6a8c7c7e91bdc473e1e738551c5c773f64fdbc13b6e682ac655d7a091270ab6e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Size

192KB
MD5

aac2545ee265b1e9e058f5b81c7d32ff
SHA1

9cc155d5ab689a688a651966a1c3d47038bdc3c4
SHA256

6a8c7c7e91bdc473e1e738551c5c773f64fdbc13b6e682ac655d7a091270ab6e
SHA512

dcc4fad8f6ca1e9ede8787cf265e9767f39680f350c187b910363db6baa86873d7e612f47d54c894412cf40e74ce5d8df5ef04a5b67273165cb7ae6eb663479e
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o9l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB177D2F-FF07-4440-8F98-77719F93223C}	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB177D2F-FF07-4440-8F98-77719F93223C}\stubpath = "C:\\Windows\\{AB177D2F-FF07-4440-8F98-77719F93223C}.exe"	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7502B2A6-CE52-4d30-BC32-458EC9239F47}\stubpath = "C:\\Windows\\{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe"	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}\stubpath = "C:\\Windows\\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe"	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}\stubpath = "C:\\Windows\\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe"	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9178619F-CF9A-4e18-AE6D-428A3C34E338}	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9178619F-CF9A-4e18-AE6D-428A3C34E338}\stubpath = "C:\\Windows\\{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe"	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F961D1-771F-4bae-8D8D-5478B601F5F4}	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07F961D1-771F-4bae-8D8D-5478B601F5F4}\stubpath = "C:\\Windows\\{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe"	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}\stubpath = "C:\\Windows\\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe"	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}\stubpath = "C:\\Windows\\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe"	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}\stubpath = "C:\\Windows\\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe"	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}\stubpath = "C:\\Windows\\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe"	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39931BD1-0A30-4ab2-8034-FB9B250AC265}	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39931BD1-0A30-4ab2-8034-FB9B250AC265}\stubpath = "C:\\Windows\\{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe"	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}\stubpath = "C:\\Windows\\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe"	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7502B2A6-CE52-4d30-BC32-458EC9239F47}	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe

Executes dropped EXE 12 IoCs

pid	Process
3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
1300	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
4896	{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
File created	C:\Windows\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
File created	C:\Windows\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
File created	C:\Windows\{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
File created	C:\Windows\{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
File created	C:\Windows\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
File created	C:\Windows\{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
File created	C:\Windows\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
File created	C:\Windows\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
File created	C:\Windows\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
File created	C:\Windows\{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
File created	C:\Windows\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
Token: SeIncBasePriorityPrivilege	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
Token: SeIncBasePriorityPrivilege	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
Token: SeIncBasePriorityPrivilege	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
Token: SeIncBasePriorityPrivilege	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
Token: SeIncBasePriorityPrivilege	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
Token: SeIncBasePriorityPrivilege	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
Token: SeIncBasePriorityPrivilege	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
Token: SeIncBasePriorityPrivilege	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
Token: SeIncBasePriorityPrivilege	4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
Token: SeIncBasePriorityPrivilege	1300	{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 3096	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	89
PID 2596 wrote to memory of 3096	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	89
PID 2596 wrote to memory of 3096	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	89
PID 2596 wrote to memory of 1444	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	90
PID 2596 wrote to memory of 1444	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	90
PID 2596 wrote to memory of 1444	2596	2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe	90
PID 3096 wrote to memory of 5060	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	91
PID 3096 wrote to memory of 5060	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	91
PID 3096 wrote to memory of 5060	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	91
PID 3096 wrote to memory of 2036	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	92
PID 3096 wrote to memory of 2036	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	92
PID 3096 wrote to memory of 2036	3096	{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe	92
PID 5060 wrote to memory of 1484	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	95
PID 5060 wrote to memory of 1484	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	95
PID 5060 wrote to memory of 1484	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	95
PID 5060 wrote to memory of 2316	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	96
PID 5060 wrote to memory of 2316	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	96
PID 5060 wrote to memory of 2316	5060	{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe	96
PID 1484 wrote to memory of 2616	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	97
PID 1484 wrote to memory of 2616	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	97
PID 1484 wrote to memory of 2616	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	97
PID 1484 wrote to memory of 2944	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	98
PID 1484 wrote to memory of 2944	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	98
PID 1484 wrote to memory of 2944	1484	{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe	98
PID 2616 wrote to memory of 1120	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	99
PID 2616 wrote to memory of 1120	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	99
PID 2616 wrote to memory of 1120	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	99
PID 2616 wrote to memory of 4476	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	100
PID 2616 wrote to memory of 4476	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	100
PID 2616 wrote to memory of 4476	2616	{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe	100
PID 1120 wrote to memory of 832	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	101
PID 1120 wrote to memory of 832	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	101
PID 1120 wrote to memory of 832	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	101
PID 1120 wrote to memory of 3284	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	102
PID 1120 wrote to memory of 3284	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	102
PID 1120 wrote to memory of 3284	1120	{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe	102
PID 832 wrote to memory of 4560	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	103
PID 832 wrote to memory of 4560	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	103
PID 832 wrote to memory of 4560	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	103
PID 832 wrote to memory of 3604	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	104
PID 832 wrote to memory of 3604	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	104
PID 832 wrote to memory of 3604	832	{AB177D2F-FF07-4440-8F98-77719F93223C}.exe	104
PID 4560 wrote to memory of 2640	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	105
PID 4560 wrote to memory of 2640	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	105
PID 4560 wrote to memory of 2640	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	105
PID 4560 wrote to memory of 2388	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	106
PID 4560 wrote to memory of 2388	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	106
PID 4560 wrote to memory of 2388	4560	{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe	106
PID 2640 wrote to memory of 116	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	107
PID 2640 wrote to memory of 116	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	107
PID 2640 wrote to memory of 116	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	107
PID 2640 wrote to memory of 5004	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	108
PID 2640 wrote to memory of 5004	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	108
PID 2640 wrote to memory of 5004	2640	{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe	108
PID 116 wrote to memory of 4580	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	109
PID 116 wrote to memory of 4580	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	109
PID 116 wrote to memory of 4580	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	109
PID 116 wrote to memory of 1988	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	110
PID 116 wrote to memory of 1988	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	110
PID 116 wrote to memory of 1988	116	{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe	110
PID 4580 wrote to memory of 1300	4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe	111
PID 4580 wrote to memory of 1300	4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe	111
PID 4580 wrote to memory of 1300	4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe	111
PID 4580 wrote to memory of 3656	4580	{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_aac2545ee265b1e9e058f5b81c7d32ff_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
  C:\Windows\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
    C:\Windows\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
      C:\Windows\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
        
        C:\Windows\{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
        
        C:\Windows\{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
        
        C:\Windows\{AB177D2F-FF07-4440-8F98-77719F93223C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
        
        C:\Windows\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
        
        C:\Windows\{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
        
        C:\Windows\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
        
        C:\Windows\{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
        
        C:\Windows\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe
        
        C:\Windows\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC85E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07F96~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0532A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7502B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C243~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB177~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39931~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91786~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC576~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A2B3C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8C1CF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0532A2ED-7F2B-448d-9FCE-4A760119AB25}.exe

Filesize
192KB

MD5
ca09c1eb72280d2616c86c84f28ea552

SHA1
36ab3de820c32bb60b591c14cfdd6ea8896c5c4c

SHA256
fc81807f73907cda6a7c099e7f945e8cd3be7b3dd2007fb8cc06997642b21e06

SHA512
bd94aba0efff0ca81618d213cc0262d6aaaeff790d677adcf5948443eb950e6987d5c985a84e1a4cde39d2b2366ed1b7f039c56a53261dd0fe21c3e0f3f7c001

Download Submit
C:\Windows\{07F961D1-771F-4bae-8D8D-5478B601F5F4}.exe

Filesize
192KB

MD5
b7d32b4d52c57367d231416a8621a611

SHA1
ee3886863d8836ce637831103e57b65296970fb0

SHA256
6d21a2574b808f9d07d4a329649c5b7f234a86ad020095caf7ce924763f4cafc

SHA512
63926a03245b16ea07d326344166a5789639c4a97cc1dcab7c950508495ef026dbee6a730836c493641b0391573cfed5e03b5cb95081251f58a7a08ab876073d

Download Submit
C:\Windows\{2C243B3C-8D91-4a46-AACC-D91D3EF13316}.exe

Filesize
192KB

MD5
3f8ef83459dfef60c99310d045174639

SHA1
7c162deffe423ee18481436e94c3753c9baf2bc0

SHA256
fd8750c9fb17d53f82ebcb4440ca90ce1f1aa4fbcf8aa1a9516b77d4b2fbe540

SHA512
b91e1982d1cebce70d0cc2040afdccdbd925b120d926524efab50f66540c81abc27afa235635826d70ade6269255f99681def938771ddecf3361c9a01bb004e1

Download Submit
C:\Windows\{39931BD1-0A30-4ab2-8034-FB9B250AC265}.exe

Filesize
192KB

MD5
a4e1bb9fc6a3ba88ff24c498904d5df9

SHA1
411b5f86ee68688d0beae811b57e51c86218a954

SHA256
bf0c3689bdf36ed21cb9946ca9d237fe4bb2a52136f34efcc29b1bc52193385c

SHA512
c9bdb66c11c4e8a2c78f6b36941b9dc94142dbd1a2bc3aef2fbc182b2458ec57d2381c96d2317b9dc7403f9c5772df686e0a99ed519b5bccf8194c94a3fa28d8

Download Submit
C:\Windows\{7502B2A6-CE52-4d30-BC32-458EC9239F47}.exe

Filesize
192KB

MD5
28e0b7f1028a45de4b76f31247bbfce9

SHA1
55d2827ba1e5482c694d77b18b5c4fc87f0f2eaa

SHA256
46823f9daf0050157180d1cd1aca19dfddd94eb41501ee06b21de50b084e7b30

SHA512
9f73f1e4007e77d0dcbc5cea0a4a481638c838934365d595206ec1a36b0680c2a23afe20d6156eb77f2c885e4195fc4187bd5ba838040c849df7f26e71ef9396

Download Submit
C:\Windows\{8C1CF731-34DF-4d9c-B062-6BE6D5B812DD}.exe

Filesize
192KB

MD5
9dd82f5e184bc5da59750cea09c96726

SHA1
f060d36f2937a00fc2d4a4bd8845c79ccb30df4a

SHA256
2443109a810b34e6cd90174948ec64e1e398c1875f750e3c67480bd1043c7975

SHA512
e865286af01dbd12a8d7f45b9730fd54e58d5b4fef7230ad5e1972baba1b51d1995de4052b4407f0f728d93514d5bfd2c556deee7a464d6a2aff7268ae5a31ec

Download Submit
C:\Windows\{9178619F-CF9A-4e18-AE6D-428A3C34E338}.exe

Filesize
192KB

MD5
3f351ed61342a661b200af6f1c5c8e35

SHA1
0433908f2a59aef137454652cbe30b478ff2bfe7

SHA256
81785847fff3f26ca002799d05a1aa5213c3fe12462f489cec941fabd070f075

SHA512
d31d6c96860907e6b56acede85ead64de52bf88f7b55d5184507e3334ad92b431029f5630c72f0126111743db1b3db46f3397fad6a92a58ac95ed18d778b09b1

Download Submit
C:\Windows\{A2B3C3D7-E8ED-420f-83DE-0DC79281E022}.exe

Filesize
192KB

MD5
bb1844a10f0c557fc26c80d09187f1f1

SHA1
e5a01f88badbe4051a0ccbe9b346bdd5a71269d1

SHA256
294da02c09ffb6beaffaf44e207f602055e5ada78bbf00d004931bca55d2421f

SHA512
ef2380bac06b0860a1e6159ef92441b0867148e072147a1ac57bd0b1ddf1e3bcf5f00b45fc4ccb7c782e160bec3909848a51b9ebb4c53bbbec0c45d4945674f6

Download Submit
C:\Windows\{A35A5082-7AFD-41c0-A2E7-F8BB11E9493A}.exe

Filesize
192KB

MD5
bf47744c8b31750a510cebdff81fd110

SHA1
5271acb4682d3072dc73403c3969157d6369285a

SHA256
2032be84f97c008ab2a9b06a8f7d35d231ced059484a980bd638df12c518c621

SHA512
4558dfb15dfd3727422274dd1a2a6bdc7d86493f56958553bed436568e40094f5960bd461a0b65cd8fae9634adc67fab4519278266b4b97a379cd903dadbe3de

Download Submit
C:\Windows\{AB177D2F-FF07-4440-8F98-77719F93223C}.exe

Filesize
192KB

MD5
bb1bb781e45e420abaea3cf98c3d685b

SHA1
947ab0a272395018dc90ce8de91156a14286312a

SHA256
f7e227082f6dff5ad77a46031c7a0a6fec58a481233f346334df069962cdf114

SHA512
3a792e15db645d3a6a43b4338ace50c1d105c67fa9da46da3dcc456147f68b69aaa38c940e62223b48d473ef49d5a8051f2ecd087ca471f8b081714d94ac53ba

Download Submit
C:\Windows\{AC85E3B4-7905-438d-B249-B79D6AFCEA3B}.exe

Filesize
192KB

MD5
93fc93e3955f6744d0c5ac39d113f938

SHA1
c343ce35db78303f0837af2ee991eb6b0dd44375

SHA256
3fc8b36bfb4cc984e1046f86cae4c55ab05a2c7638ea365784b7ae91193691fb

SHA512
0a158da450c1579e69cda5520f7ad08eece3a661c99d9ee330c1ca51b40ea20edd00d4c4d613a49c4c7402139843d08494f00b1d7476cbd80e2a2174798c6d9f

Download Submit
C:\Windows\{BC576A87-F7AC-4f83-AC52-E2C49A6F9CDE}.exe

Filesize
192KB

MD5
764a8a243c2d945d20a6d1c6bb3feb3d

SHA1
fdeeb793bea1536d5d6da76dd19646fe7f7abb3d

SHA256
d098811631aecf6cdaf27ad4c052d31ea84543caaef95c8e1d35a86b83e41ab2

SHA512
b1fb3434631ccb2ec322e5502cbf6f9eedec3c566e3e859310f539587c938cd0b7345ef845840811242d115bc1dcb2a5226ed502e2a8e029d84e379d97dab8a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads