980370c72c6b26821701b90f03953c6977f7e260efdf370d07ff22e387627f78

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
Size

216KB
MD5

5f639c17df2fd07400eca95a0aba89eb
SHA1

a25ba74a9a9c1dfcd77e9574adf021b2bd277457
SHA256

980370c72c6b26821701b90f03953c6977f7e260efdf370d07ff22e387627f78
SHA512

973d83105949852136d992d4fdb71c5e2d6079cde1a689119ceb554c90cd7a0be7c92957ce1c04f7a6af0c709981ff2ed599c72cd13a2066bb8bc7e9383e49f5
SSDEEP

3072:jEGh0ogl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGilEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F91118B-0135-4d07-9B21-CCCA46987A36}	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F91118B-0135-4d07-9B21-CCCA46987A36}\stubpath = "C:\\Windows\\{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe"	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E1B070-E269-4c18-94F4-093DFCEDA207}	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6794AD02-9411-45df-8AC9-4970AAE20F55}\stubpath = "C:\\Windows\\{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe"	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}\stubpath = "C:\\Windows\\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe"	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}\stubpath = "C:\\Windows\\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe"	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58B239A-1903-44b6-A5D8-36538CF9A885}	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3A576D-D584-415a-B2FE-11F8A10667E3}\stubpath = "C:\\Windows\\{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe"	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}\stubpath = "C:\\Windows\\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe"	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}\stubpath = "C:\\Windows\\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe"	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E1B070-E269-4c18-94F4-093DFCEDA207}\stubpath = "C:\\Windows\\{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe"	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}\stubpath = "C:\\Windows\\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe"	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58B239A-1903-44b6-A5D8-36538CF9A885}\stubpath = "C:\\Windows\\{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe"	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3A576D-D584-415a-B2FE-11F8A10667E3}	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B46C051-3249-4ece-823E-6761BD92E191}	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B46C051-3249-4ece-823E-6761BD92E191}\stubpath = "C:\\Windows\\{8B46C051-3249-4ece-823E-6761BD92E191}.exe"	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6794AD02-9411-45df-8AC9-4970AAE20F55}	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}\stubpath = "C:\\Windows\\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe"	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe

Executes dropped EXE 12 IoCs

pid	Process
3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
4396	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
516	{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
File created	C:\Windows\{8B46C051-3249-4ece-823E-6761BD92E191}.exe	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
File created	C:\Windows\{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
File created	C:\Windows\{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
File created	C:\Windows\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
File created	C:\Windows\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
File created	C:\Windows\{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
File created	C:\Windows\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
File created	C:\Windows\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
File created	C:\Windows\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
File created	C:\Windows\{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
File created	C:\Windows\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
Token: SeIncBasePriorityPrivilege	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe
Token: SeIncBasePriorityPrivilege	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
Token: SeIncBasePriorityPrivilege	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
Token: SeIncBasePriorityPrivilege	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
Token: SeIncBasePriorityPrivilege	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
Token: SeIncBasePriorityPrivilege	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
Token: SeIncBasePriorityPrivilege	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
Token: SeIncBasePriorityPrivilege	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
Token: SeIncBasePriorityPrivilege	1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
Token: SeIncBasePriorityPrivilege	4396	{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3212	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	96
PID 1188 wrote to memory of 3212	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	96
PID 1188 wrote to memory of 3212	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	96
PID 1188 wrote to memory of 1636	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	97
PID 1188 wrote to memory of 1636	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	97
PID 1188 wrote to memory of 1636	1188	2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe	97
PID 3212 wrote to memory of 4776	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	98
PID 3212 wrote to memory of 4776	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	98
PID 3212 wrote to memory of 4776	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	98
PID 3212 wrote to memory of 1968	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	99
PID 3212 wrote to memory of 1968	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	99
PID 3212 wrote to memory of 1968	3212	{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe	99
PID 4776 wrote to memory of 5020	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	103
PID 4776 wrote to memory of 5020	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	103
PID 4776 wrote to memory of 5020	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	103
PID 4776 wrote to memory of 3936	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	104
PID 4776 wrote to memory of 3936	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	104
PID 4776 wrote to memory of 3936	4776	{8B46C051-3249-4ece-823E-6761BD92E191}.exe	104
PID 5020 wrote to memory of 4408	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	105
PID 5020 wrote to memory of 4408	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	105
PID 5020 wrote to memory of 4408	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	105
PID 5020 wrote to memory of 3572	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	106
PID 5020 wrote to memory of 3572	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	106
PID 5020 wrote to memory of 3572	5020	{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe	106
PID 4408 wrote to memory of 4636	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	107
PID 4408 wrote to memory of 4636	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	107
PID 4408 wrote to memory of 4636	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	107
PID 4408 wrote to memory of 3364	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	108
PID 4408 wrote to memory of 3364	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	108
PID 4408 wrote to memory of 3364	4408	{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe	108
PID 4636 wrote to memory of 1196	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	110
PID 4636 wrote to memory of 1196	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	110
PID 4636 wrote to memory of 1196	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	110
PID 4636 wrote to memory of 1044	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	111
PID 4636 wrote to memory of 1044	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	111
PID 4636 wrote to memory of 1044	4636	{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe	111
PID 1196 wrote to memory of 1040	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	112
PID 1196 wrote to memory of 1040	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	112
PID 1196 wrote to memory of 1040	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	112
PID 1196 wrote to memory of 3168	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	113
PID 1196 wrote to memory of 3168	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	113
PID 1196 wrote to memory of 3168	1196	{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe	113
PID 1040 wrote to memory of 1936	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	118
PID 1040 wrote to memory of 1936	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	118
PID 1040 wrote to memory of 1936	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	118
PID 1040 wrote to memory of 3224	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	119
PID 1040 wrote to memory of 3224	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	119
PID 1040 wrote to memory of 3224	1040	{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe	119
PID 1936 wrote to memory of 4572	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	120
PID 1936 wrote to memory of 4572	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	120
PID 1936 wrote to memory of 4572	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	120
PID 1936 wrote to memory of 392	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	121
PID 1936 wrote to memory of 392	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	121
PID 1936 wrote to memory of 392	1936	{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe	121
PID 4572 wrote to memory of 1580	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	122
PID 4572 wrote to memory of 1580	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	122
PID 4572 wrote to memory of 1580	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	122
PID 4572 wrote to memory of 3500	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	123
PID 4572 wrote to memory of 3500	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	123
PID 4572 wrote to memory of 3500	4572	{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe	123
PID 1580 wrote to memory of 4396	1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe	124
PID 1580 wrote to memory of 4396	1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe	124
PID 1580 wrote to memory of 4396	1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe	124
PID 1580 wrote to memory of 4484	1580	{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_5f639c17df2fd07400eca95a0aba89eb_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
  C:\Windows\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\{8B46C051-3249-4ece-823E-6761BD92E191}.exe
    C:\Windows\{8B46C051-3249-4ece-823E-6761BD92E191}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
      C:\Windows\{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
        
        C:\Windows\{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
        
        C:\Windows\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
        
        C:\Windows\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
        
        C:\Windows\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
        
        C:\Windows\{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
        
        C:\Windows\{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
        
        C:\Windows\{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
        
        C:\Windows\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe
        
        C:\Windows\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C100~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B3A5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E58B2~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6794A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A614E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6D0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B4F4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E1B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F911~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B46C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1DEF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B4F4F3C-0EE0-457f-9736-9015FF44BBD4}.exe

Filesize
216KB

MD5
e0f52b55a907c6fc2b209733c9395128

SHA1
d61299f3e14786a0d446b42075c7011faec276f0

SHA256
3c5a8fce58222fd7b2a1ddb6b8a470535295b45066ecc0ee7ae74910759d27c6

SHA512
3ca8c9b1094e92fccb69f582567f5db116771b6a0266f326582e10e4253bce0a0595a3ee9156055d63bc304ca0413ea3cd46fd8c6eac2467a0a2d5a6dcb228aa

Download Submit
C:\Windows\{5B3A576D-D584-415a-B2FE-11F8A10667E3}.exe

Filesize
216KB

MD5
96d7e0b6ffefecdb6ac634c5b5e0e00b

SHA1
dc4b7b1db9b231480b9a4ba231424eb4f7229258

SHA256
a6e2cacfb04ab6fc09094b30441c2e71354871c68e4b3b626b5b80279e1c0a4e

SHA512
57c920b44410203a35a8d7b6ee3c63a31b04b5152535448adfb8a5d9e57561800c44c7eacfaf154768a74cef4a99d96b1862e6fee350063d71456fa1f263224e

Download Submit
C:\Windows\{5C1003E9-C7C1-4b6d-AF13-9D6FD62D7DFD}.exe

Filesize
216KB

MD5
6ae86b1bf433cf038eefed9e659ca59c

SHA1
cbe63cdef94b6a4402638b73f3db0af840fcc7fd

SHA256
a85d4aed4ed950fb22a2a6f9adb752f5fa86b952d144b95c4e1c4abdb4595a61

SHA512
2fe4e6ad21f92840b0d5f7f59afeb000c211d0cecc379877617fbc3c3e49708073662046044b02483ceedf83e519cb496d24024f7d6a9518eaee8f39d9f3deb0

Download Submit
C:\Windows\{5CB8AB91-86F5-4a62-B902-7A7A9CC8A2A2}.exe

Filesize
216KB

MD5
1904f6ea8b9e08f06b76a0a4e13cda3d

SHA1
fc575b881c92af49833f99ee5b3d74c153e85619

SHA256
7eb2d9145a0ca2c3f24d1c379b94956bb2f9f50c80d3fb8b143eddf126b5b73b

SHA512
b2344252bdfbae06a7320c14873b0ad0934e96d711ea4796901db92e56c417efb1896a7c341c35ac774dfac19866acecdee9fbf4e3afd84a0d21612f50da6faf

Download Submit
C:\Windows\{5E6D0DBF-D943-4214-BDBD-71E0E31D58C2}.exe

Filesize
216KB

MD5
73a0f0462aa81e0e2d031f341557869d

SHA1
036ca14f6772f64835f7e6900e2316380bb65747

SHA256
af9619427920e88e61ca608884e58e23f6a738cdc9796b462366e5597db7b4ab

SHA512
0355dbaba44c3a9d116e0086b70d8eb58e8f966e4b51b9f7be7f13c69f39416b35d4fb15b7a553852167abe06283c0458b88667e903ce5d5e90e2722813e4a0d

Download Submit
C:\Windows\{6794AD02-9411-45df-8AC9-4970AAE20F55}.exe

Filesize
216KB

MD5
131f1b8e0db0407110fb3a06e1b667e5

SHA1
179f98eb60e806463d1c6d09ff1573181af17ef7

SHA256
4876e9fa66deacd1cbb8d9f6253e83ac9395427d6eb0e3dd453caa1b8b2a6e06

SHA512
709803230ba3a37278af45ca0a11c56b50fdd035161584ba9edd16632cd0c49ef4d0ffd633deb4597a48b22e5dbbe6ef96233fb7e10234e77e254cb2f7e0db21

Download Submit
C:\Windows\{8B46C051-3249-4ece-823E-6761BD92E191}.exe

Filesize
216KB

MD5
621447f001106485c169049ee3d59ead

SHA1
811ae7dcb882055cca12e324736999d8795b950c

SHA256
cdc8ce43cab1ef97d139664d39ed915a3957e359b9475252ac8053fc48c3e444

SHA512
571cba4b7c590d9d9dbb520c7cd8ebbfa53f1498c5e9166a165cde4677f775b7d0eccea0e6d56484a75a02423cf26039bfd2fe2910876dc749cc917c56351590

Download Submit
C:\Windows\{8F91118B-0135-4d07-9B21-CCCA46987A36}.exe

Filesize
216KB

MD5
7a83a2746ac4c32afd7618e706783ec9

SHA1
612886de2c5cf9ece679074bd982886c8e58d01f

SHA256
1cd82fb13885107a786608b40e016f6659b64b0b98fcdca4bf7ba5934c1b93c1

SHA512
fe8a9f6cc75b447509a69bcca23310efdaf5d328c759033ed28029f43bf38196a713917ad06cb18d910228171545b79cb355fd34369caa69954bf86afd63add6

Download Submit
C:\Windows\{A614E4EF-F1B5-4186-ADCD-7F299A55B710}.exe

Filesize
216KB

MD5
4a5113d39234d38bc25ee777f33fad9b

SHA1
d32a0f1f5ad58d3324223df09102c3203db6095c

SHA256
b09926cb66638c4c1ca38a7b1237c7dc07edb5fc58cd70e0f593c87e89084332

SHA512
101bb389cf292c94f3eb7fa6b812d90a08d9ed5fd6353ee8e06b55ec2319ba835cadd5fab3c2038d3627b60d23a57d606e6ba951ee1285f44a2d9ebaf93717d2

Download Submit
C:\Windows\{B1DEF7C7-531F-4884-AB38-6A6064C61C1E}.exe

Filesize
216KB

MD5
35cc5be80aebb712737cd3c660b3cd2c

SHA1
ae57480f43ad504f74379aff0204b48e1f5ab0ea

SHA256
103b5306354c8b9684715e604131dd178150e0e02052088534123ae2c33c0d4b

SHA512
3931671bc729f33fe763152644d30bc6be33e9a08483521d96cc21d14f117ac5261dc3f50b322e781da587bac7ffcc9dc5f0d1d16c6c5d8174da9ae13f489b9f

Download Submit
C:\Windows\{E58B239A-1903-44b6-A5D8-36538CF9A885}.exe

Filesize
216KB

MD5
8de8f1897872cce9a6c3e90fcc435a43

SHA1
c9dd28156af5c68b42758112ae39eb08e0a62601

SHA256
87e12702cf6a512c157411ecfe9bdf700e4821a097b04f6d03d0b98b73ea1871

SHA512
5902e659539e371f1f2b991d945c51cc2deb0be78e838a810b675f75e2ae0b115b1f829415ac48437edb12893b4ea4a13c7eda04f0c2d4c5761c3c4aaf1cce2c

Download Submit
C:\Windows\{F9E1B070-E269-4c18-94F4-093DFCEDA207}.exe

Filesize
216KB

MD5
4c9a2e266ae2c33c0cb8520eb3e3961d

SHA1
23333151bf075ea7788afb4802e0f067b3bfb761

SHA256
39c408abaf1dfcf88e14a9d887f98c35885ceb3d076ec0f767013290f18cb7ad

SHA512
7257a0772d475027f5f5555ac72a3769df7c9a80b14da595c7596a5dc378716c59935e5e9c2b515a40deb550c137810bc6beb0fb0f0f413b3073d4e3acaa6cbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads