f886200b767697f062a41c47ce3bf0f4afaf95075a551fed02742fbd9cc78acc

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
Size

168KB
MD5

977c6e3221c7e41ac53e6920701758a2
SHA1

350da400d225392dcf4edbb83d18d3a9e0c92a58
SHA256

f886200b767697f062a41c47ce3bf0f4afaf95075a551fed02742fbd9cc78acc
SHA512

50ff50a5e287e109bc0ccfbb7dd3c761496eb12f9faff78c3b82027cd604e34b756ee89d451e83247bf648d9acde1a681ce0b0786b1a5ce701e83a5a7969d327
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}\stubpath = "C:\\Windows\\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe"	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71B9144-E6B9-429b-9B08-736CEBCF406A}\stubpath = "C:\\Windows\\{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe"	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C16C71E-0EFA-425f-805C-D2E18699A097}\stubpath = "C:\\Windows\\{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe"	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1739F09D-448C-4630-8A6F-24FCA425E987}	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71B9144-E6B9-429b-9B08-736CEBCF406A}	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA67579-45EA-4bff-A240-96F68270087C}\stubpath = "C:\\Windows\\{3CA67579-45EA-4bff-A240-96F68270087C}.exe"	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}\stubpath = "C:\\Windows\\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe"	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}\stubpath = "C:\\Windows\\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe"	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}\stubpath = "C:\\Windows\\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe"	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8763240-BBA0-4365-B3D5-771CF4D22D45}	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}\stubpath = "C:\\Windows\\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe"	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1739F09D-448C-4630-8A6F-24FCA425E987}\stubpath = "C:\\Windows\\{1739F09D-448C-4630-8A6F-24FCA425E987}.exe"	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C16C71E-0EFA-425f-805C-D2E18699A097}	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}\stubpath = "C:\\Windows\\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe"	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8763240-BBA0-4365-B3D5-771CF4D22D45}\stubpath = "C:\\Windows\\{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe"	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAF168A-867A-46ef-8350-F98A8215DBA6}	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CA67579-45EA-4bff-A240-96F68270087C}	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FAF168A-867A-46ef-8350-F98A8215DBA6}\stubpath = "C:\\Windows\\{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe"	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe

Executes dropped EXE 12 IoCs

pid	Process
212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
2808	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
4852	{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
File created	C:\Windows\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
File created	C:\Windows\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
File created	C:\Windows\{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
File created	C:\Windows\{3CA67579-45EA-4bff-A240-96F68270087C}.exe	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
File created	C:\Windows\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
File created	C:\Windows\{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
File created	C:\Windows\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
File created	C:\Windows\{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
File created	C:\Windows\{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
File created	C:\Windows\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
File created	C:\Windows\{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe
Token: SeIncBasePriorityPrivilege	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
Token: SeIncBasePriorityPrivilege	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
Token: SeIncBasePriorityPrivilege	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
Token: SeIncBasePriorityPrivilege	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
Token: SeIncBasePriorityPrivilege	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
Token: SeIncBasePriorityPrivilege	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
Token: SeIncBasePriorityPrivilege	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
Token: SeIncBasePriorityPrivilege	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
Token: SeIncBasePriorityPrivilege	3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
Token: SeIncBasePriorityPrivilege	2808	{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 212	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	89
PID 4436 wrote to memory of 212	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	89
PID 4436 wrote to memory of 212	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	89
PID 4436 wrote to memory of 4988	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	90
PID 4436 wrote to memory of 4988	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	90
PID 4436 wrote to memory of 4988	4436	2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe	90
PID 212 wrote to memory of 772	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	91
PID 212 wrote to memory of 772	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	91
PID 212 wrote to memory of 772	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	91
PID 212 wrote to memory of 4732	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	92
PID 212 wrote to memory of 4732	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	92
PID 212 wrote to memory of 4732	212	{3CA67579-45EA-4bff-A240-96F68270087C}.exe	92
PID 772 wrote to memory of 1784	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	95
PID 772 wrote to memory of 1784	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	95
PID 772 wrote to memory of 1784	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	95
PID 772 wrote to memory of 2256	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	96
PID 772 wrote to memory of 2256	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	96
PID 772 wrote to memory of 2256	772	{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe	96
PID 1784 wrote to memory of 4220	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	97
PID 1784 wrote to memory of 4220	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	97
PID 1784 wrote to memory of 4220	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	97
PID 1784 wrote to memory of 4284	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	98
PID 1784 wrote to memory of 4284	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	98
PID 1784 wrote to memory of 4284	1784	{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe	98
PID 4220 wrote to memory of 2440	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	99
PID 4220 wrote to memory of 2440	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	99
PID 4220 wrote to memory of 2440	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	99
PID 4220 wrote to memory of 2172	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	100
PID 4220 wrote to memory of 2172	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	100
PID 4220 wrote to memory of 2172	4220	{1739F09D-448C-4630-8A6F-24FCA425E987}.exe	100
PID 2440 wrote to memory of 4092	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	101
PID 2440 wrote to memory of 4092	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	101
PID 2440 wrote to memory of 4092	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	101
PID 2440 wrote to memory of 1240	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	102
PID 2440 wrote to memory of 1240	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	102
PID 2440 wrote to memory of 1240	2440	{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe	102
PID 4092 wrote to memory of 4040	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	103
PID 4092 wrote to memory of 4040	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	103
PID 4092 wrote to memory of 4040	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	103
PID 4092 wrote to memory of 2672	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	104
PID 4092 wrote to memory of 2672	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	104
PID 4092 wrote to memory of 2672	4092	{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe	104
PID 4040 wrote to memory of 1984	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	105
PID 4040 wrote to memory of 1984	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	105
PID 4040 wrote to memory of 1984	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	105
PID 4040 wrote to memory of 1636	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	106
PID 4040 wrote to memory of 1636	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	106
PID 4040 wrote to memory of 1636	4040	{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe	106
PID 1984 wrote to memory of 4020	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	107
PID 1984 wrote to memory of 4020	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	107
PID 1984 wrote to memory of 4020	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	107
PID 1984 wrote to memory of 544	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	108
PID 1984 wrote to memory of 544	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	108
PID 1984 wrote to memory of 544	1984	{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe	108
PID 4020 wrote to memory of 3688	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	109
PID 4020 wrote to memory of 3688	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	109
PID 4020 wrote to memory of 3688	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	109
PID 4020 wrote to memory of 3172	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	110
PID 4020 wrote to memory of 3172	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	110
PID 4020 wrote to memory of 3172	4020	{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe	110
PID 3688 wrote to memory of 2808	3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe	111
PID 3688 wrote to memory of 2808	3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe	111
PID 3688 wrote to memory of 2808	3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe	111
PID 3688 wrote to memory of 3532	3688	{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_977c6e3221c7e41ac53e6920701758a2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\{3CA67579-45EA-4bff-A240-96F68270087C}.exe
  C:\Windows\{3CA67579-45EA-4bff-A240-96F68270087C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
    C:\Windows\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
      C:\Windows\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
        
        C:\Windows\{1739F09D-448C-4630-8A6F-24FCA425E987}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Windows\{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
        
        C:\Windows\{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
        
        C:\Windows\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
        
        C:\Windows\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
        
        C:\Windows\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
        
        C:\Windows\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
        
        C:\Windows\{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
        
        C:\Windows\{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe
        
        C:\Windows\{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A71B9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8763~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8284E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A39~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B77CE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D674~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C16C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1739F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD3F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39D18~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA67~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1739F09D-448C-4630-8A6F-24FCA425E987}.exe

Filesize
168KB

MD5
95d3dc440dbff55f0d6e13375b933c67

SHA1
00f0427662a51b2933b758ea5780f463fd762965

SHA256
665d272ac45624477a96d86278d3e225546beef23547cd3462ff9974d31410e6

SHA512
16370801cda72dccc9bf3e098bd91fe89025f02807cfdb7df1771186da843f409902d05cd7392957d77e9e258d29acc7643452af42a5ffd269846d00e25ed5c7

Download Submit
C:\Windows\{2D6744CC-68E6-41e6-A0E4-5E1D41DE1313}.exe

Filesize
168KB

MD5
bb7163186c40e678a0b0dd6ba61e48dc

SHA1
67f82ca5e0d2f3a237a9aab8a31a612ad2b3fa86

SHA256
99686838c84d4ec3151f22638433d92e3046f5e4859833455bffeddf0a940e1b

SHA512
e44af6a1c4207b62d71b5404c13bd6e82b93070513cfef0e58eaa85b3e3928a91fc64562b175777a8df66fb47ebf912c8715c47d7e2bd05ecb539a9804f0eae3

Download Submit
C:\Windows\{39D1863C-D70B-41d0-88C5-6BB2067ECDD1}.exe

Filesize
168KB

MD5
8c6ab56c7f98977a5da71fbca9b40566

SHA1
4b32af497dfad19973c7faa54dc065cb447fe51b

SHA256
ae474b6d2271f38f04d98438cff18b7c5465bb77f18466ad6ff8c8688cb353fa

SHA512
ea3307d153a6fdfaebac845de930d34832cce671267fdb7bb937d2679cda18f6efb2cb3381521c1b32ae778fd5f52cbac8ee7e4050d70faf9f853f2c28e845f4

Download Submit
C:\Windows\{3CA67579-45EA-4bff-A240-96F68270087C}.exe

Filesize
168KB

MD5
cd825946fcb400a86a419c4250b55a29

SHA1
0ff070b1f4a581624e4eb122f02fd846918790f2

SHA256
d15158cff200fdc0b7707d909543ac17356c068e9db94848e7cb94da3c8052fb

SHA512
91920b4b4fba5b621c085153d220b592ddd39879b474b68973d07bcbe396914311acc6356d709aadec1425f2cef5dce6286678662bd4e8e39b9fd7534d183c95

Download Submit
C:\Windows\{6C16C71E-0EFA-425f-805C-D2E18699A097}.exe

Filesize
168KB

MD5
43295cee7d4e7ce4454ed427972c6a14

SHA1
f3d4b2dba594ab1edd33af042a0bdb884292e425

SHA256
e769c5d7e516eb5963d2d8a11389fa41959963c315d3b143a8cdb4ad3faccd80

SHA512
f5b14f2d85699c7953bca77f1975133c36fd32220d2fce2de68fa1657745ad0f66c7f550a9092d427bb90b05482def0b77cda47a2041a23d222288c4bc8d727b

Download Submit
C:\Windows\{8284EE8D-1FAB-4022-B974-AF9D51C2C591}.exe

Filesize
168KB

MD5
2f48cfc2a7326279b4f3aa49cb251d1e

SHA1
c6c5ebae5e91250c7b00065d754cacf488bd9140

SHA256
a8ecc81b6a3daa162eb78ca897cb88a45088d7e9b7bbfb33c0dcf1e32797d132

SHA512
d60848454628a316fe113834119deb8c7285bb31ad4c632aea888530b3340fa34e13e8314f7d11ce49e58fd51005f879bacb8634fa53451f5b893b163b83e598

Download Submit
C:\Windows\{9FAF168A-867A-46ef-8350-F98A8215DBA6}.exe

Filesize
168KB

MD5
32daf9983b6a347df9795138391a29a6

SHA1
bdb50f470c65de8ff286e6f8dc8f92de402e890c

SHA256
834d53083b7e01295f48e7551a638a8896275d3a2a3f142c1388708dd8600985

SHA512
3b681fc00f6b751723d846e33586b200e3589ac8aee2843c1149321f7e51beb6f4eeeb2d6b4ba8ce70649ceab0d1b2d6b8dd67242bed6af2fbb7a93d21146391

Download Submit
C:\Windows\{A71B9144-E6B9-429b-9B08-736CEBCF406A}.exe

Filesize
168KB

MD5
95a95211a050fe1167d11b15aac29103

SHA1
e4265d6bbbf469197bebef33564819d3768e8349

SHA256
ead7603eedde26e2627f5896c33d8dbf1c91e13c1d5e00b467e462b9f610384c

SHA512
d21a1c7b2f8e5a925158f3aa2637ab14fc2cde7c6e8f5cfee7e4d87f36b879daa3198fdc295d29d4d35fdca3a0fb331b483f871687b6bf77cb33f1891dc6ed0d

Download Submit
C:\Windows\{B77CEF26-C95F-49f4-9664-AFCC563DF1FE}.exe

Filesize
168KB

MD5
31ebc5c0806b92cbba9a66a1855761fb

SHA1
42b813715e1f276d4b3239e07ec7165e3c66fb55

SHA256
f437b3a7630425d11a3a93f8d1753454f69ccb576bbf0401221930738c22c85d

SHA512
cedcbe3079818dfa89579d456adec1a75b7aca315f04ad00c22e83cc79c1e245a270a4a0d619c809bb6a91552f088311ec1739da5eef756146bc0bcbde09443f

Download Submit
C:\Windows\{C0A395A8-FA31-404f-8221-8D50A2D48F0A}.exe

Filesize
168KB

MD5
9ebf854ded18c3e365cf9c96b9b4350c

SHA1
45146261f0a787d382d9e0095943d6c97fdd1305

SHA256
eefca81dbadd3b45f6c01f0af5b3a327e40c82148a0c2175ff654f3b24b53a6a

SHA512
195af04e2778aee4d7e60af992043080bfc45f84d8027ba2ad997433590f2c7510f60bd10aa29bf25283d39b7e5e7246687a64241231bc019a45f61f422d08c4

Download Submit
C:\Windows\{D8763240-BBA0-4365-B3D5-771CF4D22D45}.exe

Filesize
168KB

MD5
059a9c82388baa219da750c7635b3519

SHA1
3738b7ed064b5952cc581569b3c8874e8045c069

SHA256
c198d9175b263844bfa991b535cc0b9f0f7812a84572531cc721ff88019dfdab

SHA512
8f388e2636e2be0325c68abc3fa34a86b5912a4dda4b1a764c09ea679b42b3aae26e8ae6177e79c699f7d2965f8f5852ef0b151ab51257b07d64d6f37e544e11

Download Submit
C:\Windows\{EBD3F9D2-DC0E-4046-91C1-72A7F1B31A0A}.exe

Filesize
168KB

MD5
e5134a2dec0cb4ddc4eb93c6a8bd9b9f

SHA1
985ef9641020e7fdf4db3828b2836f0d4f3e1bc5

SHA256
5614ed3a286f332143ab6d3e96ed34a4f91e7d802061a28f05533cb0a61a1787

SHA512
655a1aa78dd786f37ec8daa259c27a4e151b276c27ce68bee1a2f9581ee8cbcb7907c7344a4f5e29e8a8e48cc1d4bcedc6c37b63729a65d8f81e61e5919fc3d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads