915e36e1ddc155fd5932b2d7594d2014ee73fa266b1542ba6761158bfcd230aa

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Size

216KB
MD5

72ed0660c593fcc8850e76ccd67d897e
SHA1

bc3e280e204376736334a01240256b895a08193a
SHA256

915e36e1ddc155fd5932b2d7594d2014ee73fa266b1542ba6761158bfcd230aa
SHA512

e1538c922f471e155bd32fea85293a41f8dde3c280f9a05471b0e1b465f1a91153485b25082a6ae2e1af526c488a8a51cdb84f913baa03a24810ba800bfd1fb0
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG5lEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}\stubpath = "C:\\Windows\\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe"	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}\stubpath = "C:\\Windows\\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe"	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}\stubpath = "C:\\Windows\\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe"	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}\stubpath = "C:\\Windows\\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe"	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64FB195-2237-46d6-8B5B-A2FD16266B51}	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}\stubpath = "C:\\Windows\\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe"	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}\stubpath = "C:\\Windows\\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe"	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}\stubpath = "C:\\Windows\\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe"	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DF7E829-6686-4125-B7BC-558742F1DB48}\stubpath = "C:\\Windows\\{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe"	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}\stubpath = "C:\\Windows\\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe"	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020D2728-6923-4b56-97C8-38A56DAC0F92}	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020D2728-6923-4b56-97C8-38A56DAC0F92}\stubpath = "C:\\Windows\\{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe"	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}\stubpath = "C:\\Windows\\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe"	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D64FB195-2237-46d6-8B5B-A2FD16266B51}\stubpath = "C:\\Windows\\{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe"	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DF7E829-6686-4125-B7BC-558742F1DB48}	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe

Executes dropped EXE 12 IoCs

pid	Process
560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
5000	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
3608	{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
File created	C:\Windows\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
File created	C:\Windows\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
File created	C:\Windows\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
File created	C:\Windows\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
File created	C:\Windows\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
File created	C:\Windows\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
File created	C:\Windows\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
File created	C:\Windows\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
File created	C:\Windows\{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
File created	C:\Windows\{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
File created	C:\Windows\{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
Token: SeIncBasePriorityPrivilege	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
Token: SeIncBasePriorityPrivilege	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
Token: SeIncBasePriorityPrivilege	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
Token: SeIncBasePriorityPrivilege	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
Token: SeIncBasePriorityPrivilege	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
Token: SeIncBasePriorityPrivilege	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
Token: SeIncBasePriorityPrivilege	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
Token: SeIncBasePriorityPrivilege	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
Token: SeIncBasePriorityPrivilege	2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
Token: SeIncBasePriorityPrivilege	5000	{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 560	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	82
PID 3492 wrote to memory of 560	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	82
PID 3492 wrote to memory of 560	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	82
PID 3492 wrote to memory of 784	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	83
PID 3492 wrote to memory of 784	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	83
PID 3492 wrote to memory of 784	3492	2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe	83
PID 560 wrote to memory of 3264	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	91
PID 560 wrote to memory of 3264	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	91
PID 560 wrote to memory of 3264	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	91
PID 560 wrote to memory of 1136	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	92
PID 560 wrote to memory of 1136	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	92
PID 560 wrote to memory of 1136	560	{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe	92
PID 3264 wrote to memory of 3272	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	95
PID 3264 wrote to memory of 3272	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	95
PID 3264 wrote to memory of 3272	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	95
PID 3264 wrote to memory of 4220	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	96
PID 3264 wrote to memory of 4220	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	96
PID 3264 wrote to memory of 4220	3264	{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe	96
PID 3272 wrote to memory of 4304	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	97
PID 3272 wrote to memory of 4304	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	97
PID 3272 wrote to memory of 4304	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	97
PID 3272 wrote to memory of 3964	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	98
PID 3272 wrote to memory of 3964	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	98
PID 3272 wrote to memory of 3964	3272	{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe	98
PID 4304 wrote to memory of 3120	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	99
PID 4304 wrote to memory of 3120	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	99
PID 4304 wrote to memory of 3120	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	99
PID 4304 wrote to memory of 8	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	100
PID 4304 wrote to memory of 8	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	100
PID 4304 wrote to memory of 8	4304	{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe	100
PID 3120 wrote to memory of 2188	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	101
PID 3120 wrote to memory of 2188	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	101
PID 3120 wrote to memory of 2188	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	101
PID 3120 wrote to memory of 3652	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	102
PID 3120 wrote to memory of 3652	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	102
PID 3120 wrote to memory of 3652	3120	{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe	102
PID 2188 wrote to memory of 4828	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	103
PID 2188 wrote to memory of 4828	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	103
PID 2188 wrote to memory of 4828	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	103
PID 2188 wrote to memory of 2084	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	104
PID 2188 wrote to memory of 2084	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	104
PID 2188 wrote to memory of 2084	2188	{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe	104
PID 4828 wrote to memory of 2180	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	105
PID 4828 wrote to memory of 2180	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	105
PID 4828 wrote to memory of 2180	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	105
PID 4828 wrote to memory of 2672	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	106
PID 4828 wrote to memory of 2672	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	106
PID 4828 wrote to memory of 2672	4828	{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe	106
PID 2180 wrote to memory of 3556	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	107
PID 2180 wrote to memory of 3556	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	107
PID 2180 wrote to memory of 3556	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	107
PID 2180 wrote to memory of 4840	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	108
PID 2180 wrote to memory of 4840	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	108
PID 2180 wrote to memory of 4840	2180	{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe	108
PID 3556 wrote to memory of 2972	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	109
PID 3556 wrote to memory of 2972	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	109
PID 3556 wrote to memory of 2972	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	109
PID 3556 wrote to memory of 4352	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	110
PID 3556 wrote to memory of 4352	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	110
PID 3556 wrote to memory of 4352	3556	{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe	110
PID 2972 wrote to memory of 5000	2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe	111
PID 2972 wrote to memory of 5000	2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe	111
PID 2972 wrote to memory of 5000	2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe	111
PID 2972 wrote to memory of 2164	2972	{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_72ed0660c593fcc8850e76ccd67d897e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
  C:\Windows\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
    C:\Windows\{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
      C:\Windows\{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
        
        C:\Windows\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
        
        C:\Windows\{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
        
        C:\Windows\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
        
        C:\Windows\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
        
        C:\Windows\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
        
        C:\Windows\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
        
        C:\Windows\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
        
        C:\Windows\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe
        
        C:\Windows\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{364FA~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D94A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DC9B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52BFD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE59~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3806C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D64FB~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDE15~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DF7E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{020D2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{13FE0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020D2728-6923-4b56-97C8-38A56DAC0F92}.exe

Filesize
216KB

MD5
b05eea711f107567242853031a4b5295

SHA1
5a372c780806d8af4ca394d3a45f0659c5affa7e

SHA256
1fddc3432cf031a0ff6e6864cf95ffda246898ffd559cc0281d82181a0cfaf6c

SHA512
8ae969db3e34ac7fa2276972c3e3d72022c0da8d787d6c616549b4719e0657fa1dd9f022a460c958e0af44fd98b4ccf1a8054cd0e3ea37060cefe5b26ec43435

Download Submit
C:\Windows\{13FE0E98-60FE-475e-9D06-C31C30F8AE85}.exe

Filesize
216KB

MD5
9eda826e66cb0a6183dc2ec6c2e16cd6

SHA1
448797fa6fbf0fe757d46d36cd70d83b01f361c7

SHA256
59ddb151c0ee6cd10989b6971270799e52ef660dd1e3e593b7f43e89d341946d

SHA512
33bd9b8db7001a8c667053cd6fad1961e19f697a72e177db295e4d8bac81e31c16d451bb163b135a4ae14e56931c5b3a0bd51a69f06fe8988cd5e788f179c89e

Download Submit
C:\Windows\{364FAB5F-C8CF-43f8-93A8-D468A722AD2A}.exe

Filesize
216KB

MD5
307cc99c287396742b01c68e51f894de

SHA1
9e66680829ae0b36d97a35824dcd9f827f8e6eec

SHA256
d11ac23e3639b47c60f110e7bc3bfb9d6e3d37ec3258af6922378a4808a1e0c1

SHA512
0daa34a88a937cc32de11b97fa71014e8c0df86a01daf094b051b8b8b921dc5878078db2b8d2794e74e672ac9bcda401e4e62392d1ee282c8186b7f7070e7dc4

Download Submit
C:\Windows\{3806C1A6-45F9-4d4f-A45B-0F967B7FA083}.exe

Filesize
216KB

MD5
e51591057c1d52f031ad9980ffbfb65b

SHA1
7fb5a364f9e42829006f5c0cddfacc5906a1ed00

SHA256
89729be9effdad900a3023f9fc91784ac92d35fe193a539ec4ebb9fb46763beb

SHA512
e3d33e4e940c63d46867c3774091b046bbe46d6b37ab24fec8649e38b584d77ad1f2f5a5112899406f3aa00cd95c3cf4dd0300251b1444d00e718a390ed6e6e4

Download Submit
C:\Windows\{3D94A6C8-E086-4f28-9A87-33693D0D9DCA}.exe

Filesize
216KB

MD5
c286d6f4b0af62e497a5d466c0044bc4

SHA1
62b4f21ae8e927862d2879cb592b3cd2aea680f0

SHA256
809140611442e0a76d2efdf071d969c3365c1d9189d11a46aecd9a6e5e14afc7

SHA512
6ed81aa568ba1e29bebc4ec552bfd494d843b397d7a5d61fdcc5be186686dfa22f6fd41795c6918cb9e9a97877d48378a61fd80ea3fbb0f3e001181cf1029464

Download Submit
C:\Windows\{3DC9B3D3-2B39-4803-B83E-2159E9B663A9}.exe

Filesize
216KB

MD5
c51a996fc335faa831a8d10d834d779d

SHA1
28f9b35fe6c02da173ec8c1b61fe52cb56dd6633

SHA256
f2699b974d33a6e241ed2bed0ca396b53594dfaa753d87bc91c1dde3b26791c0

SHA512
9c3377ce566298b793f873b2d49d2da889c041d5251ef32f7439fc6325400e49eb1954e3c48875d24cb1a9d5aba4683cf772acf79ed550d8826fc9f87cca4b53

Download Submit
C:\Windows\{3DE5975F-709F-4f97-BA9C-E7727E864ACE}.exe

Filesize
216KB

MD5
7dc0efa73e98f9a096250dac5984f28f

SHA1
a849e22db40a49192254897e221902000f38cd0d

SHA256
92008ab191181fe47b359392c6d51437cf6be9135c25ccbcd021b50ebc5291cc

SHA512
2baa883577ac7a124c24c00850ae482b800411a03f70e55f82a1cefd1b7e75955f4a2b9e4fb577b86324057865820fdc2e88f813dd4ada48d0c6960829ed86aa

Download Submit
C:\Windows\{52BFD74B-1D1B-4443-AA63-3A7BFFDDA043}.exe

Filesize
216KB

MD5
a74cbe861ee459ffd35616c792ca0ae3

SHA1
dd5443db9d2fcaad0097607c7861ceacbafa3820

SHA256
74ccb68bac5e7b26835dbeff83f3ec7483db86d38a7b1773f8fe2728389bf8ae

SHA512
b32ff5e204967801c4da027d2626faf27e4951d799ba60453c5ed40d94f6404232bbbb190a6921dd6c8bf20b5b45bd1813d7da2ad18f55bdc7b34be5293eea83

Download Submit
C:\Windows\{63CEAF41-1FC9-4fcd-AB6F-CA8D61A4685E}.exe

Filesize
216KB

MD5
4fda82b1b62c495eba1b66cf1e76be54

SHA1
c4e42e04b166a03a550e24b63aec9cc31d1ba273

SHA256
ab542e94859459cf5a3bc9244d7dca46c23ab55fd18dea5b6a36d0a64454ae2e

SHA512
78656367239c096da1234c32892bbb76bc0ec86273f3a9ca1cd38aab1cba0d2297f8e554e16ebf963afa1fcd680add661f4fc8b884d291a751f1aa6923df68ba

Download Submit
C:\Windows\{6DF7E829-6686-4125-B7BC-558742F1DB48}.exe

Filesize
216KB

MD5
6cd5221e20a0ba16385b5fd39193dd55

SHA1
01b56ad71a4b95b876047c0a446673bdb2394a9c

SHA256
1d07b4c83152ca9eccdb36caaa1e71368f2b09a8d1b707cb8b1331fbd718bb45

SHA512
ce33d149c0bc06aa0231a60855a1bf1402941e0a9da3426c8ad3cd2fa779865e67b4a70368bab2245471617f8d9dd6a9f205f4724c5c6fd26148fe4a0ae595fc

Download Submit
C:\Windows\{D64FB195-2237-46d6-8B5B-A2FD16266B51}.exe

Filesize
216KB

MD5
7624b9d021b885fc49f3f8ef330e7555

SHA1
7016c602e95086cf7cdcf3de8dd0c2d65d685927

SHA256
e1c1dc3d7c3c267a679ecc6789ad0ece43ab708da7716d28c6f3660e983dbf74

SHA512
a3df5f74439bb07ee535c21f47267ccc2afa14bd540315f8ca9c04419f5ae2197615fb014a897bf7cbec175af069ec06d2fc0739170e717bf31f889c59a6e431

Download Submit
C:\Windows\{DDE15FE7-1388-4be2-BCEA-2B113B3D1184}.exe

Filesize
216KB

MD5
169cbfb04180068e2652f5561be684b6

SHA1
932e73ebd53d4dcc3d31cde30361d338f1f6fb0d

SHA256
93690ed7bfbefedbe34b00a9413237820e36708061c9021591f2a3a498ce741d

SHA512
af6fa8f5b02ce3ebba775cfbb2930d626468dfb6b36da13ee390d6f07f4f9131bfa160865d8f3d0da106a43f51a95be640629cde947027e39c93a53cabe234ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads