024f0fb8819514f1d7532a8e97a244e63af69a071d41455b5c1e712cf02f680f

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Size

204KB
MD5

d4afc190e704a99d43f851e26350a46c
SHA1

a8e65951bdac9c4a5370f9f01a8c589d920bf9de
SHA256

024f0fb8819514f1d7532a8e97a244e63af69a071d41455b5c1e712cf02f680f
SHA512

c62a3a5b882a780bb7d4400dc02296870c9e4c90527970a3ee10065e81338581621ffbb47b12ca4f9f60f818703587d6645947851dcbf9486a39894a5fb90656
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D8460A-DC56-4225-A355-C8DC54639FF6}	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}\stubpath = "C:\\Windows\\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe"	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}\stubpath = "C:\\Windows\\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe"	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}\stubpath = "C:\\Windows\\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe"	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}\stubpath = "C:\\Windows\\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe"	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}\stubpath = "C:\\Windows\\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe"	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}\stubpath = "C:\\Windows\\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe"	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}\stubpath = "C:\\Windows\\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe"	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}\stubpath = "C:\\Windows\\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe"	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}\stubpath = "C:\\Windows\\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe"	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}\stubpath = "C:\\Windows\\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe"	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D8460A-DC56-4225-A355-C8DC54639FF6}\stubpath = "C:\\Windows\\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe"	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}\stubpath = "C:\\Windows\\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe"	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe

Executes dropped EXE 12 IoCs

pid	Process
5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
768	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
2028	{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
File created	C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
File created	C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
File created	C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
File created	C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
File created	C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
File created	C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
File created	C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
File created	C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
File created	C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
File created	C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
File created	C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
Token: SeIncBasePriorityPrivilege	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
Token: SeIncBasePriorityPrivilege	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
Token: SeIncBasePriorityPrivilege	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
Token: SeIncBasePriorityPrivilege	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
Token: SeIncBasePriorityPrivilege	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
Token: SeIncBasePriorityPrivilege	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
Token: SeIncBasePriorityPrivilege	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
Token: SeIncBasePriorityPrivilege	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
Token: SeIncBasePriorityPrivilege	720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
Token: SeIncBasePriorityPrivilege	768	{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 5032	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	96
PID 1676 wrote to memory of 5032	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	96
PID 1676 wrote to memory of 5032	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	96
PID 1676 wrote to memory of 3364	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	97
PID 1676 wrote to memory of 3364	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	97
PID 1676 wrote to memory of 3364	1676	2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe	97
PID 5032 wrote to memory of 1352	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	98
PID 5032 wrote to memory of 1352	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	98
PID 5032 wrote to memory of 1352	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	98
PID 5032 wrote to memory of 4744	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	99
PID 5032 wrote to memory of 4744	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	99
PID 5032 wrote to memory of 4744	5032	{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe	99
PID 1352 wrote to memory of 1956	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	102
PID 1352 wrote to memory of 1956	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	102
PID 1352 wrote to memory of 1956	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	102
PID 1352 wrote to memory of 3036	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	103
PID 1352 wrote to memory of 3036	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	103
PID 1352 wrote to memory of 3036	1352	{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe	103
PID 1956 wrote to memory of 1636	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	104
PID 1956 wrote to memory of 1636	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	104
PID 1956 wrote to memory of 1636	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	104
PID 1956 wrote to memory of 2556	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	105
PID 1956 wrote to memory of 2556	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	105
PID 1956 wrote to memory of 2556	1956	{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe	105
PID 1636 wrote to memory of 4712	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	106
PID 1636 wrote to memory of 4712	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	106
PID 1636 wrote to memory of 4712	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	106
PID 1636 wrote to memory of 4708	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	107
PID 1636 wrote to memory of 4708	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	107
PID 1636 wrote to memory of 4708	1636	{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe	107
PID 4712 wrote to memory of 1020	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	108
PID 4712 wrote to memory of 1020	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	108
PID 4712 wrote to memory of 1020	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	108
PID 4712 wrote to memory of 60	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	109
PID 4712 wrote to memory of 60	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	109
PID 4712 wrote to memory of 60	4712	{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe	109
PID 1020 wrote to memory of 920	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	110
PID 1020 wrote to memory of 920	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	110
PID 1020 wrote to memory of 920	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	110
PID 1020 wrote to memory of 224	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	111
PID 1020 wrote to memory of 224	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	111
PID 1020 wrote to memory of 224	1020	{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe	111
PID 920 wrote to memory of 3188	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	112
PID 920 wrote to memory of 3188	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	112
PID 920 wrote to memory of 3188	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	112
PID 920 wrote to memory of 3836	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	113
PID 920 wrote to memory of 3836	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	113
PID 920 wrote to memory of 3836	920	{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe	113
PID 3188 wrote to memory of 2128	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	114
PID 3188 wrote to memory of 2128	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	114
PID 3188 wrote to memory of 2128	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	114
PID 3188 wrote to memory of 2112	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	115
PID 3188 wrote to memory of 2112	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	115
PID 3188 wrote to memory of 2112	3188	{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe	115
PID 2128 wrote to memory of 720	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	116
PID 2128 wrote to memory of 720	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	116
PID 2128 wrote to memory of 720	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	116
PID 2128 wrote to memory of 1996	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	117
PID 2128 wrote to memory of 1996	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	117
PID 2128 wrote to memory of 1996	2128	{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe	117
PID 720 wrote to memory of 768	720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe	118
PID 720 wrote to memory of 768	720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe	118
PID 720 wrote to memory of 768	720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe	118
PID 720 wrote to memory of 1400	720	{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_d4afc190e704a99d43f851e26350a46c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
  C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
    C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
      C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
        
        C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
        
        C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
        
        C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
        
        C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
        
        C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
        
        C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
        
        C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
        
        C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe
        
        C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E57AE~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D84~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5F6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B04~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60FC8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAD71~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07023~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:60
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FEA7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15E6A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7A7~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{74013~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07023BE2-F1F0-4e47-B521-9CDCD8AAC1D6}.exe

Filesize
204KB

MD5
f97666836f499ed4f32485c3fd465897

SHA1
16dbcbac26b00fbad5f2cb828b0c17f1ca5373f1

SHA256
d0e2d8db1209d5fc38ceba569ad21d0572f852a8b339960c2db093036d4ed66d

SHA512
1c106a47c9a563f325fcdca7e91ad70a5032a25fef5cb43760de556fc508c53d31ac36150f16188d2655a9cc35815121ab4fdc047b682792fdf66ab94dbf76bc

Download Submit
C:\Windows\{0E7A7C8F-A529-4829-B84B-58EF3F5A9271}.exe

Filesize
204KB

MD5
073adb3d7a796c3322ae83f7bc620b13

SHA1
369016e7408f13d17536e77519dd966d4f7bca19

SHA256
102668819e14c77280ef0266999d5c264bc83ef7be85a2d1cac7b1047e55b801

SHA512
0b700757bc9c98b67cc8b24d4b662de574dbb911d4d92d51c3b34380fc608b8015e16bc3e798405eca41949fda9cc0e74fb9fde4fcf579cc43bf0959d20620c1

Download Submit
C:\Windows\{15E6A3E4-68FD-45c8-8EE4-328367F264D1}.exe

Filesize
204KB

MD5
5ffeb61256304534ade97776d665f4f6

SHA1
8b2221a612c80abda93ab3221608a1b0686f28bd

SHA256
351d13276ac701bdb5c8c978fa395c37a8bf7fb527ab343fef54e018a8b55603

SHA512
a2d9465bff21602f185b8a927d38b584a517c2daf302484aee0ef375b5115ba85b1028c8ef4385b46bd0b46c66c66a879b431c04e1b984bc57ae8c26efa703ee

Download Submit
C:\Windows\{5F5F6F23-F7DE-4b5c-90C0-4F852C590A6C}.exe

Filesize
204KB

MD5
9f1dcea78a325912c024bbde7783b6e4

SHA1
f626f9bbce23139062482fc3ba4e5ece12982fb5

SHA256
121c640328ccbe363cec064bd738e0df8de93899f40ce7f548ec8976a94e9ae8

SHA512
6afa8621000f8991a11e095cd57fd1113cfdfc90d12936952bb78df7774187e1f4330165d511f326ab581667c45492aa565f69918d8a91c9f2066a228d6e2fb2

Download Submit
C:\Windows\{60FC8DFC-046B-4d13-959F-F7CD7502C49E}.exe

Filesize
204KB

MD5
65ce619013db3f7786d6a4b4051bba0d

SHA1
2c293e6eb19771955f9164089cf413bc739720c5

SHA256
f3c6fdd83d16b8278fafef89cd2e54f640d67c4cc52c42a289f7265321afb1fc

SHA512
b3b6776150c282fa2a369770a41767d51ff1744260dc342e22ddb605beea446ca7382d3ea25731017e14ab9ffa17750c82fda4737ca1c319c5fc4956f5164a96

Download Submit
C:\Windows\{74013DEE-1BD3-4a79-B1C7-82C84A766D78}.exe

Filesize
204KB

MD5
74688fcaad20df2160a59f753a594431

SHA1
c68bd6f7eddbd50c87d33eefa8b412e0ef9aec08

SHA256
ed03449627e4bc5c5c9147594f5927d745fa06bf4d4ba0ea6d330ce05212f3c5

SHA512
0a09236314b86c9a86e72f39d5a405b569f73bce8fce4a2c0df1fbe09329ab1c425724bedb2e05d494a7d2f9e586966ae02a1a613ccf466d992ddb7e5f7e4c7f

Download Submit
C:\Windows\{9FEA7E45-09B9-4f87-8A78-C3719D1FA529}.exe

Filesize
204KB

MD5
1e26ecfd4d00f39456cb7614caccc50b

SHA1
daebf9692006f3b5ee703cb86718d36a23289c56

SHA256
f27d7a88d4af5ba70521f79b642ee9cdae24e765a5f23c9f67a3ab64ec260eba

SHA512
49172f6043354ff663a299cc35ee01a355e7d5dd8d64649f74f2e6eb0282fe60d3f55c3fae21a3350a0272c5a39af18e93737275411d0d87749ceb909c5c7927

Download Submit
C:\Windows\{A4F5E1FF-A4C5-4918-9F6E-87DCE2E7C091}.exe

Filesize
204KB

MD5
6ba2738164bb453bd5bbee0d3b0113d0

SHA1
9431b879fcc80373c00ccdbe45f3299a292e95eb

SHA256
79ac2ca75d1e50db2e2ac627b1d7b83b97312106154c733ed3001aaa9965e131

SHA512
6784694b0b417e2f60236736721c14c55e64b15229347c774e80a090559202196707cf2057fd0fd633893ce7093bfd5811cf2b4f7f61e3bd81bcc86a6bcae3b5

Download Submit
C:\Windows\{BAD7171E-6A34-4fd0-B3AA-48F8BBCDEB2B}.exe

Filesize
204KB

MD5
4a99dc5030d43099917b7fa2b1df17be

SHA1
ad354520a12b5e7e5254559ceb792664b32a9e1a

SHA256
320fe0f9ae9ee2ddd5d0b6e537c28f911cbe69380a560ef820a6814206c83917

SHA512
34c2f3d1801f9047719544d720cd0c346ea91462c2e6a1a3074932a09a987f91e604aae00a933547a82bc69b545d50f6b3f3104797161731f82dcbd9f16c623b

Download Submit
C:\Windows\{C4D8460A-DC56-4225-A355-C8DC54639FF6}.exe

Filesize
204KB

MD5
f3f925cde955bd2260131895a2a226f7

SHA1
3e20bcb836f692af14d1b1fa9b27b544d2a568c4

SHA256
a8fd62a1088644512ed49e23a51bb215cb3adeffdb6e86b043785e3af423e7f5

SHA512
6689533ac9fb3b60bb1c4edab258c2ef347e67daa8c8454ebfd42b3d93cf04814c9425fa0db6159b175074f0d5149d5142e80d7f7324378f130d71e9237d5faf

Download Submit
C:\Windows\{E57AE39F-7EC4-4ee3-8694-B42355B26B69}.exe

Filesize
204KB

MD5
30b7845ea0764c0940f55586e2d9f815

SHA1
54856275578560363b980c9b4caa47168c448562

SHA256
e17b4b642d0abaaec29a0f83a35dcf022139f1e75ed024c2c05cd5f412905438

SHA512
91683900338f4661ca1347a9055ee79289fc730301a0dce44c9537a5b2d8f749784ddb91133d74e1c483bacf1f505d35bfe1f87fadea31cc2074cb38e82a17ba

Download Submit
C:\Windows\{F2B04924-6291-462d-BAA4-6F8B2BFEB744}.exe

Filesize
204KB

MD5
b13c58d6c7215e48da03922efc5658af

SHA1
6fc2ffed880df900380d9b39f8b9582df2761c52

SHA256
51f3c8bc81d396f22fa95f0995699d30cf50afc1167dea24e9c985b5935023c5

SHA512
32458bf11b3f5e7c0fece419e73ad2b8bfefa10956dec4b29e699e78b44d3c6026df988541fab326133666d20a467ff1372b0b60f2032f9fa571a858e4c5163b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads