4204727d562c1e6a328c40c693dfacc47ee5d92ad1dd3fb8e59966658bd77fa6

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
Size

408KB
MD5

508e14c07b710e9f09a714899e20c7d3
SHA1

706e0084d5303186cffbc27faf4b7f343fa3b341
SHA256

4204727d562c1e6a328c40c693dfacc47ee5d92ad1dd3fb8e59966658bd77fa6
SHA512

0677a59f17afd90030bb09a1e95217f673c9775e21679b356643b3af70332e15cfa2c249998f63592b6a595adca6b1c9f64d881ec67771ad1ea2123fd5ea229b
SSDEEP

3072:CEGh0oel3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}\stubpath = "C:\\Windows\\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe"	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}\stubpath = "C:\\Windows\\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe"	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}\stubpath = "C:\\Windows\\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe"	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD37F122-DF1F-45e4-A0D8-466E895FB374}	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}\stubpath = "C:\\Windows\\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe"	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD37F122-DF1F-45e4-A0D8-466E895FB374}\stubpath = "C:\\Windows\\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe"	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}\stubpath = "C:\\Windows\\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe"	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}\stubpath = "C:\\Windows\\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe"	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}\stubpath = "C:\\Windows\\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe"	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}\stubpath = "C:\\Windows\\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe"	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}\stubpath = "C:\\Windows\\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe"	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}\stubpath = "C:\\Windows\\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe"	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}\stubpath = "C:\\Windows\\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe"	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe

Executes dropped EXE 12 IoCs

pid	Process
2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
1656	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
4384	{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
File created	C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
File created	C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
File created	C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
File created	C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
File created	C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
File created	C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
File created	C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
File created	C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
File created	C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
File created	C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
File created	C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
Token: SeIncBasePriorityPrivilege	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
Token: SeIncBasePriorityPrivilege	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
Token: SeIncBasePriorityPrivilege	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
Token: SeIncBasePriorityPrivilege	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
Token: SeIncBasePriorityPrivilege	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
Token: SeIncBasePriorityPrivilege	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
Token: SeIncBasePriorityPrivilege	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
Token: SeIncBasePriorityPrivilege	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
Token: SeIncBasePriorityPrivilege	3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
Token: SeIncBasePriorityPrivilege	1656	{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2332	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	94
PID 4244 wrote to memory of 2332	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	94
PID 4244 wrote to memory of 2332	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	94
PID 4244 wrote to memory of 4840	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	95
PID 4244 wrote to memory of 4840	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	95
PID 4244 wrote to memory of 4840	4244	2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe	95
PID 2332 wrote to memory of 3532	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	96
PID 2332 wrote to memory of 3532	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	96
PID 2332 wrote to memory of 3532	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	96
PID 2332 wrote to memory of 3368	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	97
PID 2332 wrote to memory of 3368	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	97
PID 2332 wrote to memory of 3368	2332	{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe	97
PID 3532 wrote to memory of 2456	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	100
PID 3532 wrote to memory of 2456	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	100
PID 3532 wrote to memory of 2456	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	100
PID 3532 wrote to memory of 2192	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	101
PID 3532 wrote to memory of 2192	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	101
PID 3532 wrote to memory of 2192	3532	{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe	101
PID 2456 wrote to memory of 1908	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	102
PID 2456 wrote to memory of 1908	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	102
PID 2456 wrote to memory of 1908	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	102
PID 2456 wrote to memory of 2060	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	103
PID 2456 wrote to memory of 2060	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	103
PID 2456 wrote to memory of 2060	2456	{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe	103
PID 1908 wrote to memory of 3964	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	104
PID 1908 wrote to memory of 3964	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	104
PID 1908 wrote to memory of 3964	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	104
PID 1908 wrote to memory of 1664	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	105
PID 1908 wrote to memory of 1664	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	105
PID 1908 wrote to memory of 1664	1908	{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe	105
PID 3964 wrote to memory of 3416	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	106
PID 3964 wrote to memory of 3416	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	106
PID 3964 wrote to memory of 3416	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	106
PID 3964 wrote to memory of 4444	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	107
PID 3964 wrote to memory of 4444	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	107
PID 3964 wrote to memory of 4444	3964	{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe	107
PID 3416 wrote to memory of 2448	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	108
PID 3416 wrote to memory of 2448	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	108
PID 3416 wrote to memory of 2448	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	108
PID 3416 wrote to memory of 1476	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	109
PID 3416 wrote to memory of 1476	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	109
PID 3416 wrote to memory of 1476	3416	{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe	109
PID 2448 wrote to memory of 4312	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	110
PID 2448 wrote to memory of 4312	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	110
PID 2448 wrote to memory of 4312	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	110
PID 2448 wrote to memory of 4892	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	111
PID 2448 wrote to memory of 4892	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	111
PID 2448 wrote to memory of 4892	2448	{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe	111
PID 4312 wrote to memory of 3868	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	112
PID 4312 wrote to memory of 3868	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	112
PID 4312 wrote to memory of 3868	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	112
PID 4312 wrote to memory of 5096	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	113
PID 4312 wrote to memory of 5096	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	113
PID 4312 wrote to memory of 5096	4312	{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe	113
PID 3868 wrote to memory of 3812	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	114
PID 3868 wrote to memory of 3812	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	114
PID 3868 wrote to memory of 3812	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	114
PID 3868 wrote to memory of 1396	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	115
PID 3868 wrote to memory of 1396	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	115
PID 3868 wrote to memory of 1396	3868	{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe	115
PID 3812 wrote to memory of 1656	3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe	116
PID 3812 wrote to memory of 1656	3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe	116
PID 3812 wrote to memory of 1656	3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe	116
PID 3812 wrote to memory of 2316	3812	{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_508e14c07b710e9f09a714899e20c7d3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
  C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
    C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
      C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
        
        C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
        
        C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
        
        C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
        
        C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
        
        C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
        
        C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
        
        C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
        
        C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe
        
        C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77221~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8676~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E0A3~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B703A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7DBB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CD8B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC2B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{627D8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD37F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB724~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DC19~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CD8BC51-7CD4-4aca-A152-436C238F6F62}.exe

Filesize
408KB

MD5
c2013a34c60fdb100b6486be389fb610

SHA1
732071033d7e9cad4451bb7eb81808487cb4de0a

SHA256
2795b3fe9ed3b60a676fe5e83fef03aac13f660bac1cbb81bd0b6a7813544edf

SHA512
08bc9eeec227620ed4245c1ea4444ea6a8eb27adecf63f7e27e926c88c95ab96c6dc01c41f714b8f57f2ca0ea0e84d774ab3dd0add7c3a36e8143665e432ebba

Download Submit
C:\Windows\{3E0A3EF4-8726-4832-9CE0-F606B8EDDFBD}.exe

Filesize
408KB

MD5
20d256ac52dd388ac023d3b0fae029c1

SHA1
ecca2230ad4cf67ee84ee08d733ac61f9475e91d

SHA256
e250568ae17f5837ef02873b8fee5be19faeea7007068531033e543c20051fc4

SHA512
542390987fc7f31b7e6c6d9bab3ce6c53b4563dc27ad51c10abf3abcc9fb2bbfcb03476baccd45d873d8f87dbfe6dbe50bff1c03bd83d23f5a8897dd67259ade

Download Submit
C:\Windows\{5BC2BC47-27F3-4195-A0AF-40D6AF57A452}.exe

Filesize
408KB

MD5
cf0b25b28539899c260a3cd95501d5d0

SHA1
ec61540cfec99fb5d3226a60a10a45cce32a169e

SHA256
9d956afcc12061d4b70ee518233c241ea7c56ef599012cb80cbc9f216e207d54

SHA512
7f790e579f14b5003ade91f16e2625c5d24da6ac4c25a54d137d46f6059b3e68700c5ec7857923992aadaa8636e7d8ee5b1c5ef3fc6df93ea357db8ad1bf10a5

Download Submit
C:\Windows\{627D8C1D-21E0-448a-8E97-47C2E5F5975F}.exe

Filesize
408KB

MD5
1e1f1e53c68bb1c6e227a8d3f4316072

SHA1
49556c75a68b8121507eb829f976d1cf00ff4c40

SHA256
51e7dffa3f446dd3784c439fced35364509f18cc0ba17efcd6e2d93b00ac8107

SHA512
a09dbe73a65139ef871685a3e66013a5b0ec9009664d9e4af6b414147d77efaf4f257cbf0027ce148bdc1b6b4ebdb3012f19207ece9b7315c394f03f9c8a3dd5

Download Submit
C:\Windows\{77221EDB-84E4-450a-AD15-0EBDE2E388F0}.exe

Filesize
408KB

MD5
5b639485190521e35d18bca40c59b63e

SHA1
4a412d27ee125bef4d96d99f27cf7adb52381fbf

SHA256
b2d3063ca656dbc1c1bb9ac82a3762283e6b123631faea49b0a76fbb26d9c9a7

SHA512
5466aed1135eca0bffea2171f539eddb3ee567936ea06a27eb7c63920f58e6a24360362a1a7666a1b24c663be31e8e86a07ffae340e5765ee8396edb52405c7f

Download Submit
C:\Windows\{7DC19FAA-464E-4e9e-A7A0-98ACD48B7F5A}.exe

Filesize
408KB

MD5
0c49bf2039da325d550174715165996e

SHA1
99357fb7470d45834b0e180615adfd515bd16228

SHA256
81257806b35349a95206f8e021bb6688362234bcbd95f9530579e10ca36540db

SHA512
4a9543ce499ffc59e0a7c42f21653ba588336ead7cb8cee98ab48636a48a7a3ba80cdc287f7077478be6f8c7c40f4579a839ab4c43214b6c9025e2896884c6ce

Download Submit
C:\Windows\{A7DBB80B-52D5-4b07-AAAE-0194186780C1}.exe

Filesize
408KB

MD5
67037c7f458d96d0f6f7b4dd41f2e3f1

SHA1
a417fad0209fcf41b650072e60593d87ad866049

SHA256
d5250099fbdc269ad10cd4246fa45e812b4b90a38d707d4d8d31c540a26416d1

SHA512
92d5f073bcb705bc2c32ce4f7ec0923cc93f6e685040ea6edd08882d59241925022d9039e287bb1dc99f4e663aeef407935b2900c70054aaeee19f64c548d841

Download Submit
C:\Windows\{A8676FB6-FA4B-482f-9F1B-7F5F928E7EFC}.exe

Filesize
408KB

MD5
e57ba4c9c372d7fa7c8807d3e740a53a

SHA1
7e066ecf0713351ac8e660cadbb3ad77be452fe3

SHA256
7f6ef31baad403d63ffcb693ac226cdf2929b47b0eb9b838ca1fdac5f6edfed8

SHA512
580ec3386b62de2125f39e5b91243dfb8741ad902f2d7649617f28e5f490499fac48e4844a20993c9ef25e3808db5f5d7bee215ad5facee146957d1ed79180fe

Download Submit
C:\Windows\{AB724AB9-E98D-42c0-9337-DAE80E8D18D7}.exe

Filesize
408KB

MD5
5fa3e5f1920ddb6d4aed4699143c6ff0

SHA1
1f4529b3057e509056ead7eed1e27e62fdcc810b

SHA256
a497c34720b41ac0f5a57f3a3000bcc81df780a3b6f431e1cfa1ccd743aa08c6

SHA512
c583d0752b40cdb556dbb3319c75e8782324b760f89b0d806c67253c0e782332d936e6270167fa613a6c808b0ae57da0138c56e5e15e12d5195eb8be61f73af5

Download Submit
C:\Windows\{B703AFD2-1387-4093-A1C9-6F330CE1A1CC}.exe

Filesize
408KB

MD5
605e8c5545127b7bcdfe2bf4b41295d3

SHA1
35aa9300646fb76410dce975c573470f61e1acf1

SHA256
3fd2ba25f889cf0e4774863d136238a556e21792bfa8c9c22c298ed99e3b24d4

SHA512
95341685d8b71077c1bf04f80f206f851892df48c6448bddac4f8d66ee556ba2bae2038132ce723bb3516cc32bd298a482f7c4fb64dbcdf9be41f7997f82e6ca

Download Submit
C:\Windows\{B818FD3B-D67C-44e5-B12E-06532BA69EFB}.exe

Filesize
408KB

MD5
fed968815d753738380d62ea0114f8c7

SHA1
4a46db3fe3e6316877748251b0e1d902cff9aa19

SHA256
40ba37419d466921e3203035b449df230f1e6b97df9a2b9b435f3ad6f1927383

SHA512
fb1f5fe10f0c1ab7639799e2aa13b6cf101b7a805f9b60cc452f96cac7a96a4bc6feeef3e3c19be5b285fdd98d357eab528bffe87d57010c5fa3ede6ee6f9c60

Download Submit
C:\Windows\{DD37F122-DF1F-45e4-A0D8-466E895FB374}.exe

Filesize
408KB

MD5
e643de57062e0a985630b66ecfe5df53

SHA1
dab4fdc4fd55d2b3a4df4109b0c2be7c01f08737

SHA256
4f7d895a74b2db60ca3dba3ebcab3dbb2b7e26a35e14ae5f7d3e788a650bfb60

SHA512
acefd1d2c4af542d8a091973df20580521a7cae25d77d286b7a5ca85a48dbda9f1103b860dd6615e9959f54c5a3c6e2a06d04f077d572284da53dc67d35105c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads