904ce9941f4c7de3769671b1d7d7b48d2dd1ce66363d374b7da6856f69e70f6c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
Size

284KB
MD5

83aaf3ea0010f785da1c22ac68b0f848
SHA1

5dafc6fe0b1fa8805f3fbad883a8a4ada748c4ce
SHA256

904ce9941f4c7de3769671b1d7d7b48d2dd1ce66363d374b7da6856f69e70f6c
SHA512

258cbd96435125714e1bf028e713a7923845f351868c0a7bcd4ca4c420e88eff46026b8887c2f8aa7f7a57927324642f1799dee10fb663d63ee3a5cc08260610
SSDEEP

3072:BEGh0oFlcOHOe2MUVg3bHrH/HqOYGqe+rcC4F+jHMUy:BEGblnOe2MUVg3vceKc+y

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254098B4-0CDE-4035-9002-824FC4CA461E}\stubpath = "C:\\Windows\\{254098B4-0CDE-4035-9002-824FC4CA461E}.exe"	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6D66C7-08DC-4a51-9289-32E009E35307}	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}\stubpath = "C:\\Windows\\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe"	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}\stubpath = "C:\\Windows\\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe"	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}\stubpath = "C:\\Windows\\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe"	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2826933-F45A-433f-89D8-F12F2FA4793E}	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC6D66C7-08DC-4a51-9289-32E009E35307}\stubpath = "C:\\Windows\\{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe"	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}\stubpath = "C:\\Windows\\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe"	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}\stubpath = "C:\\Windows\\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe"	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{254098B4-0CDE-4035-9002-824FC4CA461E}	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36860D61-6A31-4118-A6C5-7D00C05BBA68}	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2826933-F45A-433f-89D8-F12F2FA4793E}\stubpath = "C:\\Windows\\{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe"	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}\stubpath = "C:\\Windows\\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe"	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}\stubpath = "C:\\Windows\\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe"	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}\stubpath = "C:\\Windows\\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe"	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36860D61-6A31-4118-A6C5-7D00C05BBA68}\stubpath = "C:\\Windows\\{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe"	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
3076	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
2736	{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
File created	C:\Windows\{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
File created	C:\Windows\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
File created	C:\Windows\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
File created	C:\Windows\{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
File created	C:\Windows\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
File created	C:\Windows\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
File created	C:\Windows\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
File created	C:\Windows\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
File created	C:\Windows\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
File created	C:\Windows\{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
File created	C:\Windows\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
Token: SeIncBasePriorityPrivilege	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
Token: SeIncBasePriorityPrivilege	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
Token: SeIncBasePriorityPrivilege	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
Token: SeIncBasePriorityPrivilege	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
Token: SeIncBasePriorityPrivilege	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
Token: SeIncBasePriorityPrivilege	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
Token: SeIncBasePriorityPrivilege	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
Token: SeIncBasePriorityPrivilege	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
Token: SeIncBasePriorityPrivilege	3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
Token: SeIncBasePriorityPrivilege	3076	{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2848	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	94
PID 2012 wrote to memory of 2848	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	94
PID 2012 wrote to memory of 2848	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	94
PID 2012 wrote to memory of 4652	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	95
PID 2012 wrote to memory of 4652	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	95
PID 2012 wrote to memory of 4652	2012	2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe	95
PID 2848 wrote to memory of 4344	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	96
PID 2848 wrote to memory of 4344	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	96
PID 2848 wrote to memory of 4344	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	96
PID 2848 wrote to memory of 212	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	97
PID 2848 wrote to memory of 212	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	97
PID 2848 wrote to memory of 212	2848	{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe	97
PID 4344 wrote to memory of 2448	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	101
PID 4344 wrote to memory of 2448	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	101
PID 4344 wrote to memory of 2448	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	101
PID 4344 wrote to memory of 4044	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	102
PID 4344 wrote to memory of 4044	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	102
PID 4344 wrote to memory of 4044	4344	{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe	102
PID 2448 wrote to memory of 3824	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	103
PID 2448 wrote to memory of 3824	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	103
PID 2448 wrote to memory of 3824	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	103
PID 2448 wrote to memory of 3512	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	104
PID 2448 wrote to memory of 3512	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	104
PID 2448 wrote to memory of 3512	2448	{254098B4-0CDE-4035-9002-824FC4CA461E}.exe	104
PID 3824 wrote to memory of 1732	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	105
PID 3824 wrote to memory of 1732	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	105
PID 3824 wrote to memory of 1732	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	105
PID 3824 wrote to memory of 532	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	106
PID 3824 wrote to memory of 532	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	106
PID 3824 wrote to memory of 532	3824	{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe	106
PID 1732 wrote to memory of 4872	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	108
PID 1732 wrote to memory of 4872	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	108
PID 1732 wrote to memory of 4872	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	108
PID 1732 wrote to memory of 3176	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	109
PID 1732 wrote to memory of 3176	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	109
PID 1732 wrote to memory of 3176	1732	{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe	109
PID 4872 wrote to memory of 4824	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	110
PID 4872 wrote to memory of 4824	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	110
PID 4872 wrote to memory of 4824	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	110
PID 4872 wrote to memory of 1000	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	111
PID 4872 wrote to memory of 1000	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	111
PID 4872 wrote to memory of 1000	4872	{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe	111
PID 4824 wrote to memory of 716	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	116
PID 4824 wrote to memory of 716	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	116
PID 4824 wrote to memory of 716	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	116
PID 4824 wrote to memory of 2808	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	117
PID 4824 wrote to memory of 2808	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	117
PID 4824 wrote to memory of 2808	4824	{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe	117
PID 716 wrote to memory of 4832	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	122
PID 716 wrote to memory of 4832	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	122
PID 716 wrote to memory of 4832	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	122
PID 716 wrote to memory of 4996	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	123
PID 716 wrote to memory of 4996	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	123
PID 716 wrote to memory of 4996	716	{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe	123
PID 4832 wrote to memory of 3460	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	124
PID 4832 wrote to memory of 3460	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	124
PID 4832 wrote to memory of 3460	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	124
PID 4832 wrote to memory of 4772	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	125
PID 4832 wrote to memory of 4772	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	125
PID 4832 wrote to memory of 4772	4832	{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe	125
PID 3460 wrote to memory of 3076	3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe	129
PID 3460 wrote to memory of 3076	3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe	129
PID 3460 wrote to memory of 3076	3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe	129
PID 3460 wrote to memory of 920	3460	{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_83aaf3ea0010f785da1c22ac68b0f848_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
  C:\Windows\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
    C:\Windows\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
      C:\Windows\{254098B4-0CDE-4035-9002-824FC4CA461E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
        
        C:\Windows\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
        
        C:\Windows\{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
        
        C:\Windows\{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
        
        C:\Windows\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
        
        C:\Windows\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
        
        C:\Windows\{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
        
        C:\Windows\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
        
        C:\Windows\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe
        
        C:\Windows\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB4AC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BB80~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC6D6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{237FB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBD6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2826~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36860~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C61~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25409~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB2C1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FDC4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{237FBC3E-D732-4a94-B37F-CC2E0EB825AF}.exe

Filesize
284KB

MD5
e3cc1abb6014af9f78ebccf3f035ee7b

SHA1
4f2914700257c9b2f389c112217bd07dbc43290f

SHA256
fed777267c09be7ce347ef6335e18c6830a9ffc9293a9dceb69db049298c8723

SHA512
50ea7097b8bc9070856cf14ce04f603c52d38553c6936325677b4a74ed52d0f5069cea719740164b7412b2901993c2ccfc27a490e22d8807f47311d1d0e2dbfb

Download Submit
C:\Windows\{254098B4-0CDE-4035-9002-824FC4CA461E}.exe

Filesize
284KB

MD5
046454cf415cfcccf8111ff4922180b9

SHA1
107052737c90681f83814a3554eb7f0ec284c691

SHA256
6110f776dec5bd2469cdfb9bc514c5039152d4b5068c0d178c368a697d31e5dc

SHA512
6c974eb20ec667ab3a611e2ff545d1c58a6256b71c3a2ea12f38430a3631d5104684bbb801570dbe9eb9cbc62ce07612ad31c8da2adab57d1fc87a89a811ff43

Download Submit
C:\Windows\{28C616B2-F8AF-4768-9B41-57AD2DDB6AB7}.exe

Filesize
284KB

MD5
e5cc35324907999509861b26585ebecb

SHA1
caceaba3b94457218dc6f8836cf138e8e3ceb265

SHA256
36f82c8b4a1ab365401607a33a8582eba0089010d71a347bace07c862d4ea33d

SHA512
350b06a252cefed8123d5c4ad3d355aaefd7cfa9e7af8619b0b3c6cbf3114f9bfd59c50738ea1a7470b24942d92552dbfafebaae1de7c460436f5827fa87dca3

Download Submit
C:\Windows\{2FDC4ED0-8AF9-4a49-868F-A6FDA0B990DE}.exe

Filesize
284KB

MD5
ba307585d7a2b1cbd3fdea038b9e3e16

SHA1
cf45ba0e32cb1959073c92d6f8120e613042aba8

SHA256
e67926dac0d819f21e14224658f002bb653eb5da1a659b8f09afcb2e1b76e539

SHA512
d6a12b87af9693dbc9acd9f90674140b32a8e950eabf9a26737ae26e3ef95ae4c1cab6679c38633038a1fda96fcfb8b47f5dbacb91894b99e46d399118afc87c

Download Submit
C:\Windows\{36860D61-6A31-4118-A6C5-7D00C05BBA68}.exe

Filesize
284KB

MD5
e6007c697a9a666110ad72921274436c

SHA1
fb507268803974aee484f999d883f5e2ed718ee2

SHA256
66f31f73ce59ce1b3b6f890f56381bff3c4e6037c33f69ff4897ea6103aa0dcb

SHA512
a3b98f89a516d14edf26b03e5b830aaa1ff20cf8859efe31326852ed7d6b053d72e78da3377b7f311634f7c40b94a85be963ef956cdb001e9c84811330160b32

Download Submit
C:\Windows\{7DBD6B09-AA7D-4999-98E3-4DC3B3C6976F}.exe

Filesize
284KB

MD5
e5168809ad4540f7da539908d7ef105b

SHA1
ac5afafc4523f908559a6039bf1b5f8f2563f540

SHA256
4291896411bdb71a072148854760de0c7eebf7a22cc31399415fd41b40b3cda6

SHA512
1bbf1e8f42f859013a083153d51fea44b9f43128b7e25fe09f2462b5e924e038ccc1c5e345205c5f262a8367c19a9dfc53fa450bffbeb932796fc215416644ea

Download Submit
C:\Windows\{8BB802EE-F595-440b-B4DC-B7D8AE16965B}.exe

Filesize
284KB

MD5
8819cc4b2321778456893adef8d21510

SHA1
2403b6ce9af4b2b2d2eb399e25f7dec071fc2e59

SHA256
0c648470aa9dd895bbaba6e1cd216a487941b9e89aacedeed49d64e129cdf87d

SHA512
c29b2f99d5220e766ea0a43c7daaccbdaa56591c885c102d1272a586a8a9f112a0a0d7c868b76879683444db4996526fd63b52692202d5cf4eef131c9c8e3ab5

Download Submit
C:\Windows\{AC6D66C7-08DC-4a51-9289-32E009E35307}.exe

Filesize
284KB

MD5
facb0e1930236e086286077f9836c152

SHA1
25c64391cbe9ceaec9a7a84a8e887d3f859e2349

SHA256
a4e012ad9c5c2229c934f1c50bdaa18e8a144f7b12831b3f807cd78804fab94c

SHA512
00e671a74faa458165486f3759d23a288d33320aaecfe8c30cac4b06651608e0fef23df01c20be79280839fc6a35e7d57d7ea88e3594c73378ae5376aead196d

Download Submit
C:\Windows\{DB2C16A9-A034-4a72-AC26-FFFB0872E162}.exe

Filesize
284KB

MD5
82cac674eae17f720a51f5ce2ceee4bd

SHA1
1a21c114cf5d723270e64217846a5e9b080b3b95

SHA256
66660b13bf13f470f0acd8980d1322bd8c97129c0a9e16de44f6d4ed13c16cc0

SHA512
5bc12f94941e9bfe17e2048efdb4a864348135ca62448340db92503e1ca4a6baf4d9b70cc034cc4d6817f7a10a22b429508b8f4751a2a002b89f07b24c901bd9

Download Submit
C:\Windows\{DB4AC31D-8072-40ee-A0CA-0FE1266BDC4F}.exe

Filesize
284KB

MD5
3d83c12bc30e551baae586955c876529

SHA1
0c1d4639251de2ec302fe114c95b3ba278c4ef60

SHA256
1769623c077309242f3be1e9abec118c5d8b85784c81f00c538977183a71aba3

SHA512
dd0c53a271d9d3d8ca9672904b6134c87bc66c551d2f2b2aac79d28066260093ca6f8470dae573831aecd85f81b9c77e8c15ed0db387d00b3ced3cec8b7cc030

Download Submit
C:\Windows\{E2826933-F45A-433f-89D8-F12F2FA4793E}.exe

Filesize
284KB

MD5
9618f9a8a273c4cd518da170ed20807a

SHA1
f2051daf70672b95a49fb03ce2dcc893b2630c33

SHA256
edd2001ef059098e5b1b088e2465d1a6b07014c57a94f048d781ca55bfc89c32

SHA512
da50991b1488fb4dce96a88b7fa645be7c905fc3764a4f3c48bf6eb819710dfaf84624633b59b1156b3ab46fc774e92738dbde07198f5bc1b2cd0625b02976e1

Download Submit
C:\Windows\{F95DE17E-1E5F-4ae5-B0A8-0C17A26AB568}.exe

Filesize
284KB

MD5
cedce9af16c5a46ec7db5495a4f3e9a5

SHA1
c8bd2e590ea42234c5ae6894dc49afab4a9aeb1f

SHA256
c28a5438425add8344fc452a730dc390d60cb3eb672539eb574df83fba8b9269

SHA512
c7507e3649bd6b589a57e55ba8d8dada6bc0ac0c7d21e3fc14b391e1384ed3f707aa60dd8bc8b55e5a8e73528473c443f2cc41e8133e25e4cb13d09b590e22be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads