415bcc99280f72cdfcc0a6dcf195802c118dc2d31aed18b8ba84b706c9f4fe1b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Size

197KB
MD5

51bde2fdf4845cf2e8879d44bc28a263
SHA1

5b1c546ab92c659ecabbb2ccd489d7c6b34674c1
SHA256

415bcc99280f72cdfcc0a6dcf195802c118dc2d31aed18b8ba84b706c9f4fe1b
SHA512

65406e3db538e9021389508b2097819c5bb251878a81b1dd7d9da3884da3d260aa28af04997498b6aeefe1b1fc99098423ffbe53c37da6940da7bcb84dca0157
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGZlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC48701F-2112-44a1-94EA-BCB4411F46AD}	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42F65764-6EEA-4f38-81AC-213C830B180D}	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47355661-3FE9-4189-BCCA-786A1A3C9332}	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D666251-9F09-414a-8EA6-874E0EE09303}	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D666251-9F09-414a-8EA6-874E0EE09303}\stubpath = "C:\\Windows\\{3D666251-9F09-414a-8EA6-874E0EE09303}.exe"	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{840DA0EF-5147-46a2-B881-C7A033269415}\stubpath = "C:\\Windows\\{840DA0EF-5147-46a2-B881-C7A033269415}.exe"	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57B49E9-B244-4c1f-8671-50623220514E}\stubpath = "C:\\Windows\\{A57B49E9-B244-4c1f-8671-50623220514E}.exe"	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9BBD98-7245-42ba-9189-1AA706AB8690}\stubpath = "C:\\Windows\\{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe"	{A57B49E9-B244-4c1f-8671-50623220514E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23D7056-6105-4965-9A91-AF58184EE367}	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EBC377-D6A5-4c40-954E-8677DD505BFE}	{D23D7056-6105-4965-9A91-AF58184EE367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09EBC377-D6A5-4c40-954E-8677DD505BFE}\stubpath = "C:\\Windows\\{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe"	{D23D7056-6105-4965-9A91-AF58184EE367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}\stubpath = "C:\\Windows\\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe"	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC48701F-2112-44a1-94EA-BCB4411F46AD}\stubpath = "C:\\Windows\\{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe"	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E883E4-C12F-409c-8E11-E9A5599D005C}\stubpath = "C:\\Windows\\{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe"	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{840DA0EF-5147-46a2-B881-C7A033269415}	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57B49E9-B244-4c1f-8671-50623220514E}	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D23D7056-6105-4965-9A91-AF58184EE367}\stubpath = "C:\\Windows\\{D23D7056-6105-4965-9A91-AF58184EE367}.exe"	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42F65764-6EEA-4f38-81AC-213C830B180D}\stubpath = "C:\\Windows\\{42F65764-6EEA-4f38-81AC-213C830B180D}.exe"	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08E883E4-C12F-409c-8E11-E9A5599D005C}	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47355661-3FE9-4189-BCCA-786A1A3C9332}\stubpath = "C:\\Windows\\{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe"	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}\stubpath = "C:\\Windows\\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe"	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC9BBD98-7245-42ba-9189-1AA706AB8690}	{A57B49E9-B244-4c1f-8671-50623220514E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe
1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
1348	{D23D7056-6105-4965-9A91-AF58184EE367}.exe
3464	{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
File created	C:\Windows\{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
File created	C:\Windows\{840DA0EF-5147-46a2-B881-C7A033269415}.exe	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
File created	C:\Windows\{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	{A57B49E9-B244-4c1f-8671-50623220514E}.exe
File created	C:\Windows\{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
File created	C:\Windows\{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
File created	C:\Windows\{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
File created	C:\Windows\{A57B49E9-B244-4c1f-8671-50623220514E}.exe	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
File created	C:\Windows\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
File created	C:\Windows\{D23D7056-6105-4965-9A91-AF58184EE367}.exe	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
File created	C:\Windows\{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe	{D23D7056-6105-4965-9A91-AF58184EE367}.exe
File created	C:\Windows\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A57B49E9-B244-4c1f-8671-50623220514E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D23D7056-6105-4965-9A91-AF58184EE367}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
Token: SeIncBasePriorityPrivilege	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
Token: SeIncBasePriorityPrivilege	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
Token: SeIncBasePriorityPrivilege	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
Token: SeIncBasePriorityPrivilege	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
Token: SeIncBasePriorityPrivilege	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
Token: SeIncBasePriorityPrivilege	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe
Token: SeIncBasePriorityPrivilege	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe
Token: SeIncBasePriorityPrivilege	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
Token: SeIncBasePriorityPrivilege	4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
Token: SeIncBasePriorityPrivilege	1348	{D23D7056-6105-4965-9A91-AF58184EE367}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3936	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	89
PID 1140 wrote to memory of 3936	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	89
PID 1140 wrote to memory of 3936	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	89
PID 1140 wrote to memory of 3924	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	90
PID 1140 wrote to memory of 3924	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	90
PID 1140 wrote to memory of 3924	1140	2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe	90
PID 3936 wrote to memory of 1072	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	91
PID 3936 wrote to memory of 1072	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	91
PID 3936 wrote to memory of 1072	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	91
PID 3936 wrote to memory of 2188	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	92
PID 3936 wrote to memory of 2188	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	92
PID 3936 wrote to memory of 2188	3936	{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe	92
PID 1072 wrote to memory of 2480	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	95
PID 1072 wrote to memory of 2480	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	95
PID 1072 wrote to memory of 2480	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	95
PID 1072 wrote to memory of 4808	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	96
PID 1072 wrote to memory of 4808	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	96
PID 1072 wrote to memory of 4808	1072	{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe	96
PID 2480 wrote to memory of 1212	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	97
PID 2480 wrote to memory of 1212	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	97
PID 2480 wrote to memory of 1212	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	97
PID 2480 wrote to memory of 2264	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	98
PID 2480 wrote to memory of 2264	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	98
PID 2480 wrote to memory of 2264	2480	{42F65764-6EEA-4f38-81AC-213C830B180D}.exe	98
PID 1212 wrote to memory of 3764	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	99
PID 1212 wrote to memory of 3764	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	99
PID 1212 wrote to memory of 3764	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	99
PID 1212 wrote to memory of 4156	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	100
PID 1212 wrote to memory of 4156	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	100
PID 1212 wrote to memory of 4156	1212	{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe	100
PID 3764 wrote to memory of 2856	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	101
PID 3764 wrote to memory of 2856	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	101
PID 3764 wrote to memory of 2856	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	101
PID 3764 wrote to memory of 3096	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	102
PID 3764 wrote to memory of 3096	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	102
PID 3764 wrote to memory of 3096	3764	{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe	102
PID 2856 wrote to memory of 2064	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	103
PID 2856 wrote to memory of 2064	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	103
PID 2856 wrote to memory of 2064	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	103
PID 2856 wrote to memory of 2288	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	104
PID 2856 wrote to memory of 2288	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	104
PID 2856 wrote to memory of 2288	2856	{3D666251-9F09-414a-8EA6-874E0EE09303}.exe	104
PID 2064 wrote to memory of 1776	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	105
PID 2064 wrote to memory of 1776	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	105
PID 2064 wrote to memory of 1776	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	105
PID 2064 wrote to memory of 1700	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	106
PID 2064 wrote to memory of 1700	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	106
PID 2064 wrote to memory of 1700	2064	{840DA0EF-5147-46a2-B881-C7A033269415}.exe	106
PID 1776 wrote to memory of 1152	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	107
PID 1776 wrote to memory of 1152	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	107
PID 1776 wrote to memory of 1152	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	107
PID 1776 wrote to memory of 1196	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	108
PID 1776 wrote to memory of 1196	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	108
PID 1776 wrote to memory of 1196	1776	{A57B49E9-B244-4c1f-8671-50623220514E}.exe	108
PID 1152 wrote to memory of 4460	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	109
PID 1152 wrote to memory of 4460	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	109
PID 1152 wrote to memory of 4460	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	109
PID 1152 wrote to memory of 2672	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	110
PID 1152 wrote to memory of 2672	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	110
PID 1152 wrote to memory of 2672	1152	{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe	110
PID 4460 wrote to memory of 1348	4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe	111
PID 4460 wrote to memory of 1348	4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe	111
PID 4460 wrote to memory of 1348	4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe	111
PID 4460 wrote to memory of 5096	4460	{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_51bde2fdf4845cf2e8879d44bc28a263_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
  C:\Windows\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
    C:\Windows\{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
      C:\Windows\{42F65764-6EEA-4f38-81AC-213C830B180D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
        
        C:\Windows\{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
        
        C:\Windows\{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
        
        C:\Windows\{3D666251-9F09-414a-8EA6-874E0EE09303}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{840DA0EF-5147-46a2-B881-C7A033269415}.exe
        
        C:\Windows\{840DA0EF-5147-46a2-B881-C7A033269415}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{A57B49E9-B244-4c1f-8671-50623220514E}.exe
        
        C:\Windows\{A57B49E9-B244-4c1f-8671-50623220514E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
        
        C:\Windows\{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
        
        C:\Windows\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{D23D7056-6105-4965-9A91-AF58184EE367}.exe
        
        C:\Windows\{D23D7056-6105-4965-9A91-AF58184EE367}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe
        
        C:\Windows\{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D23D7~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C713~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC9BB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A57B4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{840DA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D666~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47355~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08E88~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42F65~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC487~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4527D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08E883E4-C12F-409c-8E11-E9A5599D005C}.exe

Filesize
197KB

MD5
faf1edc96d8d1ef7a7505bf674b72a92

SHA1
11789a18914b7ca85285e82bfd8be436c34ba8ca

SHA256
c057c861c93fb8cda3f256223f9d6a9b84bb336b78fe4b2aee50f20193557022

SHA512
23105c1f76ce27869f901b452373e07e6e43b4397720fa841a9404b2e608c0ed1cc9124cb35a91b4898acd299ff79e064af8ac96c2a931d14579956b85303226

Download Submit
C:\Windows\{09EBC377-D6A5-4c40-954E-8677DD505BFE}.exe

Filesize
197KB

MD5
6288b62c5660dc42fe556803421a18d4

SHA1
dd1332091ef21051ee47e8ff5d07d87bb50816e1

SHA256
71bb6aa780869a7eb56114b529b22c3bdeb636f5d530a8c45b0fc9f4152771e8

SHA512
f7c1826a9820e15a9aa0e10dc37e32e406074c94fa69ccd8f484c48dba7fc17b0c3426be717e95456d3302f5cf6c1a9251b0b28402254ccbc58d4f61273cc74c

Download Submit
C:\Windows\{3D666251-9F09-414a-8EA6-874E0EE09303}.exe

Filesize
197KB

MD5
a994eb04d6e4d7b0a27394461d1c505e

SHA1
aeee2c3cfa6beab10db622b252f0e8b050640b12

SHA256
51805f9cbc6feb496487c43ec40249efd0af7d10498f954b01c24aeee6517f55

SHA512
49f197ffce3718bc1a8799a9dda77235ec88233212d1275f04d432a40aa86be02e408582ccd3f042693e9874be2f02edcbd8d711b37f8085b85b083c29fae0e2

Download Submit
C:\Windows\{42F65764-6EEA-4f38-81AC-213C830B180D}.exe

Filesize
197KB

MD5
672d68dcf4af01e6dc5c7739672c9113

SHA1
3a492759b31fd746d983634a4b00ae9c48b2a76d

SHA256
672e6b2b02341918c16b98ef87ccdf430c64ff5749646dc4c91c025a483ec252

SHA512
960ee6aaac3afc0dd83ab68b058e6cb8c7ee5c71fae73072c7c374f3d6204fb263d47ed8bdc2e843c381e3754a6906d8f4bbaf6f42581b14c73369fd163e4f83

Download Submit
C:\Windows\{4527DFE3-440F-4f0c-BBB6-9C7523FC66B5}.exe

Filesize
197KB

MD5
ee4d5e7305f54749f0d88c3ca10c97fa

SHA1
d363e836caff6e35fd4750dffc7fb1e52ecc4727

SHA256
e252d5a1541e2d9a11cf842158b138c96b1b4dfa682a26d097f7ff284f30871a

SHA512
ff1b3d8fb5f10e1efc20985ae60bac2cb03bb170b95ed5e1225721c05c0345c8b3d07caa4c9eac7ffbab1749e1f3634fda6aed2d819f324e60d0b5a98e5c52d6

Download Submit
C:\Windows\{47355661-3FE9-4189-BCCA-786A1A3C9332}.exe

Filesize
197KB

MD5
41670de8100c59f4bafd463806821694

SHA1
3aabb86aeb0ec7caff4842ee078aab1873729881

SHA256
8d2e5a77d30b4842c5b9abf47584ab30acbc3f785d0897252b7301c6459cf0f6

SHA512
4a1797aeebd072729dbd5695685444e694790b0007a7c681018f0be670f59e798a0a67fad81ff524beb4ed7d2271148cb0e8d1a009e8758c7fb008c14178f0c0

Download Submit
C:\Windows\{6C71379A-4E50-4883-BBD4-C76D63C0D2D5}.exe

Filesize
197KB

MD5
1ada63a8c8224173e01cf8db29eb74a4

SHA1
621c1f8c3c2a406a8722666cea636620a69fcf5c

SHA256
24bc6d2ca84e70da166e77a39f04190104d739020b4c1b21381e8a44f8f0c9a3

SHA512
9998aaf689b9933b5232bbc981a50481ded2ff2fc03a076ce40db42fae74c22a4c5fc8a1407e1684e2a32d4dc945f7c34c5460dde78233686b28ed38cbb27b06

Download Submit
C:\Windows\{840DA0EF-5147-46a2-B881-C7A033269415}.exe

Filesize
197KB

MD5
518051d29f853973d40c69778df1c834

SHA1
c5103913af29b34b9e83ef381db501df0969907c

SHA256
f37022717d716d3e615222c145cca4b79862bf8e2b7e02b85d277cf5f523942d

SHA512
b471f64571e641992ff67e682ddbbbfa04986ea506245294204c47072be23b8adb428762bb460cfcbbcc2baaedcc52aa1bf6612a080eb7925f9492e3aef89b7f

Download Submit
C:\Windows\{A57B49E9-B244-4c1f-8671-50623220514E}.exe

Filesize
197KB

MD5
e9a0f881af0fd1517b273a6fabd6554e

SHA1
287bd6a4e67b8ac023d30bcae721db1ef6cbb788

SHA256
a9abe9109d45c909288cf7df7c02a2ddc5605bc5b9277978597f6a2a31af0e4c

SHA512
ca7f9d9f2235670c3daaa82c76ea1470fbd9ebb0ade3f04f69faf2a37dfef839532545ec6462099b11674cecc9275d97daabb93f713d0585e6704c19b16d9e27

Download Submit
C:\Windows\{AC9BBD98-7245-42ba-9189-1AA706AB8690}.exe

Filesize
197KB

MD5
3c07f378a22065087d45f28d50ece8cd

SHA1
bcb1cea4770700037beea40e93446507b53d5b7c

SHA256
f039ab749bd0df16d0c068232144747de2dc4869e995313ef05a438efbf40c42

SHA512
64aa99afdcd90c370d7978c78d8ee6c4dedeeec1474f315682a1c532dd13b606e7fcbad8a669c3aa562cd3d026afcce283d1773344139b108ee0ad6ff2e9e93e

Download Submit
C:\Windows\{CC48701F-2112-44a1-94EA-BCB4411F46AD}.exe

Filesize
197KB

MD5
c1325e1392b4c9c85bef958290b33620

SHA1
f6a31126c13c091906dd6cc10d5b24428d9e80f2

SHA256
ae64b26ca61c1f66b7cd0ad9ac501a650f53758bb36237749c9ed817ef707f43

SHA512
9a5c1a99cb4a562db019fdea1769bef96b8d5581716bdb9d6323d560e81fe5efae45ce8e3cc33ecdbecd88284cab370361f3171bf76da2bc0b4720b2129b76ed

Download Submit
C:\Windows\{D23D7056-6105-4965-9A91-AF58184EE367}.exe

Filesize
197KB

MD5
9e3e9f0c55ac899a0190fd67837b9009

SHA1
9422033b5d328ad8bfb61da3531a80d5e933e5d6

SHA256
add1d82d1aa71599662dad3359bb7cedde89313b696ed7b32f0b49d04ddad0d5

SHA512
4755d0842fcd4b3af6d6c0d2e928cb4d14f97f91c6672de227e19376940b20c09cddbdd523ad90e6b36936a17a81f85b0ea5dce01d862f764be37b9ade46864f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads