4727c7673a09808f86857badd41fd1aafad23160fe941660b55721c9f0197f81

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Size

372KB
MD5

c3b2a327060de7bc2385784b0a4a24ab
SHA1

8d6065a96394f3be52d82ce5f482087115f09715
SHA256

4727c7673a09808f86857badd41fd1aafad23160fe941660b55721c9f0197f81
SHA512

8c4b0dc8221cb86417958cac25b6f19710b2d7999b5c60358a9a75a370066143ce03d6f676563858f6be742d5d933a02ba582a23492038a6702bdf28bafe02c4
SSDEEP

3072:CEGh0oCmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGZl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB7512B1-857E-411c-80B1-F8DF61B799FE}\stubpath = "C:\\Windows\\{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe"	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}\stubpath = "C:\\Windows\\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe"	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651B5BAB-CE49-40c7-94AA-F94638BF826B}\stubpath = "C:\\Windows\\{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe"	{9F25130F-B360-4847-B240-1853AED167A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26BA1475-C579-404c-A8F7-BE4D96DE1135}	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB7512B1-857E-411c-80B1-F8DF61B799FE}	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}\stubpath = "C:\\Windows\\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe"	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}\stubpath = "C:\\Windows\\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe"	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}\stubpath = "C:\\Windows\\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe"	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26BA1475-C579-404c-A8F7-BE4D96DE1135}\stubpath = "C:\\Windows\\{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe"	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A0BF97-B032-4e6c-911F-521169E044DB}	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}\stubpath = "C:\\Windows\\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe"	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{651B5BAB-CE49-40c7-94AA-F94638BF826B}	{9F25130F-B360-4847-B240-1853AED167A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}\stubpath = "C:\\Windows\\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe"	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}\stubpath = "C:\\Windows\\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe"	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21A0BF97-B032-4e6c-911F-521169E044DB}\stubpath = "C:\\Windows\\{21A0BF97-B032-4e6c-911F-521169E044DB}.exe"	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F25130F-B360-4847-B240-1853AED167A5}	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F25130F-B360-4847-B240-1853AED167A5}\stubpath = "C:\\Windows\\{9F25130F-B360-4847-B240-1853AED167A5}.exe"	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe

Executes dropped EXE 12 IoCs

pid	Process
4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe
1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
464	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
4928	{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
File created	C:\Windows\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
File created	C:\Windows\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
File created	C:\Windows\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
File created	C:\Windows\{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
File created	C:\Windows\{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	{9F25130F-B360-4847-B240-1853AED167A5}.exe
File created	C:\Windows\{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
File created	C:\Windows\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
File created	C:\Windows\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
File created	C:\Windows\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
File created	C:\Windows\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
File created	C:\Windows\{9F25130F-B360-4847-B240-1853AED167A5}.exe	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F25130F-B360-4847-B240-1853AED167A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
Token: SeIncBasePriorityPrivilege	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
Token: SeIncBasePriorityPrivilege	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
Token: SeIncBasePriorityPrivilege	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe
Token: SeIncBasePriorityPrivilege	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
Token: SeIncBasePriorityPrivilege	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
Token: SeIncBasePriorityPrivilege	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
Token: SeIncBasePriorityPrivilege	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
Token: SeIncBasePriorityPrivilege	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
Token: SeIncBasePriorityPrivilege	2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
Token: SeIncBasePriorityPrivilege	464	{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4836	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	92
PID 4344 wrote to memory of 4836	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	92
PID 4344 wrote to memory of 4836	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	92
PID 4344 wrote to memory of 972	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	93
PID 4344 wrote to memory of 972	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	93
PID 4344 wrote to memory of 972	4344	2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe	93
PID 4836 wrote to memory of 1764	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	94
PID 4836 wrote to memory of 1764	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	94
PID 4836 wrote to memory of 1764	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	94
PID 4836 wrote to memory of 2524	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	95
PID 4836 wrote to memory of 2524	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	95
PID 4836 wrote to memory of 2524	4836	{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe	95
PID 1764 wrote to memory of 3584	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	98
PID 1764 wrote to memory of 3584	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	98
PID 1764 wrote to memory of 3584	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	98
PID 1764 wrote to memory of 3668	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	99
PID 1764 wrote to memory of 3668	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	99
PID 1764 wrote to memory of 3668	1764	{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe	99
PID 3584 wrote to memory of 2288	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	100
PID 3584 wrote to memory of 2288	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	100
PID 3584 wrote to memory of 2288	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	100
PID 3584 wrote to memory of 4180	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	101
PID 3584 wrote to memory of 4180	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	101
PID 3584 wrote to memory of 4180	3584	{21A0BF97-B032-4e6c-911F-521169E044DB}.exe	101
PID 2288 wrote to memory of 1516	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	102
PID 2288 wrote to memory of 1516	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	102
PID 2288 wrote to memory of 1516	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	102
PID 2288 wrote to memory of 4144	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	103
PID 2288 wrote to memory of 4144	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	103
PID 2288 wrote to memory of 4144	2288	{9F25130F-B360-4847-B240-1853AED167A5}.exe	103
PID 1516 wrote to memory of 812	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	104
PID 1516 wrote to memory of 812	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	104
PID 1516 wrote to memory of 812	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	104
PID 1516 wrote to memory of 644	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	105
PID 1516 wrote to memory of 644	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	105
PID 1516 wrote to memory of 644	1516	{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe	105
PID 812 wrote to memory of 2488	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	106
PID 812 wrote to memory of 2488	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	106
PID 812 wrote to memory of 2488	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	106
PID 812 wrote to memory of 4064	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	107
PID 812 wrote to memory of 4064	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	107
PID 812 wrote to memory of 4064	812	{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe	107
PID 2488 wrote to memory of 4264	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	108
PID 2488 wrote to memory of 4264	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	108
PID 2488 wrote to memory of 4264	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	108
PID 2488 wrote to memory of 5020	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	109
PID 2488 wrote to memory of 5020	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	109
PID 2488 wrote to memory of 5020	2488	{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe	109
PID 4264 wrote to memory of 3236	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	110
PID 4264 wrote to memory of 3236	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	110
PID 4264 wrote to memory of 3236	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	110
PID 4264 wrote to memory of 4524	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	111
PID 4264 wrote to memory of 4524	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	111
PID 4264 wrote to memory of 4524	4264	{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe	111
PID 3236 wrote to memory of 2912	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	112
PID 3236 wrote to memory of 2912	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	112
PID 3236 wrote to memory of 2912	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	112
PID 3236 wrote to memory of 3084	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	113
PID 3236 wrote to memory of 3084	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	113
PID 3236 wrote to memory of 3084	3236	{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe	113
PID 2912 wrote to memory of 464	2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe	114
PID 2912 wrote to memory of 464	2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe	114
PID 2912 wrote to memory of 464	2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe	114
PID 2912 wrote to memory of 3700	2912	{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_c3b2a327060de7bc2385784b0a4a24ab_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
  C:\Windows\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
    C:\Windows\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
      C:\Windows\{21A0BF97-B032-4e6c-911F-521169E044DB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\{9F25130F-B360-4847-B240-1853AED167A5}.exe
        
        C:\Windows\{9F25130F-B360-4847-B240-1853AED167A5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
        
        C:\Windows\{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
        
        C:\Windows\{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
        
        C:\Windows\{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
        
        C:\Windows\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
        
        C:\Windows\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
        
        C:\Windows\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
        
        C:\Windows\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe
        
        C:\Windows\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4894F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDB7F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59DDA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4845E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB751~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26BA1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{651B5~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F251~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21A0B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74F7F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CCE5A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21A0BF97-B032-4e6c-911F-521169E044DB}.exe

Filesize
372KB

MD5
ad28e9334fec492dd34cce7d0511d07f

SHA1
6aa00ac401e7f5cdc4d61f8d5c1836cf16593f80

SHA256
166e9c691dff73740b6fe60929b952da503aae85deb6dff4e7c71ea8f36ec556

SHA512
2f4ecc0753ac79dcab67ce8eda3346b398424087b28b67cbaaf7a3b1b61fd1a352cf310f342261a9f8f132d108a20075373e10d4265a512fcbec274e24af101c

Download Submit
C:\Windows\{26BA1475-C579-404c-A8F7-BE4D96DE1135}.exe

Filesize
372KB

MD5
bccb18ff4d78c9049c2a1d1f5fd0d609

SHA1
f7ba4f12e1aca98f05aae1e649689e07dcd79132

SHA256
6b7b619ec167123a673de41eab2ddc2e693eddca8767d520cd781601234c6b40

SHA512
c69593c7a9cbefc383757f25aacbf70c76351e1ad5226049daf6397318517fa69b54c18ec77e08606fcf86629191ba91fd54f9e4479bcfd91adcc8953112f0b6

Download Submit
C:\Windows\{4845E796-ACAE-4345-BD7B-4DE2FA4058EA}.exe

Filesize
372KB

MD5
b3d72f5ae5c499e5f68a1caff35cffdd

SHA1
9b7f203d8866a7d75d39607c778e9ff0009fef21

SHA256
dc073e969cd8d704bfca69d53a9188241ee28f340e081a27c116e6ecc95135d9

SHA512
0ffabd40cf7047eb7c013894babbeee1a04c547b370f738672d52194dc8098aa4b870270852ba6fca5b2ae288e0e68fbb698ea9698e0cecb8611f922b7efe526

Download Submit
C:\Windows\{4894F75D-3DD9-4e77-9CF2-AA28FEF43034}.exe

Filesize
372KB

MD5
da3bd07f3a27b39563e688c50aab4b2e

SHA1
07691d436de83483f851effdc888aa60dd616282

SHA256
95a026775cdb6bda95df91041b8967aa24d67a7f38821465f47fc7c200b27f49

SHA512
bcfde0eda6b298d3da973547efbe1eeeb8e953509f3b082c40e462b8956c1b9a40f3eb17f074c9027afbeaf0e5dd9bba0f58eede1e485f91ff0243b3ca8ed24e

Download Submit
C:\Windows\{59DDACAE-5D96-401c-BD7C-828F54EB2CA1}.exe

Filesize
372KB

MD5
5e4872e2edc445c236d1ee8d9b82fc4d

SHA1
93ead829b85ae4128fec6a16c5b5ccb75a823b54

SHA256
3f24eea9aeeffac7227d074d872919011b4ddc14d44fd4089ba2b0f341960e08

SHA512
b04c78d48b3297921c2d504c25215eeed4b3737e0cce03097d71633946955b61df88fa4335cb42c044c4ddfadac4a041bab700f736659fe5e352e2fbaf6bbcd2

Download Submit
C:\Windows\{651B5BAB-CE49-40c7-94AA-F94638BF826B}.exe

Filesize
372KB

MD5
1a09add408cc75f71a1a47542ce2a62c

SHA1
b221eec46d5469004a3de56fa1d15640a14eae13

SHA256
a41307e1d06109ba574afd77c00283fbf467b255f77fe9532d23d91136fc1aea

SHA512
8db8723157aa78a8d1dad69c668af8221b5219476bd8b237bf80542cf29755f159806417cdb59bcc43de7cd110726a404cf84f2d202d53060b79dc7b43f9cb0c

Download Submit
C:\Windows\{74F7FC6E-A4F9-47ab-89DC-3EEB4A5D793A}.exe

Filesize
372KB

MD5
6574aa5e1343d0ecf1ddb4369cca497f

SHA1
d17040b698fb054d6ce51e635477ea3bbfb206c0

SHA256
0c5058584c4fdcbd010c6419d9cb4dda9c7f89adcd5cd0faaff56094a22f3c1f

SHA512
a5d77412c6662ebc65a0af6583238a1f9003a96fe6f4468598158b410bb7e9c2a3714f18bc0f66106d7f9f398a3839fcaad5161dc8669cb54000ad6d5898866a

Download Submit
C:\Windows\{9F25130F-B360-4847-B240-1853AED167A5}.exe

Filesize
372KB

MD5
7a8ea7b0085f2a49e4a65a3084fd907c

SHA1
fe28e341446943f8bb165955c429ef64f4dc98fa

SHA256
7767b5d6f43d0bfcc75fb3816c0679022340c1e37f8bcd77c824234f819d6bf7

SHA512
e9271d907f6af0e1efbc80a77015e0068c77250d17e6ade3a09f2c6f868c6de5e6d1a0b6b42a5589c0829d57b6cd8f4d8039e327ff664af863f3a489b5b56f72

Download Submit
C:\Windows\{AA017463-96B1-433d-ADDD-3E3498E4C4AC}.exe

Filesize
372KB

MD5
00b065397902f24734db70a750bb2300

SHA1
894b951179f58447cca1a94e54d088d118fa1ed1

SHA256
ffb890bb76f31125605730442f4bf5c1e99298101a7bab4fe758ae99b80939cc

SHA512
3d9fdf8a018740f5d8b2a69eb05642c3ca01f113dd81e48e6153ad1925a498e7937db224dfcbf669af85a9c431638db130e9455b62b519be519ab2485f86aae5

Download Submit
C:\Windows\{CCE5A2E1-8E8D-434a-B4F0-1E2B853EB0FF}.exe

Filesize
372KB

MD5
9bd3507a9ba3d4905e9d40f130cc8098

SHA1
90a5ebfff7d54c06aebb80de10ae4f9246800923

SHA256
d98fe9b5d39944144962d3940bf6c03a3ec88eae70db623526527a893245fe74

SHA512
82890a623602deadc509e71d99c7a4e1038918e478d11b7369b57e8d13b0309a1286f5548bd908c352daeeda69f28dc86258c08d834863aed336f5db028644b4

Download Submit
C:\Windows\{CDB7F45F-5B50-4d2b-AABC-551C4073254C}.exe

Filesize
372KB

MD5
1edbdf04ac9ec934394e617b1af01e71

SHA1
7bdc77efc90698ead30a9dec5159010686519170

SHA256
99d52082a92935e24c5b6d6497378f5f00bdcb77f039153973f57de63f2f9059

SHA512
0a80c30cbcd9999007da84c96448fc6bc0514f8d182c1a9fddc6a0f0cbf6b9636042c52c3ac332fd108aa18ff855e81551da1bb5acf4d7ee1c320d9e13b51456

Download Submit
C:\Windows\{EB7512B1-857E-411c-80B1-F8DF61B799FE}.exe

Filesize
372KB

MD5
d420cada96cd3178c2e366973fa0e93b

SHA1
8859ded093fd46a1dc18bbd2a908e296954be676

SHA256
1bd74546c02c934b3c785602d17da9687a1f4d35728d84295c222e221819bb0e

SHA512
823c83b4de6887c0715d9929ba98886a791eef4e4ea41151d79da618b4c44a8e58d76333300e5e5e2ee5fc2257c0b51f1745d09281778656176280e1ee5ed554

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads