591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Size

204KB
MD5

e35965126b7ed6a8723a41c4598ea358
SHA1

73397af636e0bd9d37144deb7ec14674539001e8
SHA256

591018a3d12bc7bbe98ff48623d2b4a6c23e72fa1cbd610d1814ce581c80b41b
SHA512

c7db4a5414272a58c6b84a0eae34c0b1b9f1f37c7ac7fc445194d6256b06fe8a03f20eb2b69c19e58e858e488886ea13bdfd89efdb6f384590612381b28af4db
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}\stubpath = "C:\\Windows\\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe"	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90E0742-744F-461f-BB8F-8939E7FBE193}\stubpath = "C:\\Windows\\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe"	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73590DDA-E985-4020-885C-B10D4D567ECE}	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73590DDA-E985-4020-885C-B10D4D567ECE}\stubpath = "C:\\Windows\\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe"	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478BA865-27C2-459a-9BA2-44DFE1956F68}	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}\stubpath = "C:\\Windows\\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe"	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}\stubpath = "C:\\Windows\\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe"	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{500DEB13-542B-4110-AA29-BAF8F2633FCF}\stubpath = "C:\\Windows\\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe"	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7463451-429B-4093-A65C-B6EC5B620446}	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}	{C7463451-429B-4093-A65C-B6EC5B620446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}\stubpath = "C:\\Windows\\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe"	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0E991D-D10A-4b4d-AC77-07FC32397976}	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0E991D-D10A-4b4d-AC77-07FC32397976}\stubpath = "C:\\Windows\\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe"	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}\stubpath = "C:\\Windows\\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe"	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{478BA865-27C2-459a-9BA2-44DFE1956F68}\stubpath = "C:\\Windows\\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe"	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D90E0742-744F-461f-BB8F-8939E7FBE193}	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{500DEB13-542B-4110-AA29-BAF8F2633FCF}	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7463451-429B-4093-A65C-B6EC5B620446}\stubpath = "C:\\Windows\\{C7463451-429B-4093-A65C-B6EC5B620446}.exe"	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}\stubpath = "C:\\Windows\\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe"	{C7463451-429B-4093-A65C-B6EC5B620446}.exe

Executes dropped EXE 12 IoCs

pid	Process
184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe
3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
2932	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
2724	{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
File created	C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
File created	C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
File created	C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
File created	C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
File created	C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
File created	C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
File created	C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
File created	C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
File created	C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	{C7463451-429B-4093-A65C-B6EC5B620446}.exe
File created	C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
File created	C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C7463451-429B-4093-A65C-B6EC5B620446}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
Token: SeIncBasePriorityPrivilege	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
Token: SeIncBasePriorityPrivilege	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
Token: SeIncBasePriorityPrivilege	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
Token: SeIncBasePriorityPrivilege	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
Token: SeIncBasePriorityPrivilege	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
Token: SeIncBasePriorityPrivilege	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
Token: SeIncBasePriorityPrivilege	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe
Token: SeIncBasePriorityPrivilege	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
Token: SeIncBasePriorityPrivilege	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
Token: SeIncBasePriorityPrivilege	536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
Token: SeIncBasePriorityPrivilege	2932	{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 184	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	93
PID 1668 wrote to memory of 184	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	93
PID 1668 wrote to memory of 184	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	93
PID 1668 wrote to memory of 4012	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	94
PID 1668 wrote to memory of 4012	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	94
PID 1668 wrote to memory of 4012	1668	2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe	94
PID 184 wrote to memory of 2188	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	95
PID 184 wrote to memory of 2188	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	95
PID 184 wrote to memory of 2188	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	95
PID 184 wrote to memory of 3792	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	96
PID 184 wrote to memory of 3792	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	96
PID 184 wrote to memory of 3792	184	{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe	96
PID 2188 wrote to memory of 3140	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	99
PID 2188 wrote to memory of 3140	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	99
PID 2188 wrote to memory of 3140	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	99
PID 2188 wrote to memory of 4052	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	100
PID 2188 wrote to memory of 4052	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	100
PID 2188 wrote to memory of 4052	2188	{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe	100
PID 3140 wrote to memory of 4228	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	101
PID 3140 wrote to memory of 4228	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	101
PID 3140 wrote to memory of 4228	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	101
PID 3140 wrote to memory of 1516	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	102
PID 3140 wrote to memory of 1516	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	102
PID 3140 wrote to memory of 1516	3140	{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe	102
PID 4228 wrote to memory of 404	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	103
PID 4228 wrote to memory of 404	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	103
PID 4228 wrote to memory of 404	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	103
PID 4228 wrote to memory of 4544	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	104
PID 4228 wrote to memory of 4544	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	104
PID 4228 wrote to memory of 4544	4228	{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe	104
PID 404 wrote to memory of 2980	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	105
PID 404 wrote to memory of 2980	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	105
PID 404 wrote to memory of 2980	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	105
PID 404 wrote to memory of 4000	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	106
PID 404 wrote to memory of 4000	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	106
PID 404 wrote to memory of 4000	404	{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe	106
PID 2980 wrote to memory of 660	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	107
PID 2980 wrote to memory of 660	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	107
PID 2980 wrote to memory of 660	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	107
PID 2980 wrote to memory of 1216	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	108
PID 2980 wrote to memory of 1216	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	108
PID 2980 wrote to memory of 1216	2980	{73590DDA-E985-4020-885C-B10D4D567ECE}.exe	108
PID 660 wrote to memory of 3500	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	109
PID 660 wrote to memory of 3500	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	109
PID 660 wrote to memory of 3500	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	109
PID 660 wrote to memory of 5044	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	110
PID 660 wrote to memory of 5044	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	110
PID 660 wrote to memory of 5044	660	{C7463451-429B-4093-A65C-B6EC5B620446}.exe	110
PID 3500 wrote to memory of 3488	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	111
PID 3500 wrote to memory of 3488	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	111
PID 3500 wrote to memory of 3488	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	111
PID 3500 wrote to memory of 4840	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	112
PID 3500 wrote to memory of 4840	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	112
PID 3500 wrote to memory of 4840	3500	{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe	112
PID 3488 wrote to memory of 536	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	113
PID 3488 wrote to memory of 536	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	113
PID 3488 wrote to memory of 536	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	113
PID 3488 wrote to memory of 796	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	114
PID 3488 wrote to memory of 796	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	114
PID 3488 wrote to memory of 796	3488	{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe	114
PID 536 wrote to memory of 2932	536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe	115
PID 536 wrote to memory of 2932	536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe	115
PID 536 wrote to memory of 2932	536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe	115
PID 536 wrote to memory of 2784	536	{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e35965126b7ed6a8723a41c4598ea358_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
  C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
    C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
      C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
        
        C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
        
        C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
        
        C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe
        
        C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
        
        C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
        
        C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
        
        C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
        
        C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe
        
        C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90E0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{478BA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8449~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D57C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7463~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73590~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{500DE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB8B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0E9~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA008~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3E35~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{478BA865-27C2-459a-9BA2-44DFE1956F68}.exe

Filesize
204KB

MD5
f1d415bc67f863156148547296adb6ae

SHA1
106e315158848f7a664f2abc95895bfd4a12a081

SHA256
65d94c323360564478d46d6b084e5f68c39174bddb1df7988d01473d777dfb02

SHA512
4c44eb27311767a5e00a8bdfd2d4c69aafd7801108633b311099d4800a0e9e003353e2f26156a40fa763fd36f484e12199bf69e6e2f8f44ec6c4c15697e4cf05

Download Submit
C:\Windows\{500DEB13-542B-4110-AA29-BAF8F2633FCF}.exe

Filesize
204KB

MD5
eaebc0b4deb94bf8b01a3474f6071381

SHA1
ce2c02d0c0221a9ad3e9cc88bd6ba58c232f6969

SHA256
299c2e93c06eb6b4c25012965d77c2f883f92e9462a02ecdfab25954b7eb0abf

SHA512
456007ef6f8093fc844015252c48e487d93ddcb25f1cebad15661d826023ded412407612915fe00004d4e7b317f18a0198963f1b9457c3ffdbe34000fa4e6f33

Download Submit
C:\Windows\{73590DDA-E985-4020-885C-B10D4D567ECE}.exe

Filesize
204KB

MD5
34ed627d6bd2cf8742f2bb777a5e0797

SHA1
dd2155cd5002173f57013b646950fb19aa1c58db

SHA256
667e4a44da41975312704c609accdad78e8a346ba6864fb03cb0512fab978782

SHA512
c6a14baf351ff26649a98817222ff66e19f11556d71bba29f2d39a705d30d5cfec1fd51279d78cf1af8c8cd4357dc2d23eb7b07d7acb01a4fbc4af7c07ce66d9

Download Submit
C:\Windows\{7D57CC75-E812-4ed4-9511-7A3EEAFB0A43}.exe

Filesize
204KB

MD5
9b5d8958c5ae768730226c41e0686b4c

SHA1
92baf30ec23020fd8f89f13b1370161645a873ff

SHA256
3b48d3143f52de58b4238d6890bcf7df453dd543ec463cac74c718be37abf8fe

SHA512
85a68774e4f3903d39be9abf621940633e8dc6f51b73856d9e0cfaf18613dca66cedbbe85ef1cf749f94875b04aba337832342ba84e2fa064f993f7e61876885

Download Submit
C:\Windows\{8F0E991D-D10A-4b4d-AC77-07FC32397976}.exe

Filesize
204KB

MD5
11e55f9d7245bc1a3c85b4d52e3aa41b

SHA1
eb06e58f3bae45a2fe55eb42864cde1447ae77f4

SHA256
a1cb27c0ab0306ddc8a77d3a8eae20846eb19664055853547ef6c7d3d2838539

SHA512
841fafbdbbe41c23db7accf23dbf5f208af9afcf9388b3734c15d49936aa6ae1a9ecbe2d1eca7a752f08ba1dcfd9dab45c82b310f85e3596728be134bf772160

Download Submit
C:\Windows\{ADCD2FFE-877B-4894-BD6C-5AA659C679B2}.exe

Filesize
204KB

MD5
90968da675dfdcb52bbc17c5a9581f4e

SHA1
98b4c9b53f7d721c306b0ff2ba72cb95d4b0f727

SHA256
ec1ed8b22cacbecf7345b7fee4b563da7c56891e75226e4b9fad72380b964e91

SHA512
6301a093e7c72c5ac3a34326acc1d1de0566fbffdddfbfa6d9b6726ec076db613535559fcc6025f6de75193d29390163fc06a43b45f267a6cff5fcc3f5321680

Download Submit
C:\Windows\{AFB8BD89-FB46-4e94-81C1-00E8D8797509}.exe

Filesize
204KB

MD5
8fffc6c681501f1ceba34e620f455995

SHA1
d186af0a93ffb59ec39d49ce95e1737368159917

SHA256
843f806ab76d6ec739281d5693fd952a6d0e48038e190d0b1b57c8d3f939c32b

SHA512
d0eccbc4d296a246e2afa6e06aef867f67d91e48bf82af7d15d575e5f809ad875ff77daf24f08f60778bedbb7c17671504f6dc825d2b612c21d24759781b4d3b

Download Submit
C:\Windows\{B3E35E6A-B81A-4195-8905-07A3B4DEED3F}.exe

Filesize
204KB

MD5
437456a9e7ae3707db140a0c80e4378a

SHA1
e52cb584eead2ebe1770f4c5fd533689a920770c

SHA256
42173d1fadcf23072606c8a25cf8e5d59e269c362f070a80204dea453a88cf0f

SHA512
9ee967c2b0bd441642fce8a36eba194b77dd78fbd772fc96a854206730d5744bad132194075b695eab0b44bf93a900f99d499938e32759937c03877fbd99d450

Download Submit
C:\Windows\{C7463451-429B-4093-A65C-B6EC5B620446}.exe

Filesize
204KB

MD5
6d056932dabd32d0aa35892e7e2c2d2f

SHA1
c44200866f32e05457be303d6d635fa0a58cebc6

SHA256
b20916f633c33d0af5378e350768a58120d0beb6d49b6b684f74ad40901e0e26

SHA512
94ed8190597ac586ba24c3b12e648db384485899416a11899688a2eabbd20dbb476902de0069224e4224cc02f8144f6819dbda61fd7c4d166e87388fb3c88e21

Download Submit
C:\Windows\{D90E0742-744F-461f-BB8F-8939E7FBE193}.exe

Filesize
204KB

MD5
2793da2e452137ba5a0e5b351b0fa7ef

SHA1
8934dc096fd311e29d5f5c7b368d2c5e21ff17a2

SHA256
fd082d113a61b1d87c257f58a69740263a0d632c41d69275027202c0a8473ec9

SHA512
7942176e4257752a0c810b01ccfd7f60ae5e1f64682bdd6ba60805e1596f6839eb627df05ae2e414ddf7acb659243901ed9bb2ba5f3247037138ac1b46f5a5c5

Download Submit
C:\Windows\{E8449476-605F-42f1-AD9F-0FDE8EC9E862}.exe

Filesize
204KB

MD5
3b9fcac7475b47d921267581efe1ba84

SHA1
444aed7439e5eec8943b35f39dbfea4f1d5923c9

SHA256
409b4113a53ce1c4f3b006fbb53a0d499c355f2860a221c9ac6bc347eb7ba704

SHA512
0b66b9425a9e47b35bc670d2a3eeb3a23453b88b85ce7edb88f6c0ce09d8db4193c9c8d74dc91177556a99092bb4dd26b113c4514ffd8017cb809aed37ffcfe1

Download Submit
C:\Windows\{FA008894-2AE4-49e6-BC45-5F18AA4F2894}.exe

Filesize
204KB

MD5
0c59fee8c2cfb92d94038b1695dca6a7

SHA1
bc440ab92d736f9d4b762140ac35fa580f856655

SHA256
9c3b85a0c8b9a7bd52ab499d172f360d9a490b41d9bc7b4fa5dc2418efc38b01

SHA512
93bc0ba0791f39b67238b31764a4d413c27e413305d011ae331a09cce8e9ee024f55b375d566ab6bfffec6d59fb5bf8c5c23471b41233fbfc9bd1b8cb610e182

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads