6080af27a518c45c5cdc85ab8c51f38dd0a7f8c796a849a45551cfe985f63847

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
Size

204KB
MD5

45648b4e24f5d1aba1ddb0229390c34e
SHA1

a368fd42fa0159712636e5d2eac6a38d9c9062a5
SHA256

6080af27a518c45c5cdc85ab8c51f38dd0a7f8c796a849a45551cfe985f63847
SHA512

fe40b94a90d88d25204e52c8df824034f94556a0dbbb52cdbd4d87d2d31ea504c49ce4283ad72ca8a30a47c81912ddbd5e08e07baef953c6638c097e9d140369
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ovl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A213F86A-9907-4f68-AAA8-415DD4B55304}	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A2040D2-BABE-4784-AA30-E668A272AC31}\stubpath = "C:\\Windows\\{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe"	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}\stubpath = "C:\\Windows\\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe"	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7D44066-2810-49fc-8B19-389302CB4130}	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89433528-3356-49bc-9B6F-BCC44AAFAD81}	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}\stubpath = "C:\\Windows\\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe"	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}\stubpath = "C:\\Windows\\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe"	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}\stubpath = "C:\\Windows\\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe"	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7D44066-2810-49fc-8B19-389302CB4130}\stubpath = "C:\\Windows\\{F7D44066-2810-49fc-8B19-389302CB4130}.exe"	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4526AA77-1DB7-4bc4-84AB-640806B34401}	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}\stubpath = "C:\\Windows\\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe"	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}	{F7D44066-2810-49fc-8B19-389302CB4130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A213F86A-9907-4f68-AAA8-415DD4B55304}\stubpath = "C:\\Windows\\{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe"	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4526AA77-1DB7-4bc4-84AB-640806B34401}\stubpath = "C:\\Windows\\{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe"	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A2040D2-BABE-4784-AA30-E668A272AC31}	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}\stubpath = "C:\\Windows\\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe"	{F7D44066-2810-49fc-8B19-389302CB4130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}\stubpath = "C:\\Windows\\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe"	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89433528-3356-49bc-9B6F-BCC44AAFAD81}\stubpath = "C:\\Windows\\{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe"	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe

Executes dropped EXE 12 IoCs

pid	Process
3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe
1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
2788	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
5048	{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	{F7D44066-2810-49fc-8B19-389302CB4130}.exe
File created	C:\Windows\{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
File created	C:\Windows\{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
File created	C:\Windows\{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
File created	C:\Windows\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
File created	C:\Windows\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
File created	C:\Windows\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
File created	C:\Windows\{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
File created	C:\Windows\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
File created	C:\Windows\{F7D44066-2810-49fc-8B19-389302CB4130}.exe	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
File created	C:\Windows\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
File created	C:\Windows\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7D44066-2810-49fc-8B19-389302CB4130}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
Token: SeIncBasePriorityPrivilege	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
Token: SeIncBasePriorityPrivilege	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
Token: SeIncBasePriorityPrivilege	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
Token: SeIncBasePriorityPrivilege	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe
Token: SeIncBasePriorityPrivilege	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
Token: SeIncBasePriorityPrivilege	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
Token: SeIncBasePriorityPrivilege	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
Token: SeIncBasePriorityPrivilege	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
Token: SeIncBasePriorityPrivilege	856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
Token: SeIncBasePriorityPrivilege	2788	{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3680	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	94
PID 224 wrote to memory of 3680	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	94
PID 224 wrote to memory of 3680	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	94
PID 224 wrote to memory of 1320	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	95
PID 224 wrote to memory of 1320	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	95
PID 224 wrote to memory of 1320	224	2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe	95
PID 3680 wrote to memory of 1136	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	96
PID 3680 wrote to memory of 1136	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	96
PID 3680 wrote to memory of 1136	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	96
PID 3680 wrote to memory of 2592	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	97
PID 3680 wrote to memory of 2592	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	97
PID 3680 wrote to memory of 2592	3680	{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe	97
PID 1136 wrote to memory of 4572	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	100
PID 1136 wrote to memory of 4572	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	100
PID 1136 wrote to memory of 4572	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	100
PID 1136 wrote to memory of 3316	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	101
PID 1136 wrote to memory of 3316	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	101
PID 1136 wrote to memory of 3316	1136	{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe	101
PID 4572 wrote to memory of 2284	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	102
PID 4572 wrote to memory of 2284	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	102
PID 4572 wrote to memory of 2284	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	102
PID 4572 wrote to memory of 4512	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	103
PID 4572 wrote to memory of 4512	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	103
PID 4572 wrote to memory of 4512	4572	{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe	103
PID 2284 wrote to memory of 2828	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	104
PID 2284 wrote to memory of 2828	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	104
PID 2284 wrote to memory of 2828	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	104
PID 2284 wrote to memory of 4288	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	105
PID 2284 wrote to memory of 4288	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	105
PID 2284 wrote to memory of 4288	2284	{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe	105
PID 2828 wrote to memory of 1452	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	106
PID 2828 wrote to memory of 1452	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	106
PID 2828 wrote to memory of 1452	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	106
PID 2828 wrote to memory of 1248	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	107
PID 2828 wrote to memory of 1248	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	107
PID 2828 wrote to memory of 1248	2828	{F7D44066-2810-49fc-8B19-389302CB4130}.exe	107
PID 1452 wrote to memory of 776	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	108
PID 1452 wrote to memory of 776	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	108
PID 1452 wrote to memory of 776	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	108
PID 1452 wrote to memory of 4788	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	109
PID 1452 wrote to memory of 4788	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	109
PID 1452 wrote to memory of 4788	1452	{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe	109
PID 776 wrote to memory of 3612	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	110
PID 776 wrote to memory of 3612	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	110
PID 776 wrote to memory of 3612	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	110
PID 776 wrote to memory of 2896	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	111
PID 776 wrote to memory of 2896	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	111
PID 776 wrote to memory of 2896	776	{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe	111
PID 3612 wrote to memory of 2756	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	112
PID 3612 wrote to memory of 2756	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	112
PID 3612 wrote to memory of 2756	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	112
PID 3612 wrote to memory of 2712	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	113
PID 3612 wrote to memory of 2712	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	113
PID 3612 wrote to memory of 2712	3612	{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe	113
PID 2756 wrote to memory of 856	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	114
PID 2756 wrote to memory of 856	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	114
PID 2756 wrote to memory of 856	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	114
PID 2756 wrote to memory of 3520	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	115
PID 2756 wrote to memory of 3520	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	115
PID 2756 wrote to memory of 3520	2756	{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe	115
PID 856 wrote to memory of 2788	856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe	116
PID 856 wrote to memory of 2788	856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe	116
PID 856 wrote to memory of 2788	856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe	116
PID 856 wrote to memory of 1884	856	{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_45648b4e24f5d1aba1ddb0229390c34e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
  C:\Windows\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
    C:\Windows\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
      C:\Windows\{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
        
        C:\Windows\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\{F7D44066-2810-49fc-8B19-389302CB4130}.exe
        
        C:\Windows\{F7D44066-2810-49fc-8B19-389302CB4130}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
        
        C:\Windows\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
        
        C:\Windows\{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
        
        C:\Windows\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
        
        C:\Windows\{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
        
        C:\Windows\{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
        
        C:\Windows\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe
        
        C:\Windows\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B65~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4526A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89433~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E81B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A213F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4166~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7D44~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FBDD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A204~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44E66~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7A98~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A2040D2-BABE-4784-AA30-E668A272AC31}.exe

Filesize
204KB

MD5
44bc14ddd0e501b46993ae7d3398ad4b

SHA1
4b11245699fb92805c73afdc9ca1ae1169435318

SHA256
f82e8d465244a1f8b338139157cc7370ec039a3189d1bb170ff251567668f5d1

SHA512
8c8105fef08176a0ea21104b9adcbf9a31f6f2c4f4c3da7974023fdff777f3f8be4b13cfd08b09ba646adb5dc5f7fcb216a5e38814e9ed137ed6ae1c634b24d9

Download Submit
C:\Windows\{44E66FFC-6D86-47de-B2B1-DC45A6EA5782}.exe

Filesize
204KB

MD5
c42963035f87226a605be327f659db99

SHA1
bab8e509339f8a75f6bb6ad9c3bb8364da6cf453

SHA256
6dd4d337c9074b37be3ad3b9aa9a30e084bf12554bad5dac1d45fe6b9c3b3efb

SHA512
81f2ee99b68164927b7900053a337388ed1ad8372d2af645e45df92c30aa2d9c24105362dbf4e62e95453a1f2d24487a7008afcf049789cf7c15656f200ab891

Download Submit
C:\Windows\{4526AA77-1DB7-4bc4-84AB-640806B34401}.exe

Filesize
204KB

MD5
6699c5c29b8b7b82db30ec1b7cf7a843

SHA1
0e4b784cd7649d722b1692ad29bb164a0c9635a0

SHA256
d0ee3c288e4b960ac34f76ce0607e6410b3f697dcaff9dd86e6a72a930f62ca5

SHA512
c9ed8fd54ef66ee6a31719811d39c21a4825bb3899e04430b40facb341dd96c959f01c8e5a7b0a5933b213c469413fd0e207c325aa4d77582d01a53904dc0785

Download Submit
C:\Windows\{4C9577DB-4CC9-4881-A642-36EAC2D1F318}.exe

Filesize
204KB

MD5
091e85686b863004f0ebea4503a08d44

SHA1
935834cd8a344e2d7c21c4322b5c103b18313d76

SHA256
3f9cc6658a8de172a8ba9ce245b9ba4033d4940fbeb73a89903c5b0a3597eda2

SHA512
58c363111b55e60bf3f3131003f6bd75f44723a36b9d9169ab220ae91c27c24fa43ec2216e9cc6d8583fb9d6e866279c8b269bf8a83180d8d0ba43bdcc791755

Download Submit
C:\Windows\{6FBDD011-F66A-4d9e-A702-6D55F3FA6661}.exe

Filesize
204KB

MD5
d289368b6d43953128485df7b1e0b76b

SHA1
c71c5c9a576e8560c9dc46b19a095967f7057ca4

SHA256
4afc6a487ee71b9763720c54fe620ddd61b1d25c67e461193bd61cecab454ed2

SHA512
e628ef58c21189ddc210537c6400022451a7f7d069e9eaa5a0aa824b932da2fd807d08085a29bf19d819b0da14913c1f38f0000b529f2103dd0d1b070326d5c4

Download Submit
C:\Windows\{89433528-3356-49bc-9B6F-BCC44AAFAD81}.exe

Filesize
204KB

MD5
aef9d411aed5dab4a1ba0bd1694445e8

SHA1
f77e8c043e0f4968e6e46131977b1c46f476bdae

SHA256
e9599b32b3b685f992a33d844cff7c342093ba5576555fb12499a53b2a064eec

SHA512
fedc74dc3789afb7e6d8d7bef34fe2780e0d232ba826026b2aa328f76b41b0ba3aecc73592648d84cccb264d1f96396b99c297d60e3968e0f305b73f71fa4912

Download Submit
C:\Windows\{9E81B390-9C99-40d3-B547-DFF93D5E0FC7}.exe

Filesize
204KB

MD5
d66cf83f68f0d688da7ccf15c61e7c91

SHA1
d44ef9620984bcecd2a5b7dd913b2e4348048a4f

SHA256
448011d18f0fb56a5dbabad86a354e5d908fe50eac2ededf654484f886c1dfdd

SHA512
13ff0bccd16cbe1cd4e8b4407a61ddfc822e25cc6b0f8a4e6accfebbf1ab4173df361da1dd0b1730abd4417ebc46685ed63f17738f855fdda15f101a3d00b828

Download Submit
C:\Windows\{A213F86A-9907-4f68-AAA8-415DD4B55304}.exe

Filesize
204KB

MD5
809295564fad5f25b32f01a936c006c5

SHA1
d0c6b0c1a5961db538d6ffd794b234e38370aa50

SHA256
63a5c39e6f3d9efd795c548d42923eaaecf97f88aaf9a8f413cbdecf4a509622

SHA512
c60e6ad590ed3fea1aa8682860a9ebe17522161781f63b1e9427f71aa423773bfd5283f74d49fe0d1a044d1096a6a03623a86c309c416673bac72826039d6e47

Download Submit
C:\Windows\{A4166AFA-BD14-40cd-95E3-9F76F0AA97EF}.exe

Filesize
204KB

MD5
18d74019a18764e8f67279ae457b8be4

SHA1
c6bfec6924e8b1add4a9d33d91e5f2cf93f358bc

SHA256
3d9d8b01cf62977b2817b9b80188dfd69b097212e7f123af160f59aa7966e13c

SHA512
994e00942e646d6d388f6a71cb64047e1f984c783dfc853c407d1fedbc7ab8f9fa13d33bba48fe91af51471bf5db56fcf2cb9a6dd99ad278df19b533b80ef521

Download Submit
C:\Windows\{C9B651B2-F358-4ebf-B64D-159E6F587CE0}.exe

Filesize
204KB

MD5
3e0128bdc941b4cf6368563e8b8e396d

SHA1
263d0546e4d284226665fbc1a9b8229420fd0609

SHA256
812fedcdfbad8efaa57f19e5065b3e6295cd9f21706c44ed4b73636f234f2a4d

SHA512
4dc080105e5b984a17d708f8ba6dac0179095f85820468eea913b03503739dca1ef65d4a8da4a4534c878e028bc69518c4edfad456519030010e705c974d7702

Download Submit
C:\Windows\{F7A98BC3-C96D-421c-9D0B-F9B92F975BB0}.exe

Filesize
204KB

MD5
f6e4fac651b4dab750abe7ba79679579

SHA1
df2ef9322ebac85eb26a1eaa1eac9c499dae3971

SHA256
394cbf4bd98e2eb6a29d27439a2357869470311b6ee81a1305060764c08160d0

SHA512
9728817ac1d3ddf8797ae7a001f48ae24fec48b52159670fd6bcbb5a8e092f6630fa5a02252bbffb86fd90e8add99b18faabed088479b7605500cab91585dddd

Download Submit
C:\Windows\{F7D44066-2810-49fc-8B19-389302CB4130}.exe

Filesize
204KB

MD5
7ce1751bfc69b3cf7991fa7fac375a00

SHA1
f4cdf7e761ab04882cd7216753bd929d2da3bd0e

SHA256
98d0b14fd5eb139e5244e75dbceff5e257d5b7947ffc49b536fbdab78d49b780

SHA512
0ff73259585c3af2bd25eeb213caf702f448dcba36af89f4b77a54c9f5f85367face57f0033c2c544729f3e86e8c07868f174e64f5fe1ad9d8a04399df9660db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads