c874c2be7c25b162b9e99bcfcf4b1242dc5724c09f8b8dd2634a826a7fd3f2f3

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Size

344KB
MD5

f0e4781c8f97f090861ef4a4c61a04c9
SHA1

cedca16776bc3b7f95e7b67ebf9fe2bd4d52814c
SHA256

c874c2be7c25b162b9e99bcfcf4b1242dc5724c09f8b8dd2634a826a7fd3f2f3
SHA512

98df69e5828857c1053bdac9ab227a747bdf07c7e9364cd1c7f5e4d6ace3cee1711cbad9a7c4cf82836a8e4c22536daedd1f4b169baba14acededa548fb20820
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGMlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}\stubpath = "C:\\Windows\\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe"	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}\stubpath = "C:\\Windows\\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe"	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C597768-1A58-4d74-BB85-B16B9961AC29}	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}\stubpath = "C:\\Windows\\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe"	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF9138D-4085-4f11-8516-16F4E081BA29}	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BF9138D-4085-4f11-8516-16F4E081BA29}\stubpath = "C:\\Windows\\{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe"	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504B305F-08C3-46e8-A06E-D97F21BE005C}\stubpath = "C:\\Windows\\{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe"	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F810197-E275-4e03-A9AE-BF8816B7494F}\stubpath = "C:\\Windows\\{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe"	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A3580DF-9750-48e6-89D7-DB14145F06BF}	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C597768-1A58-4d74-BB85-B16B9961AC29}\stubpath = "C:\\Windows\\{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe"	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}\stubpath = "C:\\Windows\\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe"	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}\stubpath = "C:\\Windows\\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe"	{033353DA-966B-436f-8153-91244846631E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033353DA-966B-436f-8153-91244846631E}	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}\stubpath = "C:\\Windows\\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe"	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A3580DF-9750-48e6-89D7-DB14145F06BF}\stubpath = "C:\\Windows\\{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe"	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{504B305F-08C3-46e8-A06E-D97F21BE005C}	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{033353DA-966B-436f-8153-91244846631E}\stubpath = "C:\\Windows\\{033353DA-966B-436f-8153-91244846631E}.exe"	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}	{033353DA-966B-436f-8153-91244846631E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F810197-E275-4e03-A9AE-BF8816B7494F}	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
2644	{033353DA-966B-436f-8153-91244846631E}.exe
4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
3572	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
640	{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
File created	C:\Windows\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
File created	C:\Windows\{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
File created	C:\Windows\{033353DA-966B-436f-8153-91244846631E}.exe	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
File created	C:\Windows\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe	{033353DA-966B-436f-8153-91244846631E}.exe
File created	C:\Windows\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
File created	C:\Windows\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
File created	C:\Windows\{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
File created	C:\Windows\{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
File created	C:\Windows\{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
File created	C:\Windows\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
File created	C:\Windows\{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{033353DA-966B-436f-8153-91244846631E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
Token: SeIncBasePriorityPrivilege	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
Token: SeIncBasePriorityPrivilege	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
Token: SeIncBasePriorityPrivilege	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
Token: SeIncBasePriorityPrivilege	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
Token: SeIncBasePriorityPrivilege	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
Token: SeIncBasePriorityPrivilege	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
Token: SeIncBasePriorityPrivilege	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
Token: SeIncBasePriorityPrivilege	2644	{033353DA-966B-436f-8153-91244846631E}.exe
Token: SeIncBasePriorityPrivilege	4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
Token: SeIncBasePriorityPrivilege	3572	{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4484	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	92
PID 4656 wrote to memory of 4484	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	92
PID 4656 wrote to memory of 4484	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	92
PID 4656 wrote to memory of 1440	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	93
PID 4656 wrote to memory of 1440	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	93
PID 4656 wrote to memory of 1440	4656	2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe	93
PID 4484 wrote to memory of 2376	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	94
PID 4484 wrote to memory of 2376	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	94
PID 4484 wrote to memory of 2376	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	94
PID 4484 wrote to memory of 220	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	95
PID 4484 wrote to memory of 220	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	95
PID 4484 wrote to memory of 220	4484	{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe	95
PID 2376 wrote to memory of 4892	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	98
PID 2376 wrote to memory of 4892	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	98
PID 2376 wrote to memory of 4892	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	98
PID 2376 wrote to memory of 3608	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	99
PID 2376 wrote to memory of 3608	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	99
PID 2376 wrote to memory of 3608	2376	{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe	99
PID 4892 wrote to memory of 1472	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	100
PID 4892 wrote to memory of 1472	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	100
PID 4892 wrote to memory of 1472	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	100
PID 4892 wrote to memory of 1740	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	101
PID 4892 wrote to memory of 1740	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	101
PID 4892 wrote to memory of 1740	4892	{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe	101
PID 1472 wrote to memory of 5036	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	102
PID 1472 wrote to memory of 5036	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	102
PID 1472 wrote to memory of 5036	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	102
PID 1472 wrote to memory of 932	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	103
PID 1472 wrote to memory of 932	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	103
PID 1472 wrote to memory of 932	1472	{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe	103
PID 5036 wrote to memory of 1416	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	104
PID 5036 wrote to memory of 1416	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	104
PID 5036 wrote to memory of 1416	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	104
PID 5036 wrote to memory of 3284	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	105
PID 5036 wrote to memory of 3284	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	105
PID 5036 wrote to memory of 3284	5036	{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe	105
PID 1416 wrote to memory of 4240	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	106
PID 1416 wrote to memory of 4240	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	106
PID 1416 wrote to memory of 4240	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	106
PID 1416 wrote to memory of 2584	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	107
PID 1416 wrote to memory of 2584	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	107
PID 1416 wrote to memory of 2584	1416	{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe	107
PID 4240 wrote to memory of 3244	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	108
PID 4240 wrote to memory of 3244	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	108
PID 4240 wrote to memory of 3244	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	108
PID 4240 wrote to memory of 4152	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	109
PID 4240 wrote to memory of 4152	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	109
PID 4240 wrote to memory of 4152	4240	{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe	109
PID 3244 wrote to memory of 2644	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	110
PID 3244 wrote to memory of 2644	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	110
PID 3244 wrote to memory of 2644	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	110
PID 3244 wrote to memory of 5060	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	111
PID 3244 wrote to memory of 5060	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	111
PID 3244 wrote to memory of 5060	3244	{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe	111
PID 2644 wrote to memory of 4564	2644	{033353DA-966B-436f-8153-91244846631E}.exe	112
PID 2644 wrote to memory of 4564	2644	{033353DA-966B-436f-8153-91244846631E}.exe	112
PID 2644 wrote to memory of 4564	2644	{033353DA-966B-436f-8153-91244846631E}.exe	112
PID 2644 wrote to memory of 1636	2644	{033353DA-966B-436f-8153-91244846631E}.exe	113
PID 2644 wrote to memory of 1636	2644	{033353DA-966B-436f-8153-91244846631E}.exe	113
PID 2644 wrote to memory of 1636	2644	{033353DA-966B-436f-8153-91244846631E}.exe	113
PID 4564 wrote to memory of 3572	4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe	114
PID 4564 wrote to memory of 3572	4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe	114
PID 4564 wrote to memory of 3572	4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe	114
PID 4564 wrote to memory of 212	4564	{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_f0e4781c8f97f090861ef4a4c61a04c9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
  C:\Windows\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
    C:\Windows\{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
      C:\Windows\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
        
        C:\Windows\{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
        
        C:\Windows\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
        
        C:\Windows\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
        
        C:\Windows\{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
        
        C:\Windows\{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\{033353DA-966B-436f-8153-91244846631E}.exe
        
        C:\Windows\{033353DA-966B-436f-8153-91244846631E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
        
        C:\Windows\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
        
        C:\Windows\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe
        
        C:\Windows\{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3F6B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24986~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03335~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{504B3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF91~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B64D5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1549A~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C597~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EB5D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A358~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C93D5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{033353DA-966B-436f-8153-91244846631E}.exe

Filesize
344KB

MD5
a365be439633be57daf72b26fc647865

SHA1
07b39a6b88f834a746b85ca1e79ecbe5d92b3f67

SHA256
9eaedf391941390e7e78f75dbac6a9cdcc1bf532d8702f5b144cc32ed0cdf1dc

SHA512
dbb95b991c764724cb2eaefb7436cfe4228d74ee849dd228968eb3fea8b5772057236c98dbceae79c73457fee6892f407e3ef2766879a805167224c216cdde3c

Download Submit
C:\Windows\{1549A7AD-9A40-42cb-B6C6-2F9B4C16CC65}.exe

Filesize
344KB

MD5
2b4cdd2a067c7e7268640cd60c7e107b

SHA1
ddcb3f1783c6e37060b08cbfe0a53621ab5212f5

SHA256
ec69bd04e018c5b80dd250a3259b68eb4559dc14b1e360e188642193b1912b4d

SHA512
05d7d2a3330e68be2a146b9bb2bc6a3e45288b84829f82586da00e1f344418697424ada20a6d8ce7960522dcfe604bf5318ba1c594133534ab03420dcfe75757

Download Submit
C:\Windows\{249861D0-E6DB-4870-AFF6-AD3B0B6B04B7}.exe

Filesize
344KB

MD5
687245fd7184bf42c65c83eb5ae54189

SHA1
2552d6be9a2ef9f7b818bb36e79545e10b272355

SHA256
f636680eb50ff2eac71ab34b1cd4e99f509218519ce6480bc40a30e67188df5f

SHA512
a7b2d4d620e4fa3cf7714f6146f23436f2fbec3173e0d414e5210d77010a9e59bc7d1f3bd06bbc3529529434abcd43a4a63fbdbe8e4c932f80426eb885404554

Download Submit
C:\Windows\{2EB5D5CC-545D-4931-BBF6-DC5457D0D994}.exe

Filesize
344KB

MD5
729c7562abf035f476d2a90d57d07b76

SHA1
dcf626388be31395deda04a78dceea31bee224b5

SHA256
68bf568fbed608c64bec3f657d8c43f6b419fa185ba8838575036b1a01b805f5

SHA512
6cbdc127b3606cdfae72305de395dbfdde9fcc1f4da20b99572229dbc9d7ec7aa7896c3ada548f4fe1637fde1d0205644261f5001533a2b0c972d2d45cd8944f

Download Submit
C:\Windows\{3BF9138D-4085-4f11-8516-16F4E081BA29}.exe

Filesize
344KB

MD5
22751ba8427ad18856cd280b88e71090

SHA1
85028ca4d614b2e09067a4af28d409a7c2190f3c

SHA256
18dc712927d5480024b167ec3da3bc9bc528e2adba89172fd8c057b6dae6304e

SHA512
46e5433edcf69eff6737aece880673fb4c86199beaeb76ea448d1e52595c1f7853a5eeac4ed4458bf89aff63bfe6cbf1de96345cdf38268d5266f56f9fe32bd3

Download Submit
C:\Windows\{3C597768-1A58-4d74-BB85-B16B9961AC29}.exe

Filesize
344KB

MD5
b3033fd6ca6f072f0d759b61cdcb74d3

SHA1
568723003733895a9af199dcfb25bac9c05c56ef

SHA256
426274676334d602fd4f812cceda3a0fea46ed917849a60503c7fcf259ccc324

SHA512
8f48030464246e1caf52951bd6c145cbe199fe33197573ae9798a98b89abb8c3413559de383bf3205b57665bbbcf79ac921133e292ff9d1cfa870ed5c155904d

Download Submit
C:\Windows\{504B305F-08C3-46e8-A06E-D97F21BE005C}.exe

Filesize
344KB

MD5
fef0059732f13a6304e463b18e6dfafc

SHA1
012d38182ef55b84c3ec1b3ea163a075bf126465

SHA256
4b9557f590721cc1a24b95bb72fc3a2ac7fc90fc2e74a3cb259a8ccb34dfb7ee

SHA512
c5778ac2584b4039ca9369c49ab5ffd3899f34c6c944d493ad7f2fd94f95847b1a5ed09b6cf0703ba54ef1de53ae3b5713bda6cc718d054dd70e3917c932e5ff

Download Submit
C:\Windows\{5F810197-E275-4e03-A9AE-BF8816B7494F}.exe

Filesize
344KB

MD5
ae5eb3571ae8757747fba0353d474461

SHA1
14708d387f5a3e2f1fbf4b4e37f533f8fde9eadc

SHA256
1420531031cae5fc3c55cc5d9ce88b2f9d3f6a429480ecff40038f60def1f552

SHA512
aab0e191f6cf56b48d7ce26abf367cddf09795aa41d17d3ba52a255353b30582322ab017346f02ba8e77170ed35f30a98393ed90afef1bb2318db794ba691eda

Download Submit
C:\Windows\{8A3580DF-9750-48e6-89D7-DB14145F06BF}.exe

Filesize
344KB

MD5
efbf6b2563c0524c5ea7f499752e31bd

SHA1
07d162d01ae0a3e81a33ba5272193170e9775ec3

SHA256
0c5a2457d2c5ce542903d1c0412af2f1b92fef01d60ffd9ab741bf5808a92f8e

SHA512
dc1aae1f71033e1f61a823b7b8fd6f192f786aba46419bb7f35e22b5a868aa37731f1bda0a4636316243d84aa91cae8eb47d9186371bf6bc9fb818d55a039f14

Download Submit
C:\Windows\{A3F6B66F-8021-4a8e-B125-8F603A3EE84C}.exe

Filesize
344KB

MD5
7adc18bb7da2c84582eed1a07e5c019a

SHA1
f715377e16275133e071e5ceaea9b4eaee3253ae

SHA256
c980e7ee71c196fd670d9e771cba00aaa820ddba00ef0b65fa2a8e47e4272156

SHA512
f909c04f4097655c2a1b3ccc01e8fb747f82e8ee99a7758e22fa034fe5e4a0f823a2b272f43866f1613aa2ed32baf647d73cea8c22c671bab0700333b51768a7

Download Submit
C:\Windows\{B64D5833-692E-4e63-A7EC-E14D6F9C28C0}.exe

Filesize
344KB

MD5
3e2bc0160eb4101a3c543aee93a5abdd

SHA1
82e2cb52020299e1cd05bdc08ccbe727da621967

SHA256
30c0fdcfa34a15c41579a32e7cc69e23da8ef344b2eafb26b473ac1a7e00a32d

SHA512
07bc1ecb7609eb0fdca228de94ef28701ca86298e35ecaf33f99262f7181b5feae279cbfd19b2f6cf30dea613d170b2a044673fb520cd8e0683431c51b692c48

Download Submit
C:\Windows\{C93D5E40-9B61-49b4-8C4C-6AB11E5056BB}.exe

Filesize
344KB

MD5
f0e0af37e12e9a6d4794ce3adff1a4a5

SHA1
302f89f86f841183a9345ca1cd82357bd4cf198e

SHA256
5d24db7fba08c35666184d3d8046db08e2ba28ca679d0d7bdd61ccf31100154b

SHA512
2d93d8ddf492ace9998f9e83a1933395ffe093dd1c81dc1d793bb643639dffb3e98291911225f3d5eba770955ec806a2256c8776bc486a5a36d5eb2610bd2767

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads