88f7929f8ab9d49bc4548e6558268256cc061e740cb1e43eb1385c99b4f7b2c2

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
Size

168KB
MD5

60956583459dc0982ee2f8364c846998
SHA1

fed8dfe36c09baa3b82fc35c1df3d7df531d7179
SHA256

88f7929f8ab9d49bc4548e6558268256cc061e740cb1e43eb1385c99b4f7b2c2
SHA512

af169a9cdc3b4e1936c7cb3a3ce4739024bcfcfe2cb5856e6c40ad7fafc81e0192d32b6e8804403d8f41c411eeb4539f25bc29e9e2bc3e19562a348e739b7a5a
SSDEEP

1536:1EGh0oOlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oOlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A850C4C7-1079-4788-9CB5-810D901DBC2A}	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}\stubpath = "C:\\Windows\\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe"	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15802D93-62C3-4e30-B1FC-EC2082B70480}\stubpath = "C:\\Windows\\{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe"	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}\stubpath = "C:\\Windows\\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe"	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}\stubpath = "C:\\Windows\\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe"	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E3706DA-2D6C-4655-A82B-8871118E5E51}	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E3706DA-2D6C-4655-A82B-8871118E5E51}\stubpath = "C:\\Windows\\{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe"	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D673DC4-B23B-4961-9242-02A5F155DDD4}	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15802D93-62C3-4e30-B1FC-EC2082B70480}	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E271A53-4D80-4740-9A18-15F6147DB2A1}\stubpath = "C:\\Windows\\{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe"	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04109FF7-53B9-4f21-9E30-69ABC94904BA}	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}\stubpath = "C:\\Windows\\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe"	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D673DC4-B23B-4961-9242-02A5F155DDD4}\stubpath = "C:\\Windows\\{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe"	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A850C4C7-1079-4788-9CB5-810D901DBC2A}\stubpath = "C:\\Windows\\{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe"	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71248123-5C36-4b57-B2AB-CEDC6763EA82}\stubpath = "C:\\Windows\\{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe"	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E271A53-4D80-4740-9A18-15F6147DB2A1}	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04109FF7-53B9-4f21-9E30-69ABC94904BA}\stubpath = "C:\\Windows\\{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe"	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}\stubpath = "C:\\Windows\\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe"	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71248123-5C36-4b57-B2AB-CEDC6763EA82}	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
708	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
1684	{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
File created	C:\Windows\{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
File created	C:\Windows\{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
File created	C:\Windows\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
File created	C:\Windows\{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
File created	C:\Windows\{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
File created	C:\Windows\{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
File created	C:\Windows\{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
File created	C:\Windows\{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
File created	C:\Windows\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
File created	C:\Windows\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
File created	C:\Windows\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
Token: SeIncBasePriorityPrivilege	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
Token: SeIncBasePriorityPrivilege	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
Token: SeIncBasePriorityPrivilege	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
Token: SeIncBasePriorityPrivilege	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
Token: SeIncBasePriorityPrivilege	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
Token: SeIncBasePriorityPrivilege	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
Token: SeIncBasePriorityPrivilege	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
Token: SeIncBasePriorityPrivilege	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
Token: SeIncBasePriorityPrivilege	2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
Token: SeIncBasePriorityPrivilege	708	{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1688	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	94
PID 5104 wrote to memory of 1688	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	94
PID 5104 wrote to memory of 1688	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	94
PID 5104 wrote to memory of 3568	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	95
PID 5104 wrote to memory of 3568	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	95
PID 5104 wrote to memory of 3568	5104	2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe	95
PID 1688 wrote to memory of 5016	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	96
PID 1688 wrote to memory of 5016	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	96
PID 1688 wrote to memory of 5016	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	96
PID 1688 wrote to memory of 3680	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	97
PID 1688 wrote to memory of 3680	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	97
PID 1688 wrote to memory of 3680	1688	{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe	97
PID 5016 wrote to memory of 3068	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	100
PID 5016 wrote to memory of 3068	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	100
PID 5016 wrote to memory of 3068	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	100
PID 5016 wrote to memory of 1628	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	101
PID 5016 wrote to memory of 1628	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	101
PID 5016 wrote to memory of 1628	5016	{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe	101
PID 3068 wrote to memory of 3120	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	102
PID 3068 wrote to memory of 3120	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	102
PID 3068 wrote to memory of 3120	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	102
PID 3068 wrote to memory of 764	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	103
PID 3068 wrote to memory of 764	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	103
PID 3068 wrote to memory of 764	3068	{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe	103
PID 3120 wrote to memory of 3816	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	104
PID 3120 wrote to memory of 3816	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	104
PID 3120 wrote to memory of 3816	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	104
PID 3120 wrote to memory of 3484	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	105
PID 3120 wrote to memory of 3484	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	105
PID 3120 wrote to memory of 3484	3120	{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe	105
PID 3816 wrote to memory of 5020	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	106
PID 3816 wrote to memory of 5020	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	106
PID 3816 wrote to memory of 5020	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	106
PID 3816 wrote to memory of 2748	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	107
PID 3816 wrote to memory of 2748	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	107
PID 3816 wrote to memory of 2748	3816	{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe	107
PID 5020 wrote to memory of 3060	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	108
PID 5020 wrote to memory of 3060	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	108
PID 5020 wrote to memory of 3060	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	108
PID 5020 wrote to memory of 2536	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	109
PID 5020 wrote to memory of 2536	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	109
PID 5020 wrote to memory of 2536	5020	{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe	109
PID 3060 wrote to memory of 5080	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	110
PID 3060 wrote to memory of 5080	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	110
PID 3060 wrote to memory of 5080	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	110
PID 3060 wrote to memory of 3340	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	111
PID 3060 wrote to memory of 3340	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	111
PID 3060 wrote to memory of 3340	3060	{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe	111
PID 5080 wrote to memory of 4504	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	112
PID 5080 wrote to memory of 4504	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	112
PID 5080 wrote to memory of 4504	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	112
PID 5080 wrote to memory of 3940	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	113
PID 5080 wrote to memory of 3940	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	113
PID 5080 wrote to memory of 3940	5080	{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe	113
PID 4504 wrote to memory of 2216	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	114
PID 4504 wrote to memory of 2216	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	114
PID 4504 wrote to memory of 2216	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	114
PID 4504 wrote to memory of 1716	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	115
PID 4504 wrote to memory of 1716	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	115
PID 4504 wrote to memory of 1716	4504	{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe	115
PID 2216 wrote to memory of 708	2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe	116
PID 2216 wrote to memory of 708	2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe	116
PID 2216 wrote to memory of 708	2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe	116
PID 2216 wrote to memory of 3064	2216	{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_60956583459dc0982ee2f8364c846998_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
  C:\Windows\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
    C:\Windows\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
      C:\Windows\{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
        
        C:\Windows\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
        
        C:\Windows\{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
        
        C:\Windows\{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
        
        C:\Windows\{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
        
        C:\Windows\{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
        
        C:\Windows\{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
        
        C:\Windows\{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
        
        C:\Windows\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe
        
        C:\Windows\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0FF~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04109~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E271~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71248~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A850C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15802~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D673~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7885E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E370~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BC0F4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EE284~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04109FF7-53B9-4f21-9E30-69ABC94904BA}.exe

Filesize
168KB

MD5
b91dcb38a4d87886e1c93a527ada8c3f

SHA1
6ddab40f0f98823f6d5ed67e8aa0cc43b3a24630

SHA256
48f2ea43d914e0460eabdb6162a06f765c69343169d01d3658c40ae2e7c0ae3d

SHA512
95f7da0ef0f2cd5b17f4dbbe2c9c1d97545e9a0baf2043067244c773339dbc563508c18e8a24bf13106dedbef6dc71edf04ef8d13dfdf57e1580941e7b640953

Download Submit
C:\Windows\{15802D93-62C3-4e30-B1FC-EC2082B70480}.exe

Filesize
168KB

MD5
78d436a540ecb40fc832bdecf91fe2a0

SHA1
01fa0f81439dabe15468242caa4177e471dcb0f3

SHA256
28a6999d117f466835dbfc8bb00c8db8ece0429778f35ac67051bea635002220

SHA512
0b285d7be4433ecd3decbad1389cdf2097bf71ba145e401b67b0b10565b8f4e6cb66a8c3b6c228b1a6524ee870193465031d677fff457c0146be745f14757c4a

Download Submit
C:\Windows\{1D673DC4-B23B-4961-9242-02A5F155DDD4}.exe

Filesize
168KB

MD5
d0ed8f6292fc73251e2181161a86744e

SHA1
b82f3ef629b958771c39a79ab65cd0f0bb48a9f5

SHA256
9ea7c4ab50a1b955f5733b79113197c9d697eca3974ed525a21f120a63c64d9c

SHA512
d72485ec626f3c33bc79403e70bbe10e744ddda10576cf4f9ebb31c67ded404c8a692d068b00a605524ab57798214ffef7a5c4fa5088cbd35ca57c0bad81acaf

Download Submit
C:\Windows\{2E271A53-4D80-4740-9A18-15F6147DB2A1}.exe

Filesize
168KB

MD5
edd3971fa0663ff7c7cd410d7e72894e

SHA1
d0e6ebfda16361015727567ed34ceede14d795c2

SHA256
7e312b7089bb7b7745854006b726171c6c2d3cc55fc5c9c410a5aca355b1c4f6

SHA512
db8eccca5107ea1e382b58af3d8868f94334ba1a0263698fe4505f0af3988f8efe8e97acf3dcde74f5121cababeaecf8271f44ca1b9316a22290bd0f788617fa

Download Submit
C:\Windows\{3E3706DA-2D6C-4655-A82B-8871118E5E51}.exe

Filesize
168KB

MD5
83be1dbd41b9201009a20ad56b3fc095

SHA1
63435412ddd435bf5da567b14f095bae369eaa73

SHA256
3a1b96966b483bd37d68a96bdf4199c6db87f59356efcf05315195dee8572153

SHA512
d6a0c31f077dfb21f27e7f0f6c955a7cb304b7a963a3df650fdca42becd22ff46dd614ad6d72029ed2168dfb1f52308e1dcf281b11f55128a940c14a8b0a1aaf

Download Submit
C:\Windows\{71248123-5C36-4b57-B2AB-CEDC6763EA82}.exe

Filesize
168KB

MD5
45c0ad5b990da3178c21cdcf9d34efc6

SHA1
6dccdf4c23689c1f4ea9fad28900496449d1b168

SHA256
3575e0bf3d5dd3e7e637f590f315b36c09b1aea4511d34c94a0e7a1abce602b7

SHA512
554ca0c7026db45f13df04b03d203a6e8c35726813f221c5b39ea694ebdbdcada14f8c1a84719516c9b32b84c758d1bd360941f557cd419f72577f32c9ff9a56

Download Submit
C:\Windows\{7885E6EA-7EF0-42bd-8826-5F5A775F84B3}.exe

Filesize
168KB

MD5
d833091e7ed187a01952cd704e1c4b90

SHA1
a302644542384b0b526905c4a39a95d46e1e8902

SHA256
04f960aba9cdc15627d6f60f380a20dca3da4de1676b53699d6192a446df333f

SHA512
da0430c4d405f78a7c8ba9c67335a51a5b27fe3a08a5f712570da9766ab369056b6abf41e54c9b6efa48cd9e75a3f909c75ce48939e9f4b6166183284f529cf0

Download Submit
C:\Windows\{A850C4C7-1079-4788-9CB5-810D901DBC2A}.exe

Filesize
168KB

MD5
10f8e1ca0a752d31ec3f6b346d0beaa2

SHA1
4221de411d032e5120c537e977e9dede3b365105

SHA256
4d24174bff1cc18d56d2647b97e96942d53c7367222b44d6e6824151444a85dd

SHA512
b57854f11e481d8482acdf39e2f26978e5251d98f623e5afd9c109adc91e43227cd03ca3e96eeeb6178a3307ada1ea175160f7af0f582038a8704ed29a338b0d

Download Submit
C:\Windows\{BC0F4E71-8D82-4d70-A938-4F070D3EE186}.exe

Filesize
168KB

MD5
e86fc4c50b9ce4c7b5e16fc699b92103

SHA1
2e9f1b5bbc068f718fb591fcf6bb5929930cedaf

SHA256
f2543fdfdc7f15a24ee44d971dfe08f3021f557e86b753255e183654f5614c6e

SHA512
fa0400c3e9ad7d8b5fc2ea24fbc9cfd3187963fc3b9efa594de0ec8cd2e2d3ce7e1c32eea73d3f5c97c438b3673acc50755a115f6a2e5d4355d19948eae732d3

Download Submit
C:\Windows\{D60AFD8D-3713-4d36-9A97-4ECCBADA39FC}.exe

Filesize
168KB

MD5
7acaa2ac70eaa06e3299cb50d0999c0d

SHA1
905ee90cfdd3d101c3d65f9d96172857fc71f029

SHA256
a49c07554c2b6825c5fd06de2addfd1904581af51825f5c46f5304b7bd2658bd

SHA512
986023f10e347e9f496198b8792340d5ef8993a0afc84e468f4e6909816b29aab6d5ef59041b5c5ce87f0827d3e5694bfd99ad5563c07d63226f543865d52d89

Download Submit
C:\Windows\{EE2842D6-D3E8-4f84-BA31-B601C41AE400}.exe

Filesize
168KB

MD5
8f2396719248b470dbcdf30228bd4514

SHA1
5536682169e5fd283ff16a693821ace6c73aeb67

SHA256
65bf853c6d51200f32a59f15e6b74c7122d229b9048fb7bbb952bcfc3bcfc122

SHA512
de7cd6bacf7e26464e3f3bd5f87e2c2efb0a8858c7f11243bb698012c7b820d92b545f2c917182902ca005245d5f5b901d43300672dcdec805d7fbcf3f7f4d8f

Download Submit
C:\Windows\{FC0FF948-A0E6-4519-829E-7AAC2E2D2AE5}.exe

Filesize
168KB

MD5
b230d6bedb1a75966972e50b2e12af8b

SHA1
2af9c87b86a862965a18e87e8b0a986e05e160af

SHA256
14609a00764abf82f3272b703350c012f8346635a068eff05617623c60b82612

SHA512
cf9d891eb1058561189ddc9c7384b3bcd5603b6e758339d5cc0d29779074d0e71f49adbc52c6e71deee5a05742d07c10ddb55a3a7d9af503a0845985878c2675

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads