a0165a1385a7950111a7ee42941e53a7f7fc7f0f356f56028cf14a374c5a8bc0

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
Size

192KB
MD5

0246314457f40f57bc5c43c68c988a65
SHA1

320d5a586cc2620d07821f47e6b37e9678919e72
SHA256

a0165a1385a7950111a7ee42941e53a7f7fc7f0f356f56028cf14a374c5a8bc0
SHA512

8b844d53c6e719a695092e89ecc0422d3158f5d4e392600c5ab74988720119a0359739e7d9f0e17eb40486bad42fd890ef9ee1df92e87973f4bd838724bafcea
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oAl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}\stubpath = "C:\\Windows\\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe"	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{416E8120-2D97-42b2-8D5A-F899573A0DC7}	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{416E8120-2D97-42b2-8D5A-F899573A0DC7}\stubpath = "C:\\Windows\\{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe"	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD54D96-0578-4a76-973A-61E88A3942CB}\stubpath = "C:\\Windows\\{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe"	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}\stubpath = "C:\\Windows\\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe"	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B94ABFFB-812C-4231-BB27-BA21E9504752}\stubpath = "C:\\Windows\\{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe"	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}\stubpath = "C:\\Windows\\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe"	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B94ABFFB-812C-4231-BB27-BA21E9504752}	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B4126AD-B372-4f48-950C-01033B9AA32B}	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B4126AD-B372-4f48-950C-01033B9AA32B}\stubpath = "C:\\Windows\\{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe"	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F71B05E-E8D0-449b-9756-65244D161849}	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}\stubpath = "C:\\Windows\\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe"	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BD54D96-0578-4a76-973A-61E88A3942CB}	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F71B05E-E8D0-449b-9756-65244D161849}\stubpath = "C:\\Windows\\{7F71B05E-E8D0-449b-9756-65244D161849}.exe"	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D18DD50-0235-479b-9EA2-84E6426C95DC}	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}\stubpath = "C:\\Windows\\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe"	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D18DD50-0235-479b-9EA2-84E6426C95DC}\stubpath = "C:\\Windows\\{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe"	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}\stubpath = "C:\\Windows\\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe"	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
528	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
4552	{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
File created	C:\Windows\{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
File created	C:\Windows\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
File created	C:\Windows\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
File created	C:\Windows\{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
File created	C:\Windows\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
File created	C:\Windows\{7F71B05E-E8D0-449b-9756-65244D161849}.exe	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
File created	C:\Windows\{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
File created	C:\Windows\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
File created	C:\Windows\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
File created	C:\Windows\{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
File created	C:\Windows\{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
Token: SeIncBasePriorityPrivilege	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
Token: SeIncBasePriorityPrivilege	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe
Token: SeIncBasePriorityPrivilege	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
Token: SeIncBasePriorityPrivilege	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
Token: SeIncBasePriorityPrivilege	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
Token: SeIncBasePriorityPrivilege	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
Token: SeIncBasePriorityPrivilege	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
Token: SeIncBasePriorityPrivilege	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
Token: SeIncBasePriorityPrivilege	2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
Token: SeIncBasePriorityPrivilege	528	{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 2696	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	89
PID 3980 wrote to memory of 2696	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	89
PID 3980 wrote to memory of 2696	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	89
PID 3980 wrote to memory of 3252	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	90
PID 3980 wrote to memory of 3252	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	90
PID 3980 wrote to memory of 3252	3980	2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe	90
PID 2696 wrote to memory of 3656	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	91
PID 2696 wrote to memory of 3656	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	91
PID 2696 wrote to memory of 3656	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	91
PID 2696 wrote to memory of 5084	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	92
PID 2696 wrote to memory of 5084	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	92
PID 2696 wrote to memory of 5084	2696	{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe	92
PID 3656 wrote to memory of 2272	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	95
PID 3656 wrote to memory of 2272	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	95
PID 3656 wrote to memory of 2272	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	95
PID 3656 wrote to memory of 3996	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	96
PID 3656 wrote to memory of 3996	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	96
PID 3656 wrote to memory of 3996	3656	{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe	96
PID 2272 wrote to memory of 2916	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	97
PID 2272 wrote to memory of 2916	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	97
PID 2272 wrote to memory of 2916	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	97
PID 2272 wrote to memory of 1872	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	98
PID 2272 wrote to memory of 1872	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	98
PID 2272 wrote to memory of 1872	2272	{7F71B05E-E8D0-449b-9756-65244D161849}.exe	98
PID 2916 wrote to memory of 5072	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	99
PID 2916 wrote to memory of 5072	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	99
PID 2916 wrote to memory of 5072	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	99
PID 2916 wrote to memory of 5044	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	100
PID 2916 wrote to memory of 5044	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	100
PID 2916 wrote to memory of 5044	2916	{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe	100
PID 5072 wrote to memory of 4992	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	101
PID 5072 wrote to memory of 4992	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	101
PID 5072 wrote to memory of 4992	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	101
PID 5072 wrote to memory of 1572	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	102
PID 5072 wrote to memory of 1572	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	102
PID 5072 wrote to memory of 1572	5072	{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe	102
PID 4992 wrote to memory of 2560	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	103
PID 4992 wrote to memory of 2560	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	103
PID 4992 wrote to memory of 2560	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	103
PID 4992 wrote to memory of 4320	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	104
PID 4992 wrote to memory of 4320	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	104
PID 4992 wrote to memory of 4320	4992	{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe	104
PID 2560 wrote to memory of 3808	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	105
PID 2560 wrote to memory of 3808	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	105
PID 2560 wrote to memory of 3808	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	105
PID 2560 wrote to memory of 4832	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	106
PID 2560 wrote to memory of 4832	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	106
PID 2560 wrote to memory of 4832	2560	{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe	106
PID 3808 wrote to memory of 4044	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	107
PID 3808 wrote to memory of 4044	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	107
PID 3808 wrote to memory of 4044	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	107
PID 3808 wrote to memory of 2656	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	108
PID 3808 wrote to memory of 2656	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	108
PID 3808 wrote to memory of 2656	3808	{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe	108
PID 4044 wrote to memory of 2300	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	109
PID 4044 wrote to memory of 2300	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	109
PID 4044 wrote to memory of 2300	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	109
PID 4044 wrote to memory of 1276	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	110
PID 4044 wrote to memory of 1276	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	110
PID 4044 wrote to memory of 1276	4044	{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe	110
PID 2300 wrote to memory of 528	2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe	111
PID 2300 wrote to memory of 528	2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe	111
PID 2300 wrote to memory of 528	2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe	111
PID 2300 wrote to memory of 548	2300	{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_0246314457f40f57bc5c43c68c988a65_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
  C:\Windows\{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
    C:\Windows\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\{7F71B05E-E8D0-449b-9756-65244D161849}.exe
      C:\Windows\{7F71B05E-E8D0-449b-9756-65244D161849}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
        
        C:\Windows\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
        
        C:\Windows\{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
        
        C:\Windows\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
        
        C:\Windows\{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
        
        C:\Windows\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
        
        C:\Windows\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
        
        C:\Windows\{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
        
        C:\Windows\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe
        
        C:\Windows\{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E9D4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B412~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE3EA~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1399E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{416E8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F52DE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D18D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C17C0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F71B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D96CD~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD54~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1399E7A5-1C57-4ef7-A0A7-5DB518A4EDD9}.exe

Filesize
192KB

MD5
57f989e44518d23c6a47066e8ef6fd2f

SHA1
66ff8f2943070e057d39052ad7bef263630f7a65

SHA256
0e981bade52df34ef594c22f481ebce934a63a8e5d285f0543a2a5f29650530b

SHA512
b60cf197f630cf9156487d3fe3b064a16415272dfa58e2e698cf45bb754ce394c08f0b24113fa22927a117fc232ad72c1b6c8d18d366fc85b35a10e628270bfa

Download Submit
C:\Windows\{1D18DD50-0235-479b-9EA2-84E6426C95DC}.exe

Filesize
192KB

MD5
ecf9d4e46cc58cdd1caf10d14b20f8cd

SHA1
fbf59eec2b0f63785529a21e3fede2363b2b4d07

SHA256
fce994ad634d2f0d6ff334d3042448c11bac3bb9b4df9047fb09014a23e06982

SHA512
570f6139674b9a987082d51aa7f21d17e9db4ea6ef3da2c501149a60abe2e01d42307d01a9de7f44fdbf76530decd9b3f35dd5e3c61150f0a136956fa754ac47

Download Submit
C:\Windows\{416E8120-2D97-42b2-8D5A-F899573A0DC7}.exe

Filesize
192KB

MD5
425f4cc8b63c440641584ab6218d0021

SHA1
998f42258ffbc6471fc0f148733153d0589d8a48

SHA256
03399760ae6cd5183e1e5ff8cfd69f254f3c8e29575bbc85bbf146eea1f1f7a8

SHA512
db5e25304555fdefebeb3f012b79649e63f3835a5a1a3e9ed9a34e4ab6172a3b09ac1b24b3b6b086e4e58b8293c1f9537c7e0fd2b67e9edd88d769c9b0162e43

Download Submit
C:\Windows\{4B4126AD-B372-4f48-950C-01033B9AA32B}.exe

Filesize
192KB

MD5
1786e0beffbca5f61d445cbbff02d7fa

SHA1
59e8ee19e956d1db563f31de7b939bc85866ca01

SHA256
8afa089088a76946e076e4927d93c31c472778318e74627356e8aaed6d03c39b

SHA512
53282651bfcb0f93c002240af3e0d177b6ed5b2238f5f3ed591fad73cd0f02b0d1bef881d306730cd861eacf9640aec87da21adc8b752aacb1dff585ad31cf8e

Download Submit
C:\Windows\{7F71B05E-E8D0-449b-9756-65244D161849}.exe

Filesize
192KB

MD5
4d62e189535473c358befd9c4fb51a29

SHA1
866c124504830631e7c3152bde5203c0ec1f89ab

SHA256
f2f37dec1de562951140328a5a04048dbd395b2532de9f2fa45ae07455a1406a

SHA512
e0f15861197fbe91ca35165d792fbf5eefc42dde67df44820bd89242c9f09e4001be70970ca71d6d93a45be1a398f4ba70671ef365d8bc0efee5e55ccbb724cb

Download Submit
C:\Windows\{8BD54D96-0578-4a76-973A-61E88A3942CB}.exe

Filesize
192KB

MD5
6ffb1d4e73278beaade4caba14114637

SHA1
87a1e68a96928d7c2beb48b020db8ab68b830db2

SHA256
0f1f1613fb02cbe7baef8acdc55f43d681df3b54574dbb1ecf88b8de4e6bec2f

SHA512
68ddb222e05ea99c27cffed7cc74b2ae1bca2257368f38ca4429c4937f5ddc36df0a4a481f09c96047d3affecece551a9c6ab2c5c3cbe7f0801c65672d6e93e7

Download Submit
C:\Windows\{8E9D4C39-A26E-40ac-B5AE-C8AAA38EB47A}.exe

Filesize
192KB

MD5
4d4c9f22c804dcc786d8498e128f7103

SHA1
ba96c0e111eff32fa00cc1012bdc2eedb84b631b

SHA256
e333c08670a331ee2155bf320e929b0f3d6724929f209d5c552dffabc3bd9c0d

SHA512
a2e43638dbd2cc4dea7a31556bd4b45443b7699eaffd6d62c69b0d0b1e17a7d255186e9ad07bd60711c3ee318cd5c84763f4e6dc8887d70233e91a159f8c6551

Download Submit
C:\Windows\{B94ABFFB-812C-4231-BB27-BA21E9504752}.exe

Filesize
192KB

MD5
ce1105912dd0b22f1b5079ee9a374544

SHA1
700706b470901008cf43a1b74ab570ebe5d198e3

SHA256
5accfe1c305afec9e2fc853dd5c54192c4eefac6d77e1fb4de339ad67f04c70f

SHA512
e787b946a8aea645b855b118eef42919bb73ff9602192baf171d486af6ed8bdc3649f7e921b2d728dccb301e8ce944667c28249e6331394e85a160c28b400f6d

Download Submit
C:\Windows\{C17C0D8E-30B8-4b8d-ACA2-395B6C3B5C0D}.exe

Filesize
192KB

MD5
bcdac360485a0a63c9fb2d33b4d6f1a3

SHA1
11f194f894a2abaf42718277ea638e26eb93590e

SHA256
be58ca62eb6cf2f0e0d25471179de4972e9e8bb9465ae2fade4754de647b410b

SHA512
6d80615a787f08626db742d58a20c1d1fc5d136adb042c6626a8041f6bd0d2832906eacb37ead7c72f9500262e061609015553ad5ad302eff053d50b235d321e

Download Submit
C:\Windows\{CE3EA676-8D38-4b82-B05E-6B67AC97CFE1}.exe

Filesize
192KB

MD5
829679226b55a40048253826252a94e7

SHA1
9eb4ac568ef75d524621b836aa24fbdb2438beca

SHA256
d33baaac20e67491809d60d95e582da2b5fbdc575c97ffb10500bb936a4ed0fc

SHA512
e211e57aefe513ac32bcecf04e93ba80fa35a6ac473245dd53e58e42006e1a67882f15b4daa6b5cc1d82856669f9fbf35d819bea90f2e6a726fb46c97df2f382

Download Submit
C:\Windows\{D96CD73F-5F54-448b-81E9-5C07BF2D6B89}.exe

Filesize
192KB

MD5
4df55f1a242e507ceb6010da3937dd7b

SHA1
f156a0a56efee622aefaffdd09714fedcd86ed86

SHA256
e03ccd65ef12c1a364f5d3fa16719587561d2e1ead4b70683f6b95b764526688

SHA512
7035c67ed52d1bbf44bc952594816938e0eba40aaed37a9a12758b319130caa67f6444249fb98bf9e9adb60c03cd84acc1306eb525187e7a8a3e93b078b31724

Download Submit
C:\Windows\{F52DEF77-8ADB-479d-81C1-B1228C40F7EE}.exe

Filesize
192KB

MD5
67f159b55969beb42707872ed8f356d6

SHA1
e942e62fe2c8ea8e900fbbca14230b7f19f6a5d5

SHA256
d96e4eac5a99d0a3e37dad85ff0d4c1b8003d97fa0f24d3e785ccbb58c5fbeb5

SHA512
5db6a630f62dde3147b8bde8928a16f69f7f54f8d75207d6947128f1cba409044c9f813e81ef679c7156a6b26178446b060b9f78684146c3830a62cf0dab4bda

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads