4253c59a141646488a4f3f3e64dc6975d12d75da050d2e241c0dc6679e8204f9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Size

380KB
MD5

9ef6e77912b5c16b893c496cde097353
SHA1

b4e04264b53a6241e7516485644cdd9861e026b1
SHA256

4253c59a141646488a4f3f3e64dc6975d12d75da050d2e241c0dc6679e8204f9
SHA512

41d52c393ed9cdaabe98ac9d2fa65d31673b8064c7f1da72402a841ecf10af78e11f947cebef226afadcd77fc96c70d8f13bd545edfc13bd9ef14c1a100aaa06
SSDEEP

3072:mEGh0o0lPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGyl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}\stubpath = "C:\\Windows\\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe"	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FDEEC5-397F-4316-B929-73F4C3F793E7}	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}\stubpath = "C:\\Windows\\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe"	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}\stubpath = "C:\\Windows\\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe"	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52EB775-E505-42c8-866C-71CD4817A6A5}	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89033144-32F6-4482-A115-44CE9BC3380F}	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73FDEEC5-397F-4316-B929-73F4C3F793E7}\stubpath = "C:\\Windows\\{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe"	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}\stubpath = "C:\\Windows\\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe"	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52EB775-E505-42c8-866C-71CD4817A6A5}\stubpath = "C:\\Windows\\{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe"	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89033144-32F6-4482-A115-44CE9BC3380F}\stubpath = "C:\\Windows\\{89033144-32F6-4482-A115-44CE9BC3380F}.exe"	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}\stubpath = "C:\\Windows\\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe"	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9F09A9-96B3-4489-B362-4363E4ABE515}\stubpath = "C:\\Windows\\{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe"	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}\stubpath = "C:\\Windows\\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe"	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C9F09A9-96B3-4489-B362-4363E4ABE515}	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1140122-8A5F-4347-8C13-D88D2B693FB9}	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1140122-8A5F-4347-8C13-D88D2B693FB9}\stubpath = "C:\\Windows\\{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe"	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}\stubpath = "C:\\Windows\\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe"	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe

Executes dropped EXE 12 IoCs

pid	Process
2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
1360	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
3280	{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
File created	C:\Windows\{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
File created	C:\Windows\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
File created	C:\Windows\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
File created	C:\Windows\{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
File created	C:\Windows\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
File created	C:\Windows\{89033144-32F6-4482-A115-44CE9BC3380F}.exe	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
File created	C:\Windows\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
File created	C:\Windows\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
File created	C:\Windows\{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
File created	C:\Windows\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
File created	C:\Windows\{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe
Token: SeIncBasePriorityPrivilege	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
Token: SeIncBasePriorityPrivilege	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
Token: SeIncBasePriorityPrivilege	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
Token: SeIncBasePriorityPrivilege	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
Token: SeIncBasePriorityPrivilege	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
Token: SeIncBasePriorityPrivilege	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
Token: SeIncBasePriorityPrivilege	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
Token: SeIncBasePriorityPrivilege	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
Token: SeIncBasePriorityPrivilege	4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
Token: SeIncBasePriorityPrivilege	1360	{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2828	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	89
PID 4112 wrote to memory of 2828	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	89
PID 4112 wrote to memory of 2828	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	89
PID 4112 wrote to memory of 3644	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	90
PID 4112 wrote to memory of 3644	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	90
PID 4112 wrote to memory of 3644	4112	2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe	90
PID 2828 wrote to memory of 3224	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	91
PID 2828 wrote to memory of 3224	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	91
PID 2828 wrote to memory of 3224	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	91
PID 2828 wrote to memory of 4184	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	92
PID 2828 wrote to memory of 4184	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	92
PID 2828 wrote to memory of 4184	2828	{89033144-32F6-4482-A115-44CE9BC3380F}.exe	92
PID 3224 wrote to memory of 832	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	95
PID 3224 wrote to memory of 832	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	95
PID 3224 wrote to memory of 832	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	95
PID 3224 wrote to memory of 4060	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	96
PID 3224 wrote to memory of 4060	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	96
PID 3224 wrote to memory of 4060	3224	{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe	96
PID 832 wrote to memory of 4388	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	97
PID 832 wrote to memory of 4388	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	97
PID 832 wrote to memory of 4388	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	97
PID 832 wrote to memory of 3676	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	98
PID 832 wrote to memory of 3676	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	98
PID 832 wrote to memory of 3676	832	{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe	98
PID 4388 wrote to memory of 932	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	99
PID 4388 wrote to memory of 932	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	99
PID 4388 wrote to memory of 932	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	99
PID 4388 wrote to memory of 4912	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	100
PID 4388 wrote to memory of 4912	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	100
PID 4388 wrote to memory of 4912	4388	{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe	100
PID 932 wrote to memory of 4352	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	101
PID 932 wrote to memory of 4352	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	101
PID 932 wrote to memory of 4352	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	101
PID 932 wrote to memory of 3784	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	102
PID 932 wrote to memory of 3784	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	102
PID 932 wrote to memory of 3784	932	{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe	102
PID 4352 wrote to memory of 4940	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	103
PID 4352 wrote to memory of 4940	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	103
PID 4352 wrote to memory of 4940	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	103
PID 4352 wrote to memory of 3588	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	104
PID 4352 wrote to memory of 3588	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	104
PID 4352 wrote to memory of 3588	4352	{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe	104
PID 4940 wrote to memory of 4540	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	105
PID 4940 wrote to memory of 4540	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	105
PID 4940 wrote to memory of 4540	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	105
PID 4940 wrote to memory of 1412	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	106
PID 4940 wrote to memory of 1412	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	106
PID 4940 wrote to memory of 1412	4940	{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe	106
PID 4540 wrote to memory of 2436	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	107
PID 4540 wrote to memory of 2436	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	107
PID 4540 wrote to memory of 2436	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	107
PID 4540 wrote to memory of 3304	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	108
PID 4540 wrote to memory of 3304	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	108
PID 4540 wrote to memory of 3304	4540	{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe	108
PID 2436 wrote to memory of 4704	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	109
PID 2436 wrote to memory of 4704	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	109
PID 2436 wrote to memory of 4704	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	109
PID 2436 wrote to memory of 4656	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	110
PID 2436 wrote to memory of 4656	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	110
PID 2436 wrote to memory of 4656	2436	{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe	110
PID 4704 wrote to memory of 1360	4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe	111
PID 4704 wrote to memory of 1360	4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe	111
PID 4704 wrote to memory of 1360	4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe	111
PID 4704 wrote to memory of 2624	4704	{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_9ef6e77912b5c16b893c496cde097353_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\{89033144-32F6-4482-A115-44CE9BC3380F}.exe
  C:\Windows\{89033144-32F6-4482-A115-44CE9BC3380F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
    C:\Windows\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
      C:\Windows\{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
        
        C:\Windows\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
        
        C:\Windows\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
        
        C:\Windows\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
        
        C:\Windows\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
        
        C:\Windows\{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
        
        C:\Windows\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
        
        C:\Windows\{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
        
        C:\Windows\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe
        
        C:\Windows\{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAA14~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1140~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{307A0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9F0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58A20~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6BD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F3D1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBCDC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73FDE~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0CA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{89033~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F3D19C5-5206-47b4-B193-E57D0EBDF849}.exe

Filesize
380KB

MD5
563f493f838dc6ac034744a6ed2f30e9

SHA1
689052d06389dfd5750663f9f7f9fe60f2af7333

SHA256
446a1767980d51ae9d19f2095e226cb784e4b1030acc06c6e17476c786815d18

SHA512
baa06b6fb2ca00d61518d8db755c8d3bec9a6b7bb760fe0084a2277a42cca0232509ea5390b5b23f43d5355246d5e3224c38c169e02647fe553d74cbfa88bd7c

Download Submit
C:\Windows\{307A0C15-5A76-4b55-BF81-BF776FDC5E29}.exe

Filesize
380KB

MD5
e1a4afbc4f91e0af1637b7c800adb4a3

SHA1
0db8b4a91cdeb25f317dded4ede633b5399bfb78

SHA256
2b42da0b566ac682e80d757955551358f1524ae96b4be63d0f9368b04a348946

SHA512
fbbd80183a910238025fa2db8e4e9defc802764fe17ab95d197e05ed5158af5b0a4d356f6884acfec63a40361ca6c67eb15a5ea85cf5abe261743768cd50ee9d

Download Submit
C:\Windows\{4C9F09A9-96B3-4489-B362-4363E4ABE515}.exe

Filesize
380KB

MD5
53b4648022d8a89c224c92a0082429ce

SHA1
ac2527a4f8f7aebac1017e9125da6873fccb40e8

SHA256
067f42f12da97ed70c74320cb95f5b8defb08c24727d55af19263f3190ce6d6d

SHA512
77b6509424b3dbe716b514bd78b34846db7e7d03e96b727ed06ee8e3b542bd83c144667fdebc3aa0c60f1f229e56ac9f4305673aa3a65d93eb47824869f4ab2e

Download Submit
C:\Windows\{58A20539-5F93-42dc-AC7A-D67C54C52D3E}.exe

Filesize
380KB

MD5
c3b67505f8b91e9ec17afd9606bf253c

SHA1
5dc21a5c6707add5d04efe5125449d2826366202

SHA256
15add23ed4b6bb64deaa6cb7097d8c86fc711d1b656e8fc4b11b5f8be8fa279f

SHA512
53ed41f2edcada5888b2a0d27d7235c70777a24c1ae8b283e172001fb72e787ffe5bd2e7482d31ccc087dfa34214fbd692b1171e9ba0fabb6eaa0e49ec856416

Download Submit
C:\Windows\{5E6BDDB8-0236-4576-AFE3-0B5595F92349}.exe

Filesize
380KB

MD5
fa95e1abe21388f5dfaad53da7bda8a6

SHA1
318618f2f7f351fe688ed2056e1a86dd71bd0a0e

SHA256
983ee2df5a405a233caaafde3108751ceb0e34100e24e8ead72ab8f9ab676cb8

SHA512
4606bdb6a4910c81cad07245bdda9ac8648c8c36cbbbe7374c083be59204923498b9a011da1abb5aac142a47c81a6d94276667f5aefbb3d74da2eb94d378c3d9

Download Submit
C:\Windows\{73FDEEC5-397F-4316-B929-73F4C3F793E7}.exe

Filesize
380KB

MD5
d798fb2198ff84cb4078ecdad7d7a84a

SHA1
ff1890b9b30a574b595a3de70921bcb11deae6f7

SHA256
1cf90c0c63f70b8026184c51fdd162f0bfd0fea6e9ec544f75f63ff3c91d015b

SHA512
1e49fcd682a02ec1749908c8947f735a99627f01594e2effce25dcfa555016280271ba916114d7e9d0f562badceb5333f2090cd9b94fd5709a351a970f18fd2f

Download Submit
C:\Windows\{89033144-32F6-4482-A115-44CE9BC3380F}.exe

Filesize
380KB

MD5
af46527296b1edadbaef1e84c75b5cd4

SHA1
6610bd4ab82ac5807d2e1f0de05d019c86e4173e

SHA256
65d9235ec12bbacb99e7550f7c3132a3ad3a4ed6ab4283ca343722aa13036c8f

SHA512
920244135b9af8d31a21a0f2e448a960ac6df3a0ef3a203af9da134268aceb5055b7cf656b127485d919f99f46f2d7bea94a1d3244d1be2f7a030cede8149268

Download Submit
C:\Windows\{AAA14BCE-0BE7-41a7-A804-E8720F9D88E2}.exe

Filesize
380KB

MD5
1f8a56e05ced245ceafefe89ed604ee2

SHA1
6b7cfa3bef9bb927479c09a5f4fc6d8394e5f8cb

SHA256
b5271c8c2d60096c71bd96cfbc2f17bde98e82986b24b8a30ce921d5bd4741a2

SHA512
497c26c681616e0ca7660ba132792961a42ba3b1cfc0ba3383e46eebb364f62c86a5367c04db704703b4c601815ca9904ce8f1f6a166ec2d8f4aa4cb5e7fdb58

Download Submit
C:\Windows\{CBCDC89C-4A9C-4c92-B9B8-D974138D0EFD}.exe

Filesize
380KB

MD5
f24168a27eeeea3cecd8933d757d21c5

SHA1
f37c0e1dc5838a84fe452c06bfc8b11fc9e6ec66

SHA256
a05855cde722eeadba6dd3bedf4dfcffdb3a417c28e61ec9d0da6aa27b6f239b

SHA512
4adabb118ccae58daeb5add06c0d231542573bb5bf621a2de963c8a4a77265e3896fc4b689c6dee17bd484fd9f86baa628a3c8671ceae69b29af7e04527d537e

Download Submit
C:\Windows\{D1140122-8A5F-4347-8C13-D88D2B693FB9}.exe

Filesize
380KB

MD5
09c18b2d1a211aec5e896bc6b89374ec

SHA1
ed7dbd318b585c70138acd3bcd2dd5d702b34d28

SHA256
90c199b96ce57f2802393b26e6e23235c32cfac391d9ea567ca0205a9b4c664e

SHA512
0b67b11455cded8896355f1c8c192600a9c57758ce00fdc476ee4223e84da765f8341592a66513a15dde20221d1841af3b86d2d43577925a2e5f471c8417fa29

Download Submit
C:\Windows\{D52EB775-E505-42c8-866C-71CD4817A6A5}.exe

Filesize
380KB

MD5
fecff988db9fb8d092af916a3ee6dc7a

SHA1
287263fb3b190766d1c80f998902ea078decc9b8

SHA256
db53b0e6b93637a364585a7e4a43eefd3d4164529c8c55a577774e5662c99b32

SHA512
bd4ad4027725a92de0dcd31c3edb3b1e2dafeaa1acd4c1f4ea3f34b5074b4f08d0e9c96401722371c4b85edc078e71b44093480e4b172895ee2003513dc499ec

Download Submit
C:\Windows\{EE0CAFA6-0FDF-42c4-A018-F61C96F20457}.exe

Filesize
380KB

MD5
66ec1708451c6f2f5071426fbbe0adf6

SHA1
836fca403d5c02f1cf4ca1f33ce22018d9758f2a

SHA256
c328069143b438cc6ad5dc00ca77fee6e364e4899d8f5c41b8abcad5c2f363f6

SHA512
14324ee2a1beead09818f1b0592af6f4d8ecef5032ebf7ec15b747c1777dc858276b85a5f53e7ea7cd9e3923e0690b224b6d0bb2cc9ab6cb41c4a0e305bc3298

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads