2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Size

204KB
MD5

91418c6b9ad4bad03cf42bb6051fcce4
SHA1

580d721bfceae66170eb0ee77d979e1e9b02fdac
SHA256

2f4a1c577c116c13831e447e8fffe55952268af411c90e8bbfc3120c142eb534
SHA512

f95eed6ecdb2e04347cabd0b3597af203f2b023854bb4fc19f23d03a53711ae92fa7031ff26922300a21d51f03e1e856329deca26460a4c5293613721caafb86
SSDEEP

1536:1EGh0opEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}\stubpath = "C:\\Windows\\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe"	{054730C0-3193-4274-9BFB-1B343351882F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C8D151-1FE6-4472-9449-52E2AD1478F1}\stubpath = "C:\\Windows\\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe"	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046DC999-8A39-499e-82F0-51B80874212F}\stubpath = "C:\\Windows\\{046DC999-8A39-499e-82F0-51B80874212F}.exe"	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A94B09-9018-4e2c-89F2-4FB105807A9C}	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D31EBDC4-630C-42ed-BC22-684D9F44150B}\stubpath = "C:\\Windows\\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe"	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054730C0-3193-4274-9BFB-1B343351882F}\stubpath = "C:\\Windows\\{054730C0-3193-4274-9BFB-1B343351882F}.exe"	{11043178-0D35-48f5-A414-674122546CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}\stubpath = "C:\\Windows\\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe"	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4209080E-04E8-4662-8B8F-B682AF8B6815}\stubpath = "C:\\Windows\\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe"	{046DC999-8A39-499e-82F0-51B80874212F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D31EBDC4-630C-42ed-BC22-684D9F44150B}	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11043178-0D35-48f5-A414-674122546CA9}	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{054730C0-3193-4274-9BFB-1B343351882F}	{11043178-0D35-48f5-A414-674122546CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}	{054730C0-3193-4274-9BFB-1B343351882F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{046DC999-8A39-499e-82F0-51B80874212F}	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A94B09-9018-4e2c-89F2-4FB105807A9C}\stubpath = "C:\\Windows\\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe"	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}\stubpath = "C:\\Windows\\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe"	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11043178-0D35-48f5-A414-674122546CA9}\stubpath = "C:\\Windows\\{11043178-0D35-48f5-A414-674122546CA9}.exe"	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03C8D151-1FE6-4472-9449-52E2AD1478F1}	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}\stubpath = "C:\\Windows\\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe"	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4209080E-04E8-4662-8B8F-B682AF8B6815}	{046DC999-8A39-499e-82F0-51B80874212F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}\stubpath = "C:\\Windows\\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe"	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe

Executes dropped EXE 12 IoCs

pid	Process
4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe
1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
4704	{11043178-0D35-48f5-A414-674122546CA9}.exe
432	{054730C0-3193-4274-9BFB-1B343351882F}.exe
3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
2608	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
320	{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
File created	C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe	{11043178-0D35-48f5-A414-674122546CA9}.exe
File created	C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
File created	C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	{046DC999-8A39-499e-82F0-51B80874212F}.exe
File created	C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
File created	C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
File created	C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe	{054730C0-3193-4274-9BFB-1B343351882F}.exe
File created	C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
File created	C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
File created	C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
File created	C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
File created	C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{046DC999-8A39-499e-82F0-51B80874212F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11043178-0D35-48f5-A414-674122546CA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{054730C0-3193-4274-9BFB-1B343351882F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
Token: SeIncBasePriorityPrivilege	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe
Token: SeIncBasePriorityPrivilege	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
Token: SeIncBasePriorityPrivilege	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
Token: SeIncBasePriorityPrivilege	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
Token: SeIncBasePriorityPrivilege	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
Token: SeIncBasePriorityPrivilege	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
Token: SeIncBasePriorityPrivilege	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe
Token: SeIncBasePriorityPrivilege	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe
Token: SeIncBasePriorityPrivilege	3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
Token: SeIncBasePriorityPrivilege	2608	{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4716	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	96
PID 1860 wrote to memory of 4716	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	96
PID 1860 wrote to memory of 4716	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	96
PID 1860 wrote to memory of 2056	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	97
PID 1860 wrote to memory of 2056	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	97
PID 1860 wrote to memory of 2056	1860	2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe	97
PID 4716 wrote to memory of 4972	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	98
PID 4716 wrote to memory of 4972	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	98
PID 4716 wrote to memory of 4972	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	98
PID 4716 wrote to memory of 1580	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	99
PID 4716 wrote to memory of 1580	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	99
PID 4716 wrote to memory of 1580	4716	{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe	99
PID 4972 wrote to memory of 1956	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	102
PID 4972 wrote to memory of 1956	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	102
PID 4972 wrote to memory of 1956	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	102
PID 4972 wrote to memory of 5108	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	103
PID 4972 wrote to memory of 5108	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	103
PID 4972 wrote to memory of 5108	4972	{046DC999-8A39-499e-82F0-51B80874212F}.exe	103
PID 1956 wrote to memory of 3876	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	104
PID 1956 wrote to memory of 3876	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	104
PID 1956 wrote to memory of 3876	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	104
PID 1956 wrote to memory of 2892	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	105
PID 1956 wrote to memory of 2892	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	105
PID 1956 wrote to memory of 2892	1956	{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe	105
PID 3876 wrote to memory of 4936	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	106
PID 3876 wrote to memory of 4936	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	106
PID 3876 wrote to memory of 4936	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	106
PID 3876 wrote to memory of 964	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	107
PID 3876 wrote to memory of 964	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	107
PID 3876 wrote to memory of 964	3876	{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe	107
PID 4936 wrote to memory of 4060	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	108
PID 4936 wrote to memory of 4060	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	108
PID 4936 wrote to memory of 4060	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	108
PID 4936 wrote to memory of 824	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	109
PID 4936 wrote to memory of 824	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	109
PID 4936 wrote to memory of 824	4936	{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe	109
PID 4060 wrote to memory of 3840	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	110
PID 4060 wrote to memory of 3840	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	110
PID 4060 wrote to memory of 3840	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	110
PID 4060 wrote to memory of 2364	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	111
PID 4060 wrote to memory of 2364	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	111
PID 4060 wrote to memory of 2364	4060	{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe	111
PID 3840 wrote to memory of 4704	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	112
PID 3840 wrote to memory of 4704	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	112
PID 3840 wrote to memory of 4704	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	112
PID 3840 wrote to memory of 1804	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	113
PID 3840 wrote to memory of 1804	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	113
PID 3840 wrote to memory of 1804	3840	{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe	113
PID 4704 wrote to memory of 432	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	114
PID 4704 wrote to memory of 432	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	114
PID 4704 wrote to memory of 432	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	114
PID 4704 wrote to memory of 916	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	115
PID 4704 wrote to memory of 916	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	115
PID 4704 wrote to memory of 916	4704	{11043178-0D35-48f5-A414-674122546CA9}.exe	115
PID 432 wrote to memory of 3184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	116
PID 432 wrote to memory of 3184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	116
PID 432 wrote to memory of 3184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	116
PID 432 wrote to memory of 1184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	117
PID 432 wrote to memory of 1184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	117
PID 432 wrote to memory of 1184	432	{054730C0-3193-4274-9BFB-1B343351882F}.exe	117
PID 3184 wrote to memory of 2608	3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe	118
PID 3184 wrote to memory of 2608	3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe	118
PID 3184 wrote to memory of 2608	3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe	118
PID 3184 wrote to memory of 4232	3184	{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_91418c6b9ad4bad03cf42bb6051fcce4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
  C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe
    C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
      C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
        
        C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
      - C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
        
        C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
        
        C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
        
        C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe
        
        C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe
        
        C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
        
        C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
        
        C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe
        
        C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03C8D~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9467~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05473~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11043~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D31EB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11A5A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A94~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55DB5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42090~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{046DC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4408F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03C8D151-1FE6-4472-9449-52E2AD1478F1}.exe

Filesize
204KB

MD5
ced1bf0b4262d0e23064acce7c50279d

SHA1
dacd269db2340badae57f53ef840624bec8b727c

SHA256
67e55b68c03d2ebad42128eba6c6189a0239e8f89db93e8b53c0093307c22080

SHA512
024bd6b02e8ce5f020c19293ba5c0d989773b9376496424633c5c3d656edc08527f068255aead46c3100192c97b8e8ebdbbdc49b12eca0fb8b41feaa272b96f4

Download Submit
C:\Windows\{0454E3F9-26E5-463c-A563-8E4D9E8A9C9E}.exe

Filesize
204KB

MD5
e1c1fa7b1a73852e8a9a610844832697

SHA1
a6ccc5a7368c29c1b5ab111aff905b11273d2b9a

SHA256
6745b923a00004fbffcc160ddeecd1dae46f1d4fd4226baaa5c0ab9be96c26f5

SHA512
bcf028feec6c8f46976adb641ba69b7fb6275fed19ec2faae4087c9cad587be740170b3c56214029f8ba5e43e27c49d9958b7d333ddb5c33408120f1395942b8

Download Submit
C:\Windows\{046DC999-8A39-499e-82F0-51B80874212F}.exe

Filesize
204KB

MD5
b101c479f8408b817bc22c9be7e2fbc8

SHA1
49288f774e0fd2e49d660971b934bb27c8b9f8ea

SHA256
16143f2dfefc9a108ce4f1d6f9d0352879e379dfee0267862d1fdcbe24791d26

SHA512
0667912b8ef55750e8bb8aec76c3daecc4a03a992d5cea2fab01b55512257fe8b99405d7326717ce60ff4f8940315098590f1a0fdae85d764139d3ee07c1b518

Download Submit
C:\Windows\{054730C0-3193-4274-9BFB-1B343351882F}.exe

Filesize
204KB

MD5
55a537277bad0043e56db1f67ab7b9c1

SHA1
29de659e16710a24fcc43d3d204e5ef30cc43b6f

SHA256
e4c2d168aebbd4bc6ec555ca3e6d5152eb1e192c9e0ba110d0c9cccb158206aa

SHA512
ba91736750be554b29b3d633f1bdea4a7be1cde10f58fbebbf05c81bd0d64d21fb90f0b4ae3da31e64b2d1404de36a22d687f7acdfd5e5ecc2dcb0c2f10b7c09

Download Submit
C:\Windows\{11043178-0D35-48f5-A414-674122546CA9}.exe

Filesize
204KB

MD5
ecac3513250a7ea469113bad63ad4407

SHA1
5385416e2a951e1340dd6efc65fab47faebf3d5e

SHA256
73979d1c545d205b0fd1faf0da6b013d490ebd8d08f240a7b386f79519bdb38a

SHA512
5c7c47a36658649dfef4d6cc4cfed47a6e5a4abc4e0003dc33d252ce7cf4f7c847c60442fcdf44fe3385e6b49ff244b59a7de9fcbb9b08ae503fd05993f0c2e0

Download Submit
C:\Windows\{11A5A30F-426F-48d1-9378-EEF1DC5A3DA1}.exe

Filesize
204KB

MD5
8a653ba399e3675383d4696e98307397

SHA1
d76679a9a59c796ca8f0b4278074b327d67e88c4

SHA256
3d9c3963fe22ebd1ab3b6faf9f66f825dab26c5652f7596c9b2edab863bce1f2

SHA512
46980403f2ba4dd01e820b0c22fcfa0f036e311ce75367678be75789ef808cb04c31d84a45a979cfd512720c95f61f632364c5b718bd0bf92b429bd5aca06a23

Download Submit
C:\Windows\{4209080E-04E8-4662-8B8F-B682AF8B6815}.exe

Filesize
204KB

MD5
f96b38f186986407b297193f29c5732e

SHA1
387c86a04a1c2b3e11b79e12c7944e71328f80fc

SHA256
c21fa88b5d0b095067927c3b3d90282b5c0affc198e1ea336ebfb7ffc30da5d5

SHA512
1e6b779255f512e1582ab54b8449962a80e8e31b9a0e9b53b1ff938e6f308cc010e31aeb05aa0b56ae5b3807e22007befcdde039f1016cc65ac43bd9faab0d94

Download Submit
C:\Windows\{4408FBD3-2D03-40a2-93A0-9B3E2D371B9A}.exe

Filesize
204KB

MD5
7c4f4d357683c78b70b40a7fd2ac7d99

SHA1
f5ff1e05c25d31c474131625a2d48769ee5f899d

SHA256
e84d57008f40075d2141ada5c0a6d0972687c6fc90fc42cef6053649e75edb59

SHA512
7cc976a21310629f58dd1f4eb681ee1c4135f075ef558453b4b4dcd5689810092f2c0a51d9732495cb42b302530a99a8c0d0657a00c570dcd1e5b3059ebf20fa

Download Submit
C:\Windows\{53A94B09-9018-4e2c-89F2-4FB105807A9C}.exe

Filesize
204KB

MD5
285451dcca15b3b7c805222343c5d397

SHA1
175a385b4f684bc2d06be77d47135ecbd6b151c4

SHA256
6d9def94ad93eb2ea4b716bd57291088ea5f8ce05bc217a4b30cd40575847447

SHA512
0e39e999938a20c7a40fb1c2abb92783f2d12bac549f5782817d7f72351f03dd237cc4db756f1b3445d66a11c259cfc4609c146a8d7ad0953ab5b89918fd7652

Download Submit
C:\Windows\{55DB535F-5AF8-4edc-87E5-ABA2788FF5D4}.exe

Filesize
204KB

MD5
62035116387568a0454d45d79f846d8e

SHA1
fd235cf65c18f9ea9dc6ae83d69e7cbb7b805d2b

SHA256
f3adaee93284a3eb784806cc334e8c1720d0a8087113fc5fb0088ad372638435

SHA512
a9d15595448b72cc161c9cd03d4a347ffd157210387f097155df360b18034a2630ef99f658a861d3fa5e7e3d7588e278cd5c985a043974db82fe698d88aa8351

Download Submit
C:\Windows\{D31EBDC4-630C-42ed-BC22-684D9F44150B}.exe

Filesize
204KB

MD5
1ea500335ed5109a39728bbd553b83b7

SHA1
a8f0bd22f767cfa45bed0ace66133b77da2b4cf2

SHA256
29711746e9b70baf66c0a58a48113ecd85ae9f1c0fceeeff6961a24b9d974bf0

SHA512
e39787a61ce47aaf506e52a710f69e1922f3c7924862540ced13e788e7f74582b2faf03fc56247b4cf54b9818cc46bc958e2a69b8b242ae2e06cb3df8c302094

Download Submit
C:\Windows\{D9467BA4-4969-45b0-8084-AAB2AE1B92DB}.exe

Filesize
204KB

MD5
3ed9b987e7b58de3fca1ed2f30f5f287

SHA1
b11f4f2352a4b5b30bb4bdd76226a8c3e26ff529

SHA256
a7211ff7892d9dc0d5c98d6ac857183eacc5df63edb67ed69ff14dcdd04e17d1

SHA512
26d0682618a2f10e22ac2cc5f90ced7ca03f4da02acc0466fb35e81568a590dd023e1a1c794ae6849ffda48cdbf4e92d9a53c5720e349afd103a13aca969526a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads