8d984b1d51599164494fef7eb42084cbb1ad7d2b51c20276612bfce607b026bc

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Size

168KB
MD5

e7c18d74621e422be60148fd517eed27
SHA1

ad3e7c27d080c728ed3cb96dcd0dab499d4ea413
SHA256

8d984b1d51599164494fef7eb42084cbb1ad7d2b51c20276612bfce607b026bc
SHA512

03e4f61ffc0ade98c9a66db74fcbe3dd34f74d111497467746bfbc3bb04ce296762e73e6955e374e010cc6455d299839deaf629487812ef402a469b38ca6e72e
SSDEEP

1536:1EGh0oHlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oHlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}\stubpath = "C:\\Windows\\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe"	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}\stubpath = "C:\\Windows\\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe"	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}\stubpath = "C:\\Windows\\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe"	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}\stubpath = "C:\\Windows\\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe"	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}\stubpath = "C:\\Windows\\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe"	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A5678E4-513E-42da-AAF5-4D146D2779C0}\stubpath = "C:\\Windows\\{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe"	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39145E55-8120-4d1d-94FE-D9A2721F47CF}	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}\stubpath = "C:\\Windows\\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe"	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46E76773-C148-424d-A518-7F5B3D75C590}	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}\stubpath = "C:\\Windows\\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe"	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39145E55-8120-4d1d-94FE-D9A2721F47CF}\stubpath = "C:\\Windows\\{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe"	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46E76773-C148-424d-A518-7F5B3D75C590}\stubpath = "C:\\Windows\\{46E76773-C148-424d-A518-7F5B3D75C590}.exe"	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A5678E4-513E-42da-AAF5-4D146D2779C0}	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}\stubpath = "C:\\Windows\\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe"	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}\stubpath = "C:\\Windows\\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe"	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
3572	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
4124	{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
File created	C:\Windows\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
File created	C:\Windows\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
File created	C:\Windows\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
File created	C:\Windows\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
File created	C:\Windows\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
File created	C:\Windows\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
File created	C:\Windows\{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
File created	C:\Windows\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
File created	C:\Windows\{46E76773-C148-424d-A518-7F5B3D75C590}.exe	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
File created	C:\Windows\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
File created	C:\Windows\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
Token: SeIncBasePriorityPrivilege	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
Token: SeIncBasePriorityPrivilege	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
Token: SeIncBasePriorityPrivilege	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
Token: SeIncBasePriorityPrivilege	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
Token: SeIncBasePriorityPrivilege	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
Token: SeIncBasePriorityPrivilege	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
Token: SeIncBasePriorityPrivilege	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
Token: SeIncBasePriorityPrivilege	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
Token: SeIncBasePriorityPrivilege	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe
Token: SeIncBasePriorityPrivilege	3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
Token: SeIncBasePriorityPrivilege	3572	{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 216	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	93
PID 3688 wrote to memory of 216	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	93
PID 3688 wrote to memory of 216	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	93
PID 3688 wrote to memory of 2660	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	94
PID 3688 wrote to memory of 2660	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	94
PID 3688 wrote to memory of 2660	3688	2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe	94
PID 216 wrote to memory of 716	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	95
PID 216 wrote to memory of 716	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	95
PID 216 wrote to memory of 716	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	95
PID 216 wrote to memory of 1028	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	96
PID 216 wrote to memory of 1028	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	96
PID 216 wrote to memory of 1028	216	{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe	96
PID 716 wrote to memory of 4128	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	99
PID 716 wrote to memory of 4128	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	99
PID 716 wrote to memory of 4128	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	99
PID 716 wrote to memory of 2688	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	100
PID 716 wrote to memory of 2688	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	100
PID 716 wrote to memory of 2688	716	{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe	100
PID 4128 wrote to memory of 4472	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	101
PID 4128 wrote to memory of 4472	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	101
PID 4128 wrote to memory of 4472	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	101
PID 4128 wrote to memory of 1412	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	102
PID 4128 wrote to memory of 1412	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	102
PID 4128 wrote to memory of 1412	4128	{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe	102
PID 4472 wrote to memory of 3356	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	103
PID 4472 wrote to memory of 3356	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	103
PID 4472 wrote to memory of 3356	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	103
PID 4472 wrote to memory of 4052	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	104
PID 4472 wrote to memory of 4052	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	104
PID 4472 wrote to memory of 4052	4472	{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe	104
PID 3356 wrote to memory of 4344	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	105
PID 3356 wrote to memory of 4344	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	105
PID 3356 wrote to memory of 4344	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	105
PID 3356 wrote to memory of 2348	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	106
PID 3356 wrote to memory of 2348	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	106
PID 3356 wrote to memory of 2348	3356	{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe	106
PID 4344 wrote to memory of 2028	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	107
PID 4344 wrote to memory of 2028	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	107
PID 4344 wrote to memory of 2028	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	107
PID 4344 wrote to memory of 844	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	108
PID 4344 wrote to memory of 844	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	108
PID 4344 wrote to memory of 844	4344	{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe	108
PID 2028 wrote to memory of 4400	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	109
PID 2028 wrote to memory of 4400	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	109
PID 2028 wrote to memory of 4400	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	109
PID 2028 wrote to memory of 2176	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	110
PID 2028 wrote to memory of 2176	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	110
PID 2028 wrote to memory of 2176	2028	{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe	110
PID 4400 wrote to memory of 2460	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	111
PID 4400 wrote to memory of 2460	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	111
PID 4400 wrote to memory of 2460	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	111
PID 4400 wrote to memory of 3412	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	112
PID 4400 wrote to memory of 3412	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	112
PID 4400 wrote to memory of 3412	4400	{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe	112
PID 2460 wrote to memory of 3684	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	113
PID 2460 wrote to memory of 3684	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	113
PID 2460 wrote to memory of 3684	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	113
PID 2460 wrote to memory of 5020	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	114
PID 2460 wrote to memory of 5020	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	114
PID 2460 wrote to memory of 5020	2460	{46E76773-C148-424d-A518-7F5B3D75C590}.exe	114
PID 3684 wrote to memory of 3572	3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe	115
PID 3684 wrote to memory of 3572	3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe	115
PID 3684 wrote to memory of 3572	3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe	115
PID 3684 wrote to memory of 220	3684	{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-06_e7c18d74621e422be60148fd517eed27_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
  C:\Windows\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
    C:\Windows\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
      C:\Windows\{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Windows\{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
        
        C:\Windows\{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
        
        C:\Windows\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
        
        C:\Windows\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
        
        C:\Windows\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
        
        C:\Windows\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{46E76773-C148-424d-A518-7F5B3D75C590}.exe
        
        C:\Windows\{46E76773-C148-424d-A518-7F5B3D75C590}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
        
        C:\Windows\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
        
        C:\Windows\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe
        
        C:\Windows\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58389~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71B9F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E76~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EE8B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE159~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1C26~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{897C8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39145~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A567~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{410F3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C70B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{39145E55-8120-4d1d-94FE-D9A2721F47CF}.exe

Filesize
168KB

MD5
c91a2b7c2be673404ac20ba77caf35a9

SHA1
0735f2b509b5e69da1774a9ba02af8c517aa0859

SHA256
c9d1d54d2c1d5908bc13aee4dee49e616a522b3d27a8e165979d6abc95ea437f

SHA512
06ccadbd0bee9270283f84f7c80ecdd7e7f7fce893a95f25046db20eeb80989ddb85ee701cf2346bce35eef1ff55d346ce46dda8237349ca74076743c736534a

Download Submit
C:\Windows\{410F3D9B-9A0D-4ded-91CC-63FDEA81925C}.exe

Filesize
168KB

MD5
29feceedb2b3461f189591b53f3ec9ae

SHA1
3d2d56b51375babd0de749c1b1780f9738d35ce9

SHA256
3e63d57753d0f1816461ab4e197bea61defb377edb8ea9626b22474587eb701e

SHA512
ab0e88e3cd3aed8e725145b3b4b87bffead909fe9781b9f97b547003e11781f0403ab23d0f46e83e2d57ae7aadea58af21fce203ed78d458753904a8e55a7ab4

Download Submit
C:\Windows\{46E76773-C148-424d-A518-7F5B3D75C590}.exe

Filesize
168KB

MD5
e95f51b2761c064f897d73233dbae119

SHA1
9fde45cb2c895b38a62c3131ec8a8bfb5837de02

SHA256
1063d285ab5708b7c4708bdec4cc89bd03821149efefd7d0ce92f61e73be68d1

SHA512
777905a0472be49bad765d9e05d139fddc20db4af06d48e0a9dacb3669d8dea36923097653ec257f17d9cb962d9ac26ebff16a689980482aa66cd1a365aa9e5b

Download Submit
C:\Windows\{5838920D-70A7-4ce2-BC8E-94811FEB60C0}.exe

Filesize
168KB

MD5
0a32b9c25719326c11dea42a7caa25a0

SHA1
37b084029fc42f49d41bb3be4de1990e699556ea

SHA256
020acd184397c49e788418c66497ef68fb37c1f4bef4289e466b8ac6bff1ecfa

SHA512
3028afd28e27b0c58b50f503e4164da7a3552443d1c1a364f3946bdd572d4019c939f23ff5a798785b96467f3231d286a431de3e16659098f8bb38e20d032d43

Download Submit
C:\Windows\{5A5678E4-513E-42da-AAF5-4D146D2779C0}.exe

Filesize
168KB

MD5
8ccc5c18d938c6d22b078332690ed413

SHA1
b1d96d50b7bf259d09400617cbaf10e48b757ec4

SHA256
adbbe52e690b9d7a524c5604a4cb371be3075c6e5117f0f47532e671dd67bdd0

SHA512
c6276eb0046e9502e1c63cdd812659656da596c3520cd1d5cc97a929aa5323a022d34b0707c7c8086f57aecf990bca82c5aba2eb7eac61c8825a66a8f82e50d9

Download Submit
C:\Windows\{71B9F29B-9B8B-4dba-8781-5B25CAF167AE}.exe

Filesize
168KB

MD5
0e5e2d67d6dfe36e9d1e821983cdc654

SHA1
a4f3abf93e566a17727f617ab4f844eeb1262c44

SHA256
aff430f2cade2b4f68c4a1fe77b177012072bc1770d7b050144e00badbf20380

SHA512
101b1733f3b2f18469913b7e48b248428dbf7a6ac19e5b873f91cc8b276abd0cd65c723d8e43c64cf9a4440c432ceaa093f0e9cea27aee8958e99a3960cd083e

Download Submit
C:\Windows\{7EE8B8EA-2C19-4a49-9D76-7448617AFB22}.exe

Filesize
168KB

MD5
f3403d94d09c5468e8dbde4e89781c80

SHA1
0f185201230918d5099440438d42a7b21075b160

SHA256
d6b64f8c47a9284d2342155cb2e5f7d50ca969bbbe1d12dbdc04f322e25b530a

SHA512
2624ee0bd66f8692d0d765cda718838957ac94b167f0ec27f90429047713929f4e0278977152e983066235e68f43fca0cf747b7fd49497773f314caf33a7ecd8

Download Submit
C:\Windows\{897C8A7F-B95F-45eb-B922-8DE4FE4E5AC4}.exe

Filesize
168KB

MD5
b9bdcd0dd4a85753032ba15289886320

SHA1
317e31ddf1e499f97bbceefd7ec1ead4d9c0fd93

SHA256
e2e0e31e722c4be14dbe1ff4daced4720c45ede99a8d44bb9ddd4abbc2fca0f8

SHA512
3fa9fd3493857ae8125917279e518e5c34e0b2ac16f3799e59a973f627e21e76400dc3153d7121465eb1705dc9a42ab660567165f787f0123dd877ccdc631df9

Download Submit
C:\Windows\{9C70B513-0467-4c8a-96B0-5A8533EB3C54}.exe

Filesize
168KB

MD5
2ff3041b23d2df6978d012518171bc09

SHA1
516475e6e8a15e0dc3a3516fdf2734dcbc553e4e

SHA256
1a4b998055457b187f1e725a868837a6cc1febf640a671fdd7bf5e8f92304fea

SHA512
5e5b811d2dcee805564185dd229a5c1c06aefe2f5a80c76155099988c61315114db8c7644559f48789cf7d3b09c403a92a4b496d4f47fb62357052641a68fd3b

Download Submit
C:\Windows\{D7EADA48-94DB-47d2-97C5-DD32E9F9CF8C}.exe

Filesize
168KB

MD5
ca2a4d5bb599fc333515b84e04761761

SHA1
782d85e8cdd1bbcc1a3de1cc9572f88a1ad27c7b

SHA256
d2c13c22b03774e5cd778fa2c13abfbad0d9ca336ded64e2a93171389caea1dd

SHA512
42a9472a06f3796560900c9aca4e6234a56c22690c816e9799d1d8b718cc6f5c7d7e174c427e279a3b222dd1a084ea866ed52cddeaa3f8e5f5021aa2d1a81724

Download Submit
C:\Windows\{E1C26D90-EDEA-42f2-80AA-F3A719346E5C}.exe

Filesize
168KB

MD5
bb1c8e1dc93adc395fbaf790940b94cc

SHA1
6ba5f384b1bb67af0d6c0a9205e30d43bb9184a7

SHA256
0bf8dc78701547922d23aca2471328559062ed1fcca7db627389df69c2eac1c3

SHA512
a0f47dbde6b83cd41b36cdadddc3590144300cb4e2aa55e92cd7369c99cc7e0c39680ce2c7f37562a68e72dcbfeeaa8d2136d71d47011ba9325e0583f80c1b73

Download Submit
C:\Windows\{EE159CD9-44C6-4b15-9A43-F7E2E9D5433F}.exe

Filesize
168KB

MD5
f678e1c1afd2d00dcf909fc9a9a4414d

SHA1
9b8768e8914286051dd61d519d7cc77467c85b33

SHA256
f868880c51f2381da8960de198c54a23a807f097c70af9f60fd6d80c21679048

SHA512
00350a9d166b3870fd6a18dce6be1f03f23c1b4d2b54147f62139126a39420ebe15e1f046a353338bb95d629a90472f113f80dcbeb2300ce92c680fb44391126

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads