2f136092964b38e946501e0bceae2afd914939119aac3df83a7d5e0dafc4cc15

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Size

204KB
MD5

1022046ed5dff4ed2f15b0f13804f63d
SHA1

b3504a96d458b8f57ec12f6893fbaf3f33b73f8f
SHA256

2f136092964b38e946501e0bceae2afd914939119aac3df83a7d5e0dafc4cc15
SHA512

edd70644759952aa604981a1e6a2949f53a7016499ada6a979079454810ea8d11015f35429d3a210ce33c5eead7b3edcf5fb44163c073d5824653b94df6dbb1d
SSDEEP

1536:1EGh0oPvl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oPvl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FFBD16-329D-44f2-9143-29CBE7073394}	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109B4078-FD47-4874-B55B-379111FA341F}\stubpath = "C:\\Windows\\{109B4078-FD47-4874-B55B-379111FA341F}.exe"	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}	{109B4078-FD47-4874-B55B-379111FA341F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43407AB-F05C-4855-B09C-B3948A10E809}	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43407AB-F05C-4855-B09C-B3948A10E809}\stubpath = "C:\\Windows\\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe"	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE29BE6D-0D70-429f-BC97-74611305DE4F}\stubpath = "C:\\Windows\\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe"	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}\stubpath = "C:\\Windows\\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe"	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D46D0901-79E7-4608-ADE8-DA3429B302E2}	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}\stubpath = "C:\\Windows\\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe"	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E039AE76-754D-45c9-B253-878788A93467}\stubpath = "C:\\Windows\\{E039AE76-754D-45c9-B253-878788A93467}.exe"	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}	{E039AE76-754D-45c9-B253-878788A93467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24FFBD16-329D-44f2-9143-29CBE7073394}\stubpath = "C:\\Windows\\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe"	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}\stubpath = "C:\\Windows\\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe"	{109B4078-FD47-4874-B55B-379111FA341F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE29BE6D-0D70-429f-BC97-74611305DE4F}	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}\stubpath = "C:\\Windows\\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe"	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}\stubpath = "C:\\Windows\\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe"	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D46D0901-79E7-4608-ADE8-DA3429B302E2}\stubpath = "C:\\Windows\\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe"	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109B4078-FD47-4874-B55B-379111FA341F}	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E039AE76-754D-45c9-B253-878788A93467}	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}\stubpath = "C:\\Windows\\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe"	{E039AE76-754D-45c9-B253-878788A93467}.exe

Executes dropped EXE 12 IoCs

pid	Process
2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe
1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
4712	{E039AE76-754D-45c9-B253-878788A93467}.exe
764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
4984	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
684	{24FFBD16-329D-44f2-9143-29CBE7073394}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
File created	C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
File created	C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
File created	C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
File created	C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
File created	C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	{109B4078-FD47-4874-B55B-379111FA341F}.exe
File created	C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
File created	C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	{E039AE76-754D-45c9-B253-878788A93467}.exe
File created	C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
File created	C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
File created	C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
File created	C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{109B4078-FD47-4874-B55B-379111FA341F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E039AE76-754D-45c9-B253-878788A93467}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{24FFBD16-329D-44f2-9143-29CBE7073394}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
Token: SeIncBasePriorityPrivilege	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe
Token: SeIncBasePriorityPrivilege	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
Token: SeIncBasePriorityPrivilege	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe
Token: SeIncBasePriorityPrivilege	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
Token: SeIncBasePriorityPrivilege	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
Token: SeIncBasePriorityPrivilege	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
Token: SeIncBasePriorityPrivilege	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
Token: SeIncBasePriorityPrivilege	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
Token: SeIncBasePriorityPrivilege	3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
Token: SeIncBasePriorityPrivilege	4984	{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2212	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	89
PID 4196 wrote to memory of 2212	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	89
PID 4196 wrote to memory of 2212	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	89
PID 4196 wrote to memory of 2872	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	90
PID 4196 wrote to memory of 2872	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	90
PID 4196 wrote to memory of 2872	4196	2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe	90
PID 2212 wrote to memory of 4232	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	91
PID 2212 wrote to memory of 4232	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	91
PID 2212 wrote to memory of 4232	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	91
PID 2212 wrote to memory of 1180	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	92
PID 2212 wrote to memory of 1180	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	92
PID 2212 wrote to memory of 1180	2212	{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe	92
PID 4232 wrote to memory of 1916	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	95
PID 4232 wrote to memory of 1916	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	95
PID 4232 wrote to memory of 1916	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	95
PID 4232 wrote to memory of 368	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	96
PID 4232 wrote to memory of 368	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	96
PID 4232 wrote to memory of 368	4232	{109B4078-FD47-4874-B55B-379111FA341F}.exe	96
PID 1916 wrote to memory of 4712	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	97
PID 1916 wrote to memory of 4712	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	97
PID 1916 wrote to memory of 4712	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	97
PID 1916 wrote to memory of 3140	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	98
PID 1916 wrote to memory of 3140	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	98
PID 1916 wrote to memory of 3140	1916	{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe	98
PID 4712 wrote to memory of 764	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	99
PID 4712 wrote to memory of 764	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	99
PID 4712 wrote to memory of 764	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	99
PID 4712 wrote to memory of 3780	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	100
PID 4712 wrote to memory of 3780	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	100
PID 4712 wrote to memory of 3780	4712	{E039AE76-754D-45c9-B253-878788A93467}.exe	100
PID 764 wrote to memory of 448	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	101
PID 764 wrote to memory of 448	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	101
PID 764 wrote to memory of 448	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	101
PID 764 wrote to memory of 3584	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	102
PID 764 wrote to memory of 3584	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	102
PID 764 wrote to memory of 3584	764	{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe	102
PID 448 wrote to memory of 956	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	103
PID 448 wrote to memory of 956	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	103
PID 448 wrote to memory of 956	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	103
PID 448 wrote to memory of 708	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	104
PID 448 wrote to memory of 708	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	104
PID 448 wrote to memory of 708	448	{A43407AB-F05C-4855-B09C-B3948A10E809}.exe	104
PID 956 wrote to memory of 452	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	105
PID 956 wrote to memory of 452	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	105
PID 956 wrote to memory of 452	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	105
PID 956 wrote to memory of 3360	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	106
PID 956 wrote to memory of 3360	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	106
PID 956 wrote to memory of 3360	956	{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe	106
PID 452 wrote to memory of 2352	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	107
PID 452 wrote to memory of 2352	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	107
PID 452 wrote to memory of 2352	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	107
PID 452 wrote to memory of 4456	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	108
PID 452 wrote to memory of 4456	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	108
PID 452 wrote to memory of 4456	452	{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe	108
PID 2352 wrote to memory of 3760	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	109
PID 2352 wrote to memory of 3760	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	109
PID 2352 wrote to memory of 3760	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	109
PID 2352 wrote to memory of 3820	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	110
PID 2352 wrote to memory of 3820	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	110
PID 2352 wrote to memory of 3820	2352	{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe	110
PID 3760 wrote to memory of 4984	3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe	111
PID 3760 wrote to memory of 4984	3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe	111
PID 3760 wrote to memory of 4984	3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe	111
PID 3760 wrote to memory of 4460	3760	{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_1022046ed5dff4ed2f15b0f13804f63d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
  C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe
    C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
      C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe
        
        C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
        
        C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
        
        C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
        
        C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
        
        C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
        
        C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
        
        C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
        
        C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe
        
        C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D46D0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD33~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53686~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9756~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE29B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4340~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FB3D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E039A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE8A3~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{109B4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8277F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FB3D06B-B5BF-4a29-8518-A2DBF3E647F0}.exe

Filesize
204KB

MD5
5fde44bbb2c6986c3b3bedaa090c7f12

SHA1
f670ee75bf8ed03232d5daaad440ab7a3201cd26

SHA256
d7010e12371189ec9aba7ed03092b3f478557303f930377d092eda9ef9330b25

SHA512
4528580ffd763e486deb7e7307d4e7526ca5af88d1da973b34031067f40713e60b7548a792ce0fc71b5bbf84e22278add2e9d1a32bc2f3c2c3552a88d949644f

Download Submit
C:\Windows\{109B4078-FD47-4874-B55B-379111FA341F}.exe

Filesize
204KB

MD5
9b18efafed140c0b89e3b8b356d27007

SHA1
65a55316a54410bd766ae3c6403017613c21a9f4

SHA256
058629a128daffd624fb550fcd104c5c921b0da6f3280903c73ee6b669b80963

SHA512
18e0ac12227e3cdbc71993a6ab1f9e22da3eb8bb18ff748ec9209d9bd6faeb5220108820c7b769ce423544aaaeef18ae552486098504971453ce9a47e3f5cffc

Download Submit
C:\Windows\{24FFBD16-329D-44f2-9143-29CBE7073394}.exe

Filesize
204KB

MD5
e51317c7d482d66eb9b00efae46a215b

SHA1
43d545a61216328440cce0aa1da56a8c2b05c958

SHA256
ba74fa92dbe4da6cfda9767796044ebfe43befd442cdd8fcee0b72fb0e69d443

SHA512
954bda8c69f7e821be3d834d6b2adb20476bed59bb2c6efecb1d5546484a1ff1b71ebde3eefec20d8ee651374d115a32f4f97a558fcf96d24e1423f1ea0c96d5

Download Submit
C:\Windows\{53686CCF-B958-4f69-AEDC-CE07D6F5E6ED}.exe

Filesize
204KB

MD5
aeb10929730a4da502bba1f4c74dd47d

SHA1
4635f812529b17fe21032c6a3a689e4b9290e6b2

SHA256
f5750c7e777f9cc2c572d66926854acea8b237d704650fda03b32bb4cb77885f

SHA512
2f03a5bdb176d73c1153f30238c2a88291dd4bcd6e39e7a428d9aa3ad6d44070c1bef46f7e7fa20d3d81148b78ff6da3f417a167adf3102a7ffd653485b27087

Download Submit
C:\Windows\{8277F307-CFA0-4f33-ADD7-D3D707C64A68}.exe

Filesize
204KB

MD5
3a3b7590b6e64de0bf0dae5937d96317

SHA1
837139fb76a2b8c28dac9c6242d110da6096c826

SHA256
09810bb20c076685cec7f4e746d750b82a425d44746d774a50352502e4771b8d

SHA512
c050a385f2dc879f558df2750f94da2844ecf3010033cdf15fd15b5c78b4135e5a80af76bfd89de454d31e01a86aa731c766a8af36db96bacdf4a390df8f5508

Download Submit
C:\Windows\{A43407AB-F05C-4855-B09C-B3948A10E809}.exe

Filesize
204KB

MD5
692d44538e5953f3b6af428a86a2c3f0

SHA1
6069abf7fc1b90469dcf66ca364850c400e0b3ae

SHA256
6d0501478816946af5c69af1377d0ad0bb60c947bed730df91a9f3f96186025f

SHA512
fc7c63e11f524d277da31461261fcc26a3e3c1326356db8f3c0583176f844cc68ff88b808ece071d972ce2a71fb7787eb36551f2686cf33d1edc2bf0e43c3d0f

Download Submit
C:\Windows\{AE8A3253-43F0-4368-A0BA-A0B59AF70181}.exe

Filesize
204KB

MD5
e0c3efca6c579e626fc3628c1f9a6bc7

SHA1
99159175eadbfef0fc72794605782ea501972dcc

SHA256
5bd9233f25edc6d64a19441b4517021cfa8569c2f2fd397affa77a6c824cb180

SHA512
ade4c032543daf2e976dade8ae78fb52009ffeaf65454831b86661986930cc9513155b06dec7b4a94d30357c806dd3f64a32afd0d6e7cdffbe1ecc2c4649f60c

Download Submit
C:\Windows\{BE29BE6D-0D70-429f-BC97-74611305DE4F}.exe

Filesize
204KB

MD5
261a40ad4e1da331bec503cb98a85ccd

SHA1
7de1bc6ecdbb953cf15631b0ba46ff9ea97cca8a

SHA256
49ea44fcc2d8e53561822cdfb321ec8fe53876b2463db01fead75f4f20387288

SHA512
0366c8cb364692353b6be1f2387048b9b32a030b103f6b049c4aadb4e6a28d2965d94d928c5cfe024b953fdb5c1cc433a1f56d5abe9e3d02cc9c3e5e87b0ddde

Download Submit
C:\Windows\{D46D0901-79E7-4608-ADE8-DA3429B302E2}.exe

Filesize
204KB

MD5
be20b74ee5f16b175fc168acdf890be4

SHA1
baced5faa0d5a5c61d7cba4cb2169391ceeaa32e

SHA256
ab4cf04d5fae1a0d8304a31ad10eb30cb772f5a14bdcf38f9f375e06daf42d69

SHA512
7a47c266fd62dc8e0d2fe82c11e963e9f73da3d4a70973e256422e14e73aa08233be2af785f626a89a68299c274e4ebe06dc19412717edd393d32fe6d2a2f3ec

Download Submit
C:\Windows\{DFD33A9D-F0AB-41b0-9F0E-533475237C92}.exe

Filesize
204KB

MD5
fa6b470270abda937796f6b5ee2d301e

SHA1
127f184417ba3c84b47a98d61a153131a15072c4

SHA256
5c39f5999ba6cfee7d73a9c9389eae7b058dad576abd0a0f9ac2f35fc4e99b0d

SHA512
d76442256d5207f3df49f11ac87c67e237f1e585aa0fa5198223062202642784006c5683164eb51a634a03f3c5cb883aaa50867dae6a0d7afd07d76e38b7a3d7

Download Submit
C:\Windows\{E039AE76-754D-45c9-B253-878788A93467}.exe

Filesize
204KB

MD5
d0c615a049eee42b156062e164e46747

SHA1
2533df07ae6fab5c68ed7eb346a577fa3f563d75

SHA256
fdb500781966aea646a1d51d5952150f0db78ecee76e9ba3f33bb8343e96d817

SHA512
28f1969e9f6992a8c91ec778d110e44462c8b1ecc2c89ac532273cbd0ac579bdb00067af96673c47c0af2cb2fe14966a1a27c73ed8e1c70ac0269e2acc865403

Download Submit
C:\Windows\{F9756EFB-C0CE-4546-8F26-4F91D5C05C4A}.exe

Filesize
204KB

MD5
a6fd3f0ed9e9849a936534fbd828296e

SHA1
218a397606b6802a0a6cc765e3fdcf8781c5639d

SHA256
aec0039212dcec2b9867ec394fda54029b456cd2049fa0361c5fcbdbdb46f3fe

SHA512
efbbb52509325a183de2a9a65fb041394ea2f5bba179f91c22b820490382169740cdf5b7907ba573d6120b5e820ca4bae0c4e0baf1d98a106ee6af912887c4bc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads