ee8aef9c0827580f22cce5bddd68c91daf0427ac9d071ea4addf13d217e36f04

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
Size

197KB
MD5

85dbf2af3a820608c506266b00567e84
SHA1

4d531e9d3134939b23b3adfc3fee364a68ba17df
SHA256

ee8aef9c0827580f22cce5bddd68c91daf0427ac9d071ea4addf13d217e36f04
SHA512

c1ce7bf0cd65a738dad56fc36781f3b0ffaa9b3710707f013435bda91c8747743e6f457ac0d197012c8bf680ad6ef61968f1b433a7ddfc2f80e937b56c9536e6
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG2lEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CAF9C79-6C08-4124-914F-C880BB527977}	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AB8B40-275F-4178-B1B1-10890B11578A}	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AB8B40-275F-4178-B1B1-10890B11578A}\stubpath = "C:\\Windows\\{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe"	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}\stubpath = "C:\\Windows\\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe"	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0883385D-E695-492c-8ECA-3EDE04238299}	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}\stubpath = "C:\\Windows\\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe"	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CAF9C79-6C08-4124-914F-C880BB527977}\stubpath = "C:\\Windows\\{8CAF9C79-6C08-4124-914F-C880BB527977}.exe"	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D663020-02D7-4002-AE95-C3D326F981B0}	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0883385D-E695-492c-8ECA-3EDE04238299}\stubpath = "C:\\Windows\\{0883385D-E695-492c-8ECA-3EDE04238299}.exe"	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0BA144-C3C5-401c-A968-4723AB243856}\stubpath = "C:\\Windows\\{7E0BA144-C3C5-401c-A968-4723AB243856}.exe"	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D663020-02D7-4002-AE95-C3D326F981B0}\stubpath = "C:\\Windows\\{1D663020-02D7-4002-AE95-C3D326F981B0}.exe"	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}\stubpath = "C:\\Windows\\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe"	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}\stubpath = "C:\\Windows\\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe"	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}\stubpath = "C:\\Windows\\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe"	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60E729A-E400-4e84-9DEB-E27ACF83559E}	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60E729A-E400-4e84-9DEB-E27ACF83559E}\stubpath = "C:\\Windows\\{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe"	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}\stubpath = "C:\\Windows\\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe"	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E0BA144-C3C5-401c-A968-4723AB243856}	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe

Executes dropped EXE 12 IoCs

pid	Process
1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
4368	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
4456	{1D663020-02D7-4002-AE95-C3D326F981B0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
File created	C:\Windows\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
File created	C:\Windows\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
File created	C:\Windows\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
File created	C:\Windows\{0883385D-E695-492c-8ECA-3EDE04238299}.exe	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
File created	C:\Windows\{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
File created	C:\Windows\{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
File created	C:\Windows\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
File created	C:\Windows\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
File created	C:\Windows\{7E0BA144-C3C5-401c-A968-4723AB243856}.exe	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
File created	C:\Windows\{8CAF9C79-6C08-4124-914F-C880BB527977}.exe	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
File created	C:\Windows\{1D663020-02D7-4002-AE95-C3D326F981B0}.exe	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D663020-02D7-4002-AE95-C3D326F981B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
Token: SeIncBasePriorityPrivilege	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
Token: SeIncBasePriorityPrivilege	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
Token: SeIncBasePriorityPrivilege	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
Token: SeIncBasePriorityPrivilege	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
Token: SeIncBasePriorityPrivilege	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe
Token: SeIncBasePriorityPrivilege	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
Token: SeIncBasePriorityPrivilege	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
Token: SeIncBasePriorityPrivilege	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
Token: SeIncBasePriorityPrivilege	2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
Token: SeIncBasePriorityPrivilege	4368	{8CAF9C79-6C08-4124-914F-C880BB527977}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1680	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	88
PID 1308 wrote to memory of 1680	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	88
PID 1308 wrote to memory of 1680	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	88
PID 1308 wrote to memory of 2332	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	89
PID 1308 wrote to memory of 2332	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	89
PID 1308 wrote to memory of 2332	1308	2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe	89
PID 1680 wrote to memory of 2164	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	95
PID 1680 wrote to memory of 2164	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	95
PID 1680 wrote to memory of 2164	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	95
PID 1680 wrote to memory of 784	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	96
PID 1680 wrote to memory of 784	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	96
PID 1680 wrote to memory of 784	1680	{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe	96
PID 2164 wrote to memory of 3208	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	98
PID 2164 wrote to memory of 3208	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	98
PID 2164 wrote to memory of 3208	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	98
PID 2164 wrote to memory of 1608	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	99
PID 2164 wrote to memory of 1608	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	99
PID 2164 wrote to memory of 1608	2164	{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe	99
PID 3208 wrote to memory of 4380	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	100
PID 3208 wrote to memory of 4380	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	100
PID 3208 wrote to memory of 4380	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	100
PID 3208 wrote to memory of 2204	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	101
PID 3208 wrote to memory of 2204	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	101
PID 3208 wrote to memory of 2204	3208	{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe	101
PID 4380 wrote to memory of 1116	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	102
PID 4380 wrote to memory of 1116	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	102
PID 4380 wrote to memory of 1116	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	102
PID 4380 wrote to memory of 4800	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	103
PID 4380 wrote to memory of 4800	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	103
PID 4380 wrote to memory of 4800	4380	{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe	103
PID 1116 wrote to memory of 4960	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	104
PID 1116 wrote to memory of 4960	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	104
PID 1116 wrote to memory of 4960	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	104
PID 1116 wrote to memory of 2308	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	105
PID 1116 wrote to memory of 2308	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	105
PID 1116 wrote to memory of 2308	1116	{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe	105
PID 4960 wrote to memory of 5104	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	106
PID 4960 wrote to memory of 5104	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	106
PID 4960 wrote to memory of 5104	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	106
PID 4960 wrote to memory of 3160	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	107
PID 4960 wrote to memory of 3160	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	107
PID 4960 wrote to memory of 3160	4960	{0883385D-E695-492c-8ECA-3EDE04238299}.exe	107
PID 5104 wrote to memory of 3036	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	109
PID 5104 wrote to memory of 3036	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	109
PID 5104 wrote to memory of 3036	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	109
PID 5104 wrote to memory of 2860	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	110
PID 5104 wrote to memory of 2860	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	110
PID 5104 wrote to memory of 2860	5104	{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe	110
PID 3036 wrote to memory of 3940	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	111
PID 3036 wrote to memory of 3940	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	111
PID 3036 wrote to memory of 3940	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	111
PID 3036 wrote to memory of 1352	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	112
PID 3036 wrote to memory of 1352	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	112
PID 3036 wrote to memory of 1352	3036	{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe	112
PID 3940 wrote to memory of 2688	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	114
PID 3940 wrote to memory of 2688	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	114
PID 3940 wrote to memory of 2688	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	114
PID 3940 wrote to memory of 3656	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	115
PID 3940 wrote to memory of 3656	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	115
PID 3940 wrote to memory of 3656	3940	{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe	115
PID 2688 wrote to memory of 4368	2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe	116
PID 2688 wrote to memory of 4368	2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe	116
PID 2688 wrote to memory of 4368	2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe	116
PID 2688 wrote to memory of 3508	2688	{7E0BA144-C3C5-401c-A968-4723AB243856}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_85dbf2af3a820608c506266b00567e84_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
  C:\Windows\{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
    C:\Windows\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
      C:\Windows\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
        
        C:\Windows\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
        
        C:\Windows\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{0883385D-E695-492c-8ECA-3EDE04238299}.exe
        
        C:\Windows\{0883385D-E695-492c-8ECA-3EDE04238299}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
        
        C:\Windows\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
        
        C:\Windows\{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
        
        C:\Windows\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
        
        C:\Windows\{7E0BA144-C3C5-401c-A968-4723AB243856}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
        
        C:\Windows\{8CAF9C79-6C08-4124-914F-C880BB527977}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\{1D663020-02D7-4002-AE95-C3D326F981B0}.exe
        
        C:\Windows\{1D663020-02D7-4002-AE95-C3D326F981B0}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAF9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E0BA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B9ED~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60E7~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45DCF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08833~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54DA7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12FCD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0D6D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{522DF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F8AB8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0883385D-E695-492c-8ECA-3EDE04238299}.exe

Filesize
197KB

MD5
13eedc3b128b1dbe5921f33c134a865c

SHA1
3b65e1d9096bee7693603d67171c8e6f1732ac2d

SHA256
fe59af41d07524a0844d8f4a2bc7f1b1faf4e8c38a9fe003fe5a7cf8dc20564b

SHA512
faaa6ed5e030ef17ab5c1580c1e33e6461b6442f55cd20c7139648fe838eb308c0c8af3f7c2e18d6cf0cd70047a6cb6a7ad40a3ee37ee68ca6621ab8ef652361

Download Submit
C:\Windows\{12FCD9F6-9DD0-4a99-BF50-43F86D8B9377}.exe

Filesize
197KB

MD5
8cd3d76ea9f376ae5733c16ec9a9c583

SHA1
fd6e3f73e1fb9bdc21e3138f9d081d9f275ca2f4

SHA256
0054d30961d1f07e018d27743952146b0ed01bfe17b64b74e52d0fda3a33fa34

SHA512
f361fa816be5366d6bcc26d8774a42d19ebd16707774bff563d83b32b49d6e2deec1ca0ee2eafa74f89a83b65b685d713b7037a9babc73e8c6d42d9ecfa8b288

Download Submit
C:\Windows\{1D663020-02D7-4002-AE95-C3D326F981B0}.exe

Filesize
197KB

MD5
e9797da078afb2f1062ee30b591cf39d

SHA1
b0041c73ffc857a530e78607752ddee1340854aa

SHA256
b4d9d0d9cb476378cfb5dbbf5f96e2f6ddfd8274136f115b6e7b9116511295ec

SHA512
03b103eb7cdae2e22ef4070f8a939c4cb7156dae189fdc0c56eeaee2dc1f7b7b5a1ca830d386f7fb6b6a2f08a7d3be9fa7be6307c1f650a2cf231e81c9a679ed

Download Submit
C:\Windows\{45DCF796-2ED1-4af8-9969-52FAEB08E5BE}.exe

Filesize
197KB

MD5
5a25d74d9261f5d310596c1707d5cff3

SHA1
2eeaf289505746cee08727d25a8f0a4118a96031

SHA256
acac22643ba36800d2d42da9535c78f5a98e70cdefaff5cbd6e4c10718be95ec

SHA512
bc0d8172e8f6732765142f77db32ae99240afc2affd4639f9737fd29cbc79af75b2249839ee4070d26004463f81c8df9c12bb68ccefcbd2a5fd8fcb2e4407788

Download Submit
C:\Windows\{522DF91F-9104-48c2-89EB-E95C51E9C3F5}.exe

Filesize
197KB

MD5
4bca793315fcb8cb84465a1d380d79d2

SHA1
33da4128cddab44d28fe5d96516c810047c4db28

SHA256
ffcca781a61357f1289cc278335fad8778da29e57f469ae03eb3c4179394d69d

SHA512
8e966d728b42835e7f955302bbdd6582e1c8562ff30544a57f8d7726bce1fa35fd01a33e6f2934b4b6edfa4939c455ba2c267c7db6b86a580879fbba0c8fa877

Download Submit
C:\Windows\{54DA7A9B-9A02-4736-AB13-5672F71E45F9}.exe

Filesize
197KB

MD5
112bfde6d4de735aef3f60fdc18c24a2

SHA1
1c9e18fdda4c1a7a0dc93e0b97baef54eda8da21

SHA256
f8d5ab6fecad1b84819f385eb9315dc912b4b8f5b581502ebcb5d3a51bd582e2

SHA512
87076c3b31d22ce19f1f800e15dccee1fa67961fc329fb8ee113b61e4a22d5a82408889fecc4abe33df98e5f3ccd5be2f02ecac3da1eca7700ad4751f7da482b

Download Submit
C:\Windows\{7E0BA144-C3C5-401c-A968-4723AB243856}.exe

Filesize
197KB

MD5
68acc6fd88007e4446b4500580038429

SHA1
b8c3d0ecaebb363040f759d60ef3abda6c0eb095

SHA256
8a5936a25f7721dfcee33a721b74c9e7ecebc2f97ada89ff00f8c3ef13e252c3

SHA512
963b5853a84acdc590d37d02a626bece2b27c179024a44a97dd25a1a42a76fbc5ccd1f8bba7618d48c4dee4c277e42597c167845b2225afec2062673b366a2ac

Download Submit
C:\Windows\{8CAF9C79-6C08-4124-914F-C880BB527977}.exe

Filesize
197KB

MD5
da7b11dd0d1e1e26a0b9f9c4d362a189

SHA1
80975a38fc69514d623f9870877a9ded467bd061

SHA256
f77392a6064cbdd3d982be924c571b08a6585a4f9175ef497e08816ed6a7ec34

SHA512
5ed6540548881ef824832d497b062d49be475b094281d7f681c06cffaa0838f408f6b19b23131bcb75d9fa142cb41329c54e0eef64ea5d2cb8daaa2785f7beb8

Download Submit
C:\Windows\{9B9ED9ED-101C-4b9a-9203-49C7884BBB20}.exe

Filesize
197KB

MD5
b325bdbb69b3d240fefbca1559574cb1

SHA1
54eaac93587ad12405ea35b48a590aeaa22b9618

SHA256
7ce64d06df737fb003a791976c74e554361e60309ee14825d2737f149a07dd22

SHA512
8889b930bb51eed2634b68318edcad5c4efe84239c3ea35640ac57ecef353169351cef1dd0c0f1c9b167cd24d72e58edff6d00514b2ad00a84c107aba4463f3a

Download Submit
C:\Windows\{B60E729A-E400-4e84-9DEB-E27ACF83559E}.exe

Filesize
197KB

MD5
9288d8eee73cb00fcf3077f910ca9580

SHA1
721030e3c27c5819430365509ad4ba43fda03309

SHA256
0bfada96081022280e8c2e6fae4bea2b2dbf1f8eb4106071f343731b1131e198

SHA512
111e983f13ee4bda91028779084f02a901ef10495d236b84bc0fd4f3c66a4b54848c47b875fcf79172b765d75966d40a30d36f298ed58ae365562e611fc4dc39

Download Submit
C:\Windows\{D0D6DFC5-8014-45dc-921D-41CF10CAAE53}.exe

Filesize
197KB

MD5
14ea3463fe5a0ede12cf362acd9aa3f0

SHA1
2c33f20cc8f961f93c4f483371b9cd5a423742f9

SHA256
cc0e581755eed1c575b5443b3ed02e0365e329a2577938a6bfdfab2ecd0bdc22

SHA512
2ce901f09e4c9d994f16858fe43fa250b15f2d78ddcf3ba8b5694a6ad3ea5b1a5aa074757a7c5261450fcc4d2925b4cb2aedd77b75fc79526d37440243fde21e

Download Submit
C:\Windows\{F8AB8B40-275F-4178-B1B1-10890B11578A}.exe

Filesize
197KB

MD5
314f3848a18ae00db7ae65c535a03617

SHA1
1151ba4b77fe932c003d43c77ddc8f5e9cc8b1ac

SHA256
7b18847ffadd83ab473c9cc026cf5170d7226ced491ce7f6dfb18fc0b711a1ac

SHA512
d8bacfcf64767f559278d67362eaec6b093d6a801007c428515495e48b1ccb2c1b14e811dccc5758440924f27cd436b24ce7cdd70a1776f1889cc9aa2a8b1ab3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads