f1d090ca339ff4685c9d5386601c932870cac57ed0d066d75e1dcfd29df90638

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Size

168KB
MD5

bff10f26fc723981043494ffece9472f
SHA1

9b78afbaa62f1e9647cad0651af5b49baa049b58
SHA256

f1d090ca339ff4685c9d5386601c932870cac57ed0d066d75e1dcfd29df90638
SHA512

68b1e52986cf3f187710ad2c1c2caf0b6ebf5bb19ecee76d8136b78c95713a5a4bc42146aa6b39a3892aa8881d6c288629ac8af4ef686489a8f765c958ed6a19
SSDEEP

1536:1EGh0o2lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o2lqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF74407-92D3-4794-8B24-092B49388E5A}	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF74407-92D3-4794-8B24-092B49388E5A}\stubpath = "C:\\Windows\\{FEF74407-92D3-4794-8B24-092B49388E5A}.exe"	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03EBC3F-8753-4849-9D7C-03526D877AE8}	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}\stubpath = "C:\\Windows\\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe"	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}\stubpath = "C:\\Windows\\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe"	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}\stubpath = "C:\\Windows\\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe"	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}\stubpath = "C:\\Windows\\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe"	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{082369C1-DF0B-462f-8606-97A027E9C485}\stubpath = "C:\\Windows\\{082369C1-DF0B-462f-8606-97A027E9C485}.exe"	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08529C52-82F5-43af-9C18-F8747EE1DAD5}	{082369C1-DF0B-462f-8606-97A027E9C485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826BF32E-10CA-46a6-99B1-2A894367CAEA}	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{826BF32E-10CA-46a6-99B1-2A894367CAEA}\stubpath = "C:\\Windows\\{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe"	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}\stubpath = "C:\\Windows\\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe"	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{157DAE49-2959-4182-9EE6-D1AA2856B82C}	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{082369C1-DF0B-462f-8606-97A027E9C485}	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}\stubpath = "C:\\Windows\\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe"	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D03EBC3F-8753-4849-9D7C-03526D877AE8}\stubpath = "C:\\Windows\\{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe"	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{157DAE49-2959-4182-9EE6-D1AA2856B82C}\stubpath = "C:\\Windows\\{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe"	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08529C52-82F5-43af-9C18-F8747EE1DAD5}\stubpath = "C:\\Windows\\{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe"	{082369C1-DF0B-462f-8606-97A027E9C485}.exe

Executes dropped EXE 12 IoCs

pid	Process
5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe
3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
1976	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
2380	{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
File created	C:\Windows\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
File created	C:\Windows\{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
File created	C:\Windows\{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	{082369C1-DF0B-462f-8606-97A027E9C485}.exe
File created	C:\Windows\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
File created	C:\Windows\{082369C1-DF0B-462f-8606-97A027E9C485}.exe	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
File created	C:\Windows\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
File created	C:\Windows\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
File created	C:\Windows\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
File created	C:\Windows\{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
File created	C:\Windows\{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
File created	C:\Windows\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{082369C1-DF0B-462f-8606-97A027E9C485}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
Token: SeIncBasePriorityPrivilege	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
Token: SeIncBasePriorityPrivilege	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
Token: SeIncBasePriorityPrivilege	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
Token: SeIncBasePriorityPrivilege	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
Token: SeIncBasePriorityPrivilege	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
Token: SeIncBasePriorityPrivilege	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe
Token: SeIncBasePriorityPrivilege	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
Token: SeIncBasePriorityPrivilege	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
Token: SeIncBasePriorityPrivilege	2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
Token: SeIncBasePriorityPrivilege	1976	{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 5056	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	89
PID 1896 wrote to memory of 5056	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	89
PID 1896 wrote to memory of 5056	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	89
PID 1896 wrote to memory of 4584	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	90
PID 1896 wrote to memory of 4584	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	90
PID 1896 wrote to memory of 4584	1896	2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe	90
PID 5056 wrote to memory of 3956	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	96
PID 5056 wrote to memory of 3956	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	96
PID 5056 wrote to memory of 3956	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	96
PID 5056 wrote to memory of 4896	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	97
PID 5056 wrote to memory of 4896	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	97
PID 5056 wrote to memory of 4896	5056	{FEF74407-92D3-4794-8B24-092B49388E5A}.exe	97
PID 3956 wrote to memory of 3340	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	99
PID 3956 wrote to memory of 3340	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	99
PID 3956 wrote to memory of 3340	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	99
PID 3956 wrote to memory of 3260	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	100
PID 3956 wrote to memory of 3260	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	100
PID 3956 wrote to memory of 3260	3956	{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe	100
PID 3340 wrote to memory of 3524	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	101
PID 3340 wrote to memory of 3524	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	101
PID 3340 wrote to memory of 3524	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	101
PID 3340 wrote to memory of 1596	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	102
PID 3340 wrote to memory of 1596	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	102
PID 3340 wrote to memory of 1596	3340	{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe	102
PID 3524 wrote to memory of 2532	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	103
PID 3524 wrote to memory of 2532	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	103
PID 3524 wrote to memory of 2532	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	103
PID 3524 wrote to memory of 1516	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	104
PID 3524 wrote to memory of 1516	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	104
PID 3524 wrote to memory of 1516	3524	{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe	104
PID 2532 wrote to memory of 3880	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	106
PID 2532 wrote to memory of 3880	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	106
PID 2532 wrote to memory of 3880	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	106
PID 2532 wrote to memory of 3876	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	107
PID 2532 wrote to memory of 3876	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	107
PID 2532 wrote to memory of 3876	2532	{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe	107
PID 3880 wrote to memory of 3456	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	108
PID 3880 wrote to memory of 3456	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	108
PID 3880 wrote to memory of 3456	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	108
PID 3880 wrote to memory of 2320	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	109
PID 3880 wrote to memory of 2320	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	109
PID 3880 wrote to memory of 2320	3880	{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe	109
PID 3456 wrote to memory of 3472	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	110
PID 3456 wrote to memory of 3472	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	110
PID 3456 wrote to memory of 3472	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	110
PID 3456 wrote to memory of 4880	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	111
PID 3456 wrote to memory of 4880	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	111
PID 3456 wrote to memory of 4880	3456	{082369C1-DF0B-462f-8606-97A027E9C485}.exe	111
PID 3472 wrote to memory of 3864	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	112
PID 3472 wrote to memory of 3864	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	112
PID 3472 wrote to memory of 3864	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	112
PID 3472 wrote to memory of 2368	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	113
PID 3472 wrote to memory of 2368	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	113
PID 3472 wrote to memory of 2368	3472	{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe	113
PID 3864 wrote to memory of 2984	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	114
PID 3864 wrote to memory of 2984	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	114
PID 3864 wrote to memory of 2984	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	114
PID 3864 wrote to memory of 4656	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	115
PID 3864 wrote to memory of 4656	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	115
PID 3864 wrote to memory of 4656	3864	{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe	115
PID 2984 wrote to memory of 1976	2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe	116
PID 2984 wrote to memory of 1976	2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe	116
PID 2984 wrote to memory of 1976	2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe	116
PID 2984 wrote to memory of 4440	2984	{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_bff10f26fc723981043494ffece9472f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
  C:\Windows\{FEF74407-92D3-4794-8B24-092B49388E5A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
    C:\Windows\{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
      C:\Windows\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3340
    - - C:\Windows\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
        
        C:\Windows\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
        
        C:\Windows\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
        
        C:\Windows\{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{082369C1-DF0B-462f-8606-97A027E9C485}.exe
        
        C:\Windows\{082369C1-DF0B-462f-8606-97A027E9C485}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
        
        C:\Windows\{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
        
        C:\Windows\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
        
        C:\Windows\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
        
        C:\Windows\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe
        
        C:\Windows\{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01520~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52FC2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE72A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08529~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08236~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{157DA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3294D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C65D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73C68~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D03EB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FEF74~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01520EF1-30E8-43d1-B5E6-F976E5AE3C32}.exe

Filesize
168KB

MD5
c98ab701ec009ff71157b5678b45dd0b

SHA1
66dc8ee4094d7c4122737d9efe201f2a2e3d3284

SHA256
7a90acd5ec54d8d43c9e4720a297a7851e609dfcb807f3a1ad8d8310fc622f91

SHA512
1d8c224f89f72df1ddafe7af2d4f11d3631d3e403d194d979137e75721ae4cac99519b11abfb16473bff78f169c4bbea8f4a5b5f1cda1ae8a09b799037ee51ea

Download Submit
C:\Windows\{082369C1-DF0B-462f-8606-97A027E9C485}.exe

Filesize
168KB

MD5
7aaa965eaa2e0e403341cc0b686fc160

SHA1
a9b1dd5613e3c18b1aa10d1bccf00ef17f0cac14

SHA256
d30268a81c9bca10ac09fa7ebfdfcefd53de03aa9812ec9064daea56620e06e8

SHA512
7a7b43545a0ec12d12e05c4018cda5b6a2a16001bccb58db7ce0067d8d515107eb06c8b747e43f57f8d180e1c79114bb080af59fc65fa170729c51b8661c1010

Download Submit
C:\Windows\{08529C52-82F5-43af-9C18-F8747EE1DAD5}.exe

Filesize
168KB

MD5
012a4a4d7f1c2c11c53dd0668a1e02e0

SHA1
4e28e11daf03ba19bf7afb42df24d8d2781944ad

SHA256
6ce06fec465127cb5a4b3a677429bed2f532c2dc5d9c5c8cc199af96e90ff4dc

SHA512
d494768ea2f1cebe8a899d8a2addfb65b4db7638fc73cc0f86a84849890b783ab0dc12873b1012d0fd4ea3624343268f1ab101d73fdb919ad96e21fceb752586

Download Submit
C:\Windows\{157DAE49-2959-4182-9EE6-D1AA2856B82C}.exe

Filesize
168KB

MD5
9936fd0bd1be93e77878949550285d94

SHA1
c351ac36d2a21a8350c768376f1740dc336478eb

SHA256
2ba03023e75d2ab9d2eef52b6d761b62cac7402aeb62b493a224c6159f2e3906

SHA512
e6d68adbc0a67cb81d5d9d8b70870b0a7a3b51b7545b264620fb2051dce25ed6398e6c30095377de392d463fa618a9d3b26f4a60bcd1c2fc7c9566b32096ab6e

Download Submit
C:\Windows\{3294DB2C-76EF-4e59-AF10-2D7B2715CD9D}.exe

Filesize
168KB

MD5
cbc787e0aac30da7b6cee6ad349e96f8

SHA1
8af262263015f265fb9496c52e7267f0a92185d3

SHA256
cc4021b93ea18d1d879b93458d69952a5e98f76ced4bfea459acb4d6336dbfb3

SHA512
5f08337531a874a2731f8aff48a083fb4f9f9ff4a7f3af72694ccf6c2d56bd7f48edb8af78f3ec85615bd8640ef35199b2da0319f879e11e31ad9b051e77dd52

Download Submit
C:\Windows\{52FC21E6-7140-4cbc-8BA7-251FD46C9978}.exe

Filesize
168KB

MD5
ceb7598bc18d8d278747c7b95c14cd98

SHA1
814d93bbedfbd251b63c32bbd213408f121d954e

SHA256
4512538dd6c6bb8d55ac734e496ef79f867c0b466d6c69e1a02c4283d14f4864

SHA512
897dcf7e6c9150588909117efbbdfdc8de7be27be0a6489f4aaab762bc8a7165feff2f23600d1fc9d726b5b4c4e438f040b7f10d4bf7bc0db71493a296d59886

Download Submit
C:\Windows\{73C68B74-D27B-48eb-BAF2-73D5A39DC9B1}.exe

Filesize
168KB

MD5
acd78d6d40dfae1f973ea6f86b0e9718

SHA1
a76799f49a20f39b01e66a9aa4539279c5afd9ff

SHA256
979bb20abc7655c72f8dacb854c588318804458c82f9c5de1b9d1f890eac04f8

SHA512
ac5cd5c15a271b641f6060fac43e85c4126ea7457b5f182b44c1cb9312d9493500c992dc7e472bdf80b44cf0f31ee505e379886ebded4c3acf4fd44067d41b0e

Download Submit
C:\Windows\{826BF32E-10CA-46a6-99B1-2A894367CAEA}.exe

Filesize
168KB

MD5
4857dd8c5b3cf81ef2369ce62bfc30c5

SHA1
1ab5a17753bab3945db6ba65a7231fa634f684ac

SHA256
3be5b4cf76eb631d67592d28ad1e5921e179d3702b1a92356735789a0f6cf452

SHA512
d9752a66ab2ab22d292f96d59fb75e953d94bb248fe83eb371da7b9e56a11c80df99e409d3ba9628d41dabdd630975d81127b1902dd168c9f4b9d79f3ee46413

Download Submit
C:\Windows\{9C65DB8A-250A-4374-9D89-E54CF26BCE9B}.exe

Filesize
168KB

MD5
be8852c27e45bbf6e1cb4d3f043253a9

SHA1
3ab398c9c65402a31712b94d8fdd8de1fb450b1b

SHA256
3e1789a91f903b0b6e2acb08b1533f5127d0d70f4d9e64c0acf6b92436d1204b

SHA512
ee0e82b5fb3308e6cdaa40b4e39740f6e117ceeceac5131685dd5b71ab8076df187ebc37b4138d3a8bf2ae195468f55b0798ff13f0cd949d725afcc80a1da661

Download Submit
C:\Windows\{AE72A0A6-30AB-41dd-907C-4ECFB1612A4C}.exe

Filesize
168KB

MD5
4828f632dcd9ff0735871f68e2dd2fe1

SHA1
41f71f77f0c78e5c8fe419fbead78bf201e6b1a2

SHA256
fc8bc9da0cf56b0dddc80db9d9aff3a15feed582300c725439e36d24513715d0

SHA512
bc91c1fd43594ef1ff3be752c4e0886b8416f2eb519552610822b0a903764a519051ceac3fc450457db547b5f4ec861eb8cbb4002ad372c5c25c7863eeae6bb1

Download Submit
C:\Windows\{D03EBC3F-8753-4849-9D7C-03526D877AE8}.exe

Filesize
168KB

MD5
bee84033aed5dad0947cfd7051930c2e

SHA1
09225c291108796eb0578f4ec47405e86f1dca17

SHA256
4885ed7ece0708d5f9a27574c3ab0221391a5c680a4ead00488388a3d0b91df1

SHA512
6eef8f42ff3c85deb9b257755ade1403f065fa5e75bd144b9f77e8d45eab30843cbd906383023a0be2b35d3a407e9a63cf414a640a82cf9961e92e65f3691dca

Download Submit
C:\Windows\{FEF74407-92D3-4794-8B24-092B49388E5A}.exe

Filesize
168KB

MD5
58f945cdeee48fa0b353b936d1024cbd

SHA1
1028f4a980287a76d5a7b937882ee8ca7930dfd3

SHA256
b332aad087e16c606ec2eb926447d36aa95a790dfaea25d161b7646a16a0c4ec

SHA512
c7f9ed09749d532571931135575a53ba71cd6be736d4347dfbaf64586e204a9809242f3ebfda59c984bc45c7e64175124855fda7dfd75b55e36558bb003d5512

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads