200fbe8959cf6942da7c6dbe7783a9f927512fc0c9d3602b612f506f900183cc

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
Size

344KB
MD5

fbe7f80ee0e90ce5933bd87b50b7af12
SHA1

6adfd1432b962ba9d5adc65043d48cb63b3fbd02
SHA256

200fbe8959cf6942da7c6dbe7783a9f927512fc0c9d3602b612f506f900183cc
SHA512

4a3719c638783634efd6eacdfaa3fa41cdedb6b7cd6c064499fb5dd061c172baf986cc661bb1fa2ea06995c9373b456ccb7b3b953a6942ce801ecb3e340c703e
SSDEEP

3072:mEGh0oflEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG5lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DBF8241-2291-4a25-8EFD-49566DE4801E}	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}\stubpath = "C:\\Windows\\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe"	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354B1CD5-8E20-4163-9DC4-94773A3B7779}	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC86064-BD81-4fab-93BA-03602A373039}\stubpath = "C:\\Windows\\{ABC86064-BD81-4fab-93BA-03602A373039}.exe"	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}\stubpath = "C:\\Windows\\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe"	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EC0EBF-9392-422c-8F47-216A71E3065B}\stubpath = "C:\\Windows\\{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe"	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8243159A-827C-443d-B653-9D5BB463CDF3}	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4049CF32-F57F-49c3-A029-258310DB07E6}\stubpath = "C:\\Windows\\{4049CF32-F57F-49c3-A029-258310DB07E6}.exe"	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}\stubpath = "C:\\Windows\\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe"	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A24758-4A40-45b6-AA14-FFFE26060196}\stubpath = "C:\\Windows\\{64A24758-4A40-45b6-AA14-FFFE26060196}.exe"	{ABC86064-BD81-4fab-93BA-03602A373039}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C54A7716-F7FC-4609-B57E-165C7569E93D}	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C54A7716-F7FC-4609-B57E-165C7569E93D}\stubpath = "C:\\Windows\\{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe"	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}\stubpath = "C:\\Windows\\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe"	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354B1CD5-8E20-4163-9DC4-94773A3B7779}\stubpath = "C:\\Windows\\{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe"	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4049CF32-F57F-49c3-A029-258310DB07E6}	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54EC0EBF-9392-422c-8F47-216A71E3065B}	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DBF8241-2291-4a25-8EFD-49566DE4801E}\stubpath = "C:\\Windows\\{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe"	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8243159A-827C-443d-B653-9D5BB463CDF3}\stubpath = "C:\\Windows\\{8243159A-827C-443d-B653-9D5BB463CDF3}.exe"	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC86064-BD81-4fab-93BA-03602A373039}	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64A24758-4A40-45b6-AA14-FFFE26060196}	{ABC86064-BD81-4fab-93BA-03602A373039}.exe

Executes dropped EXE 12 IoCs

pid	Process
1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
3068	{ABC86064-BD81-4fab-93BA-03602A373039}.exe
3048	{64A24758-4A40-45b6-AA14-FFFE26060196}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
File created	C:\Windows\{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
File created	C:\Windows\{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
File created	C:\Windows\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
File created	C:\Windows\{64A24758-4A40-45b6-AA14-FFFE26060196}.exe	{ABC86064-BD81-4fab-93BA-03602A373039}.exe
File created	C:\Windows\{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
File created	C:\Windows\{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
File created	C:\Windows\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
File created	C:\Windows\{ABC86064-BD81-4fab-93BA-03602A373039}.exe	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
File created	C:\Windows\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
File created	C:\Windows\{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
File created	C:\Windows\{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABC86064-BD81-4fab-93BA-03602A373039}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64A24758-4A40-45b6-AA14-FFFE26060196}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
Token: SeIncBasePriorityPrivilege	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
Token: SeIncBasePriorityPrivilege	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
Token: SeIncBasePriorityPrivilege	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
Token: SeIncBasePriorityPrivilege	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
Token: SeIncBasePriorityPrivilege	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
Token: SeIncBasePriorityPrivilege	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
Token: SeIncBasePriorityPrivilege	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
Token: SeIncBasePriorityPrivilege	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
Token: SeIncBasePriorityPrivilege	2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
Token: SeIncBasePriorityPrivilege	3068	{ABC86064-BD81-4fab-93BA-03602A373039}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1588	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	94
PID 4460 wrote to memory of 1588	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	94
PID 4460 wrote to memory of 1588	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	94
PID 4460 wrote to memory of 3668	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	95
PID 4460 wrote to memory of 3668	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	95
PID 4460 wrote to memory of 3668	4460	2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe	95
PID 1588 wrote to memory of 8	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	96
PID 1588 wrote to memory of 8	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	96
PID 1588 wrote to memory of 8	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	96
PID 1588 wrote to memory of 4272	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	97
PID 1588 wrote to memory of 4272	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	97
PID 1588 wrote to memory of 4272	1588	{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe	97
PID 8 wrote to memory of 2968	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	100
PID 8 wrote to memory of 2968	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	100
PID 8 wrote to memory of 2968	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	100
PID 8 wrote to memory of 4208	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	101
PID 8 wrote to memory of 4208	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	101
PID 8 wrote to memory of 4208	8	{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe	101
PID 2968 wrote to memory of 4816	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	102
PID 2968 wrote to memory of 4816	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	102
PID 2968 wrote to memory of 4816	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	102
PID 2968 wrote to memory of 4624	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	103
PID 2968 wrote to memory of 4624	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	103
PID 2968 wrote to memory of 4624	2968	{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe	103
PID 4816 wrote to memory of 5020	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	104
PID 4816 wrote to memory of 5020	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	104
PID 4816 wrote to memory of 5020	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	104
PID 4816 wrote to memory of 3268	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	105
PID 4816 wrote to memory of 3268	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	105
PID 4816 wrote to memory of 3268	4816	{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe	105
PID 5020 wrote to memory of 4844	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	106
PID 5020 wrote to memory of 4844	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	106
PID 5020 wrote to memory of 4844	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	106
PID 5020 wrote to memory of 2832	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	107
PID 5020 wrote to memory of 2832	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	107
PID 5020 wrote to memory of 2832	5020	{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe	107
PID 4844 wrote to memory of 1620	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	108
PID 4844 wrote to memory of 1620	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	108
PID 4844 wrote to memory of 1620	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	108
PID 4844 wrote to memory of 2888	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	109
PID 4844 wrote to memory of 2888	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	109
PID 4844 wrote to memory of 2888	4844	{8243159A-827C-443d-B653-9D5BB463CDF3}.exe	109
PID 1620 wrote to memory of 1044	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	110
PID 1620 wrote to memory of 1044	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	110
PID 1620 wrote to memory of 1044	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	110
PID 1620 wrote to memory of 5096	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	111
PID 1620 wrote to memory of 5096	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	111
PID 1620 wrote to memory of 5096	1620	{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe	111
PID 1044 wrote to memory of 4968	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	112
PID 1044 wrote to memory of 4968	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	112
PID 1044 wrote to memory of 4968	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	112
PID 1044 wrote to memory of 1840	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	113
PID 1044 wrote to memory of 1840	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	113
PID 1044 wrote to memory of 1840	1044	{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe	113
PID 4968 wrote to memory of 2840	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	114
PID 4968 wrote to memory of 2840	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	114
PID 4968 wrote to memory of 2840	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	114
PID 4968 wrote to memory of 1032	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	115
PID 4968 wrote to memory of 1032	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	115
PID 4968 wrote to memory of 1032	4968	{4049CF32-F57F-49c3-A029-258310DB07E6}.exe	115
PID 2840 wrote to memory of 3068	2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe	116
PID 2840 wrote to memory of 3068	2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe	116
PID 2840 wrote to memory of 3068	2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe	116
PID 2840 wrote to memory of 4460	2840	{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_fbe7f80ee0e90ce5933bd87b50b7af12_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
  C:\Windows\{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
    C:\Windows\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
      C:\Windows\{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
        
        C:\Windows\{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
        
        C:\Windows\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
        
        C:\Windows\{8243159A-827C-443d-B653-9D5BB463CDF3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
        
        C:\Windows\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
        
        C:\Windows\{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
        
        C:\Windows\{4049CF32-F57F-49c3-A029-258310DB07E6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
        
        C:\Windows\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{ABC86064-BD81-4fab-93BA-03602A373039}.exe
        
        C:\Windows\{ABC86064-BD81-4fab-93BA-03602A373039}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\{64A24758-4A40-45b6-AA14-FFFE26060196}.exe
        
        C:\Windows\{64A24758-4A40-45b6-AA14-FFFE26060196}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC86~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91486~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4049C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{354B1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C321B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82431~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC0FC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DBF8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54EC0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2AE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C54A7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DBF8241-2291-4a25-8EFD-49566DE4801E}.exe

Filesize
344KB

MD5
a6beb06f9817068e96fb098e2dd7cdc2

SHA1
d568a12df0e6cb02174480c7fb084af606abc2d7

SHA256
d4b4fbd14163b16f9c7224b55f8af9f6f31a525abf0229947ae8e250ca599fc3

SHA512
f9f47c354dfcabee938663c821a4d94006b4afe09cf9057255e64f8baa04dc56932d43d37212fdc21e327fce0beba9667f9dc351f489f876ff20af3474573417

Download Submit
C:\Windows\{354B1CD5-8E20-4163-9DC4-94773A3B7779}.exe

Filesize
344KB

MD5
fc9c42de036990014d13d49aef6d2110

SHA1
07c5d0fd76d1f8b2302ff752953c96d2f45227e3

SHA256
d6aa6e180c01cd7f645343a05091f1da4e96a3c0157742418dd5003bbe693f0d

SHA512
93018756e9aabb9204e7c9a0bd637b5a876037478a7ef306b4d9cdd75d54dedef35848ffce5d59cb0b312f953639bc4c41631e245b0bc8a9625a7f0c4b26b808

Download Submit
C:\Windows\{4049CF32-F57F-49c3-A029-258310DB07E6}.exe

Filesize
344KB

MD5
81d89a331b838b899ba0ebcaf3f3c6aa

SHA1
696ef059e01847c9d40c51ac095fb5de7c3d7fb6

SHA256
e0542d8792237e9295b5cc575a60cbb8be56ba7d20f9c6118bf17e2577007368

SHA512
966c84e6bbb5d98fcf58bee60d1249ee02c40872d9949af63d9707cbbe99fcc3fd1f6d9762e1479599174bcccfbfccc2e88ee4bf1cea5cf84854e6e93552a38d

Download Submit
C:\Windows\{4B2AE584-85E9-4668-B7F0-863F2FD2ABE6}.exe

Filesize
344KB

MD5
c68b3302db6b2d7a8451aaf3b74b8ee9

SHA1
ff68cb1ed42007ed76bc866bf0e96da037144244

SHA256
96c57b021e95760dad701b2713e7b6192a8a31d242711c4163bdcd592e119f4e

SHA512
1b78460da5c229e4add84bf187724c4b9a2b6287445d0c885a9f97c2f4ad1c0e9242dc212a5f50ae263b0f466a646b79591721baca6d7aed40dbb9662f77ca30

Download Submit
C:\Windows\{54EC0EBF-9392-422c-8F47-216A71E3065B}.exe

Filesize
344KB

MD5
a5e4564ec9e6e690a36db3a8a1852236

SHA1
364818961f470e2dbdc767ee05dfcb14c4556308

SHA256
0837d86ede0cd3ffa257a06f5cdc2a6e766e03dcb45fbe699a00cf0c601b4ecb

SHA512
091048e10c49cfcf1b6ab1acd568905fab7d7044273273f1613eb25e447def3046c77e3f982b78f4c0aec73dc4c583bd80c1c2037daa2eade9a8c97f9c62e972

Download Submit
C:\Windows\{64A24758-4A40-45b6-AA14-FFFE26060196}.exe

Filesize
344KB

MD5
0fda26b9baf7ae7537cd93bee2f7539f

SHA1
7be1421a3a232515ba0eb12eed8f6736c72305b1

SHA256
727634a51f583cefb57faa1de453bbe001d6e518c0e3dca712be7e55818bb68a

SHA512
85543b3b198a3b1baca20c5231a170a1e931d9d2cfc2fa41f4eee9a7f41fee2fd429bf492ab15dbf8fef978215e41dee6cfb56491ab1184e96a2d3032792a86f

Download Submit
C:\Windows\{8243159A-827C-443d-B653-9D5BB463CDF3}.exe

Filesize
344KB

MD5
3a5939c0862f70f42a50c77ee8a08820

SHA1
32c6d2c2811acbe9ed8a2eaaccdfff1aac44d587

SHA256
1cc36d322d7265771971368f01e61c3c427d2f09829c5dbfc9fba1f895fd8511

SHA512
38d8d1e702e7cb9756193365f3a28a11175f243f2d8aa20a2799533c047f7cf8382aff24a750dc8ffacbea2771bbad36b3095528d474601bf26f3855212f918c

Download Submit
C:\Windows\{91486AC5-C570-445c-B2C7-30F4FC0CBB1A}.exe

Filesize
344KB

MD5
bf63076dc23f9cb1e5c8292b58986aec

SHA1
8eb5ee3d6509cec94b7358cbd2f9a560af5613be

SHA256
413275670c080c0abc579cf8b95e44b6583090d4c1e8cdfa74a210615a4162ad

SHA512
0f9d4b42d94abfdda8df93cf2a3c6f3c1fd588daa7f6bef01b64ff6aeac1191c94b78897491ce8aa110d5eb5b8f3da57c550dfe07458dc095aae88b322de42ab

Download Submit
C:\Windows\{ABC86064-BD81-4fab-93BA-03602A373039}.exe

Filesize
344KB

MD5
cdfc3f4affab93c81cc42020f392bfef

SHA1
4ce62674376200ec1bdb9d52985fe0f689deee64

SHA256
4c94aa24b068c7dc8ba66db5be6b4785ed7cbc56da67d0404ae84c9cefe09eaa

SHA512
23112a681d79996df5b54138f6412296ca2954e395c652770aef35e069a4698392bf5c3c1b2242182951bcd8a0b17a73653c6bbb8e44eca75b506b390811b15d

Download Submit
C:\Windows\{C321B94E-9193-4c6c-9E9C-DA8E295510F1}.exe

Filesize
344KB

MD5
862683141bdbfdbbc7af032eda98aef1

SHA1
19e2490a929a5aee5387090c429cff28dcb95d19

SHA256
b03dc506f73ba87c195ec69a52d7aa553d44d92575782c8d726a95f18ce62839

SHA512
0c7c16103cfc764ef6bb8909fb152d2db735862d7368c86003377d1760b0d43eb04b0a7869ace0af4085b40f87b96f583860df740ffeadb80d74c7124dd2ef88

Download Submit
C:\Windows\{C54A7716-F7FC-4609-B57E-165C7569E93D}.exe

Filesize
344KB

MD5
be23584117a158f63b1d5ba64018da25

SHA1
5ccafda8ec43ffb1899302e04cb70965026a1a28

SHA256
003e7a765439fe0531733609efffe2cfe62a7c1d19fe866c17581b564d8821c2

SHA512
a29d7d9380980651b8524b73f32fcdb3d3bca944ccc05a4c1e99be1c3fc1021b6a7f8e1919e2047d8d726f5568f125381ba02ea2e8f800204a1794b1f5b319d3

Download Submit
C:\Windows\{CC0FC7DA-677A-468d-BDDA-70A47E7D0F54}.exe

Filesize
344KB

MD5
f4f658f17ae057f27708fad1c8470668

SHA1
6ca626c216f2ecd73a69f523ef9f9c633cd4a4d3

SHA256
a46a210ac21b7491285b20216c29e30ddc2dc0e8a07e2ce80b8c5ab4559977c1

SHA512
b6d5abb269f11693f0ef09fb393bb8aa6f0f1832ea05aed0a9753fc9bc73a1c47eeff82dc4485d1399e0e7796bbe9ab5cb0c87a702244bf9c6c48f13796d9550

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads