6fd9d1ee1d88bf26a5388b9c764c78ebf6436e64d26742f6f87c64e71e6b5ff1

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
Size

197KB
MD5

e377422afe0a36ad197cf64aed09fb65
SHA1

18521ae7a5710a01c2b395940062ee4f66329cbd
SHA256

6fd9d1ee1d88bf26a5388b9c764c78ebf6436e64d26742f6f87c64e71e6b5ff1
SHA512

2f0ac3092e71f571a401f18e790fae3f31f128a1d31bb7d2293455d8cbc09959387fdd1d407dfa1790750e8ee4f11d90be82d27b21ac52f9d847784945e11fe3
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGNlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331F185D-7B9E-4727-B469-4743550E590B}\stubpath = "C:\\Windows\\{331F185D-7B9E-4727-B469-4743550E590B}.exe"	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116CADC9-471E-4095-A6DC-42F04EC317F4}\stubpath = "C:\\Windows\\{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe"	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931F2F4-9225-46d5-82ED-D18EB2590884}	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}	{331F185D-7B9E-4727-B469-4743550E590B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF68AE3-F535-48f4-818B-8464D206749B}	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77385453-709B-46a9-BF03-E6E2860310FC}\stubpath = "C:\\Windows\\{77385453-709B-46a9-BF03-E6E2860310FC}.exe"	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}\stubpath = "C:\\Windows\\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe"	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE991E68-07B5-40a8-9269-3EC459FF5E62}	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}\stubpath = "C:\\Windows\\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe"	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE991E68-07B5-40a8-9269-3EC459FF5E62}\stubpath = "C:\\Windows\\{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe"	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283F26BB-7F7F-439a-898B-9F92550C40E7}\stubpath = "C:\\Windows\\{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe"	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}\stubpath = "C:\\Windows\\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe"	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77385453-709B-46a9-BF03-E6E2860310FC}	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{116CADC9-471E-4095-A6DC-42F04EC317F4}	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331F185D-7B9E-4727-B469-4743550E590B}	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}\stubpath = "C:\\Windows\\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe"	{331F185D-7B9E-4727-B469-4743550E590B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283F26BB-7F7F-439a-898B-9F92550C40E7}	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF68AE3-F535-48f4-818B-8464D206749B}\stubpath = "C:\\Windows\\{4AF68AE3-F535-48f4-818B-8464D206749B}.exe"	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931F2F4-9225-46d5-82ED-D18EB2590884}\stubpath = "C:\\Windows\\{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe"	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}\stubpath = "C:\\Windows\\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe"	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe

Executes dropped EXE 12 IoCs

pid	Process
4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe
1436	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
4296	{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
File created	C:\Windows\{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
File created	C:\Windows\{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
File created	C:\Windows\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
File created	C:\Windows\{331F185D-7B9E-4727-B469-4743550E590B}.exe	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
File created	C:\Windows\{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
File created	C:\Windows\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
File created	C:\Windows\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe	{331F185D-7B9E-4727-B469-4743550E590B}.exe
File created	C:\Windows\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
File created	C:\Windows\{77385453-709B-46a9-BF03-E6E2860310FC}.exe	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
File created	C:\Windows\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
File created	C:\Windows\{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{331F185D-7B9E-4727-B469-4743550E590B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
Token: SeIncBasePriorityPrivilege	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
Token: SeIncBasePriorityPrivilege	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe
Token: SeIncBasePriorityPrivilege	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
Token: SeIncBasePriorityPrivilege	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
Token: SeIncBasePriorityPrivilege	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
Token: SeIncBasePriorityPrivilege	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
Token: SeIncBasePriorityPrivilege	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
Token: SeIncBasePriorityPrivilege	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
Token: SeIncBasePriorityPrivilege	5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe
Token: SeIncBasePriorityPrivilege	1436	{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4512	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	94
PID 3620 wrote to memory of 4512	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	94
PID 3620 wrote to memory of 4512	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	94
PID 3620 wrote to memory of 3312	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	95
PID 3620 wrote to memory of 3312	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	95
PID 3620 wrote to memory of 3312	3620	2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe	95
PID 4512 wrote to memory of 208	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	96
PID 4512 wrote to memory of 208	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	96
PID 4512 wrote to memory of 208	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	96
PID 4512 wrote to memory of 3364	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	97
PID 4512 wrote to memory of 3364	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	97
PID 4512 wrote to memory of 3364	4512	{4AF68AE3-F535-48f4-818B-8464D206749B}.exe	97
PID 208 wrote to memory of 1180	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	100
PID 208 wrote to memory of 1180	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	100
PID 208 wrote to memory of 1180	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	100
PID 208 wrote to memory of 5064	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	101
PID 208 wrote to memory of 5064	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	101
PID 208 wrote to memory of 5064	208	{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe	101
PID 1180 wrote to memory of 3152	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	102
PID 1180 wrote to memory of 3152	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	102
PID 1180 wrote to memory of 3152	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	102
PID 1180 wrote to memory of 5052	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	103
PID 1180 wrote to memory of 5052	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	103
PID 1180 wrote to memory of 5052	1180	{77385453-709B-46a9-BF03-E6E2860310FC}.exe	103
PID 3152 wrote to memory of 1424	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	104
PID 3152 wrote to memory of 1424	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	104
PID 3152 wrote to memory of 1424	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	104
PID 3152 wrote to memory of 1368	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	105
PID 3152 wrote to memory of 1368	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	105
PID 3152 wrote to memory of 1368	3152	{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe	105
PID 1424 wrote to memory of 4896	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	106
PID 1424 wrote to memory of 4896	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	106
PID 1424 wrote to memory of 4896	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	106
PID 1424 wrote to memory of 3612	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	107
PID 1424 wrote to memory of 3612	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	107
PID 1424 wrote to memory of 3612	1424	{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe	107
PID 4896 wrote to memory of 4592	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	108
PID 4896 wrote to memory of 4592	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	108
PID 4896 wrote to memory of 4592	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	108
PID 4896 wrote to memory of 3304	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	109
PID 4896 wrote to memory of 3304	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	109
PID 4896 wrote to memory of 3304	4896	{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe	109
PID 4592 wrote to memory of 220	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	110
PID 4592 wrote to memory of 220	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	110
PID 4592 wrote to memory of 220	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	110
PID 4592 wrote to memory of 3100	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	111
PID 4592 wrote to memory of 3100	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	111
PID 4592 wrote to memory of 3100	4592	{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe	111
PID 220 wrote to memory of 2208	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	112
PID 220 wrote to memory of 2208	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	112
PID 220 wrote to memory of 2208	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	112
PID 220 wrote to memory of 1944	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	113
PID 220 wrote to memory of 1944	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	113
PID 220 wrote to memory of 1944	220	{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe	113
PID 2208 wrote to memory of 5048	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	114
PID 2208 wrote to memory of 5048	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	114
PID 2208 wrote to memory of 5048	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	114
PID 2208 wrote to memory of 2560	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	115
PID 2208 wrote to memory of 2560	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	115
PID 2208 wrote to memory of 2560	2208	{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe	115
PID 5048 wrote to memory of 1436	5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe	116
PID 5048 wrote to memory of 1436	5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe	116
PID 5048 wrote to memory of 1436	5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe	116
PID 5048 wrote to memory of 3284	5048	{331F185D-7B9E-4727-B469-4743550E590B}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_e377422afe0a36ad197cf64aed09fb65_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
  C:\Windows\{4AF68AE3-F535-48f4-818B-8464D206749B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
    C:\Windows\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\{77385453-709B-46a9-BF03-E6E2860310FC}.exe
      C:\Windows\{77385453-709B-46a9-BF03-E6E2860310FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
        
        C:\Windows\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
        
        C:\Windows\{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
        
        C:\Windows\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
        
        C:\Windows\{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
        
        C:\Windows\{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
        
        C:\Windows\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{331F185D-7B9E-4727-B469-4743550E590B}.exe
        
        C:\Windows\{331F185D-7B9E-4727-B469-4743550E590B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
        
        C:\Windows\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe
        
        C:\Windows\{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76964~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{331F1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1610~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4931F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE991~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F1CC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{116CA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4BB7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77385~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB74D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF68~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{116CADC9-471E-4095-A6DC-42F04EC317F4}.exe

Filesize
197KB

MD5
987ae65d5f5b1c826d68e9bbb9a01b4b

SHA1
3da27e7c88591552929bfe1912820f6bc53fd244

SHA256
c9e30395c54aee9504672e325d42425c8d011516e6a560c17d5cbf7d0019c95f

SHA512
c5c3ef49c22d54be054c269eee29102566f96232db2a5dec2cdd9173ea01bc857edda497506b33e7052c84866f1f912ecb2097b238340a5b5b12afd56d97f5d3

Download Submit
C:\Windows\{283F26BB-7F7F-439a-898B-9F92550C40E7}.exe

Filesize
197KB

MD5
5473531274ad34f823f6e5e870a5e829

SHA1
325736c79eacfadfe786a677a465cc2bccd6d9b1

SHA256
c7eb8ae7a89afb9a0586ea7e223d1b3ecc819f30a5fb6b41b346a60ea9e2f64f

SHA512
7a8170ecce0366507cdbfdedf924d535f525c7a441cd544a7d1a0be984d2407ce1e8dfa5383d3b84abd7f25426288b100bd91ffdece4c97f15de420fcfc64eb0

Download Submit
C:\Windows\{331F185D-7B9E-4727-B469-4743550E590B}.exe

Filesize
197KB

MD5
aa685c9714d1a9185dbbfe34c25e5ee5

SHA1
e6d163679e33ddbf156de280d6b90d8e60df2865

SHA256
5dd2fff16aaa702d47c706680b4f439e5ee410b8e93433b80b4713c38817c2cc

SHA512
bd2aebecf7f727046cef21167173e238ccccb9069ab41443d1d4a011a765c1cec80402456fb43a509f53ddf45ab504463addfa7af67cf1c25b72b71997319d19

Download Submit
C:\Windows\{4931F2F4-9225-46d5-82ED-D18EB2590884}.exe

Filesize
197KB

MD5
c0f07eeadc3049e28f749a8a21d37131

SHA1
b2296e6b13377b639751782e73c6f834f09aab24

SHA256
4f7793ab3f2dc1f38e31062b01a79bd565db7386cbe69402b59694d22a761004

SHA512
5fa120538442d9a5f9c156eb0094e71fa8a6ea7efd216417f31eba7745e328be621d9ac2b69f87ff26f1010152dfe777b754f513a4b22d2453e0518c2ae82044

Download Submit
C:\Windows\{4AF68AE3-F535-48f4-818B-8464D206749B}.exe

Filesize
197KB

MD5
c8d6ea8f3a55c4656c64e5c264baac0e

SHA1
5c518d70526475c11a60647f2cf3c479008f78f1

SHA256
541436f2b4e1a15f29a1eaf1194efe7ac712399a1454716601387d2c17f15c15

SHA512
7c134d45fb6670c5f7f4b0dd16c5d3247e9f3fd4d592d308f5b244c6dbdbfa514be5a670861557c34c57c3f3477f2b0b2bd9e006cb3c9bc3f13727d11f26fe4d

Download Submit
C:\Windows\{7696458D-0D87-44db-9DA2-4F6BD02DC2E2}.exe

Filesize
197KB

MD5
c2d542a6283356a40c59289bcf641bb3

SHA1
a6cbc9cec23f8c22476941d6b492b78328496d71

SHA256
a43261c0fd8b1ced6eb36ea6e93a82dc6fca402f64b06b060295f112898c1698

SHA512
d42824d14d3d661d9c8569d9618b5a4d55d0f7e5af64068cc379b4296370080425042bd05879c5489df5899456cbe9e534ac1ef60e2957fa6102a4a860e075cd

Download Submit
C:\Windows\{77385453-709B-46a9-BF03-E6E2860310FC}.exe

Filesize
197KB

MD5
9e199b3fb0fbc3abb7ab8ac0df98dadf

SHA1
9929d98e0c3e83ce72761405d6952131ba9176aa

SHA256
ab2dbee103605e5c391623a48182a6c1229218d9d64495ade88d4c3f3198b8dd

SHA512
c1205de76caab3d8f487fd95fae906671855c22b18e4e2d2c62d0f5a83abe03d84c01db0af0c7584aebcf5c0af17a384b9fd524502ce43966c9844aebe8488ed

Download Submit
C:\Windows\{8F1CC354-E9D5-4633-B864-6B2D77BDE529}.exe

Filesize
197KB

MD5
1749cf96575630722548aa3c51aa10bc

SHA1
c5f6bb3ad0fe955a5a696eb8fece0ef06e28bc8f

SHA256
6c100e0a2cfde30da44da0b320350a944aeafac3ecc68ec6be39099d27892b83

SHA512
b9fed7911c53ebae90bd04df71e86b27f1946baeab6e0bce92b73c793a16f2a98596265c620dce746afcef42fbea9bd4c377cac75f07846e49a8674c82d85e3b

Download Submit
C:\Windows\{A4BB7A95-DF09-486f-9801-5ABD2C878C4F}.exe

Filesize
197KB

MD5
4877fcbf61547b2976efeab019dce335

SHA1
9331bb0830e89fb6996ac11b5e54cf407b76d0e4

SHA256
753c8d3a1594705bbaa383361c22f20cd306409ec108a9aaca2b4ad03ff46f62

SHA512
88dfaf12394dd2158e308f69652f8b581fd4e9b2a6fbf76d6956937d368c45ca8b42a765a75ca21323b937987d71c05c897afb68bf9ab2d8a0af8a8e4306225c

Download Submit
C:\Windows\{CB74D5DC-D50D-4315-BE56-02CDFA95B27B}.exe

Filesize
197KB

MD5
91e60de9792f03d17e6377302940e6a1

SHA1
e3cf55ace32bc9c1f423a13ea93f8745a8647b72

SHA256
e3168a3a2d48cfa7df89a5ffb5dcac691c7717225f94e729433b9c30e4afa1be

SHA512
74c9def01e2da8e759034894078487255cdfb95e592c54bae607bff47eb6375d27e8f73eb8b089442d82b2fc8b41c2a4b727621794ad52faa91caa5111d3529d

Download Submit
C:\Windows\{CE991E68-07B5-40a8-9269-3EC459FF5E62}.exe

Filesize
197KB

MD5
72d0b8d870fa7b4211869e77265fa5d0

SHA1
5a2a264cb09452d915032b3380e8c4773c3e0970

SHA256
5f84a5a933c9b2e5cf31609aa4423739b1ccf60e74712497b3ab84a85910601f

SHA512
dec136842df52d486b6d169cec0fdd9200f4861dbb22143c125cf29f53122e4e080ae1aaefa53bae3b82e60ba8aa9986f3f172a89400e6c8510d3f9329593f4e

Download Submit
C:\Windows\{E1610A3B-5C67-4cfd-9B74-B2AFBD3B7D84}.exe

Filesize
197KB

MD5
529161179adb3cbb632ec3a250727dae

SHA1
f922f8800d72968025798fae6f296e3ead7aa580

SHA256
6bd861bd9be7bc75031c8d51b53e698457d08c43077a14a31bdf6dfb6892b727

SHA512
93491baeba4b32185742ae2407bb4462c132150633ffb3922823779f81c93796692904997504cf2b04a2eb0c0c640d827843e3c6a9e99176064e4ab3691dd51f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads