d85905b3b435782a9389e35f80cbeea9c2a574989c40ad254b7f22552a3adef0

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
Size

197KB
MD5

684f7891cf750ef3af5c130a20d488e4
SHA1

819b4b59d82d25c16e1a293cc3b4db59e3b2ccb9
SHA256

d85905b3b435782a9389e35f80cbeea9c2a574989c40ad254b7f22552a3adef0
SHA512

d5549dfb7c465f615064470784575da38d36d64d9daf5aeecce71b578d4375bd26c9321df04890164cd1bac70648a1f43a7f27a94207e90432bdc1409bddce3a
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGTlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}\stubpath = "C:\\Windows\\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe"	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}\stubpath = "C:\\Windows\\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe"	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}\stubpath = "C:\\Windows\\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe"	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B548D71C-9653-47d9-AA85-9150C6C496E5}	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8B264B-7341-4a48-A258-5F158FEE50A2}\stubpath = "C:\\Windows\\{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe"	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}\stubpath = "C:\\Windows\\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe"	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8B264B-7341-4a48-A258-5F158FEE50A2}	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}\stubpath = "C:\\Windows\\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe"	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}\stubpath = "C:\\Windows\\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe"	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}\stubpath = "C:\\Windows\\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe"	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B548D71C-9653-47d9-AA85-9150C6C496E5}\stubpath = "C:\\Windows\\{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe"	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED6F7CB8-2221-4c26-89F1-6A278666C918}	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED6F7CB8-2221-4c26-89F1-6A278666C918}\stubpath = "C:\\Windows\\{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe"	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}\stubpath = "C:\\Windows\\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe"	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}\stubpath = "C:\\Windows\\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe"	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe

Executes dropped EXE 12 IoCs

pid	Process
3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
4412	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
3724	{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
File created	C:\Windows\{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
File created	C:\Windows\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
File created	C:\Windows\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
File created	C:\Windows\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
File created	C:\Windows\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
File created	C:\Windows\{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
File created	C:\Windows\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
File created	C:\Windows\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
File created	C:\Windows\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
File created	C:\Windows\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
File created	C:\Windows\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
Token: SeIncBasePriorityPrivilege	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
Token: SeIncBasePriorityPrivilege	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
Token: SeIncBasePriorityPrivilege	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
Token: SeIncBasePriorityPrivilege	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
Token: SeIncBasePriorityPrivilege	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
Token: SeIncBasePriorityPrivilege	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
Token: SeIncBasePriorityPrivilege	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
Token: SeIncBasePriorityPrivilege	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
Token: SeIncBasePriorityPrivilege	1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
Token: SeIncBasePriorityPrivilege	4412	{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3340	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	94
PID 4776 wrote to memory of 3340	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	94
PID 4776 wrote to memory of 3340	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	94
PID 4776 wrote to memory of 4744	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	95
PID 4776 wrote to memory of 4744	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	95
PID 4776 wrote to memory of 4744	4776	2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe	95
PID 3340 wrote to memory of 3088	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	96
PID 3340 wrote to memory of 3088	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	96
PID 3340 wrote to memory of 3088	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	96
PID 3340 wrote to memory of 5056	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	97
PID 3340 wrote to memory of 5056	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	97
PID 3340 wrote to memory of 5056	3340	{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe	97
PID 3088 wrote to memory of 2900	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	100
PID 3088 wrote to memory of 2900	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	100
PID 3088 wrote to memory of 2900	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	100
PID 3088 wrote to memory of 4868	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	101
PID 3088 wrote to memory of 4868	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	101
PID 3088 wrote to memory of 4868	3088	{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe	101
PID 2900 wrote to memory of 2144	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	102
PID 2900 wrote to memory of 2144	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	102
PID 2900 wrote to memory of 2144	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	102
PID 2900 wrote to memory of 1136	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	103
PID 2900 wrote to memory of 1136	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	103
PID 2900 wrote to memory of 1136	2900	{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe	103
PID 2144 wrote to memory of 4088	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	104
PID 2144 wrote to memory of 4088	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	104
PID 2144 wrote to memory of 4088	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	104
PID 2144 wrote to memory of 3576	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	105
PID 2144 wrote to memory of 3576	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	105
PID 2144 wrote to memory of 3576	2144	{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe	105
PID 4088 wrote to memory of 2208	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	106
PID 4088 wrote to memory of 2208	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	106
PID 4088 wrote to memory of 2208	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	106
PID 4088 wrote to memory of 2692	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	107
PID 4088 wrote to memory of 2692	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	107
PID 4088 wrote to memory of 2692	4088	{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe	107
PID 2208 wrote to memory of 4444	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	108
PID 2208 wrote to memory of 4444	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	108
PID 2208 wrote to memory of 4444	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	108
PID 2208 wrote to memory of 1464	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	109
PID 2208 wrote to memory of 1464	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	109
PID 2208 wrote to memory of 1464	2208	{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe	109
PID 4444 wrote to memory of 1484	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	110
PID 4444 wrote to memory of 1484	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	110
PID 4444 wrote to memory of 1484	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	110
PID 4444 wrote to memory of 1148	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	111
PID 4444 wrote to memory of 1148	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	111
PID 4444 wrote to memory of 1148	4444	{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe	111
PID 1484 wrote to memory of 2156	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	112
PID 1484 wrote to memory of 2156	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	112
PID 1484 wrote to memory of 2156	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	112
PID 1484 wrote to memory of 1564	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	113
PID 1484 wrote to memory of 1564	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	113
PID 1484 wrote to memory of 1564	1484	{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe	113
PID 2156 wrote to memory of 1660	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	114
PID 2156 wrote to memory of 1660	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	114
PID 2156 wrote to memory of 1660	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	114
PID 2156 wrote to memory of 1852	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	115
PID 2156 wrote to memory of 1852	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	115
PID 2156 wrote to memory of 1852	2156	{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe	115
PID 1660 wrote to memory of 4412	1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe	116
PID 1660 wrote to memory of 4412	1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe	116
PID 1660 wrote to memory of 4412	1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe	116
PID 1660 wrote to memory of 3772	1660	{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-09_684f7891cf750ef3af5c130a20d488e4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
  C:\Windows\{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
    C:\Windows\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
      C:\Windows\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
        
        C:\Windows\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
        
        C:\Windows\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
        
        C:\Windows\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
        
        C:\Windows\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
        
        C:\Windows\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
        
        C:\Windows\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
        
        C:\Windows\{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
        
        C:\Windows\{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe
        
        C:\Windows\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8B2~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B548D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3AEE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2ED22~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4804B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F257E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83CDE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAE88~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EFC6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7DB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ED6F7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EFC6391-2C00-4e4f-B59E-7D0E3856105B}.exe

Filesize
197KB

MD5
4e5407fe0d76f9bcd1c5dc1a8670d044

SHA1
91205e3c9446328a1023ea2816e42b3bf5afbe7f

SHA256
74652a37fa8b84f18ca18cd408b0c8cb63d275c16affcd9abf5140e236acabe8

SHA512
7ffb41c90f4084baaa8371dc6e0e2ddf9c0c4612d307a38bb3ff4f29be09232442e76c60cdef7ac8528faa8183a397fe0261301b9102d61fd7bbb45916a9fd0c

Download Submit
C:\Windows\{2ED22C44-3E8E-49c4-9BE5-4F658D954832}.exe

Filesize
197KB

MD5
060d746761f567c5c6c28b8331a2e4b4

SHA1
8e8aac3e5f4859209b5726d4f695a1996609da40

SHA256
0e0679520667034836e46d45522e7505e7eb882646e481beba735b0b5b084180

SHA512
c20383cac68267bd1166464e96673bf477d244be18c35a1fb295974d42fa983bc7f855503da5ae9e7ab2ab52850d60436b0e0421d1afdc84e01e4f3ec2d0d102

Download Submit
C:\Windows\{4804BB75-6576-4b92-A642-04ABC2B1CE5D}.exe

Filesize
197KB

MD5
13b013ca4cc728ca55d9d7dfda0afacc

SHA1
7b32df728db69d485e39456ad0df6d892dd8918f

SHA256
f3eca29f5288a20b10b37c6a84045126553697a8ef9d50038efd07ca1671f242

SHA512
373d43b152f0abaad6204b635cf3edeff902818f919447015ea525345462a8bddf9c9e8514478a2fd26672ef875c2336dd4955786cd1892299fe4129698e324a

Download Submit
C:\Windows\{7A7DBF4A-B55C-498a-BD27-4F9802E3286B}.exe

Filesize
197KB

MD5
ff134e1bfb0852812e16896dda30293c

SHA1
536d289511df72ba5bc4809c327cb261c38d3994

SHA256
3c69e3b80c6d81cd679c4e21578bfee7ad5cd9d68c94d0ee17352a7a8d8daf5f

SHA512
87513c199979287325c48866d06f6fd3acc1c1def52e4027a9baa08838df442f1869715d02cf18442788914162ba54e1f1c355533fab522a92a2311a81e51705

Download Submit
C:\Windows\{83CDEAE1-E890-46e7-8A0A-93B248001AB9}.exe

Filesize
197KB

MD5
8f5e23f14eefc2657c0c5fe8aad56c2f

SHA1
30df33f510a2e622fd841471e5ed7a3a7b153de4

SHA256
0de214d65687b49b05de8b7d25239cbbeeb01ba16325e93f3b887f7510093567

SHA512
f7c91166049decd9dfafe710e7d9fdae9fc2b460ef83983393c274c854c41497a20f7e0831115109ba73b8307f3ec79ad2b3b6c26afaf01317288beda5bb580c

Download Submit
C:\Windows\{B548D71C-9653-47d9-AA85-9150C6C496E5}.exe

Filesize
197KB

MD5
9ef2245ef9561684aadd52cfd47d91b6

SHA1
570fc2a7de4f084556ba661f58ca2422bb4f8e3a

SHA256
6e38917546f5f91594a03df84582a91eec00f8408fad5ba18cccc74da615c91c

SHA512
092393620fc596a4b1520cff5224970d4c30c194280c1a13631f06a015a8a18f92d6aa74dc013763b0652a47298c5513ced7a718594d4cd7e7ef07131bd43fdc

Download Submit
C:\Windows\{C3AEEC6C-1B46-4dfd-B13B-DB2BE2A3473E}.exe

Filesize
197KB

MD5
18392d547d6d2c8fc1b68d55dffeaf1a

SHA1
dcdff422ff4262836f993057005c72f89653fa61

SHA256
8b511e6011714f1829acaf3d4229403ddfc7396cccb4f1ebcf24857ff474d125

SHA512
80ea505ec5b0311cd4d19f21e86794abe4b91de52d25f5ea4938623ce1b8fa0dd3d5766cac3554466154fb55783405261d2d25128bf0ee11eca2a9bcf17eb7d3

Download Submit
C:\Windows\{DAE88104-BBB9-4146-89CE-56FA8DE62E41}.exe

Filesize
197KB

MD5
afda915c4face67dc83937e47b1464a1

SHA1
6e8a28e78d6118d33344c6a69174842c331888a9

SHA256
07af549bf1af6431db4e935f61e47e9ecae8087e59cdb5dbb515d7c94aa9dd3c

SHA512
631bb8a9ffd603642d8cfa6ddcd6364a3a44da689aca1b5cdf1376b084b670720a1d85dd72f31982800ce790d7227275a8beee5bf7a32c800b75165d55e02fdc

Download Submit
C:\Windows\{DD8B264B-7341-4a48-A258-5F158FEE50A2}.exe

Filesize
197KB

MD5
10559e2945452f5c6101ccd51b23bb1e

SHA1
b2c2c85bedb1a1109662a794a3dc85ed36bc317b

SHA256
9ded393a82f72705ae16ab2d67fadcf8030460a273744ec45a9f6d3e74638462

SHA512
10fda6737ba1af1882e3b2850a365f6e591d063d6f3bf79ebe95668c6c570cad188484aa34a031c9a985aaa8c2e5613e74910b4084e590c88d09529201699ce8

Download Submit
C:\Windows\{ED6F7CB8-2221-4c26-89F1-6A278666C918}.exe

Filesize
197KB

MD5
61a346856389d746a2f2ebcc49f5be42

SHA1
0381e6736d86c17218c85cfd324a48d9fe8c26e6

SHA256
daaa88ea3e60f2a03ef2f61de4cba9b89f45c233d3709ad7189cb610498a50af

SHA512
ffd961818f4580f03c74e6953017532ccefc3f993536b3037a50de1f8bc432c324d79703c042fcebebd8a3627b61b57c8f22deeb495133ddd4101e50635438fd

Download Submit
C:\Windows\{F257E814-BBAD-44c0-9183-3E8E13EB3CB7}.exe

Filesize
197KB

MD5
1ada3548e6307cf0017dfcd2d56222c2

SHA1
a280dacad6ca1c555b3b000ee12d71fff3e6e4dd

SHA256
0b159a3dcf9a80b228b2d68d7663fdeef2c073420a189fe23ecab96eda819b27

SHA512
9ae0953dd6a792868597213e9b73b8495b5112e3aa9f91b02dcae67a3fa062f21ed9c7b6b1cf3fe51434c4adac2f77aab56d8d4368bd3d43e184693a2c063a14

Download Submit
C:\Windows\{F44810BD-A126-4aa0-AD68-1E8A0BCE4B56}.exe

Filesize
197KB

MD5
6078b74ee4b3bdb8e51e5ee690574273

SHA1
34f19392c99867dc9e08336daa225042013d5e70

SHA256
c35e4a19529d1a6dbd3f0e512a77a9a3e17050713a038a05967ed3e539b6342e

SHA512
a79b3814c9cfea28bdd61098c182ec322b8cff03f61096c80e1f6c610893249c2a0e62807d65f3051f0150db6a7dbf6b5816ea7d6c0910af2fbf12eefac2f1bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads