6d420a1a7d721b9bb8175a4828edb3f6b0ed04f692ca6e7b4dabbef003f82024

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Size

168KB
MD5

e26310f449d2286501cb0201d06b4463
SHA1

68c3ff4555b531cca09f9fe1ab41391ecb5999a2
SHA256

6d420a1a7d721b9bb8175a4828edb3f6b0ed04f692ca6e7b4dabbef003f82024
SHA512

ffc0b32a7f80ce8fe76b79c6f5583f3b436ce64959dc90e8739f2ab5718523be4177fe14e6bfac861b92f84a27b4430420c3610dca82a446e0b46dbb01ca5b6b
SSDEEP

1536:1EGh0o4lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o4lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}\stubpath = "C:\\Windows\\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe"	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD85BE7B-2414-4383-8345-793001B5A831}\stubpath = "C:\\Windows\\{AD85BE7B-2414-4383-8345-793001B5A831}.exe"	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6790E7E-F96E-41d1-A450-24922BC904AC}	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68FB54E-2AD6-4965-9095-338C27A59C91}	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E68FB54E-2AD6-4965-9095-338C27A59C91}\stubpath = "C:\\Windows\\{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe"	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5146C168-166B-4d94-BDA4-522BE4642F4F}	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}\stubpath = "C:\\Windows\\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe"	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}\stubpath = "C:\\Windows\\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe"	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5146C168-166B-4d94-BDA4-522BE4642F4F}\stubpath = "C:\\Windows\\{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe"	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}\stubpath = "C:\\Windows\\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe"	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}\stubpath = "C:\\Windows\\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe"	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}\stubpath = "C:\\Windows\\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe"	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD85BE7B-2414-4383-8345-793001B5A831}	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6790E7E-F96E-41d1-A450-24922BC904AC}\stubpath = "C:\\Windows\\{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe"	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}\stubpath = "C:\\Windows\\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe"	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}\stubpath = "C:\\Windows\\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe"	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe

Executes dropped EXE 12 IoCs

pid	Process
384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
4460	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
4500	{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AD85BE7B-2414-4383-8345-793001B5A831}.exe	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
File created	C:\Windows\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
File created	C:\Windows\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
File created	C:\Windows\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
File created	C:\Windows\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
File created	C:\Windows\{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
File created	C:\Windows\{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
File created	C:\Windows\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
File created	C:\Windows\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
File created	C:\Windows\{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
File created	C:\Windows\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
File created	C:\Windows\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
Token: SeIncBasePriorityPrivilege	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
Token: SeIncBasePriorityPrivilege	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
Token: SeIncBasePriorityPrivilege	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
Token: SeIncBasePriorityPrivilege	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
Token: SeIncBasePriorityPrivilege	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe
Token: SeIncBasePriorityPrivilege	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
Token: SeIncBasePriorityPrivilege	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
Token: SeIncBasePriorityPrivilege	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
Token: SeIncBasePriorityPrivilege	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
Token: SeIncBasePriorityPrivilege	1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
Token: SeIncBasePriorityPrivilege	4460	{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 384	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	94
PID 1044 wrote to memory of 384	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	94
PID 1044 wrote to memory of 384	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	94
PID 1044 wrote to memory of 3608	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	95
PID 1044 wrote to memory of 3608	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	95
PID 1044 wrote to memory of 3608	1044	2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe	95
PID 384 wrote to memory of 860	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	96
PID 384 wrote to memory of 860	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	96
PID 384 wrote to memory of 860	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	96
PID 384 wrote to memory of 1996	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	97
PID 384 wrote to memory of 1996	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	97
PID 384 wrote to memory of 1996	384	{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe	97
PID 860 wrote to memory of 4036	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	100
PID 860 wrote to memory of 4036	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	100
PID 860 wrote to memory of 4036	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	100
PID 860 wrote to memory of 2476	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	101
PID 860 wrote to memory of 2476	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	101
PID 860 wrote to memory of 2476	860	{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe	101
PID 4036 wrote to memory of 2524	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	102
PID 4036 wrote to memory of 2524	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	102
PID 4036 wrote to memory of 2524	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	102
PID 4036 wrote to memory of 2908	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	103
PID 4036 wrote to memory of 2908	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	103
PID 4036 wrote to memory of 2908	4036	{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe	103
PID 2524 wrote to memory of 2356	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	104
PID 2524 wrote to memory of 2356	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	104
PID 2524 wrote to memory of 2356	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	104
PID 2524 wrote to memory of 1020	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	105
PID 2524 wrote to memory of 1020	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	105
PID 2524 wrote to memory of 1020	2524	{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe	105
PID 2356 wrote to memory of 4220	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	106
PID 2356 wrote to memory of 4220	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	106
PID 2356 wrote to memory of 4220	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	106
PID 2356 wrote to memory of 1388	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	107
PID 2356 wrote to memory of 1388	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	107
PID 2356 wrote to memory of 1388	2356	{AD85BE7B-2414-4383-8345-793001B5A831}.exe	107
PID 4220 wrote to memory of 4304	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	108
PID 4220 wrote to memory of 4304	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	108
PID 4220 wrote to memory of 4304	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	108
PID 4220 wrote to memory of 1608	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	109
PID 4220 wrote to memory of 1608	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	109
PID 4220 wrote to memory of 1608	4220	{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe	109
PID 4304 wrote to memory of 4372	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	110
PID 4304 wrote to memory of 4372	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	110
PID 4304 wrote to memory of 4372	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	110
PID 4304 wrote to memory of 2052	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	111
PID 4304 wrote to memory of 2052	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	111
PID 4304 wrote to memory of 2052	4304	{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe	111
PID 4372 wrote to memory of 3408	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	112
PID 4372 wrote to memory of 3408	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	112
PID 4372 wrote to memory of 3408	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	112
PID 4372 wrote to memory of 448	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	113
PID 4372 wrote to memory of 448	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	113
PID 4372 wrote to memory of 448	4372	{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe	113
PID 3408 wrote to memory of 1488	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	114
PID 3408 wrote to memory of 1488	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	114
PID 3408 wrote to memory of 1488	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	114
PID 3408 wrote to memory of 4184	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	115
PID 3408 wrote to memory of 4184	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	115
PID 3408 wrote to memory of 4184	3408	{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe	115
PID 1488 wrote to memory of 4460	1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe	116
PID 1488 wrote to memory of 4460	1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe	116
PID 1488 wrote to memory of 4460	1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe	116
PID 1488 wrote to memory of 1700	1488	{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_e26310f449d2286501cb0201d06b4463_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
  C:\Windows\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
    C:\Windows\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
      C:\Windows\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
        
        C:\Windows\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{AD85BE7B-2414-4383-8345-793001B5A831}.exe
        
        C:\Windows\{AD85BE7B-2414-4383-8345-793001B5A831}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
        
        C:\Windows\{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
        
        C:\Windows\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
        
        C:\Windows\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
        
        C:\Windows\{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
        
        C:\Windows\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
        
        C:\Windows\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe
        
        C:\Windows\{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C64CC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BB64~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E68FB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE30D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{194F4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6790~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD85B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D99B7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CF3D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F7A63~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1627A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1627A0A5-E5CE-4f08-BFF3-B9A791AF7228}.exe

Filesize
168KB

MD5
cc9fd76b0a68f48b458636e91850afd3

SHA1
286014317185d917ad766ee886d61e62ade34251

SHA256
15f903f0f19e24902e9ff81c1f52d3400370d6af4f84eae6684872290b191608

SHA512
1a6bc2174b220edd06e033e6e003ea240d101a497b7a40b4e176c08334591b4f496655cd611f5b82b36db49acc925b7ae888f85f3f1bf56dac40a2b7db42414b

Download Submit
C:\Windows\{194F4EEE-7AC2-4c11-BE99-B5144ACBD0AE}.exe

Filesize
168KB

MD5
241618fecdab5c4e0bee75376087c44d

SHA1
05050ecfabd1e48d98bfdfb8aa4569c5432bc779

SHA256
de4c8d1bd8bf12999706b6faad3e0abc36c33e0aac376cefdf73f4b49b2bc8a1

SHA512
ef0d1b714e3bd53c0745ca76a3eba0d2ca5c80bdeb72446070580dfa224691b6efe343b3313ac94c922e059c009f7972cedc9fd535ff7c545211c6ba971fee61

Download Submit
C:\Windows\{2CF3D749-5BD7-47ca-86F9-B3BC76C0447D}.exe

Filesize
168KB

MD5
2977d92c269ab89718420e0559720be5

SHA1
a2815db3200df6228f9d33bfb51fddf0851388ee

SHA256
cd74e2ecdef73390c3ba270004827ec622a54f3314a6818cd48aba912b11e533

SHA512
41dd93d6b87cacd7fd8a6244ea968be600135fd294d0fa185329ecba1f49efa392847b718172051d9b6ffe1cdfbee24fab67306018efc0e130f58e569a17be80

Download Submit
C:\Windows\{5146C168-166B-4d94-BDA4-522BE4642F4F}.exe

Filesize
168KB

MD5
2e8511424119fc0405aad5a5bc8407e1

SHA1
cb8ab1607aae69f70cad7e49076bc727b43ce733

SHA256
b2e9c4d105ae815534b49dc25a41c076d195bb94a203b78c910f4c3ff614d282

SHA512
af3f4bd726ee4894726bb504a6860e4c1f703b83d450af24fb7f70a1f257835174d7caaa5708dfef38f51d24b8f4324af163e533b62209fb9964077dc4a73239

Download Submit
C:\Windows\{5BB641B9-D3D9-46f0-9C53-641BE997E8DF}.exe

Filesize
168KB

MD5
b0ca3293f9a28d18194508ab744db758

SHA1
70aecfa93ff8e02d89b12a78aa7fc9260a31b285

SHA256
6ddeef0caca8c60e954735fe1fb2d5c4cc7334deaef8df62f4acf7fd730a1821

SHA512
9f46e4dc7534bceb91d29d7f2136333a10e1be366709627db89e7baee9a8e5466c42e68ff54272d8763f15ddb9b2ef41ce618a0159baae81407459ff805c0b7d

Download Submit
C:\Windows\{AD85BE7B-2414-4383-8345-793001B5A831}.exe

Filesize
168KB

MD5
38602e704a3ee8742c9f7fa493db9f35

SHA1
57928bcb11ffbf46e7f501d1b292a099e31cebe8

SHA256
98d1e91ffbba1e3699e08c5602906257ff7242096f90a9f618e2de47be3020cb

SHA512
dd0f61893b08e6b5d7ce04a58193212d9c4b1132d6ee9ccc15582165e56450ae6dc4494714301550f448a08bf99dcfaae95761d342da72d5b5b39b2c9bd0f645

Download Submit
C:\Windows\{B6790E7E-F96E-41d1-A450-24922BC904AC}.exe

Filesize
168KB

MD5
be33207aace4149615a4f82c53eadd90

SHA1
e1ac65b7dfc4eed862e8c169686b294e2b0797bf

SHA256
556c247199c5a6f1b7f47a99825650f5caa4c3b08396efdb6c9252868a003e26

SHA512
192c81ba1b56d335a7556fc0ec2a298d0cbefb92e3cfaa0c184f9394891224f720f837010ccec8509ed8c1853e843d20945522786afc176395939d82574b302c

Download Submit
C:\Windows\{C64CC72E-09C5-4dbf-B399-C987CF2B5013}.exe

Filesize
168KB

MD5
de5de0315cb549cdd0dec230d18b5d9a

SHA1
d1eb341eb73375b60884f2e0b89f67d2881f7c39

SHA256
4d0e464164f03377df8bdbb1372a1bad5f411f0e1c5c6aa4f1cda459eb02b62b

SHA512
64ebeb37ada250cf7f290035b4dfb7c28322366c8742787e0b13c427fb8a638dba1f86a5731a8e26a1c1968bc530414dcc8054c5e1479afc3bc036cd320d50a6

Download Submit
C:\Windows\{D99B7C59-B12F-4a1a-913E-F6386E4A8CA4}.exe

Filesize
168KB

MD5
f5a24ec0ed7d405c6e47bd1bd000850e

SHA1
94df7f679be07f69765e16f1a401753d30b2eb13

SHA256
b490f5647883448e1dc46de6c837698186e74633784366956fdc96e02bd1c978

SHA512
4d0123dda112d0179746c0e05230238c8f627423cd756fe1f9aefd3443bae91b1782c37177b4da2f39d140b149b86ddd1c820dfe6bbc60eb6295e3d1e4230ae7

Download Submit
C:\Windows\{E68FB54E-2AD6-4965-9095-338C27A59C91}.exe

Filesize
168KB

MD5
ca04dbfa6e59bcad43ebaed7bfbc038e

SHA1
454c954ba40d1710a710334a231862d87941a429

SHA256
7053e202d155c7de71a77a7f1de996b24e7a49e2cd222cb6b6a89be5c3bdaf6f

SHA512
d78c00bc0879ca1aebf4d485bbda5ac79aa366d9df1177c2ade05ef3626020d8c88269252e4864be340b6053794a7c6f4a3aa7cc15f339d363ee7cf8f575ad64

Download Submit
C:\Windows\{F7A63B40-FB03-4746-B4B6-7CA8B7E9237B}.exe

Filesize
168KB

MD5
c3c0635a6aad843a196669ae5f2f1eb1

SHA1
92ba141c8bc35d7be1b4a347793ad38e31813d2e

SHA256
24003f67552060f60dc5ac1dee1e3271a6c2a73b811fa7d4bd0a93cb533271ca

SHA512
cf5f347f1cd3ff7c831c81564653acc5a15e901ebb944836fb67b10a6bf76dc958a93834b724fd5a0d61bcaf469fb2777f272c6946ea74b90e28ccb1d4ff28a0

Download Submit
C:\Windows\{FE30DFB3-FE4F-434a-B66C-C3EFF2DAF47B}.exe

Filesize
168KB

MD5
482c60689b0364be75287331bb3316aa

SHA1
e8d87c5373111aa241e0113bd0198ac001df69df

SHA256
d145db34e0d28a3b4292dc5e788323aacd14689f05408ef9fb3eff009717a6ee

SHA512
b9ef619336830061f7a4ddd74cb02255346b5fd6719ce2a186f2380e8eb7c29d67a79e6d41ef7e676d36e73eb4a4f88b841c231a0c4a62eaf0aa4e825376de02

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads