c24bd51b34c262886f2cb34eb274683171b8b861bab4e6bb6c78d008568f

Download Submit
C:\Windows\{2AB135C3-EA8D-43f7-997D-1510BF2FA4F3}.exe

Filesize
168KB

MD5
85c6a80ed6b582f61ceb38def6a58e9a

SHA1
ed8516a96b3f9b167ffffdd41c72b96cd655ea31

SHA256
24087b9c51b0ceb0fb08dbac8e53dad0862e7c5fd57ada567e785d4978dfd841

SHA512
ae56c6cfae908f4c258acd5d515191e811c9206dcd391a7db3c5ee17c87299693010b792f5e595e838c11b22c61708acfad4af0203a4f1463f71ddfd2c65ea8d

Download Submit
C:\Windows\{45B64BC7-634B-4247-9227-2510F77DEDE3}.exe

Filesize
168KB

MD5
39ce57744363375f22f8ba80e91985af

SHA1
65569a15e254ab5afce3e9f686d87fd516431f12

SHA256
c54760371b5fb1fa8cafd594fea69be818bcd967d898c6a99970515cdd0106e1

SHA512
8196d7efb2c4bf5e56b4779f297797e7c7b6cae5886fbf8deaccea08b2d374dbf5b31437d04125ea0d6c75868d6eedeab6b54163ff20b57e8f0c190daf64bde8

Download Submit
C:\Windows\{5558D3D9-5914-4eb7-8364-9F0D4E3836A1}.exe

Filesize
168KB

MD5
bd9d5b64e4689ab0fa7d6083a3260d35

SHA1
113004c4ee63db35b55092b1bd46b7e933dcc9f8

SHA256
650d7811a44841834f509bc2a4ef78d62574492745e2ef24eb73559cf75ccdcb

SHA512
5da0c7d771f312e586f9a56b4741b3a2420a2b73592d63c7ce2cb7cc4df911058f53b63c86acea7c2ceb10ad0785591618a4db59102acd3970edcbbe7021be71

Download Submit
C:\Windows\{91EF5C60-0946-401a-AE2E-64AD9379A261}.exe

Filesize
168KB

MD5
ccd9d0fae9ad1d82c480584e3bfb3690

SHA1
0b8137448dde7c96371c788538541326cf2e3d62

SHA256
a5c9f3271af295e8d16eec52b2e0b1327961025a3855083898b5092b5f4c5ce4

SHA512
c57adb53e8842c22cc0b9be133d98deb32feabf9ac60a6743081cb2daeb79d2ac682446a1c17c8b56f374f59c1e28ce9e3b5fab8af6f87eece2c81a3048ae83a

Download Submit
C:\Windows\{9C44214C-A710-4588-9222-00AC6F138370}.exe

Filesize
168KB

MD5
c3fcc5a1c8607e1178a357480a92e4d8

SHA1
d88f35efd5034b4ec6ba7606aba9ee93536a821e

SHA256
fe7dd3edb11194bad773499180540555aa3de533d19304545c4b731f5194efb9

SHA512
b97be8740453d9436d3c5a6f93e561eb40b0e7bdcdf4632655e3444c91961ba2a07f67330d4dc7ffd1170dd34dfde4668905f8146c615487b4af6443ab6f60c6

Download Submit
C:\Windows\{9C8787F8-D08D-4c72-8530-010B24DD9713}.exe

Filesize
168KB

MD5
740d39551cff03b67faee113f6ffd1b4

SHA1
4bee9217133c3e4398aaced7b8a3d032495bdfd3

SHA256
440405c2c2a3291fa93756cde6346e910ecf5629875fb6133cb9c2c8b1d12262

SHA512
ef5b63dff67b017fa38b82a88b4128b24ce6fc66e2a6d89fa004890bf76546c54beac91a2ea9db1ec4637339d66589ef5ecdfcbd1946995fd12d80125c59df7b

Download Submit
C:\Windows\{B80BAB8A-520B-41ba-81A8-A13C1D80B3BD}.exe

Filesize
168KB

MD5
1c1a853d9c0bd858e9c25ae73b6c01e6

SHA1
099e13c97119e292e80dd4db518a3592c32b2b25

SHA256
a437135387b75448759e35f27f0ca8fbfc1d363862044afca1c561a99669895f

SHA512
489c02201987153a32843052550112cbbafcae4b061de9a8df4243179bf5b83a0e4d05bf55ed0cd809fcb8b958f72946ba8cdb8f5a7f2954cc177c1fb4ad8c7c

Download Submit
C:\Windows\{DD27AF60-E29F-4658-997B-08988CBB5E41}.exe

Filesize
168KB

MD5
f79c7dcaf0c084e86bf7f59b21ed6bab

SHA1
ba36eeddbae4d623e33f6a4cbe014bb4d2a1214d

SHA256
ff5c164c3f93780f60bafe049a6b1cf12a616f4eb2f1dfc41581c5437acef6be

SHA512
5d8e7de12810d21422d3b4c74b3b770b4d789113202e6d384c2686da75898411912f18043fcf61e8219ef25c62fe079b9d6062708485c53c86be80c4ece9aa38

Download Submit
C:\Windows\{E45171B6-48E8-433e-982A-30874E00F67C}.exe

Filesize
168KB

MD5
07119981a65e508a7d313d4edaaf8098

SHA1
9e2a783645dcfd07579d713bb65a930a3476eae8

SHA256
3a8413de7fb56f7fc1ffd8e9fa8df131b1c66135508ab960612b8faf4b991fec

SHA512
438a3638d20f25210c395975d4612a660321b9ca3320cf542d25fb53050beb4f920cb0648d281ac0c0116da357563cfcee278a61feba07448f514d3167f8af5f

Download Submit
C:\Windows\{EEEF4750-8CAA-413c-B8CB-35EDC7C26B8A}.exe

Filesize
168KB

MD5
410ae87fbea455dec20e5eda9128859e

SHA1
89ec26c1bcf3a33658da962a022bc98cf9fe4f0c

SHA256
ad0f89e468880f34b1246f298d715db76f96b0c6fa1f43e90e1b2c15ebd4f86c

SHA512
88c0cbb69cb8f7e5d0deba3363707d5eed88ce36ed6b465528839f26b8533d857bb10bc7f356fd9965669e9003603dc254805ff20f326fa69da410f44111ff97

Download Submit
C:\Windows\{F535D0D9-B055-4fa4-937D-BD8B6F86D52A}.exe

Filesize
168KB

MD5
0e604140bc11451fa63af14e26f61cde

SHA1
e1427f060adbcc9e522e9804dc009fac771b352c

SHA256
b86cc4f08d1e976e28ec81215f1770e97711aa6f473cd5c77832da9f8b2dcd4d

SHA512
7f842080ce87ff7b077e4e9c10dfe5d65b8e2b129e2e55c52413dfb0afeceef3d8591f4e03740602c7765a02421ce6df779d9079181e74f9f0baef23f4e54715

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads