6c5355b9777a613afc3f782e388a22107319a071d2638dea7c99eea3b4651ac7

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
Size

380KB
MD5

562e3fc141efd8db0bea8c8ce8d418cf
SHA1

68ea48c58f0e02c7c854457909ff7c83c9c61e89
SHA256

6c5355b9777a613afc3f782e388a22107319a071d2638dea7c99eea3b4651ac7
SHA512

cb851394f871abfecdb592924c30776604cefe0b9872094788f41617d7535087a6ef24b60d157b5a4eb1d5716461952b07db8bd536f0502cf3e7bae29181efc1
SSDEEP

3072:mEGh0oSlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGwl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}\stubpath = "C:\\Windows\\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe"	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B9154AB-ED58-4eba-8B98-DCF64E411430}	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27359C08-856A-409b-A86D-D19D83F08B27}	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}\stubpath = "C:\\Windows\\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe"	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}\stubpath = "C:\\Windows\\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe"	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}\stubpath = "C:\\Windows\\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe"	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89C52F16-000B-4c1c-8A07-34160DC67F55}\stubpath = "C:\\Windows\\{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe"	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF70496-2113-4a82-B5B4-21A6C66F415C}	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EF70496-2113-4a82-B5B4-21A6C66F415C}\stubpath = "C:\\Windows\\{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe"	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}\stubpath = "C:\\Windows\\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe"	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}\stubpath = "C:\\Windows\\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe"	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27359C08-856A-409b-A86D-D19D83F08B27}\stubpath = "C:\\Windows\\{27359C08-856A-409b-A86D-D19D83F08B27}.exe"	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89C52F16-000B-4c1c-8A07-34160DC67F55}	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}\stubpath = "C:\\Windows\\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe"	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}\stubpath = "C:\\Windows\\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe"	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B9154AB-ED58-4eba-8B98-DCF64E411430}\stubpath = "C:\\Windows\\{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe"	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
1244	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
4260	{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{27359C08-856A-409b-A86D-D19D83F08B27}.exe	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
File created	C:\Windows\{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
File created	C:\Windows\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
File created	C:\Windows\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
File created	C:\Windows\{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
File created	C:\Windows\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
File created	C:\Windows\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
File created	C:\Windows\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
File created	C:\Windows\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
File created	C:\Windows\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
File created	C:\Windows\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
File created	C:\Windows\{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe
Token: SeIncBasePriorityPrivilege	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
Token: SeIncBasePriorityPrivilege	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
Token: SeIncBasePriorityPrivilege	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
Token: SeIncBasePriorityPrivilege	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
Token: SeIncBasePriorityPrivilege	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
Token: SeIncBasePriorityPrivilege	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
Token: SeIncBasePriorityPrivilege	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
Token: SeIncBasePriorityPrivilege	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
Token: SeIncBasePriorityPrivilege	4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
Token: SeIncBasePriorityPrivilege	1244	{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4692	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	93
PID 4260 wrote to memory of 4692	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	93
PID 4260 wrote to memory of 4692	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	93
PID 4260 wrote to memory of 664	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	94
PID 4260 wrote to memory of 664	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	94
PID 4260 wrote to memory of 664	4260	2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe	94
PID 4692 wrote to memory of 524	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	95
PID 4692 wrote to memory of 524	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	95
PID 4692 wrote to memory of 524	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	95
PID 4692 wrote to memory of 4464	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	96
PID 4692 wrote to memory of 4464	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	96
PID 4692 wrote to memory of 4464	4692	{27359C08-856A-409b-A86D-D19D83F08B27}.exe	96
PID 524 wrote to memory of 2012	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	99
PID 524 wrote to memory of 2012	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	99
PID 524 wrote to memory of 2012	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	99
PID 524 wrote to memory of 1744	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	100
PID 524 wrote to memory of 1744	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	100
PID 524 wrote to memory of 1744	524	{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe	100
PID 2012 wrote to memory of 3296	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	101
PID 2012 wrote to memory of 3296	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	101
PID 2012 wrote to memory of 3296	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	101
PID 2012 wrote to memory of 2140	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	102
PID 2012 wrote to memory of 2140	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	102
PID 2012 wrote to memory of 2140	2012	{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe	102
PID 3296 wrote to memory of 4836	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	103
PID 3296 wrote to memory of 4836	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	103
PID 3296 wrote to memory of 4836	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	103
PID 3296 wrote to memory of 2660	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	104
PID 3296 wrote to memory of 2660	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	104
PID 3296 wrote to memory of 2660	3296	{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe	104
PID 4836 wrote to memory of 4856	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	105
PID 4836 wrote to memory of 4856	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	105
PID 4836 wrote to memory of 4856	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	105
PID 4836 wrote to memory of 4792	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	106
PID 4836 wrote to memory of 4792	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	106
PID 4836 wrote to memory of 4792	4836	{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe	106
PID 4856 wrote to memory of 1612	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	107
PID 4856 wrote to memory of 1612	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	107
PID 4856 wrote to memory of 1612	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	107
PID 4856 wrote to memory of 3412	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	108
PID 4856 wrote to memory of 3412	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	108
PID 4856 wrote to memory of 3412	4856	{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe	108
PID 1612 wrote to memory of 208	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	109
PID 1612 wrote to memory of 208	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	109
PID 1612 wrote to memory of 208	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	109
PID 1612 wrote to memory of 1336	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	110
PID 1612 wrote to memory of 1336	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	110
PID 1612 wrote to memory of 1336	1612	{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe	110
PID 208 wrote to memory of 3508	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	111
PID 208 wrote to memory of 3508	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	111
PID 208 wrote to memory of 3508	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	111
PID 208 wrote to memory of 4048	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	112
PID 208 wrote to memory of 4048	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	112
PID 208 wrote to memory of 4048	208	{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe	112
PID 3508 wrote to memory of 4764	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	113
PID 3508 wrote to memory of 4764	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	113
PID 3508 wrote to memory of 4764	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	113
PID 3508 wrote to memory of 2944	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	114
PID 3508 wrote to memory of 2944	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	114
PID 3508 wrote to memory of 2944	3508	{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe	114
PID 4764 wrote to memory of 1244	4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe	115
PID 4764 wrote to memory of 1244	4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe	115
PID 4764 wrote to memory of 1244	4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe	115
PID 4764 wrote to memory of 2236	4764	{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_562e3fc141efd8db0bea8c8ce8d418cf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\{27359C08-856A-409b-A86D-D19D83F08B27}.exe
  C:\Windows\{27359C08-856A-409b-A86D-D19D83F08B27}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
    C:\Windows\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
      C:\Windows\{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
        
        C:\Windows\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
        
        C:\Windows\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
        
        C:\Windows\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
        
        C:\Windows\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
        
        C:\Windows\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
        
        C:\Windows\{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
        
        C:\Windows\{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
        
        C:\Windows\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe
        
        C:\Windows\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6ECD1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B915~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EF70~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58960~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C8B3~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{815E4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE36~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C39C0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89C52~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F617~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27359~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27359C08-856A-409b-A86D-D19D83F08B27}.exe

Filesize
380KB

MD5
47c6a310235916152803c0c847947b86

SHA1
293021fca480f5762d22a00ebbeca03fe655d040

SHA256
4b1336b103b06b059c65ebe90288bb8b887e0b7ff81b911be562176a6f9b0865

SHA512
c05e569e06f0fb6e8fe64ca285a7ea487325cf5aa6c4c7291e00574c8f8885670b3cf6402d414451d78ea1191ddf1041623ad8177a09f131a56249c3e84a83fb

Download Submit
C:\Windows\{2B9154AB-ED58-4eba-8B98-DCF64E411430}.exe

Filesize
380KB

MD5
fe8c5afebaa8c06189816663098eea1d

SHA1
a839685cde2418c472c591465ae464014664fb09

SHA256
e5153fcc417a93f3de2652d623ae1e51fc938c1f38a7956aaa690183f96efc18

SHA512
ef4391ebd1bc6ea04418975a7a5b009b45446438422a7eb63b28b864314d0ea99716e8386820df1932121f7c56a82614a1381882ec1b5738b445c993bb603cfa

Download Submit
C:\Windows\{4C8B3C8A-1BBF-407d-BC91-1F1892E80C5D}.exe

Filesize
380KB

MD5
4a1f1745b013219576956c147290969b

SHA1
36968682624b83d33818e4298171ec37b283a251

SHA256
16670857e705dc07cd96f9f7d3e08245e9fc87cd26415bf0d342a1121e6f66f7

SHA512
9bb6bc1dd124ff3a5be0a05184efa58d4aab4447b676d3a359471b668a6b28097315b95f1220d9ceca39d0bd3762463101996d3e57c7288d41d2350cbbefc5ee

Download Submit
C:\Windows\{589601C5-DE61-4a30-B09D-A27CEC0A51D0}.exe

Filesize
380KB

MD5
2e003baadcaf0b2fc20aa8066f3624d0

SHA1
9a529fdbec5b67192cd7b128bbefa8d24e803f7a

SHA256
413d32811b338ced7d390e59d77d86fb9e152e72ca50e461b470069b39148471

SHA512
f2f1bb738ef5194c3777735a2f42bcfd574f39637ab0260d9839d1a11ef87b59a34670dd4ad62111ee1a4b9cb298420820a53ba5cc94a29dd559a3d632b4f08e

Download Submit
C:\Windows\{6ECD13E7-26A9-47a6-BAF4-085B1540BB94}.exe

Filesize
380KB

MD5
85710b9557db8b31114ea64db937c632

SHA1
a55e084d353fd114c92035743aef34dbc9d7d69d

SHA256
380682fc8a04275ed75df1207e693c28c00ddecef504e660c125fe59fc52342e

SHA512
d38e4ce45e29fb8ba994c045a967a815b4c941fd705b3545751b094c8887cddabed09b8afe3623f1eecd3a622a4b21eb67ca1e162e6812e19d5b6f918c7821f7

Download Submit
C:\Windows\{6EF70496-2113-4a82-B5B4-21A6C66F415C}.exe

Filesize
380KB

MD5
f2217a1d824b6da607129c3bc23da341

SHA1
e77530449ea3398bd23353e2d64b628f910a0dac

SHA256
65b161730b0a97a7cbae20f2b17c5c7d6c79be9fd2b3d2df7e925460db356001

SHA512
58a87f8392f98d50885e794c68fbd132d56a020445d3d32e4ff35f45a2b9aab036004ba47b18cff656a5b263443f76aedea78dbd384b6640e36047d05077efc1

Download Submit
C:\Windows\{6F61784D-21C7-411c-B2CC-ACBEE96DE2FF}.exe

Filesize
380KB

MD5
979d8e760d6679df83b08018c624ff18

SHA1
2bd47b9d0658702a327ff74a810208f8b58be51b

SHA256
8e416f40b71af37fd0dc4f98ab8ee0b71bc4f3794b0d3099ebbf18ac4b4e1543

SHA512
fc621e3250a813ba1a1d428fbcc42214620e0c74c10bb21fdf0dba83190d6b20ecf972e641f826429dc7c36a16f725e52eb8224f40a37cce8f93228116ab232d

Download Submit
C:\Windows\{815E473E-9F9C-48f5-9CFB-F8D482C5889F}.exe

Filesize
380KB

MD5
a95d31f8db8ccae3ae89a8a0f219f474

SHA1
322dd89eb23eb5d7c6fc6600e8a3913f2272c48b

SHA256
a5a5f2b079b74057c87d9ee6feab1f9882a4f08f1857a9fc95d99eb4c7b9e488

SHA512
d068c231f80f2cbc653abea3e1a5a49ec3d26062c8e41a3f1cf18142ad3a3c8817a3f4ad09e311792114c87af4eb118636691c63154bf904f63c14c6a6b091de

Download Submit
C:\Windows\{89C52F16-000B-4c1c-8A07-34160DC67F55}.exe

Filesize
380KB

MD5
5f77f5e6446015f7c164e142b078db4e

SHA1
7943f8fefff180ae23f2ad82884aa1464f2b4a12

SHA256
e39eb1d18ed9519e3ad28833fe8aeae0bb548119224811115f553fa6a436f057

SHA512
99ae31a8753195d3ec35f7f54c5049c7b587e2dfb91d7f1ef9337c5f4967e89e4d38e588f060f36ff556b6f53ca5ab55f56f2a697a1af959892fc64ccf70ea6c

Download Submit
C:\Windows\{9FE36D88-AD4F-4623-B9C0-71451AAA6382}.exe

Filesize
380KB

MD5
c53f23e2db7a106fd760464d28526723

SHA1
9c045fde29fbd0857a37b90ef4582bf4d6117aa6

SHA256
60b059bf94407a8773c9d0c4f7e16dc220c81842ef2021aea678dc7e6de35401

SHA512
3192ea6fcac739d299ea6b7328e9dfce91542f92e7df7d9b282ec7158d43b738f81b3945a3ccb01f63c2b09df7abc9df22b0a70c124dd2cc865e15e148f942ca

Download Submit
C:\Windows\{C39C0FB6-4D20-4fb7-8EAD-1BAB27D0193F}.exe

Filesize
380KB

MD5
916439b472ead649f1674ebaade60c04

SHA1
1d080bf2ff9f2b5133f5077063495fb6d7d48dd4

SHA256
8afd0e16991d6d0bb95f9e075de2b13b95574981c61c73aa148e99c4c1030c70

SHA512
b1bfd57dd6a47b3d564c26693fdd766f807834070847fa25fceec557cca86006739d8bd767b4395dda5820fffc4eac79e46aecfccb93980116fd70609cd33c17

Download Submit
C:\Windows\{D8AEAD32-3F7E-4b1b-A5CF-6D5413EE47F8}.exe

Filesize
380KB

MD5
087f431073f5780366253504f46b8f85

SHA1
6d1b8173c6c609443841f6236045abc0146dbad8

SHA256
8066979eabc5a152099ae2c5c631436d5f6011f0fa544bb999a157fc432c9851

SHA512
714f9e96ea7cf890093317f579a369d29518377aaf047e9846931507f0bb96a7b3b6a0d17329984e6fb37f97a952a4d2981076cf6767957d0ce302b6687bcda5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads