7d2f74f2aa09dfec98089075fbbef5d5dbcd523445cf722c972548a832f7b126

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
Size

372KB
MD5

432027b80210bfd2e3c1592c4af8a23b
SHA1

cf0b0fed9156ca60ad12c7658e964cc9a1e95db2
SHA256

7d2f74f2aa09dfec98089075fbbef5d5dbcd523445cf722c972548a832f7b126
SHA512

57d42a0853828f5a6a5a2598edfa8e1b04010e8a7f7df49f0507caeb3e18a000d1791ff208ac8f9a1848582173a6b8e0740e8cc400b504da7965da3828be8702
SSDEEP

3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGGl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}\stubpath = "C:\\Windows\\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe"	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C79729-9B40-4b7d-B01E-B96EB9E75896}\stubpath = "C:\\Windows\\{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe"	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}\stubpath = "C:\\Windows\\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe"	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}\stubpath = "C:\\Windows\\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe"	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}\stubpath = "C:\\Windows\\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe"	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87C79729-9B40-4b7d-B01E-B96EB9E75896}	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC53BCC-53FB-4c2f-A238-C465D447875A}\stubpath = "C:\\Windows\\{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe"	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E15EDF90-2043-41b0-934A-16ABD52E89C9}	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}\stubpath = "C:\\Windows\\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe"	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}\stubpath = "C:\\Windows\\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe"	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220FCC06-F230-4419-ACC2-A0164AF79A90}	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{220FCC06-F230-4419-ACC2-A0164AF79A90}\stubpath = "C:\\Windows\\{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe"	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5865E9-6971-4c13-BF22-95FD3EE00909}\stubpath = "C:\\Windows\\{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe"	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E15EDF90-2043-41b0-934A-16ABD52E89C9}\stubpath = "C:\\Windows\\{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe"	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC53BCC-53FB-4c2f-A238-C465D447875A}	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}\stubpath = "C:\\Windows\\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe"	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5865E9-6971-4c13-BF22-95FD3EE00909}	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe

Executes dropped EXE 12 IoCs

pid	Process
3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
2356	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
4568	{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
File created	C:\Windows\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
File created	C:\Windows\{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
File created	C:\Windows\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
File created	C:\Windows\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
File created	C:\Windows\{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
File created	C:\Windows\{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
File created	C:\Windows\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
File created	C:\Windows\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
File created	C:\Windows\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
File created	C:\Windows\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
File created	C:\Windows\{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
Token: SeIncBasePriorityPrivilege	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
Token: SeIncBasePriorityPrivilege	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
Token: SeIncBasePriorityPrivilege	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
Token: SeIncBasePriorityPrivilege	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
Token: SeIncBasePriorityPrivilege	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
Token: SeIncBasePriorityPrivilege	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
Token: SeIncBasePriorityPrivilege	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
Token: SeIncBasePriorityPrivilege	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
Token: SeIncBasePriorityPrivilege	4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
Token: SeIncBasePriorityPrivilege	2356	{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 3456	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	87
PID 3668 wrote to memory of 3456	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	87
PID 3668 wrote to memory of 3456	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	87
PID 3668 wrote to memory of 220	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	88
PID 3668 wrote to memory of 220	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	88
PID 3668 wrote to memory of 220	3668	2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe	88
PID 3456 wrote to memory of 2916	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	91
PID 3456 wrote to memory of 2916	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	91
PID 3456 wrote to memory of 2916	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	91
PID 3456 wrote to memory of 1784	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	92
PID 3456 wrote to memory of 1784	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	92
PID 3456 wrote to memory of 1784	3456	{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe	92
PID 2916 wrote to memory of 1788	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	95
PID 2916 wrote to memory of 1788	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	95
PID 2916 wrote to memory of 1788	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	95
PID 2916 wrote to memory of 3096	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	96
PID 2916 wrote to memory of 3096	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	96
PID 2916 wrote to memory of 3096	2916	{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe	96
PID 1788 wrote to memory of 4752	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	97
PID 1788 wrote to memory of 4752	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	97
PID 1788 wrote to memory of 4752	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	97
PID 1788 wrote to memory of 4788	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	98
PID 1788 wrote to memory of 4788	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	98
PID 1788 wrote to memory of 4788	1788	{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe	98
PID 4752 wrote to memory of 2156	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	99
PID 4752 wrote to memory of 2156	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	99
PID 4752 wrote to memory of 2156	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	99
PID 4752 wrote to memory of 3784	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	100
PID 4752 wrote to memory of 3784	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	100
PID 4752 wrote to memory of 3784	4752	{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe	100
PID 2156 wrote to memory of 1484	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	101
PID 2156 wrote to memory of 1484	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	101
PID 2156 wrote to memory of 1484	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	101
PID 2156 wrote to memory of 2844	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	102
PID 2156 wrote to memory of 2844	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	102
PID 2156 wrote to memory of 2844	2156	{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe	102
PID 1484 wrote to memory of 60	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	103
PID 1484 wrote to memory of 60	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	103
PID 1484 wrote to memory of 60	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	103
PID 1484 wrote to memory of 2124	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	104
PID 1484 wrote to memory of 2124	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	104
PID 1484 wrote to memory of 2124	1484	{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe	104
PID 60 wrote to memory of 3124	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	105
PID 60 wrote to memory of 3124	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	105
PID 60 wrote to memory of 3124	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	105
PID 60 wrote to memory of 428	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	106
PID 60 wrote to memory of 428	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	106
PID 60 wrote to memory of 428	60	{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe	106
PID 3124 wrote to memory of 960	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	107
PID 3124 wrote to memory of 960	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	107
PID 3124 wrote to memory of 960	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	107
PID 3124 wrote to memory of 4412	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	108
PID 3124 wrote to memory of 4412	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	108
PID 3124 wrote to memory of 4412	3124	{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe	108
PID 960 wrote to memory of 4000	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	109
PID 960 wrote to memory of 4000	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	109
PID 960 wrote to memory of 4000	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	109
PID 960 wrote to memory of 2856	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	110
PID 960 wrote to memory of 2856	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	110
PID 960 wrote to memory of 2856	960	{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe	110
PID 4000 wrote to memory of 2356	4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe	111
PID 4000 wrote to memory of 2356	4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe	111
PID 4000 wrote to memory of 2356	4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe	111
PID 4000 wrote to memory of 4040	4000	{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_432027b80210bfd2e3c1592c4af8a23b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
  C:\Windows\{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
    C:\Windows\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
      C:\Windows\{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
        
        C:\Windows\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
        
        C:\Windows\{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
        
        C:\Windows\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
        
        C:\Windows\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
        
        C:\Windows\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
        
        C:\Windows\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
        
        C:\Windows\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
        
        C:\Windows\{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe
        
        C:\Windows\{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87C79~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E32B2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80819~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E4D3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B190~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9173F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E15ED~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{249E9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC53~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{91C1B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FD586~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AC53BCC-53FB-4c2f-A238-C465D447875A}.exe

Filesize
372KB

MD5
4b9cf37c2fe34fe1ffb04ed6a5935946

SHA1
bbf6d0d47499ef07a7ab80ed141d4838d4534423

SHA256
bc74608e3d34d736e7aaa07cc07f889c3711e4cdfdf094ca23242e7104b6d3a9

SHA512
f5f9635abf251dca2d4f921a924f5aa05c73e5719bceae31a7c5f54db91234d4c8dbdf70ecbff9889ad10982059d9657fd22e8cf033af8e1b5a5418bba8b14ae

Download Submit
C:\Windows\{0B190AAA-0D81-45b0-8C2C-3D6A830D5CB9}.exe

Filesize
372KB

MD5
46185d1a46cb30067f4fabd6c7b1e135

SHA1
36415185c60c7913479b0eece452b5c876ee9a84

SHA256
a1259e94f1439c11687036b82ab8d1d2bdb730e739f6e25039b523a07ceccc2a

SHA512
0654854a78844b6ef9a6b6d6cd7522f40c6484600208a4212c2310cad4af1c9ea6e9698ebde6cdd224e2db57a9003dd11121de31823e78d11d1b9887453d503e

Download Submit
C:\Windows\{220FCC06-F230-4419-ACC2-A0164AF79A90}.exe

Filesize
372KB

MD5
f2e7dc02b709536e23267f0184400fb5

SHA1
04f1b53dd851b96e819e153834d0963363cf1a59

SHA256
f46b095d9515c1b5accc2c50278357778de5a11ab5b5e39e443b197f0fb2ecb3

SHA512
43121e1f4663d36fe1eeceaba85b8fc9d89d9f226c24a4bd679d6944cac70112a92c1b177ba60f8440084ee5fd5f1c57133ad2c81049a8d6ac7389e4356e6164

Download Submit
C:\Windows\{249E911A-1DE3-45b8-BFD2-8369060AF0CC}.exe

Filesize
372KB

MD5
9a022c2844daf198de59fa016b8fa80c

SHA1
2d9cb06de8277de3d0ff652b37349d0a97c22202

SHA256
d871dd58d78b796effcffe84cbafcaef390e2a2024d874cbef6bb0d3163acfe3

SHA512
37d51ddff2ee26d10964303cf1105859b6f46c57a935eda758291fd41e5d1726a6c9ad05627937e0390a56b1b47c61db0a72703511b89795a2745858ecc06d7e

Download Submit
C:\Windows\{3E4D3790-1F32-4192-BE94-3D6516B3A6FB}.exe

Filesize
372KB

MD5
538579fa248683ad460b07bb1e5df4b9

SHA1
2bf618f2c3cccbe60af5ad978c029ff65da9a0e1

SHA256
e4ba40055652ae4984a5b32d6f589e7027060bfc88bf5a07dab3994c4d78a765

SHA512
3e961a24d53f1167bfc926909bd86a856748322a7ba0c8f2b26e933c302eaf509f8ea25a60038a4e2816e635c674374b640292c47a248e5aa57ca3d2b9cf0a91

Download Submit
C:\Windows\{80819BAD-018C-46d8-ADCB-0B2CB1A3856F}.exe

Filesize
372KB

MD5
3c621bb3c1539d1300f9c2d957a09001

SHA1
fdd27eed619cb150d83f27dd0fa80fc8a2720ae2

SHA256
72deee3d7f09309898988596332e359e8b3a791dc0358f665feedb9972a4e2e0

SHA512
f1ec5c5d2e08dce1caea11bd98c7d05c4b3d4265d57feec133875bcb43ff2da313598a2ba1867c8cb3d397ed08b9f117b83355a48c0bd3c2c2a6b36431b332ff

Download Submit
C:\Windows\{87C79729-9B40-4b7d-B01E-B96EB9E75896}.exe

Filesize
372KB

MD5
b069cd20c70dab90aa9fb3ceb7996829

SHA1
870a04f974e6277e58774d465db8434f37d50759

SHA256
183319a43a9af71fcc51352a46b38939a1b7ca20a2412845ed82de41a8823310

SHA512
e41fa04a29563c3069bd2f19e97701327bd97c7112b9aac08197fdea55f727e0743a4d32b0c6c6efc125d47e658bc514ecd8483d9ca11e43d0518477d86aecfc

Download Submit
C:\Windows\{9173F929-BFAF-4a77-B959-1D3E5EB750E0}.exe

Filesize
372KB

MD5
509bac50e85df933b79a38274569a744

SHA1
4ac6cb41c4d5f71fa165e61ea3a6abf9f153c046

SHA256
11d267d24e2cd7b0fe18353bfcbb8ae368e8ef0a07bb04ca41ab29863b09888b

SHA512
d3670cfaf22778a1c6d54d7c8b497188b0a685fbb02219673df025052157687bdf3d5ebf346c9844a782f48e08323c0243c008aaea3951a85acd30b9e68ee5c6

Download Submit
C:\Windows\{91C1B78E-00A4-47d6-BC85-37C6AB283CF2}.exe

Filesize
372KB

MD5
eb857783e1c2d0529dcdeb74a2d313e4

SHA1
11867a452c38a00c4a17945bee4c8d5359de983f

SHA256
907efb03c64ca81ef3f2b15c594fb9869a6e45c95280f3713b79e27afd46e81c

SHA512
9c34d23bf43ae0c30800e3aa0fa851a9851e72713a2dec49fbf5be55e9c504e81db357af00b3328d2c211700fb01c3795758f95eede297031947a99820723847

Download Submit
C:\Windows\{E15EDF90-2043-41b0-934A-16ABD52E89C9}.exe

Filesize
372KB

MD5
9dad15df9fd1e65d2e32e05388e1c0d4

SHA1
9be293ff7fe47bd924b0e25872103d71b09844a6

SHA256
0b6390f6bb86e30531b09742dbf7a7a9738dcd6cffcabe4f48117e405bbf23dc

SHA512
0fcc3f10132b0b78031e918dc25b75abc7bab29db93d2679b68b03afb31eeab7a8ea04d6ca4ff6164b25f8a4862045ac79396f636b9eaec7a73a6423e8d2afcd

Download Submit
C:\Windows\{E32B2D44-1DB0-4f30-9CB2-C36BFD11C051}.exe

Filesize
372KB

MD5
955b82a4a513734a81c279a678930622

SHA1
bc9d23dd8b0f268628c2445f9392eee4c2970f97

SHA256
f6e9200fc8672a569935af2e8edbaa6be0865cfc05576a02355b75ca5ebb9a7f

SHA512
1e03eb001852c8e5ace2bdee967500cccae9d048640e7896170f776b2ff9dd735ed2dd879dcee6730ffb5a79c9a12794aa915e8bce972afc837a83e01b082ce7

Download Submit
C:\Windows\{FD5865E9-6971-4c13-BF22-95FD3EE00909}.exe

Filesize
372KB

MD5
2017f4c0bb9e3cfb699cbd5a4bdbe869

SHA1
4a69b3474706c9a0685897effd93c304973de8ef

SHA256
f5f69cc7ea85ddd42a035c0a76502af0f1abbb93b2ef492a98da095f285b136a

SHA512
36fe6dd618af445ad9a5aed04edcc6749aae7477691c82afca1502524f07eab935f30b91e209a167e54b426736aff8219f9f51cf7c91a793295fe786f1ac1f53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads