4ff4b137e5699132c4e1dc0dbf4e5a438384d0dcf5274a8bbaa2fef294e56b72

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
Size

180KB
MD5

355e874600855f9bf304b72ccdd34240
SHA1

3527e1ed4562dfddcc62eabd6162e5ac16ca7409
SHA256

4ff4b137e5699132c4e1dc0dbf4e5a438384d0dcf5274a8bbaa2fef294e56b72
SHA512

81f383ffc191c50d51824ff549f394304719868d1c483eeb63fb2bffa0331ea33f63d363fca014b26c57ed295834cce43d8b03efee605b79dffa70327770e873
SSDEEP

3072:jEGh0oilfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}\stubpath = "C:\\Windows\\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe"	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF292DCA-7742-464e-B841-E9A372F3FDCD}	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE5DD30-472E-4146-A25C-39BBC97113E9}	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}\stubpath = "C:\\Windows\\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe"	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}\stubpath = "C:\\Windows\\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe"	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}\stubpath = "C:\\Windows\\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe"	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF292DCA-7742-464e-B841-E9A372F3FDCD}\stubpath = "C:\\Windows\\{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe"	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F3DAA32-803B-43d7-A757-583F25F19CD6}\stubpath = "C:\\Windows\\{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe"	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19EA7112-556C-4326-8B39-83DAA2F149CF}\stubpath = "C:\\Windows\\{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe"	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}\stubpath = "C:\\Windows\\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe"	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}\stubpath = "C:\\Windows\\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe"	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398BE015-4132-4cdc-86C0-ECD26D60DE34}	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE5DD30-472E-4146-A25C-39BBC97113E9}\stubpath = "C:\\Windows\\{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe"	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}\stubpath = "C:\\Windows\\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe"	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F3DAA32-803B-43d7-A757-583F25F19CD6}	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398BE015-4132-4cdc-86C0-ECD26D60DE34}\stubpath = "C:\\Windows\\{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe"	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19EA7112-556C-4326-8B39-83DAA2F149CF}	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
392	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
2732	{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
File created	C:\Windows\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
File created	C:\Windows\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
File created	C:\Windows\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
File created	C:\Windows\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
File created	C:\Windows\{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
File created	C:\Windows\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
File created	C:\Windows\{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
File created	C:\Windows\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
File created	C:\Windows\{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
File created	C:\Windows\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
File created	C:\Windows\{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
Token: SeIncBasePriorityPrivilege	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
Token: SeIncBasePriorityPrivilege	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
Token: SeIncBasePriorityPrivilege	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
Token: SeIncBasePriorityPrivilege	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
Token: SeIncBasePriorityPrivilege	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
Token: SeIncBasePriorityPrivilege	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
Token: SeIncBasePriorityPrivilege	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
Token: SeIncBasePriorityPrivilege	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
Token: SeIncBasePriorityPrivilege	2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
Token: SeIncBasePriorityPrivilege	392	{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4644	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	87
PID 3196 wrote to memory of 4644	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	87
PID 3196 wrote to memory of 4644	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	87
PID 3196 wrote to memory of 3460	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	88
PID 3196 wrote to memory of 3460	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	88
PID 3196 wrote to memory of 3460	3196	2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe	88
PID 4644 wrote to memory of 1300	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	96
PID 4644 wrote to memory of 1300	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	96
PID 4644 wrote to memory of 1300	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	96
PID 4644 wrote to memory of 4948	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	97
PID 4644 wrote to memory of 4948	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	97
PID 4644 wrote to memory of 4948	4644	{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe	97
PID 1300 wrote to memory of 1516	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	100
PID 1300 wrote to memory of 1516	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	100
PID 1300 wrote to memory of 1516	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	100
PID 1300 wrote to memory of 2992	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	101
PID 1300 wrote to memory of 2992	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	101
PID 1300 wrote to memory of 2992	1300	{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe	101
PID 1516 wrote to memory of 5000	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	102
PID 1516 wrote to memory of 5000	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	102
PID 1516 wrote to memory of 5000	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	102
PID 1516 wrote to memory of 4540	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	103
PID 1516 wrote to memory of 4540	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	103
PID 1516 wrote to memory of 4540	1516	{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe	103
PID 5000 wrote to memory of 1808	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	104
PID 5000 wrote to memory of 1808	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	104
PID 5000 wrote to memory of 1808	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	104
PID 5000 wrote to memory of 3868	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	105
PID 5000 wrote to memory of 3868	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	105
PID 5000 wrote to memory of 3868	5000	{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe	105
PID 1808 wrote to memory of 864	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	106
PID 1808 wrote to memory of 864	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	106
PID 1808 wrote to memory of 864	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	106
PID 1808 wrote to memory of 2560	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	107
PID 1808 wrote to memory of 2560	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	107
PID 1808 wrote to memory of 2560	1808	{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe	107
PID 864 wrote to memory of 4532	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	108
PID 864 wrote to memory of 4532	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	108
PID 864 wrote to memory of 4532	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	108
PID 864 wrote to memory of 3212	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	109
PID 864 wrote to memory of 3212	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	109
PID 864 wrote to memory of 3212	864	{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe	109
PID 4532 wrote to memory of 1360	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	110
PID 4532 wrote to memory of 1360	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	110
PID 4532 wrote to memory of 1360	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	110
PID 4532 wrote to memory of 336	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	111
PID 4532 wrote to memory of 336	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	111
PID 4532 wrote to memory of 336	4532	{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe	111
PID 1360 wrote to memory of 1324	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	112
PID 1360 wrote to memory of 1324	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	112
PID 1360 wrote to memory of 1324	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	112
PID 1360 wrote to memory of 3416	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	113
PID 1360 wrote to memory of 3416	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	113
PID 1360 wrote to memory of 3416	1360	{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe	113
PID 1324 wrote to memory of 2268	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	114
PID 1324 wrote to memory of 2268	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	114
PID 1324 wrote to memory of 2268	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	114
PID 1324 wrote to memory of 3528	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	115
PID 1324 wrote to memory of 3528	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	115
PID 1324 wrote to memory of 3528	1324	{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe	115
PID 2268 wrote to memory of 392	2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe	116
PID 2268 wrote to memory of 392	2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe	116
PID 2268 wrote to memory of 392	2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe	116
PID 2268 wrote to memory of 3348	2268	{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_355e874600855f9bf304b72ccdd34240_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
  C:\Windows\{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
    C:\Windows\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
      C:\Windows\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
        
        C:\Windows\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
        
        C:\Windows\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
        
        C:\Windows\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
        
        C:\Windows\{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
        
        C:\Windows\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
        
        C:\Windows\{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
        
        C:\Windows\{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
        
        C:\Windows\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe
        
        C:\Windows\{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DEA2~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F3DA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF292~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8195~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19EA7~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEEF2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF935~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D55FE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{640A7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60190~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ABE5D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19EA7112-556C-4326-8B39-83DAA2F149CF}.exe

Filesize
180KB

MD5
212dd9e39dd60485dd90709247d2e912

SHA1
7d8208b673598b5a7783e7a421b2715c73091ae0

SHA256
73ebd07eedba0fd814047b0a60023dd25c5974dc05a365c310ed08e41cf2d2ef

SHA512
f16bc4793c66e93fc4c18c2faade1b5e06ecceba5229f70fd7f78cbdeb9ddcf349cbfd7e6f8a37e3270755999403234a756fbbc84848d6ef52f077c382c73859

Download Submit
C:\Windows\{2DEA2BCD-7231-4b28-927F-A7F24C59462A}.exe

Filesize
180KB

MD5
ccf58151064fec22e8f0a880251f6ad8

SHA1
a39f1652244d8182f2676a874e6972cef5d4ef2b

SHA256
f99cd2a8b747e8272ac61436cdad89c40c452760826d4d6826a0f78868001635

SHA512
8b33ae76c25e7b60f1e65415902ccf233230fdb2e7544dc74247dda079f4c119d24fcc23cea4e482980deacdce7cab5f947a609a350a095fea4b196a6667f5c0

Download Submit
C:\Windows\{398BE015-4132-4cdc-86C0-ECD26D60DE34}.exe

Filesize
180KB

MD5
15ddc6f0ad2ac4c9322d76fbd9f6a1cc

SHA1
ff17bad7b73879df3ef4cad39fb62e6530282cee

SHA256
f773cf8f7dcaffc35a80c907fe0b28105247394712588b4a24573137e375992c

SHA512
16dbe979e8e03c7aced89e88b5ca7a8ac39ef9882750eea790d778503b362e7c2299d9968ca5cfd10dbdda493848cfb57105b1bb4f4e340876858a44e5c00f3f

Download Submit
C:\Windows\{5F3DAA32-803B-43d7-A757-583F25F19CD6}.exe

Filesize
180KB

MD5
6cbed80de91151b2abd9a0a17f2112b7

SHA1
03e8a1093facd597c546bf1c4f4de170da0609d7

SHA256
169e8a72bfc43a30ad4c451767ce5b7ce576cfbca05874dc7048bde6746111a8

SHA512
40b1771d46e40defc5bf7d6e9752c3a2010b3e4f7d3ae4644a88f452d2df9d7cdf56c692c7cb19d853d08ae05063d15db229fe370152b96fb09b11bd135a84ba

Download Submit
C:\Windows\{601908E8-3B80-4e07-ACB8-DACBFBA4AFD6}.exe

Filesize
180KB

MD5
e7c2bb70d3da9447a1ce5bba15c03665

SHA1
28f1f936c96aa0606448c8f989c1d93478531367

SHA256
af53b14d282de4762bf45bdc796943017c8fca067985ef66535e8f5f87695148

SHA512
0c368ea789a60989848cf6a20bb269a65d6f6378ee7799dd1adecde8b5889c373d7150bbf50845d67a25008869e29f16246edb7bbe7de72b3fd255f9af9507d3

Download Submit
C:\Windows\{640A7C13-ED31-4dc5-8DCD-BEECD6674C26}.exe

Filesize
180KB

MD5
11a221875a23f4bf22734a65fb6aa845

SHA1
cb66afa8df343d71d80b96e081fcb30345591740

SHA256
66fb06077fb52fad881d686ac5668b67c9ddeb2be99f5fd0f8ee04d1d2557649

SHA512
9258ffd7610726589d1c6df72a33882cd921533f48f7004157056886874c98c9333605bb3fff7bb01e8b941cf24643dd66704b61c166312b82adc578432aa6a8

Download Submit
C:\Windows\{ABE5DD30-472E-4146-A25C-39BBC97113E9}.exe

Filesize
180KB

MD5
aab91062edbbe1b39e82acb771625fd2

SHA1
f91fbe37282b7c6eef3f4e1c25f3647b187023c7

SHA256
66ab7bfb0f839446126fbc220268cfdc1b74ac218801f41f3a665d6ddda93930

SHA512
a7df9df4359c6ddcb55bdcd0c83de39c050c05be6727321bcc9d70c670dfc766e85ae1ba614756bd5d29e6f19f79fb726991fa13f14b0d202471f9ddcdf8685e

Download Submit
C:\Windows\{D55FE882-E0A8-41a9-933D-2A3BD73B8A98}.exe

Filesize
180KB

MD5
45149798cec281440819f7b5722111bc

SHA1
979f9bb0800b08f0ad154a3a701dbc996371aad5

SHA256
83e9981338f559d4a8a60d2f73e9b03d3844cd1cc7f96938a12ade7dad159b05

SHA512
123d024b51cbe6c7ce4dc5fce4bf2d57dffcd170b97d3aa855dcc0b28583e90f8b176ae468faca797020e3ebac6ca9b2d7a6564de566270901dbaaa0629c1cf8

Download Submit
C:\Windows\{D8195E9D-DCF6-4687-8EEF-1E29428C944B}.exe

Filesize
180KB

MD5
bf459426a67e1cec86803a839838f576

SHA1
d45d1b272b6107cccaecdc6f8b28ff9dd3f9a70e

SHA256
feb16459b97bfd4e4ceff86c047c4d28d89ef467ea83f352f8eaf2d7e1f1b8f8

SHA512
5e7f3ba46c425ca19f3942ca40be401bfdaa1c182bd2d69cfeb0244c5aaf766af3e22b1e99900c7db719ddd62f9b344ca240941fab951a5512c9705f9ae1c94a

Download Submit
C:\Windows\{EEEF295A-DF43-4644-B4F3-7766AA2E730E}.exe

Filesize
180KB

MD5
5519383d15e69706b5391169db6b4dfb

SHA1
cadd52e22726cf4e2e97c8476416ab02bc61cac0

SHA256
8374aefabecc1a41846bba0fe076e6b0390ac5838521ff703d2b4a51c5753a6d

SHA512
5d937ef4033ff6ff075602688722d567cef2e04b70e344dc87eac45cbb9afefa67d891b4cb2d6999551239c1ecd68ec136080a6c42d3b26dc4b229b074b51b28

Download Submit
C:\Windows\{EF9356EC-26C0-49a3-BE46-3B7B2907477D}.exe

Filesize
180KB

MD5
690530ffc8f3f872acce925df0cae365

SHA1
a6eb87347ea06a771c11db14da63ab7190c0d0a7

SHA256
8ef333261a6d2617c22f1079f7e6d81e9f8063a45e03bdbedaa76c65b09ac9a9

SHA512
c2bd1bc1d26b6bdcada3cd53e87cc23a4cf56fa3f7bb4b290710cf35951d081ba6613bb2fd688cd760113e372a6679634ca8702d4bc7a0a19347be8c70fd3791

Download Submit
C:\Windows\{FF292DCA-7742-464e-B841-E9A372F3FDCD}.exe

Filesize
180KB

MD5
fe781ad1868cde4eae58a177651f5444

SHA1
e4e80f357bbff40ed1efca88e98a594323ed45b2

SHA256
fadfbbfa68340a3ed24d9fc7f5dcef1a57719b40998a51a64aca915c12bee280

SHA512
4570af98f72d1694cdbd4b426dfa35b4b69211c4c07f7f5f39de951a90144dbc8ff82f5ceb8b1a2a5b002e90c98c53d0cd130028a27b38e8eed6b18287ae895e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads