f3c5f9b098f5eca3b7e65c066ae7e67f501789c6a1c399f131debc5f731555b4

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
Size

408KB
MD5

7fe84c240802c1025cad86455dad9617
SHA1

567f72831799e01077f929628b73cd36cf2fdcd8
SHA256

f3c5f9b098f5eca3b7e65c066ae7e67f501789c6a1c399f131debc5f731555b4
SHA512

68cfd63baddce2b291b143c53070d8eef3e2c9d827f0983668dd9afb24a38c79a40b475a919a9154d87daa318d17dff3b82121ac2b9c1c147d4a6348b77716ce
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGEldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2724BFEE-ACA3-4567-8898-BAA212A8624C}	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}\stubpath = "C:\\Windows\\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe"	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783EA066-0BD9-4773-B63A-807B076EE57C}	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783EA066-0BD9-4773-B63A-807B076EE57C}\stubpath = "C:\\Windows\\{783EA066-0BD9-4773-B63A-807B076EE57C}.exe"	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}\stubpath = "C:\\Windows\\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe"	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}\stubpath = "C:\\Windows\\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe"	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}\stubpath = "C:\\Windows\\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe"	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1629CC26-AC4C-4f89-A7F5-77FA44779313}	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1629CC26-AC4C-4f89-A7F5-77FA44779313}\stubpath = "C:\\Windows\\{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe"	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361EF863-1465-4d5d-A95B-AE833A26D5C2}\stubpath = "C:\\Windows\\{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe"	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38640732-AFE8-4147-985B-57DC01DE3C92}\stubpath = "C:\\Windows\\{38640732-AFE8-4147-985B-57DC01DE3C92}.exe"	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361EF863-1465-4d5d-A95B-AE833A26D5C2}	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65E160C1-292F-4f73-A32D-9A5CC858044B}	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2724BFEE-ACA3-4567-8898-BAA212A8624C}\stubpath = "C:\\Windows\\{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe"	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}\stubpath = "C:\\Windows\\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe"	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65E160C1-292F-4f73-A32D-9A5CC858044B}\stubpath = "C:\\Windows\\{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe"	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}\stubpath = "C:\\Windows\\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe"	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38640732-AFE8-4147-985B-57DC01DE3C92}	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe

Executes dropped EXE 12 IoCs

pid	Process
4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
4636	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
4476	{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
File created	C:\Windows\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
File created	C:\Windows\{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
File created	C:\Windows\{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
File created	C:\Windows\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
File created	C:\Windows\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
File created	C:\Windows\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
File created	C:\Windows\{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
File created	C:\Windows\{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
File created	C:\Windows\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
File created	C:\Windows\{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
File created	C:\Windows\{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
Token: SeIncBasePriorityPrivilege	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
Token: SeIncBasePriorityPrivilege	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
Token: SeIncBasePriorityPrivilege	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
Token: SeIncBasePriorityPrivilege	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
Token: SeIncBasePriorityPrivilege	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
Token: SeIncBasePriorityPrivilege	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
Token: SeIncBasePriorityPrivilege	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
Token: SeIncBasePriorityPrivilege	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
Token: SeIncBasePriorityPrivilege	4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
Token: SeIncBasePriorityPrivilege	4636	{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4056	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	89
PID 3580 wrote to memory of 4056	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	89
PID 3580 wrote to memory of 4056	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	89
PID 3580 wrote to memory of 324	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	90
PID 3580 wrote to memory of 324	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	90
PID 3580 wrote to memory of 324	3580	2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe	90
PID 4056 wrote to memory of 2196	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	91
PID 4056 wrote to memory of 2196	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	91
PID 4056 wrote to memory of 2196	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	91
PID 4056 wrote to memory of 3248	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	92
PID 4056 wrote to memory of 3248	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	92
PID 4056 wrote to memory of 3248	4056	{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe	92
PID 2196 wrote to memory of 1428	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	95
PID 2196 wrote to memory of 1428	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	95
PID 2196 wrote to memory of 1428	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	95
PID 2196 wrote to memory of 2848	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	96
PID 2196 wrote to memory of 2848	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	96
PID 2196 wrote to memory of 2848	2196	{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe	96
PID 1428 wrote to memory of 3860	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	97
PID 1428 wrote to memory of 3860	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	97
PID 1428 wrote to memory of 3860	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	97
PID 1428 wrote to memory of 2492	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	98
PID 1428 wrote to memory of 2492	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	98
PID 1428 wrote to memory of 2492	1428	{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe	98
PID 3860 wrote to memory of 796	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	99
PID 3860 wrote to memory of 796	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	99
PID 3860 wrote to memory of 796	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	99
PID 3860 wrote to memory of 3292	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	100
PID 3860 wrote to memory of 3292	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	100
PID 3860 wrote to memory of 3292	3860	{783EA066-0BD9-4773-B63A-807B076EE57C}.exe	100
PID 796 wrote to memory of 3620	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	101
PID 796 wrote to memory of 3620	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	101
PID 796 wrote to memory of 3620	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	101
PID 796 wrote to memory of 1964	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	102
PID 796 wrote to memory of 1964	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	102
PID 796 wrote to memory of 1964	796	{38640732-AFE8-4147-985B-57DC01DE3C92}.exe	102
PID 3620 wrote to memory of 1312	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	103
PID 3620 wrote to memory of 1312	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	103
PID 3620 wrote to memory of 1312	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	103
PID 3620 wrote to memory of 2160	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	104
PID 3620 wrote to memory of 2160	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	104
PID 3620 wrote to memory of 2160	3620	{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe	104
PID 1312 wrote to memory of 1212	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	105
PID 1312 wrote to memory of 1212	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	105
PID 1312 wrote to memory of 1212	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	105
PID 1312 wrote to memory of 1772	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	106
PID 1312 wrote to memory of 1772	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	106
PID 1312 wrote to memory of 1772	1312	{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe	106
PID 1212 wrote to memory of 2320	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	107
PID 1212 wrote to memory of 2320	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	107
PID 1212 wrote to memory of 2320	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	107
PID 1212 wrote to memory of 2264	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	108
PID 1212 wrote to memory of 2264	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	108
PID 1212 wrote to memory of 2264	1212	{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe	108
PID 2320 wrote to memory of 4584	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	109
PID 2320 wrote to memory of 4584	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	109
PID 2320 wrote to memory of 4584	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	109
PID 2320 wrote to memory of 4864	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	110
PID 2320 wrote to memory of 4864	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	110
PID 2320 wrote to memory of 4864	2320	{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe	110
PID 4584 wrote to memory of 4636	4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe	111
PID 4584 wrote to memory of 4636	4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe	111
PID 4584 wrote to memory of 4636	4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe	111
PID 4584 wrote to memory of 2340	4584	{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_7fe84c240802c1025cad86455dad9617_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
  C:\Windows\{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
    C:\Windows\{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
      C:\Windows\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
        
        C:\Windows\{783EA066-0BD9-4773-B63A-807B076EE57C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
      - C:\Windows\{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
        
        C:\Windows\{38640732-AFE8-4147-985B-57DC01DE3C92}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
        
        C:\Windows\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
        
        C:\Windows\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
        
        C:\Windows\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
        
        C:\Windows\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
        
        C:\Windows\{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
        
        C:\Windows\{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Windows\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe
        
        C:\Windows\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65E16~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{361EF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E38F1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D7C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16CC2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{411DC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38640~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{783EA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E77B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2724B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1629C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1629CC26-AC4C-4f89-A7F5-77FA44779313}.exe

Filesize
408KB

MD5
43b0031aae4de420806f36765993f8b5

SHA1
bfc240a7b5c34766db44107464619161a409e10d

SHA256
a7c5de514471db64b036169071ecd7fa16682b93895d9e08b31d6a0d4d5fe01d

SHA512
75c75e69cb4c0e55e171968bddc36c41c05ba71e1defd83eb6fbf699d3131120959a14604022f8f180a8bd11a70a0e2036f3897390a945af7788e5e6f9637538

Download Submit
C:\Windows\{16CC225E-50B0-47e1-AE26-7FA19A4B8577}.exe

Filesize
408KB

MD5
ea4c441af3336b435c07375d21fc1a87

SHA1
941642d2de133a9f863d9b653c77b03453253554

SHA256
0dfa20956028e3a674a683c53766cf975bc9e239c89f9e72ef9795dc7b9ce5b6

SHA512
ea41ae46ae61bc2cdd97e5efa5ef17e7b8899c9db46ba21961a1e9a79e73098c3edb41dde625ed9e1b1f3911d44b25113569f111bfc2258472653343f673fc72

Download Submit
C:\Windows\{1D71EB23-8C5A-42d2-9810-2D04689A79EC}.exe

Filesize
408KB

MD5
785ec94aece13490a99b153fa29605dd

SHA1
dc4233bd4665184e74e863444dd67c32a4185332

SHA256
f108e02bd250884a68d214893055bd71bca9f0269705fb4f7c61f0dcd4b94139

SHA512
31cd41c73edd08b60cb6eff6be0271c4c7cc7fce9176f74391a8b61533c0ce715d0b3394706d82cfee177db4ee2aef80ef7c3b22cb7b13216c7f9d3744d95b47

Download Submit
C:\Windows\{1E77B96B-2DE1-48c6-AC1A-71A60421FC15}.exe

Filesize
408KB

MD5
893d1f25fd734973ce600f5ee9a8a167

SHA1
cfe3d5f0b786f51a53b88d02b59df7c830e048a5

SHA256
9fc920985a4e7df1a1eed0718962a220e0958e03ae4aa1e4556deb4f79b4ac36

SHA512
d2fb33454960b5254942364e9f07571722d114f98c3c842773f82d4e98b57314a33fb7597da45889c4cbdf9eee819a31529ef14e3dc040be2d519c0950050beb

Download Submit
C:\Windows\{2724BFEE-ACA3-4567-8898-BAA212A8624C}.exe

Filesize
408KB

MD5
26f6bbcb6a6f2d82d8c1422dd769fdca

SHA1
0a64bbaf78eeb8a8fbb98e709c9da9baea5ee146

SHA256
3d7bc4acb69cbe49495f03e64880d5e969b27dff337764cdb0c2fa49ec6505a7

SHA512
bbc14b669e76c88bd24dc85a8c5d04632a75e7790c0b38b8678f39fc99890715ff95efbbf5aedcae6a8b51ab7b4096c03465326e861641d532540a692db76022

Download Submit
C:\Windows\{361EF863-1465-4d5d-A95B-AE833A26D5C2}.exe

Filesize
408KB

MD5
0c56745381b60f5981360e3db9235e14

SHA1
e3cf8d8ed20ed5adbc032069a6294ee7b28d5bda

SHA256
a84464d81458834e48527c7e504e79c3ee7fcc8e50d29b1c01177bae6a885d30

SHA512
6d37e53646964cde4ad58c726c862d1076eea2fcf7209b77cc52f8b903811c7d34f96e960faea3fe90b7c593eaec9b619912317b8a7f4d37da200d18cc7cde3b

Download Submit
C:\Windows\{38640732-AFE8-4147-985B-57DC01DE3C92}.exe

Filesize
408KB

MD5
8411e229649fbfe8cfb8ba32851ccd1d

SHA1
19382be2ff1898531a77f727a6b4097b573def98

SHA256
6001e540c1b92150c8ee5c2b9756c6b24c7775d7deea8f00916cd3512fd4a1ab

SHA512
0930ec7333895727646ea99c3b5ee314303021670051c164ef79a555dc23073e1ca79a157f3942f22a63647ae435cdc9954b58ab542a6668cd4e4ccbf7fa1d4b

Download Submit
C:\Windows\{411DC3CB-7DB0-4058-A9D5-6DFDBC7A320E}.exe

Filesize
408KB

MD5
3ce085f2106d6b87b9176fd1584c7cb6

SHA1
7f08134440c913880bc3f73c7317eb2415547efa

SHA256
73a513f5c95f59821c58fd0d28db16f184842d6ef71420bc8224dd9962622f69

SHA512
0e951b69b69e1e8bfc0c8cda115563b9cea736bba4fe21ac31918c6a0ceb086b13d935f83ae65dead9d4b17484c0007ab85cef3b45595168b1f01a3145e82b61

Download Submit
C:\Windows\{65E160C1-292F-4f73-A32D-9A5CC858044B}.exe

Filesize
408KB

MD5
a52ce5d7a000f560cb5ce48ca07707f4

SHA1
fc191ddc8d303afe5c1f2247947068acd14c66e0

SHA256
831529b5b3eb49393c82b3c93d43a96274db097a1d0f62a0f52c97e1b2adbd14

SHA512
ea4bee42ce44c9cb5bcc4a2002bde6452c2c275f3a31c6b1959936ae9768ddef6115488e9b1b642a23c72188f1c29678a2ed7a6bb44be62354ccd8347f07cace

Download Submit
C:\Windows\{783EA066-0BD9-4773-B63A-807B076EE57C}.exe

Filesize
408KB

MD5
653545205d5146ebec54de4cdd4d3a6c

SHA1
135ce2fefe9491cb82e5526510e43741f2dae172

SHA256
4d36f873c8a6d483b3718fbd7d1dd12088112557541d441945b67d1186cc7bd0

SHA512
a986924e1deb4e561891de5cbec39a8dd6573fd49db9db439d7645db49f378dd8f56fe34b24655acdb5e093845386e9956dd6b53d43c6926cf55c0dd66c393d3

Download Submit
C:\Windows\{E38F196A-A6F3-433e-A304-A7CE55B88EBF}.exe

Filesize
408KB

MD5
210b3ff8bb67c4958a11f9f191d00243

SHA1
854c6f3f553e99adbd656d561a7c32a6211336f3

SHA256
8e388e7d168d7fccf00e93bab27448069cd3f2898afc86fbe6a3001862829caf

SHA512
cf910e4fbcf3b7efa83913db2ff52487d5c5ae60c4decc342c1fd2ec1eefc28852dff172f1fd9bf8494cdaf13e466260727d0d2c47b7a061500184cd99495c2f

Download Submit
C:\Windows\{E7D7C06A-1D60-4a0d-81B7-C8F019F15B3C}.exe

Filesize
408KB

MD5
c4809541bd7d0a1b8e132b8c61c95878

SHA1
c8321423b3cf033f95da44bc79b7f5e3a03f9b13

SHA256
7be26904eccdf922df48c5063c17c344da67aafbe25bb3cecf73734a5cb4b024

SHA512
b37e8df6a6877c925f08b2de9b86595b5c979e546a0f5c562b4d191c2f6370fbb63ce08e200d95fe58e76a94762467d27f7d9a9daa3a19a09e9e0746849d7e33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads