cb58ad2c3ea77e4cc76aa026c0f9ef2b4999d445b5f07ddf722dde04e3db8c3e

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Size

197KB
MD5

e14a2135f733866986d32067555d385d
SHA1

bb6adda52ba3824dd5a94fc4e58327c5a10cc187
SHA256

cb58ad2c3ea77e4cc76aa026c0f9ef2b4999d445b5f07ddf722dde04e3db8c3e
SHA512

f5cb106b2a654e9b1815cb58736f3dd9f7568b6c4c0c3f630d5f2228e6d434df4df24b52eb708fef51d65353cdabb40b5a7fbefd67203ec641a27a85dd4b89f6
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGPlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}\stubpath = "C:\\Windows\\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe"	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80CED549-F805-46e5-B673-F2B006BA26D9}	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}\stubpath = "C:\\Windows\\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe"	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877B6295-372A-4057-A15A-9BFECF8E928B}\stubpath = "C:\\Windows\\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe"	{607E8203-0749-4c10-B833-69068B7E5D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}\stubpath = "C:\\Windows\\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe"	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}\stubpath = "C:\\Windows\\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe"	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}\stubpath = "C:\\Windows\\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe"	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80CED549-F805-46e5-B673-F2B006BA26D9}\stubpath = "C:\\Windows\\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe"	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}\stubpath = "C:\\Windows\\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe"	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607E8203-0749-4c10-B833-69068B7E5D99}	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{877B6295-372A-4057-A15A-9BFECF8E928B}	{607E8203-0749-4c10-B833-69068B7E5D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716A0A77-434C-4f62-B789-4ACA9630BF8A}\stubpath = "C:\\Windows\\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe"	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}\stubpath = "C:\\Windows\\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe"	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}\stubpath = "C:\\Windows\\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe"	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607E8203-0749-4c10-B833-69068B7E5D99}\stubpath = "C:\\Windows\\{607E8203-0749-4c10-B833-69068B7E5D99}.exe"	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716A0A77-434C-4f62-B789-4ACA9630BF8A}	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
3976	{607E8203-0749-4c10-B833-69068B7E5D99}.exe
1928	{877B6295-372A-4057-A15A-9BFECF8E928B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
File created	C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe	{607E8203-0749-4c10-B833-69068B7E5D99}.exe
File created	C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
File created	C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
File created	C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
File created	C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
File created	C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
File created	C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
File created	C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
File created	C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
File created	C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
File created	C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{877B6295-372A-4057-A15A-9BFECF8E928B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{607E8203-0749-4c10-B833-69068B7E5D99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
Token: SeIncBasePriorityPrivilege	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
Token: SeIncBasePriorityPrivilege	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
Token: SeIncBasePriorityPrivilege	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
Token: SeIncBasePriorityPrivilege	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
Token: SeIncBasePriorityPrivilege	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
Token: SeIncBasePriorityPrivilege	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
Token: SeIncBasePriorityPrivilege	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
Token: SeIncBasePriorityPrivilege	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
Token: SeIncBasePriorityPrivilege	4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
Token: SeIncBasePriorityPrivilege	3976	{607E8203-0749-4c10-B833-69068B7E5D99}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 3976	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	94
PID 720 wrote to memory of 3976	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	94
PID 720 wrote to memory of 3976	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	94
PID 720 wrote to memory of 912	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	95
PID 720 wrote to memory of 912	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	95
PID 720 wrote to memory of 912	720	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	95
PID 3976 wrote to memory of 4720	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	96
PID 3976 wrote to memory of 4720	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	96
PID 3976 wrote to memory of 4720	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	96
PID 3976 wrote to memory of 2596	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	97
PID 3976 wrote to memory of 2596	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	97
PID 3976 wrote to memory of 2596	3976	{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe	97
PID 4720 wrote to memory of 2340	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	100
PID 4720 wrote to memory of 2340	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	100
PID 4720 wrote to memory of 2340	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	100
PID 4720 wrote to memory of 2764	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	101
PID 4720 wrote to memory of 2764	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	101
PID 4720 wrote to memory of 2764	4720	{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe	101
PID 2340 wrote to memory of 4432	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	102
PID 2340 wrote to memory of 4432	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	102
PID 2340 wrote to memory of 4432	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	102
PID 2340 wrote to memory of 3264	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	103
PID 2340 wrote to memory of 3264	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	103
PID 2340 wrote to memory of 3264	2340	{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe	103
PID 4432 wrote to memory of 2812	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	104
PID 4432 wrote to memory of 2812	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	104
PID 4432 wrote to memory of 2812	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	104
PID 4432 wrote to memory of 3600	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	105
PID 4432 wrote to memory of 3600	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	105
PID 4432 wrote to memory of 3600	4432	{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe	105
PID 2812 wrote to memory of 1336	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	106
PID 2812 wrote to memory of 1336	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	106
PID 2812 wrote to memory of 1336	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	106
PID 2812 wrote to memory of 2628	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	107
PID 2812 wrote to memory of 2628	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	107
PID 2812 wrote to memory of 2628	2812	{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe	107
PID 1336 wrote to memory of 436	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	108
PID 1336 wrote to memory of 436	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	108
PID 1336 wrote to memory of 436	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	108
PID 1336 wrote to memory of 1760	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	109
PID 1336 wrote to memory of 1760	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	109
PID 1336 wrote to memory of 1760	1336	{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe	109
PID 436 wrote to memory of 2648	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	110
PID 436 wrote to memory of 2648	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	110
PID 436 wrote to memory of 2648	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	110
PID 436 wrote to memory of 2976	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	111
PID 436 wrote to memory of 2976	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	111
PID 436 wrote to memory of 2976	436	{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe	111
PID 2648 wrote to memory of 3012	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	112
PID 2648 wrote to memory of 3012	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	112
PID 2648 wrote to memory of 3012	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	112
PID 2648 wrote to memory of 4100	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	113
PID 2648 wrote to memory of 4100	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	113
PID 2648 wrote to memory of 4100	2648	{80CED549-F805-46e5-B673-F2B006BA26D9}.exe	113
PID 3012 wrote to memory of 4532	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	114
PID 3012 wrote to memory of 4532	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	114
PID 3012 wrote to memory of 4532	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	114
PID 3012 wrote to memory of 3808	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	115
PID 3012 wrote to memory of 3808	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	115
PID 3012 wrote to memory of 3808	3012	{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe	115
PID 4532 wrote to memory of 3976	4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe	116
PID 4532 wrote to memory of 3976	4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe	116
PID 4532 wrote to memory of 3976	4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe	116
PID 4532 wrote to memory of 3272	4532	{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
  C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
    C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
      C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
        
        C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
        
        C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
        
        C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
        
        C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
        
        C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
        
        C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
        
        C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe
        
        C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe
        
        C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{607E8~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74305~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9FCB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80CED~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26802~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE9BE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D79C5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8271A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F02~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A13~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{716A0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26802092-19F7-42ed-A64C-C2B5CAF43E3D}.exe

Filesize
197KB

MD5
87f725f698d0bfad2c8ca78f63d26e29

SHA1
b55bb688a8ef51b0050ce457f809a98920e0d805

SHA256
dd0d5284bc40566e56b8d767ec8b5fdf8da24466b610c77e12721a6aad40519d

SHA512
4a6d6f019744f680fb36ef48e8bf6d14d6e7da513181b7443f6b42e1827dc717f8ea7be94f32d01d2b4740f4bef07afe4273b1da2ead18bb745d161363ac1142

Download Submit
C:\Windows\{607E8203-0749-4c10-B833-69068B7E5D99}.exe

Filesize
197KB

MD5
e4f3cade7d17a3d5982906085e3d9fe5

SHA1
84a3b7b5dde1cc721b5961ca1d14abd84f25fe26

SHA256
f394ec2bd44bb25229ea5687725b89d108064a30e8a8f499ca62903ce05b67ce

SHA512
f860b27c01260460d56985c28ce293a2e67ad498d78d853c4c713ab42469b203f369cb3e9594965d6816b7c3809717308c736d82c4f8c1fc5ee88bdea08b6fd9

Download Submit
C:\Windows\{716A0A77-434C-4f62-B789-4ACA9630BF8A}.exe

Filesize
197KB

MD5
63a4869e95ceef05f045d58887534539

SHA1
e847a25e28a865fadc778ab0834eb782ab8f6c6b

SHA256
5b4dad873f29a694599bc415d0b2f7c679068d4373bf9795ddc14a388687ab22

SHA512
ce290b9289200b534a30ea9191b859fe5549f65e178431bd8a767720fed96ef5b2a0c2e00722ea02b958cf7f0447967b187ea7016f26314b980018df52141ae3

Download Submit
C:\Windows\{74305374-EFED-4dc2-8FF7-EE45490C0AEA}.exe

Filesize
197KB

MD5
c7b3c35900dc39d313e20477950820a2

SHA1
908cc8fed966cda511dd750fe8543a1a00f78796

SHA256
66417a1635dbd5a0832d9aba333c036b692f89514c789aa798acea5d1bc0df90

SHA512
991844a8f7f3a8982bb789a626a000496b6d0beffba10d8ab9f3f370806681c16c16b32caf2f1ea0825c8c906331fcc02c3ff71dd09d5f3a9e012077e979b010

Download Submit
C:\Windows\{80CED549-F805-46e5-B673-F2B006BA26D9}.exe

Filesize
197KB

MD5
80c8a51648b2007d62dc001562c8a3f6

SHA1
377ae13c10462314635d3d7d645a5621ae17c79b

SHA256
7d4f1fc55758c234ad3ba5cf1361f17390d0da5de4114a0ea4a314e80924a65d

SHA512
ff3171eb69492c797539a946dff0fc42daf89dd2edc0614ab5e12576980e211f4910ebd77e94e6fc0fdfdd2e876e5642f18924ad64ff5efccafb1df13de02f94

Download Submit
C:\Windows\{8271A7E7-C576-49b2-A19F-47ED4EFCF4A0}.exe

Filesize
197KB

MD5
54311e396b8e891de8d787fce9c3048a

SHA1
c0594222464eb5e05bcd6522bed6dbefb311b012

SHA256
0ae6d59dc87bbfc1db81e0d936b2bfcfc7c08422b707ed06a2053ec41fec46cd

SHA512
1422da8e8f2d72de2623bf21a6b6e5ccbbd609af850bcb4cc5555a37c7ddccbd89c4bb2264c47dba0b4bb994eea2aa09c6a348a836b0e6c148b3b6585ee0fad2

Download Submit
C:\Windows\{877B6295-372A-4057-A15A-9BFECF8E928B}.exe

Filesize
197KB

MD5
a9a5989ba47d369c53058a36e1056ccb

SHA1
07b2b770040b0e7d8dee981086069fdb19923246

SHA256
29de3cfe7057f119b012d8310f6051e5b1f5c7825623b5142beebe33e70da7c7

SHA512
3c6a9eee59256a678df5ca6a600bc30b260d478e64c811cad04186073318ca9ced2c2b94604b22201bc4fe2de27ea7074db43f839cabf1f30bfd472abef43a99

Download Submit
C:\Windows\{BE9BE262-D77C-4ae7-9BFF-6AAF83BACF56}.exe

Filesize
197KB

MD5
c002c50979bb1c95ff6e874a1e4ecad5

SHA1
9c60203dc1262a8daef0eb84f0072d86263694dd

SHA256
293c3f782a43960668bdde727ef20228eec8da65f6c6ffbf059f882c812738c6

SHA512
e9eff7b2f77ee86bb29fd4d24f456a219bdfeb166eab2456c87877eadf33fe44e7e570ee442881dd3e429864016a2d7844690847ab6a3aa5ae46277dea2f2ff0

Download Submit
C:\Windows\{C4A13BF8-C27A-48c2-B924-9CCD3DC2F7FF}.exe

Filesize
197KB

MD5
36191e24a8d498376fb40db8b790b3f7

SHA1
d5071b9f5cf057e6b9876adcbd9c4edd88e7b5cc

SHA256
68285091d9b14c4e4b86a2a0831e4d99d6cc9db082214332d48607abf325ef94

SHA512
be6f39defa864f132d9a9bb7826a0cffec669ae35717c335a39a79fe7c3446ba73bc36a37fb4118f62f2233f631817c2714ce0cd8ef853dd2743b35098aa9dd1

Download Submit
C:\Windows\{D79C5228-AC99-4179-A16D-51C51FF8B6D3}.exe

Filesize
197KB

MD5
0bc989a0588c51fe354722c2a729d37d

SHA1
69c9af30590f5f53c2cd440ba997484f8dbbdc54

SHA256
3f635096c8c60cf786e030c5d20ca16ff2c32ed5235ddbefc40678bf6f0ee68f

SHA512
0d0bb8b2f2f45a80f3382f003a9f7f0d73aba4ad34e465eea6ecdbe370fd16f00d8cc989f7426886eb9896288aeb282120a2f0a1bba25f572d66f2fbe63a0051

Download Submit
C:\Windows\{E9FCBF0C-638A-45d1-A99F-ECC60855F5B7}.exe

Filesize
197KB

MD5
4e1a1c74fb99d10e8270bf6d998c3ab7

SHA1
bb1087c17bde83c2e78f636feef36d1d09116ded

SHA256
0d1bd36c85f8c11bf87a25a8a98e67e166ab0ca085d18b18588b004c182bf124

SHA512
7eca9075adcc7b2d038edf493d7bfffcb1842acc0cc0fdbae232cea6d0c444536e7edb93702d80ff7710ced9b7a9897e0365d3b80698cb1a2150ed1cb3693329

Download Submit
C:\Windows\{F7F02A5E-431B-47ae-A1AD-25A08BD16D3B}.exe

Filesize
197KB

MD5
ef0e231b2a0abd7012e474bb9ef7c94b

SHA1
f9fb901ff7ee6faab871f96edf9d0ea61ab3254a

SHA256
94ca65b23601b3dfd9c4ea2dc08c19ee00978e42c055cb8722118dc6a37fcc5a

SHA512
97f0b712129a92cf8fcdf49f5fd89396076a9f90a194a5ee4bd2d9c61c8de7d67b15f7b23d41f055856b5576f9ea892fb19274beadca8046f9d97cdfbbd8708b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads