fc89de18632cda35e8ba70a93a19ea3fb04fb734169bc704371e5dcc8c55d057

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
Size

344KB
MD5

1b8e72116f8b31fd62aa3fdaf659dd2e
SHA1

eb2cc04ba9b56124ac79ba2a2576b1445d76d622
SHA256

fc89de18632cda35e8ba70a93a19ea3fb04fb734169bc704371e5dcc8c55d057
SHA512

d5d80d887812d4f59ece1336bfe82d0d6817c514bb2b7ec55b11f7e0275980c9f74a92d2fe1ad6b221f3f838ab8cab3c2d2e9292de51e00cbdd741b31a0b921c
SSDEEP

3072:mEGh0oDlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGZlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052C02C3-C2B0-4089-94FB-D255F15F45F9}\stubpath = "C:\\Windows\\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe"	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}\stubpath = "C:\\Windows\\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe"	{23758275-B929-467a-AA17-EFFE1670294E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052C02C3-C2B0-4089-94FB-D255F15F45F9}	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C90249-76D1-4141-B915-87D7769FF9CD}	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23758275-B929-467a-AA17-EFFE1670294E}	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}	{23758275-B929-467a-AA17-EFFE1670294E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9051738F-026F-4c68-B308-0433E7E48478}	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9051738F-026F-4c68-B308-0433E7E48478}\stubpath = "C:\\Windows\\{9051738F-026F-4c68-B308-0433E7E48478}.exe"	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92077B88-BD0A-4121-B47F-437E7E753A35}	{9051738F-026F-4c68-B308-0433E7E48478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}\stubpath = "C:\\Windows\\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe"	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}\stubpath = "C:\\Windows\\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe"	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23758275-B929-467a-AA17-EFFE1670294E}\stubpath = "C:\\Windows\\{23758275-B929-467a-AA17-EFFE1670294E}.exe"	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81A83906-D198-4859-8E81-6073C8D1D386}	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB38F526-2FD4-4308-942A-6AD55B8F754B}\stubpath = "C:\\Windows\\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe"	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92077B88-BD0A-4121-B47F-437E7E753A35}\stubpath = "C:\\Windows\\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe"	{9051738F-026F-4c68-B308-0433E7E48478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14C90249-76D1-4141-B915-87D7769FF9CD}\stubpath = "C:\\Windows\\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe"	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81A83906-D198-4859-8E81-6073C8D1D386}\stubpath = "C:\\Windows\\{81A83906-D198-4859-8E81-6073C8D1D386}.exe"	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}\stubpath = "C:\\Windows\\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe"	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}\stubpath = "C:\\Windows\\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe"	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB38F526-2FD4-4308-942A-6AD55B8F754B}	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe
4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe
3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
3288	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
4108	{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
File created	C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
File created	C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
File created	C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	{9051738F-026F-4c68-B308-0433E7E48478}.exe
File created	C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
File created	C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
File created	C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
File created	C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
File created	C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	{23758275-B929-467a-AA17-EFFE1670294E}.exe
File created	C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
File created	C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
File created	C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23758275-B929-467a-AA17-EFFE1670294E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9051738F-026F-4c68-B308-0433E7E48478}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe
Token: SeIncBasePriorityPrivilege	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
Token: SeIncBasePriorityPrivilege	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
Token: SeIncBasePriorityPrivilege	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe
Token: SeIncBasePriorityPrivilege	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
Token: SeIncBasePriorityPrivilege	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
Token: SeIncBasePriorityPrivilege	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
Token: SeIncBasePriorityPrivilege	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
Token: SeIncBasePriorityPrivilege	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
Token: SeIncBasePriorityPrivilege	3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe
Token: SeIncBasePriorityPrivilege	3288	{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2296	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	94
PID 2000 wrote to memory of 2296	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	94
PID 2000 wrote to memory of 2296	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	94
PID 2000 wrote to memory of 3020	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	95
PID 2000 wrote to memory of 3020	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	95
PID 2000 wrote to memory of 3020	2000	2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe	95
PID 2296 wrote to memory of 4808	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	96
PID 2296 wrote to memory of 4808	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	96
PID 2296 wrote to memory of 4808	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	96
PID 2296 wrote to memory of 4432	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	97
PID 2296 wrote to memory of 4432	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	97
PID 2296 wrote to memory of 4432	2296	{23758275-B929-467a-AA17-EFFE1670294E}.exe	97
PID 4808 wrote to memory of 2268	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	100
PID 4808 wrote to memory of 2268	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	100
PID 4808 wrote to memory of 2268	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	100
PID 4808 wrote to memory of 1160	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	101
PID 4808 wrote to memory of 1160	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	101
PID 4808 wrote to memory of 1160	4808	{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe	101
PID 2268 wrote to memory of 3192	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	102
PID 2268 wrote to memory of 3192	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	102
PID 2268 wrote to memory of 3192	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	102
PID 2268 wrote to memory of 2384	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	103
PID 2268 wrote to memory of 2384	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	103
PID 2268 wrote to memory of 2384	2268	{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe	103
PID 3192 wrote to memory of 3944	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	104
PID 3192 wrote to memory of 3944	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	104
PID 3192 wrote to memory of 3944	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	104
PID 3192 wrote to memory of 2780	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	105
PID 3192 wrote to memory of 2780	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	105
PID 3192 wrote to memory of 2780	3192	{9051738F-026F-4c68-B308-0433E7E48478}.exe	105
PID 3944 wrote to memory of 4856	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	106
PID 3944 wrote to memory of 4856	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	106
PID 3944 wrote to memory of 4856	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	106
PID 3944 wrote to memory of 4796	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	107
PID 3944 wrote to memory of 4796	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	107
PID 3944 wrote to memory of 4796	3944	{92077B88-BD0A-4121-B47F-437E7E753A35}.exe	107
PID 4856 wrote to memory of 3144	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	108
PID 4856 wrote to memory of 3144	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	108
PID 4856 wrote to memory of 3144	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	108
PID 4856 wrote to memory of 2960	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	109
PID 4856 wrote to memory of 2960	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	109
PID 4856 wrote to memory of 2960	4856	{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe	109
PID 3144 wrote to memory of 4120	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	110
PID 3144 wrote to memory of 4120	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	110
PID 3144 wrote to memory of 4120	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	110
PID 3144 wrote to memory of 3404	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	111
PID 3144 wrote to memory of 3404	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	111
PID 3144 wrote to memory of 3404	3144	{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe	111
PID 4120 wrote to memory of 1812	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	112
PID 4120 wrote to memory of 1812	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	112
PID 4120 wrote to memory of 1812	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	112
PID 4120 wrote to memory of 2936	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	113
PID 4120 wrote to memory of 2936	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	113
PID 4120 wrote to memory of 2936	4120	{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe	113
PID 1812 wrote to memory of 3064	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	114
PID 1812 wrote to memory of 3064	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	114
PID 1812 wrote to memory of 3064	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	114
PID 1812 wrote to memory of 2676	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	115
PID 1812 wrote to memory of 2676	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	115
PID 1812 wrote to memory of 2676	1812	{14C90249-76D1-4141-B915-87D7769FF9CD}.exe	115
PID 3064 wrote to memory of 3288	3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe	116
PID 3064 wrote to memory of 3288	3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe	116
PID 3064 wrote to memory of 3288	3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe	116
PID 3064 wrote to memory of 4068	3064	{81A83906-D198-4859-8E81-6073C8D1D386}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_1b8e72116f8b31fd62aa3fdaf659dd2e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe
  C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
    C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
      C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe
        
        C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
        
        C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
        
        C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
        
        C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
        
        C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
        
        C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe
        
        C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
        
        C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe
        
        C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EBD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81A83~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14C90~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9027~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{797AE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{052C0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92077~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90517~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB38F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49DB4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23758~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052C02C3-C2B0-4089-94FB-D255F15F45F9}.exe

Filesize
344KB

MD5
46d4ba440b676ff565cf1b5e2d83a56d

SHA1
8a6185a6d61d675993e5d41ea17c73f394d04347

SHA256
a17746d356b47f6b6fc71e08d663437299d3c60584a16bd5cd7897fef5c24776

SHA512
390210e0f0688c078947aca64edba377712606f57f4e3d19b43ea576a4b113a0a7211d9953e447041f506d66ec45d671e806b6ec81ddb81936c585fec7ebbf99

Download Submit
C:\Windows\{14C90249-76D1-4141-B915-87D7769FF9CD}.exe

Filesize
344KB

MD5
f3cbe638a5a9dffb57e7f1d6f4f0a0d7

SHA1
3e9898d23a366131b094a931c28145f2f4be4a4b

SHA256
33cf63d0f0c594f2659cb61ff0a98c8ffd21ef421bc6836baeb852b3246a7c3b

SHA512
b698445b020f7dc89d442d13d2905a0f658a969ddae6017851f7384b12615d94aec3b67e0cd5125618affd26fadc147027bd1edeac2734121087e00bcccc0247

Download Submit
C:\Windows\{23758275-B929-467a-AA17-EFFE1670294E}.exe

Filesize
344KB

MD5
8711d47869837a8bad45ae72ec24433e

SHA1
74cec228e48a466a202b4da7b64b0b56079f1327

SHA256
d1546a6995f58975cdbfdfd2d7b3a2c4c8da5633ce0ea9bb289cbca3601d43d6

SHA512
bff7134b3881070ad2e73d56a3660eb2332b00156f8ab6c4092eab18d071ef6fe8d02f1f88d41b5af5bc0a6d77568216968c28a3f6b2c057f4554f806bf7edd1

Download Submit
C:\Windows\{3A133D45-1179-41ac-B9A4-A9B420BBD51A}.exe

Filesize
344KB

MD5
f9e48cebb38e0dff942995e621030ea1

SHA1
e4e77a51db0384a3fcfbb99bc50319c99a4290c9

SHA256
9be2f61e3637cd7aabfcac354ba8e18ab71bd9a47d358819996d73b45a2bcb36

SHA512
b8dc710f749203605b0ef6be57a5a3cd1b8b6d643c597aa8eb6bcbc5fdda1c5b128ab10ca7239bfd035553d1d1e7692f9707919978f71c4a86f42d83f80c911d

Download Submit
C:\Windows\{49DB46D5-81FD-4099-BD87-B0A96D408CF7}.exe

Filesize
344KB

MD5
101a24bcb50af09274e543e8d1676a47

SHA1
909e92aa7c57ed97fa254cbd35a1d1f3e075d70f

SHA256
5a2f10e0d2702ec412602134c4e5024acd04aee55c56fdff343ca6024e4f3f52

SHA512
e0483a13dd8639e8bee86df8c93414031193478c2c47e9023d4c8be373fb4f4e9278060631798a58476a8680e58cdc4e669d2e1a2508c99fe1cb0eb69f1fd114

Download Submit
C:\Windows\{797AEEBB-2E5D-4cc0-94F2-8377921F71D9}.exe

Filesize
344KB

MD5
df94e6e90207bc62d04f8dae1039218d

SHA1
6f0e1305ce7c5739c3e56e85df5ca4a35d6eeba2

SHA256
76c08a6fa3aa67d338f139d8b4058d169fc53e21bffe78771c89807b3833179e

SHA512
a82f889d030d75cfbb59a385808a0037803ba1a112ea005c01ae4d6f5e941fc6e5dfeb1048270c428a8f837f0413bc5a968d5973be60e794143b93bfc0c8c9e9

Download Submit
C:\Windows\{81A83906-D198-4859-8E81-6073C8D1D386}.exe

Filesize
344KB

MD5
91ecbcf5222c05980e8287ead3666fda

SHA1
1aa2c2b47f21cbb2f4ff893012ca675e0ddc5dbd

SHA256
6bc1d26c051846bff89802f66e040a30a838c1fe05f20b5f33bad12e0533d387

SHA512
e4fbb1723b0acd906d4a4abae07c3f3acff63b7ceff2ec3cb3c4363ffe936a161c8774bb824bbc6f3e155327f2dcf9c5b25b0a4c6c7ef7de014818513f5196c8

Download Submit
C:\Windows\{9051738F-026F-4c68-B308-0433E7E48478}.exe

Filesize
344KB

MD5
77ce5b42a31ab4a072d3029c77071b5e

SHA1
500ac3c11b462b4d2f41327c40014bda65b2fde1

SHA256
ac9db809ed7c31eae414d67db9ec3b5df384e49a544585fc7edf1f62b168fd12

SHA512
b28756e203f0b448fb9c48a96887bce04cc9b982acc9ecf6a07b66ef4fce8cda09ce6dbe18c55056d5215dd5bc08c6fb049d9efc53feeadf54d4d0ff7ec0d15b

Download Submit
C:\Windows\{92077B88-BD0A-4121-B47F-437E7E753A35}.exe

Filesize
344KB

MD5
61377d5ab0beac45d9dcea21c520fd41

SHA1
1fef8877d39b2a04ba5413e35a82d5024e35f0db

SHA256
e588059f590ab3bfd762cfb951e9b5dcb55b745b2dc114b34a3013f684a0b3d3

SHA512
c21af2c81e6aa24615ef13e880abaf8f1b95f70457318a45428e824ec616ca3521d89a22c01fde596f1f50b5376ea1797228af2c0b07f7aae1ec18815d426c7a

Download Submit
C:\Windows\{C4EBD0AD-D49D-4f0e-92A5-E67534244543}.exe

Filesize
344KB

MD5
20310c1fcd0a286757485f2ceb7525ab

SHA1
ef5f03f6fc11191b93e9f9625f806bf37a94a123

SHA256
5a901839e1181dd05d7300cd5b1f5b93cbd16ff710ac76ae3892d1119d793595

SHA512
978537eba88d19fbb9f3ba0535764d05b8b66cd6bdaeb1924e1f36351e76e2ed340b88afae8e6805c09c1c677c7f2c50cdadf6ac6ca98fac3f90af1578c32a46

Download Submit
C:\Windows\{E9027215-55B6-4a94-A2BD-5F9BA38AAAB9}.exe

Filesize
344KB

MD5
4c2f2a34bf98988405551c5adeb23c95

SHA1
6120e09577cda135adde387bb92a95410a7aa733

SHA256
70389410996913d291d84d86cfaa12ff0797e30251e18eb90e05f17d7c7d72c5

SHA512
e234ef2be97b52639e9bfa4338dfeb91bcfd538755d77cff235cfdfbba79cb58726c8336172359187e7e951e1d15f4e80fead5a50a4a2975b69656b9cbcaebc4

Download Submit
C:\Windows\{FB38F526-2FD4-4308-942A-6AD55B8F754B}.exe

Filesize
344KB

MD5
4baa2d259eb346e9467e9eec76c75a94

SHA1
e26d2ba92f1df9f65dc14c22d0f5396a642858e9

SHA256
56b3b75ab0e3d8bd4b911692b9048834effe9ca75ec65e1273cf7918aed02c43

SHA512
5f8196ddc92792a4af709abbb2d9a4d28d63fa4a07cd3e43435030f48f374067af9f36b3af8a8a27b3579a877d693e866f93849f3c141b47bc403ee0963cfcbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads