85215d9138ce57e501e742ad561460b9f08df73de4299bec8a6caffec743711f

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
Size

344KB
MD5

98482feaf9eb3d76a570fb5749b9cdec
SHA1

4cc36f3ea4dde25dfcb1a216ad95b39cf859c09f
SHA256

85215d9138ce57e501e742ad561460b9f08df73de4299bec8a6caffec743711f
SHA512

e9fb4e971949ab1c53eab8c846af963795bf4be1bd8dfb80566a67004805bc1c205a794b24f624cb3f5d4c6bdaf182a55c2a02957b07ccac0e42c90a612d589e
SSDEEP

3072:mEGh0oIlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG6lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816A3E92-47FA-4094-ACB4-C1923E93584C}\stubpath = "C:\\Windows\\{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe"	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}\stubpath = "C:\\Windows\\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe"	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFA478D-3D7D-4ba0-A339-112246C1223F}	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}\stubpath = "C:\\Windows\\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe"	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EF21A1-7061-4859-A358-D19F5852926E}	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}\stubpath = "C:\\Windows\\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe"	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}\stubpath = "C:\\Windows\\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe"	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}\stubpath = "C:\\Windows\\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe"	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}\stubpath = "C:\\Windows\\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe"	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3471A138-E46C-4204-BD59-2D85F9646E35}	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816A3E92-47FA-4094-ACB4-C1923E93584C}	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}\stubpath = "C:\\Windows\\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe"	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31EF21A1-7061-4859-A358-D19F5852926E}\stubpath = "C:\\Windows\\{31EF21A1-7061-4859-A358-D19F5852926E}.exe"	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BFA478D-3D7D-4ba0-A339-112246C1223F}\stubpath = "C:\\Windows\\{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe"	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3471A138-E46C-4204-BD59-2D85F9646E35}\stubpath = "C:\\Windows\\{3471A138-E46C-4204-BD59-2D85F9646E35}.exe"	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}\stubpath = "C:\\Windows\\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe"	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe

Executes dropped EXE 12 IoCs

pid	Process
764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
1776	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
5016	{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
File created	C:\Windows\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
File created	C:\Windows\{31EF21A1-7061-4859-A358-D19F5852926E}.exe	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
File created	C:\Windows\{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
File created	C:\Windows\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
File created	C:\Windows\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
File created	C:\Windows\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
File created	C:\Windows\{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
File created	C:\Windows\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
File created	C:\Windows\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
File created	C:\Windows\{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
File created	C:\Windows\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
Token: SeIncBasePriorityPrivilege	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
Token: SeIncBasePriorityPrivilege	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
Token: SeIncBasePriorityPrivilege	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
Token: SeIncBasePriorityPrivilege	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
Token: SeIncBasePriorityPrivilege	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe
Token: SeIncBasePriorityPrivilege	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
Token: SeIncBasePriorityPrivilege	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
Token: SeIncBasePriorityPrivilege	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
Token: SeIncBasePriorityPrivilege	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
Token: SeIncBasePriorityPrivilege	2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
Token: SeIncBasePriorityPrivilege	1776	{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 764	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	94
PID 1956 wrote to memory of 764	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	94
PID 1956 wrote to memory of 764	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	94
PID 1956 wrote to memory of 1248	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	95
PID 1956 wrote to memory of 1248	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	95
PID 1956 wrote to memory of 1248	1956	2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe	95
PID 764 wrote to memory of 4488	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	96
PID 764 wrote to memory of 4488	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	96
PID 764 wrote to memory of 4488	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	96
PID 764 wrote to memory of 3060	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	97
PID 764 wrote to memory of 3060	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	97
PID 764 wrote to memory of 3060	764	{3471A138-E46C-4204-BD59-2D85F9646E35}.exe	97
PID 4488 wrote to memory of 2980	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	100
PID 4488 wrote to memory of 2980	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	100
PID 4488 wrote to memory of 2980	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	100
PID 4488 wrote to memory of 4528	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	101
PID 4488 wrote to memory of 4528	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	101
PID 4488 wrote to memory of 4528	4488	{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe	101
PID 2980 wrote to memory of 4800	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	102
PID 2980 wrote to memory of 4800	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	102
PID 2980 wrote to memory of 4800	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	102
PID 2980 wrote to memory of 2276	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	103
PID 2980 wrote to memory of 2276	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	103
PID 2980 wrote to memory of 2276	2980	{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe	103
PID 4800 wrote to memory of 3364	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	104
PID 4800 wrote to memory of 3364	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	104
PID 4800 wrote to memory of 3364	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	104
PID 4800 wrote to memory of 548	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	105
PID 4800 wrote to memory of 548	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	105
PID 4800 wrote to memory of 548	4800	{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe	105
PID 3364 wrote to memory of 2320	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	106
PID 3364 wrote to memory of 2320	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	106
PID 3364 wrote to memory of 2320	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	106
PID 3364 wrote to memory of 4352	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	107
PID 3364 wrote to memory of 4352	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	107
PID 3364 wrote to memory of 4352	3364	{31EF21A1-7061-4859-A358-D19F5852926E}.exe	107
PID 2320 wrote to memory of 4460	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	108
PID 2320 wrote to memory of 4460	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	108
PID 2320 wrote to memory of 4460	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	108
PID 2320 wrote to memory of 4720	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	109
PID 2320 wrote to memory of 4720	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	109
PID 2320 wrote to memory of 4720	2320	{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe	109
PID 4460 wrote to memory of 2456	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	110
PID 4460 wrote to memory of 2456	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	110
PID 4460 wrote to memory of 2456	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	110
PID 4460 wrote to memory of 4824	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	111
PID 4460 wrote to memory of 4824	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	111
PID 4460 wrote to memory of 4824	4460	{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe	111
PID 2456 wrote to memory of 3792	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	112
PID 2456 wrote to memory of 3792	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	112
PID 2456 wrote to memory of 3792	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	112
PID 2456 wrote to memory of 1836	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	113
PID 2456 wrote to memory of 1836	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	113
PID 2456 wrote to memory of 1836	2456	{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe	113
PID 3792 wrote to memory of 2348	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	114
PID 3792 wrote to memory of 2348	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	114
PID 3792 wrote to memory of 2348	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	114
PID 3792 wrote to memory of 1264	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	115
PID 3792 wrote to memory of 1264	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	115
PID 3792 wrote to memory of 1264	3792	{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe	115
PID 2348 wrote to memory of 1776	2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe	116
PID 2348 wrote to memory of 1776	2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe	116
PID 2348 wrote to memory of 1776	2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe	116
PID 2348 wrote to memory of 4456	2348	{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_98482feaf9eb3d76a570fb5749b9cdec_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
  C:\Windows\{3471A138-E46C-4204-BD59-2D85F9646E35}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
    C:\Windows\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
      C:\Windows\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
        
        C:\Windows\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\{31EF21A1-7061-4859-A358-D19F5852926E}.exe
        
        C:\Windows\{31EF21A1-7061-4859-A358-D19F5852926E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
        
        C:\Windows\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
        
        C:\Windows\{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
        
        C:\Windows\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
        
        C:\Windows\{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
        
        C:\Windows\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
        
        C:\Windows\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe
        
        C:\Windows\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73D76~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{835D0~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{816A3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D9E0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BFA4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7EF3~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31EF2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CDF4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30055~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6D68B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3471A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BFA478D-3D7D-4ba0-A339-112246C1223F}.exe

Filesize
344KB

MD5
a81cb21b2fb3694dcc5128e57f2627d3

SHA1
e054c074d036401aaebe12d1e0486a1cd426cc61

SHA256
cd0df23be8074c15c4ce31ffb6c092503fb54e1d8196e20c2f2fcd8f6951833d

SHA512
762ca4ccd8738ac5e1c5636a72e6245b701176080c8fa0f672d767a13597b369719482d08784fe5f1df7b33e88adca8db22b7b82bb6dece9c4efe1afc3128241

Download Submit
C:\Windows\{300553E8-F2BD-4bba-8C86-65BF99A91E7B}.exe

Filesize
344KB

MD5
9d18d4d3b97b19a3ee8276003b0551b7

SHA1
702d2e0297d65bfbaca20917b7ecd61307fc7726

SHA256
5411e923ef32bb3d074af04bfefe132ad1f01efe417c916370cde75890ee1412

SHA512
5ad672621c33636ef934e2c75f74327eb1593a8026c5735019312e4036979fdf70b06f9f811d5f516fe10bfeaf16c16a874e222b208059c2231cbf5a95e52699

Download Submit
C:\Windows\{31EF21A1-7061-4859-A358-D19F5852926E}.exe

Filesize
344KB

MD5
97c4f4dac4e7b9bca9bd23c136464cd0

SHA1
9db47f44b797c7e393cf1d9b8ae8d0ea3940e3ab

SHA256
5384cf75c65439b4a3be25beb4ec64199360fb3449fa5ae369bb8d74b92e5f70

SHA512
c4c90caf6c4662ae044ea7b492f3e7e670fbad2ec005ecf28ca18e7a9104cacf9a85442245d7d529d1cd374f53c6f26cdd2520d03dfb7daaee19b7d005cdb312

Download Submit
C:\Windows\{3471A138-E46C-4204-BD59-2D85F9646E35}.exe

Filesize
344KB

MD5
9a7ccd1c378d0d613c7f41eb9bf5245d

SHA1
ac53fa6a1bda50bc1074c80955243da432faac32

SHA256
f105b229354960c67903f60664dbd6f1c11ef0f729f1d34ee6ae47fda380e348

SHA512
a26a3ad3c0c6fa0535836a9c2b6f6fb318c8c5220a03ad543ece32c0013ec31c061bff42bcff477efac1427b3123a148201621829ce3fcbafa6804bc7519fd7f

Download Submit
C:\Windows\{3D9E009A-E1EE-4e11-9784-2AD98FD0FA95}.exe

Filesize
344KB

MD5
eab340f896ac214fb62d12ebd6808e01

SHA1
b023dc66d84e3c14ff376a28859cdc34576231fe

SHA256
2afb98242b75ce382ce135498845bc69bb2b45eaa75612f0eab2c064baf9e9aa

SHA512
6ac4d9a28cf7aed1f05b28adc1efecb9a51f5d734aec6c367ab43d93ce9ec0bd66b259df6066247742ed72201403f06e834336d92ade3fec4b1313f07f609581

Download Submit
C:\Windows\{6D68BA0B-B7B6-4e47-8949-65AADBE39816}.exe

Filesize
344KB

MD5
0906d869107dfb8e283fd27f2ee2cb84

SHA1
592a958729f5c24123b1b7ddb844108390132bce

SHA256
431b56a544fc4727f239ba795f27b6813f511460ba619ec51260bb3b48329a93

SHA512
968a918e8fa223aa3fac0a5f724afe70785c9cec036acee638f2d1431e262137d4795eb37cfd64cb47ca7cfd58fea5c0d1b0f723abfce3bc7fad82ed00f79f31

Download Submit
C:\Windows\{73D76F9F-8CED-47d6-9BAC-36572D32A4E3}.exe

Filesize
344KB

MD5
cb8aefe459c0262ea14031ba186be7cc

SHA1
3bbe884b9b0abd6113be4fa4eed592aa193a6d44

SHA256
00ce090d368af27e8cddf952c94c0cd6ac0528260862e37cee10f6c300726b63

SHA512
56a14c49b0583461d114cd5f97620a1e6cb817b5dfe9f6ab5ffb42869f52203ca5d5b181f87338eb47749966ae04fd2ebc10d888c72754e50ecb059f8411ea74

Download Submit
C:\Windows\{7CDF400B-01CD-4b55-B3A7-176CFB6BF07E}.exe

Filesize
344KB

MD5
82785f330b10ab001cda3af19afc1cd2

SHA1
244dada979c5da0b528ba015b0728802e9ed65f4

SHA256
b9f6b4f8ac5a944e851905ae59bc447e84be1cc5422b4f08e4d733b2c6b88c17

SHA512
24d84a3961cb4666efde5b5771a1bbb0b9a5ea42c876cbf2fcb77bfe7c15247ed62fdfdd73ea0580b6c8fc088412302390db2fb4607143f0ca326f07eaf64b2f

Download Submit
C:\Windows\{816A3E92-47FA-4094-ACB4-C1923E93584C}.exe

Filesize
344KB

MD5
a06af84e3ae93d37ce5e51286be36aae

SHA1
037a315ffc31f351170979145fda68e8a91d0ed0

SHA256
d28d2aa4f6a0be7beb0a3a7e47bea6203cf77cf0d5b788e8c23959036719c6e3

SHA512
92d24b6833e1ce903ada0a61054b8364a31532c8dfb70f30e91ffc82b0cd4f8272377aa9aea7f06506c7817e617d2be11bfa97133ce91b0374e7af28846c760f

Download Submit
C:\Windows\{835D0DA1-81A1-4c06-A8C0-F69A5EEFFF0D}.exe

Filesize
344KB

MD5
fcef0224db6895943118ac705ff53ce4

SHA1
449901ef0f6ac046f199cf27858f6d2cab26a3b7

SHA256
b61392dc60be31754646eea2a866366786eb6368a997a380041e64986c054ef4

SHA512
7753377ecaa6c01b67392027f85f7f06cc2300950a393d821700e83b01dae236c37ea94623b1850ebbf1354ddd0293ced0992c99cd5f08dcaede25df9538f15c

Download Submit
C:\Windows\{C7C382C9-47A5-4842-A6EC-ABBCA7AB46AA}.exe

Filesize
344KB

MD5
307fce4bc3b1f56e3e6e01d04efc9e2d

SHA1
c1c2a005cfc5822b15fd603c842234ed384b0639

SHA256
f7fee7af010f3b24358b645e8cabf7cc5aadd0d3cb1b9d1d5b0c504ac6eac72e

SHA512
b5882e10756ae97dab5f21eb28515baa2386853151e6ee5dd8432e1b5bd7d1d6b9c9e1a5e3e455fc4270a9fc9a3f365010a6c6df6df785ee0b0daea78dae8fd1

Download Submit
C:\Windows\{E7EF37CC-EB2E-4753-B307-FDB106068EDE}.exe

Filesize
344KB

MD5
87129604a29c92a44d0b84cbb389333c

SHA1
f936468a1806a231380cfbffae65c6ecf38632a6

SHA256
7e52184dedc367351f443b84893a489ffbf98cee33f036a1d679afae6b8ec96e

SHA512
ecf844944f46074dd1ca975c6efa4fdfabae48329dded89d51e00438164603664ad501829f879b623bcbac56105eee4eef500f66096eb3ee51e121473f4e41da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads