b46273efaa9f02a0ed52e6f2b799c044eef877acac1eba48c6a3f81a9df28ad4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
Size

197KB
MD5

8b971919b01c8649045830ae916cd701
SHA1

970ed62f490f850aa61d911b8ff54fd59b0c1c09
SHA256

b46273efaa9f02a0ed52e6f2b799c044eef877acac1eba48c6a3f81a9df28ad4
SHA512

bbb26974159f3b9936c90231e71b6cb9f39a501e442d7ca98e1964834392f6ee1684e19163b10e16061997b68cec5d5552a3521627cc3c1f1b435e37fadea2a4
SSDEEP

3072:jEGh0oVl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGrlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779166F1-963A-4a19-B262-5984A906625F}	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001D5BA2-F216-4690-9010-0C28B9446F9A}	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001D5BA2-F216-4690-9010-0C28B9446F9A}\stubpath = "C:\\Windows\\{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe"	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC39859A-1F47-49e7-8601-154D12EB68D2}	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}\stubpath = "C:\\Windows\\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe"	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94678900-1991-485a-8BD9-2E69CF3E0BFC}	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2982237-A62D-4f40-9935-A7B1E687909F}	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}\stubpath = "C:\\Windows\\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe"	{33765A41-4D9D-4640-A275-340E20482237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D87F12-6C55-4146-B1C4-69522D298446}\stubpath = "C:\\Windows\\{54D87F12-6C55-4146-B1C4-69522D298446}.exe"	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33765A41-4D9D-4640-A275-340E20482237}	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33765A41-4D9D-4640-A275-340E20482237}\stubpath = "C:\\Windows\\{33765A41-4D9D-4640-A275-340E20482237}.exe"	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}	{33765A41-4D9D-4640-A275-340E20482237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC39859A-1F47-49e7-8601-154D12EB68D2}\stubpath = "C:\\Windows\\{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe"	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D87F12-6C55-4146-B1C4-69522D298446}	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9429E361-AA9E-4e2c-88EB-32E01568033E}	{779166F1-963A-4a19-B262-5984A906625F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9429E361-AA9E-4e2c-88EB-32E01568033E}\stubpath = "C:\\Windows\\{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe"	{779166F1-963A-4a19-B262-5984A906625F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2982237-A62D-4f40-9935-A7B1E687909F}\stubpath = "C:\\Windows\\{A2982237-A62D-4f40-9935-A7B1E687909F}.exe"	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}\stubpath = "C:\\Windows\\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe"	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94678900-1991-485a-8BD9-2E69CF3E0BFC}\stubpath = "C:\\Windows\\{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe"	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}\stubpath = "C:\\Windows\\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe"	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{779166F1-963A-4a19-B262-5984A906625F}\stubpath = "C:\\Windows\\{779166F1-963A-4a19-B262-5984A906625F}.exe"	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
3052	{33765A41-4D9D-4640-A275-340E20482237}.exe
2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
736	{779166F1-963A-4a19-B262-5984A906625F}.exe
3120	{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{33765A41-4D9D-4640-A275-340E20482237}.exe	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
File created	C:\Windows\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	{33765A41-4D9D-4640-A275-340E20482237}.exe
File created	C:\Windows\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
File created	C:\Windows\{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
File created	C:\Windows\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
File created	C:\Windows\{779166F1-963A-4a19-B262-5984A906625F}.exe	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
File created	C:\Windows\{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
File created	C:\Windows\{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
File created	C:\Windows\{54D87F12-6C55-4146-B1C4-69522D298446}.exe	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
File created	C:\Windows\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
File created	C:\Windows\{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
File created	C:\Windows\{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe	{779166F1-963A-4a19-B262-5984A906625F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{779166F1-963A-4a19-B262-5984A906625F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33765A41-4D9D-4640-A275-340E20482237}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
Token: SeIncBasePriorityPrivilege	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe
Token: SeIncBasePriorityPrivilege	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
Token: SeIncBasePriorityPrivilege	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
Token: SeIncBasePriorityPrivilege	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
Token: SeIncBasePriorityPrivilege	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
Token: SeIncBasePriorityPrivilege	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe
Token: SeIncBasePriorityPrivilege	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
Token: SeIncBasePriorityPrivilege	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
Token: SeIncBasePriorityPrivilege	1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
Token: SeIncBasePriorityPrivilege	736	{779166F1-963A-4a19-B262-5984A906625F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 2328	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	93
PID 4852 wrote to memory of 2328	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	93
PID 4852 wrote to memory of 2328	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	93
PID 4852 wrote to memory of 2388	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	94
PID 4852 wrote to memory of 2388	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	94
PID 4852 wrote to memory of 2388	4852	2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe	94
PID 2328 wrote to memory of 3052	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	95
PID 2328 wrote to memory of 3052	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	95
PID 2328 wrote to memory of 3052	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	95
PID 2328 wrote to memory of 2740	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	96
PID 2328 wrote to memory of 2740	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	96
PID 2328 wrote to memory of 2740	2328	{A2982237-A62D-4f40-9935-A7B1E687909F}.exe	96
PID 3052 wrote to memory of 2084	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	99
PID 3052 wrote to memory of 2084	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	99
PID 3052 wrote to memory of 2084	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	99
PID 3052 wrote to memory of 4364	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	100
PID 3052 wrote to memory of 4364	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	100
PID 3052 wrote to memory of 4364	3052	{33765A41-4D9D-4640-A275-340E20482237}.exe	100
PID 2084 wrote to memory of 1996	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	101
PID 2084 wrote to memory of 1996	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	101
PID 2084 wrote to memory of 1996	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	101
PID 2084 wrote to memory of 4116	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	102
PID 2084 wrote to memory of 4116	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	102
PID 2084 wrote to memory of 4116	2084	{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe	102
PID 1996 wrote to memory of 1928	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	103
PID 1996 wrote to memory of 1928	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	103
PID 1996 wrote to memory of 1928	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	103
PID 1996 wrote to memory of 1560	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	104
PID 1996 wrote to memory of 1560	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	104
PID 1996 wrote to memory of 1560	1996	{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe	104
PID 1928 wrote to memory of 1608	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	105
PID 1928 wrote to memory of 1608	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	105
PID 1928 wrote to memory of 1608	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	105
PID 1928 wrote to memory of 5076	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	106
PID 1928 wrote to memory of 5076	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	106
PID 1928 wrote to memory of 5076	1928	{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe	106
PID 1608 wrote to memory of 4900	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	107
PID 1608 wrote to memory of 4900	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	107
PID 1608 wrote to memory of 4900	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	107
PID 1608 wrote to memory of 4380	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	108
PID 1608 wrote to memory of 4380	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	108
PID 1608 wrote to memory of 4380	1608	{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe	108
PID 4900 wrote to memory of 1644	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	109
PID 4900 wrote to memory of 1644	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	109
PID 4900 wrote to memory of 1644	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	109
PID 4900 wrote to memory of 2208	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	110
PID 4900 wrote to memory of 2208	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	110
PID 4900 wrote to memory of 2208	4900	{54D87F12-6C55-4146-B1C4-69522D298446}.exe	110
PID 1644 wrote to memory of 4544	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	111
PID 1644 wrote to memory of 4544	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	111
PID 1644 wrote to memory of 4544	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	111
PID 1644 wrote to memory of 4724	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	112
PID 1644 wrote to memory of 4724	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	112
PID 1644 wrote to memory of 4724	1644	{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe	112
PID 4544 wrote to memory of 1256	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	113
PID 4544 wrote to memory of 1256	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	113
PID 4544 wrote to memory of 1256	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	113
PID 4544 wrote to memory of 4828	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	114
PID 4544 wrote to memory of 4828	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	114
PID 4544 wrote to memory of 4828	4544	{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe	114
PID 1256 wrote to memory of 736	1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe	115
PID 1256 wrote to memory of 736	1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe	115
PID 1256 wrote to memory of 736	1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe	115
PID 1256 wrote to memory of 3468	1256	{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_8b971919b01c8649045830ae916cd701_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
  C:\Windows\{A2982237-A62D-4f40-9935-A7B1E687909F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{33765A41-4D9D-4640-A275-340E20482237}.exe
    C:\Windows\{33765A41-4D9D-4640-A275-340E20482237}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
      C:\Windows\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
        
        C:\Windows\{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
        
        C:\Windows\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
        
        C:\Windows\{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{54D87F12-6C55-4146-B1C4-69522D298446}.exe
        
        C:\Windows\{54D87F12-6C55-4146-B1C4-69522D298446}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
        
        C:\Windows\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
        
        C:\Windows\{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
        
        C:\Windows\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{779166F1-963A-4a19-B262-5984A906625F}.exe
        
        C:\Windows\{779166F1-963A-4a19-B262-5984A906625F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe
        
        C:\Windows\{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77916~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE58C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94678~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA45F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54D87~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC398~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E539~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{001D5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396A7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33765~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2982~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{001D5BA2-F216-4690-9010-0C28B9446F9A}.exe

Filesize
197KB

MD5
613975986d0a46e0891329642f6588f2

SHA1
68401b55d48542fc124350cadae9c5bee73b0cd9

SHA256
544a8632a5fee6c1b414d04da3198c1ab2a8bc0541f37832c57991beec0f93f1

SHA512
e18d63ebc84d0f6c9298611fdce0f421f54e3a89b7b90eddb6cac300eb7b923bf5fccbcad83bb8670990f210a26a59506fd98452de6a6c313a6c2dd866790245

Download Submit
C:\Windows\{33765A41-4D9D-4640-A275-340E20482237}.exe

Filesize
197KB

MD5
e23def5735db9ed5bb176d8d8de06fc7

SHA1
4f989b028f5a231871574f9cc1a9f5f4ae981162

SHA256
8bebf1f039355d5174730bbf6bce8bb028e673542bda204c86ad237620077751

SHA512
3391517568d5d6d0d02940ed61dab6d4e64fb9ffc32ae4f4ec7d216bce4a5e42c315e6ea2151e1b4ec8e8bcc2d795e89cc237c17949faf6bc0c0c377c1ceeacf

Download Submit
C:\Windows\{396A7FD5-56FE-416d-9FC8-EEDED5450A26}.exe

Filesize
197KB

MD5
4b24e60259f47edf8c1fbac7f091956a

SHA1
05bb02bfbd9fb599399f134d418359c59ef11d64

SHA256
369181c52e68632ababce61e1812ec3dc84c42d3e4a9bb2205a8982a332a620c

SHA512
f1a1d9f9e354b4f2714381bb14bd311622f5c61e3812165ef52b4af9c19fe0038da37a1ad6b131cbac29e2cb2c67a35829892e263b17fd56336a6e964bcae571

Download Submit
C:\Windows\{54D87F12-6C55-4146-B1C4-69522D298446}.exe

Filesize
197KB

MD5
2c40253afdf8fe82b206a6af8af2b6c5

SHA1
c722f108d39840c8f201732f6c950e1f8e05817c

SHA256
f325923254754ff7e438aaf680de7a673a9bbb76123b659c2b89158a1dd38b74

SHA512
60d133379dddd45c2ce90103f0fde7370db416d3b41aae0f30396ce4f0a7caaf32d999c343c60ba2f0bf0f0bff385b973fd89a9011cf7fdc17881f02b8d0bf6f

Download Submit
C:\Windows\{779166F1-963A-4a19-B262-5984A906625F}.exe

Filesize
197KB

MD5
23c3ae6b476635197cd0879ff1c8a5ff

SHA1
3561a5704f1659652345be95d751aeb60d5b3a9d

SHA256
bb903bddae13e7f742836bf98a3cb87f1b30549ee89f23dfc34b7c3deaabbef0

SHA512
7e44f781ba774c0761036eb1ec3226f6a0a095626fd60d5bee23c4be5bc15619966faf3a1a92461783d547aafaf038c8cec4a0cbcf6165eb0cafca1476492f2e

Download Submit
C:\Windows\{8E539767-0FA9-4125-A25C-BFDD3F2AFD9E}.exe

Filesize
197KB

MD5
704a777dc8fc7b9da0ced0b69f746d15

SHA1
f3d4adbadc7bd7eac51a96d374826129ca32baa5

SHA256
8c40686745e8b0e5b1e92172f938f237f3041be0c58cafd5014c7b5a65feffc5

SHA512
5fd383ea75c37d2fb61f8cfb0fe69ae35c3ab5b287a3e78474fdfab5646a7f3bbb5f2ca7e4884eaa3f81d36af92d5fdbee8387d223076f64f6c051bd2994da9c

Download Submit
C:\Windows\{9429E361-AA9E-4e2c-88EB-32E01568033E}.exe

Filesize
197KB

MD5
04f4221fd7c9800f4c9d60cada118630

SHA1
32c03a77d20f2e8d4064966b24268eeaaa6c1a7d

SHA256
9e8979675714916295485207046c1a15cb593286463ab09923db2340d9e487e7

SHA512
33d3be4d621fecfe3ed77205aa702daf0b0e22d6df1d3062906ece2bd018cab4148be3d4fc07cc92956f91c55fc5dcf969d2f8d723a7c4e961b1c2296a55cc9b

Download Submit
C:\Windows\{94678900-1991-485a-8BD9-2E69CF3E0BFC}.exe

Filesize
197KB

MD5
43c3352aa887d1e23904b48562b5dcbd

SHA1
9bac65a499aff2689d5f0fa7157463995f2b0d3e

SHA256
c887c37340c5dd18eae6dac00597925c44da05369c6c28fe6388530272d353d9

SHA512
5b499549328f3c901ff3b7054b635dc5bfe8800f4dc3dabe604a9d13f0c15fae759c503fb598aa614d47e5711cb0a17e6795c8b7c7238b979552b85dcc4a2368

Download Submit
C:\Windows\{A2982237-A62D-4f40-9935-A7B1E687909F}.exe

Filesize
197KB

MD5
4427882c1a2838a6b4ebc9e84eac7af9

SHA1
a1daf49ab2ac86fbc0f3e3de0566d3da7baf02bd

SHA256
f7573e92e7369d1cc402dddade260919b6a24551eba76fed1b630e7888d43729

SHA512
b877f17d52339306a98fd664a26cfe19218ecf7739bd70e302f18b996ad3e979aa744f9c78bdd4ac10dc38ba0bea01475a2718333b3e22ddc12b993bb39b0bb7

Download Submit
C:\Windows\{AA45F9FC-14D1-443f-AA1D-E0D8A179C6AE}.exe

Filesize
197KB

MD5
735ac073c7d6e074f12ba6fd91bdc571

SHA1
d25c6263dcc0897b08918125c8d338119593164d

SHA256
a28929feb8a8d6da4115321c29787950d9c37f7581701b68de97edfa986e94c2

SHA512
69b5d35b80c06e827f4a8f49a35c40ed6b2e155aa212deecb3fab1b43406bd962a967a8693cddef72c8cc207e8c19e69acb7a800b09a16ebe6ecf6995f42f9e5

Download Submit
C:\Windows\{EE58C0F2-6CE4-42a8-95F7-07E5E922B81A}.exe

Filesize
197KB

MD5
f5a063eec734dc9a69cf73d00c37c321

SHA1
e3a9aba629bd5f43949cfb282704228c1074279c

SHA256
03c03d460ff95823cd0a275269371dca89e0f376ab56732c5a419f4157be13f7

SHA512
409cfb82d2da43ae09bfe4c9d7eb91146315e1e465d44a6fcfa552a7310f450321609571ef0e8dcae045db289b37b19a404f510b219aaaa8b6bd8b4b0a7caf05

Download Submit
C:\Windows\{FC39859A-1F47-49e7-8601-154D12EB68D2}.exe

Filesize
197KB

MD5
f4fd445540a6c874509ee125216b3765

SHA1
da5ba02c7fcaaf4db0cfff15aa5e965156a616f8

SHA256
63a15900b2efd1c9de0278b2f7bd36abc90817b4c910ec82f5ec43e68a0978ed

SHA512
c239d21a2c2a104f79cef1852e4f1959abe85e908c3c6ddd0f86d52d376de5bc8ddf01c07886e607e241d1ab298048aea4e1e52eee351e5a8b922b611953da84

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads