25e885e1bbf39b87074f12eb92f72cc47c82649fea07b96d8f9b5e3cef0d9567

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Size

192KB
MD5

a5fff169e180062b77ac501c2460fc3c
SHA1

0f60903ab471387d076c07d5d0ade5750185af42
SHA256

25e885e1bbf39b87074f12eb92f72cc47c82649fea07b96d8f9b5e3cef0d9567
SHA512

2dde251881c2ba858ea1c6dd9502c309d508dc781cf5a377cb3ad759afedb2faaf1f0c63ecdc209fbae05672a1be80439790c11600cc59dffa7062c112a4c6eb
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}\stubpath = "C:\\Windows\\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe"	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E07BD3-3B65-4ffd-82B0-AE735053615E}	{A0834596-E7B1-4174-9781-8A121253AC26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B239C35-050B-4c53-9778-5230B41FF67F}	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D025759B-5069-4c74-9063-2F3AE0432B77}\stubpath = "C:\\Windows\\{D025759B-5069-4c74-9063-2F3AE0432B77}.exe"	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D025759B-5069-4c74-9063-2F3AE0432B77}	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B239C35-050B-4c53-9778-5230B41FF67F}\stubpath = "C:\\Windows\\{2B239C35-050B-4c53-9778-5230B41FF67F}.exe"	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A73F6F-D02B-426a-B15F-8D19D52F1466}\stubpath = "C:\\Windows\\{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe"	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A753357B-D1D3-47b2-AACB-284428C3B67C}\stubpath = "C:\\Windows\\{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe"	{D8767561-2434-42b5-B7BD-936616664948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}\stubpath = "C:\\Windows\\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe"	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8767561-2434-42b5-B7BD-936616664948}	{C68B2958-9562-4d94-B077-A78732301C02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8767561-2434-42b5-B7BD-936616664948}\stubpath = "C:\\Windows\\{D8767561-2434-42b5-B7BD-936616664948}.exe"	{C68B2958-9562-4d94-B077-A78732301C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C68B2958-9562-4d94-B077-A78732301C02}	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C68B2958-9562-4d94-B077-A78732301C02}\stubpath = "C:\\Windows\\{C68B2958-9562-4d94-B077-A78732301C02}.exe"	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A753357B-D1D3-47b2-AACB-284428C3B67C}	{D8767561-2434-42b5-B7BD-936616664948}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20A73F6F-D02B-426a-B15F-8D19D52F1466}	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}\stubpath = "C:\\Windows\\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe"	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}\stubpath = "C:\\Windows\\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe"	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19E07BD3-3B65-4ffd-82B0-AE735053615E}\stubpath = "C:\\Windows\\{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe"	{A0834596-E7B1-4174-9781-8A121253AC26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0834596-E7B1-4174-9781-8A121253AC26}	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0834596-E7B1-4174-9781-8A121253AC26}\stubpath = "C:\\Windows\\{A0834596-E7B1-4174-9781-8A121253AC26}.exe"	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe

Executes dropped EXE 12 IoCs

pid	Process
4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe
1416	{D8767561-2434-42b5-B7BD-936616664948}.exe
1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
764	{A0834596-E7B1-4174-9781-8A121253AC26}.exe
708	{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe	{A0834596-E7B1-4174-9781-8A121253AC26}.exe
File created	C:\Windows\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
File created	C:\Windows\{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
File created	C:\Windows\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
File created	C:\Windows\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
File created	C:\Windows\{A0834596-E7B1-4174-9781-8A121253AC26}.exe	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
File created	C:\Windows\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
File created	C:\Windows\{C68B2958-9562-4d94-B077-A78732301C02}.exe	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
File created	C:\Windows\{D8767561-2434-42b5-B7BD-936616664948}.exe	{C68B2958-9562-4d94-B077-A78732301C02}.exe
File created	C:\Windows\{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	{D8767561-2434-42b5-B7BD-936616664948}.exe
File created	C:\Windows\{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
File created	C:\Windows\{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A0834596-E7B1-4174-9781-8A121253AC26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D8767561-2434-42b5-B7BD-936616664948}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C68B2958-9562-4d94-B077-A78732301C02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
Token: SeIncBasePriorityPrivilege	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
Token: SeIncBasePriorityPrivilege	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe
Token: SeIncBasePriorityPrivilege	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe
Token: SeIncBasePriorityPrivilege	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
Token: SeIncBasePriorityPrivilege	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
Token: SeIncBasePriorityPrivilege	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
Token: SeIncBasePriorityPrivilege	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
Token: SeIncBasePriorityPrivilege	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
Token: SeIncBasePriorityPrivilege	4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
Token: SeIncBasePriorityPrivilege	764	{A0834596-E7B1-4174-9781-8A121253AC26}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4948	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	89
PID 440 wrote to memory of 4948	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	89
PID 440 wrote to memory of 4948	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	89
PID 440 wrote to memory of 4808	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	90
PID 440 wrote to memory of 4808	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	90
PID 440 wrote to memory of 4808	440	2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe	90
PID 4948 wrote to memory of 3956	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	91
PID 4948 wrote to memory of 3956	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	91
PID 4948 wrote to memory of 3956	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	91
PID 4948 wrote to memory of 4384	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	92
PID 4948 wrote to memory of 4384	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	92
PID 4948 wrote to memory of 4384	4948	{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe	92
PID 3956 wrote to memory of 1988	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	95
PID 3956 wrote to memory of 1988	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	95
PID 3956 wrote to memory of 1988	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	95
PID 3956 wrote to memory of 1672	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	96
PID 3956 wrote to memory of 1672	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	96
PID 3956 wrote to memory of 1672	3956	{2B239C35-050B-4c53-9778-5230B41FF67F}.exe	96
PID 1988 wrote to memory of 1416	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	97
PID 1988 wrote to memory of 1416	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	97
PID 1988 wrote to memory of 1416	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	97
PID 1988 wrote to memory of 3148	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	98
PID 1988 wrote to memory of 3148	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	98
PID 1988 wrote to memory of 3148	1988	{C68B2958-9562-4d94-B077-A78732301C02}.exe	98
PID 1416 wrote to memory of 1984	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	99
PID 1416 wrote to memory of 1984	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	99
PID 1416 wrote to memory of 1984	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	99
PID 1416 wrote to memory of 2656	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	100
PID 1416 wrote to memory of 2656	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	100
PID 1416 wrote to memory of 2656	1416	{D8767561-2434-42b5-B7BD-936616664948}.exe	100
PID 1984 wrote to memory of 4756	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	101
PID 1984 wrote to memory of 4756	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	101
PID 1984 wrote to memory of 4756	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	101
PID 1984 wrote to memory of 1140	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	102
PID 1984 wrote to memory of 1140	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	102
PID 1984 wrote to memory of 1140	1984	{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe	102
PID 4756 wrote to memory of 3200	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	103
PID 4756 wrote to memory of 3200	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	103
PID 4756 wrote to memory of 3200	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	103
PID 4756 wrote to memory of 696	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	104
PID 4756 wrote to memory of 696	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	104
PID 4756 wrote to memory of 696	4756	{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe	104
PID 3200 wrote to memory of 4264	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	105
PID 3200 wrote to memory of 4264	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	105
PID 3200 wrote to memory of 4264	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	105
PID 3200 wrote to memory of 384	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	106
PID 3200 wrote to memory of 384	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	106
PID 3200 wrote to memory of 384	3200	{D025759B-5069-4c74-9063-2F3AE0432B77}.exe	106
PID 4264 wrote to memory of 3064	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	107
PID 4264 wrote to memory of 3064	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	107
PID 4264 wrote to memory of 3064	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	107
PID 4264 wrote to memory of 3016	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	108
PID 4264 wrote to memory of 3016	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	108
PID 4264 wrote to memory of 3016	4264	{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe	108
PID 3064 wrote to memory of 4628	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	109
PID 3064 wrote to memory of 4628	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	109
PID 3064 wrote to memory of 4628	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	109
PID 3064 wrote to memory of 3900	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	110
PID 3064 wrote to memory of 3900	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	110
PID 3064 wrote to memory of 3900	3064	{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe	110
PID 4628 wrote to memory of 764	4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe	111
PID 4628 wrote to memory of 764	4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe	111
PID 4628 wrote to memory of 764	4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe	111
PID 4628 wrote to memory of 3040	4628	{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_a5fff169e180062b77ac501c2460fc3c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
  C:\Windows\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
    C:\Windows\{2B239C35-050B-4c53-9778-5230B41FF67F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\{C68B2958-9562-4d94-B077-A78732301C02}.exe
      C:\Windows\{C68B2958-9562-4d94-B077-A78732301C02}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\{D8767561-2434-42b5-B7BD-936616664948}.exe
        
        C:\Windows\{D8767561-2434-42b5-B7BD-936616664948}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
        
        C:\Windows\{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
        
        C:\Windows\{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
        
        C:\Windows\{D025759B-5069-4c74-9063-2F3AE0432B77}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
        
        C:\Windows\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
        
        C:\Windows\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
        
        C:\Windows\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{A0834596-E7B1-4174-9781-8A121253AC26}.exe
        
        C:\Windows\{A0834596-E7B1-4174-9781-8A121253AC26}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe
        
        C:\Windows\{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0834~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C86A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E870B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29A1E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0257~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20A73~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7533~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8767~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C68B2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B239~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{127E5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{127E57BB-083F-4b99-9EE6-6FBCAC9A3656}.exe

Filesize
192KB

MD5
1981c0611cf80538d86099a3596f6b8d

SHA1
4c1dd4439bcfa981c52c9e3ceac073df4c2489a5

SHA256
33cb81fc486ea2df4e7a700d58f41674d8001b3be10c3368780ef5f43112ec2a

SHA512
e292ac3636c7eec783999e1ab36290fa0fec1668ea906547120bf75a8110d4ccda6bf9bfed2a4cad87694618e637fbb16e67d27317282b52187faa9bdfffd92b

Download Submit
C:\Windows\{19E07BD3-3B65-4ffd-82B0-AE735053615E}.exe

Filesize
192KB

MD5
9391bcd272edb6eec37e5c6c8dec4404

SHA1
7f2fb16debbdfcf22d1a723e1760db557da72643

SHA256
c93e632531fa18a0b41338fd2ac765d737b8496ba85efacb322c459ee8865a4e

SHA512
e876580f026fd1d8ca74ee76b47e604ba37864387521b2f486411af2ccf45feea87a073df7cb83f47659872cbb571f052ba48a3f821b67a28442bb5f8488d3e6

Download Submit
C:\Windows\{20A73F6F-D02B-426a-B15F-8D19D52F1466}.exe

Filesize
192KB

MD5
531bcc46d72faebea7be975f704c3bc1

SHA1
5227300d743ff7fdb0e440a93b25af47ea1e7c78

SHA256
7e59ebc1653d754fe299f59ee9fdb45267f5c3e74f758da6da8a516b8e51007c

SHA512
97904b70417a650107286466cf4f6665e2c0583b12503f4df6998ae55c067568ccea14686373872c13a1c7dc69389d324a8a219749e16dfa7a090893a869f9cf

Download Submit
C:\Windows\{29A1EC74-8F4E-45eb-A8AF-93A4D6F6E441}.exe

Filesize
192KB

MD5
36b1149f87a16a88f3f0aeff5d886caf

SHA1
c425a2c49ec8c982f932535f0c84ae9c1e540d40

SHA256
b6f37e21c1b099543375053e49376fb3fef0fc989cce19eed77fdd5fefbc39cb

SHA512
7af5e8c969a44940203c3493369384d6c7e279582ade6d2cd46a8d32b3809a2e23f15c12fd8310bcb30b19c88bc19e57143142204d6f85722787af82eb793dcb

Download Submit
C:\Windows\{2B239C35-050B-4c53-9778-5230B41FF67F}.exe

Filesize
192KB

MD5
2f6b9071ba1341b989d8f1d5040de9b1

SHA1
ea834049acd16ecb903a5a827179f8bf4f86caef

SHA256
a9167800b8822f40dc5b8ed2dcede6169132621f53063a37ddcb4681f7189c9d

SHA512
28c18f5e85ca50728495c389c67b380acc1faa5554a14eee64d1b78dcaf2c4c501997d80fbae658ca0617eadc8cd65edad46206d517901b72533dc84c46ec1e0

Download Submit
C:\Windows\{7C86A27A-62D4-417e-AD05-EA6A95DD3769}.exe

Filesize
192KB

MD5
5bfdcf43436eb566d9a86503813fb66b

SHA1
652e80dfb1603565019723c5bfaafb2ee995b7dc

SHA256
6e14baab1e94615c0a92e072917fb6c1d4696af49b5fa2281a7c667afa5a826e

SHA512
8f44cc88e2326d21ce6791c727261dc8e5be43f290c8e6eeda5cf398eb256037e810f0f1e04b5fa400f1f8610296874f2511c525a31521051365fc0ac5198f14

Download Submit
C:\Windows\{A0834596-E7B1-4174-9781-8A121253AC26}.exe

Filesize
192KB

MD5
11d581d4d3781fba64b067a4b2fc9eec

SHA1
91e79e38cf835a347fe4f5a4c8f17424cbbaf193

SHA256
90da42cf66a622508d20ba47938a414b8d1bad9c85dc5a01407bd913b3b0bfce

SHA512
7e7c82a2f92900b004b8a2fcde5f437568ab39ae9eada6b922cc3840d6d9246a33e9738c9ba661e0145ac833a134a399f5965d6dda8d8b4373b17cbcce058cbc

Download Submit
C:\Windows\{A753357B-D1D3-47b2-AACB-284428C3B67C}.exe

Filesize
192KB

MD5
db07774e5617254c9227d149b2a9c403

SHA1
89edc103ea9d4d762d6198cb03d950f7576eb347

SHA256
069b3f76f20cddc7d20b8aa1597cfdad0269f664db1935245f3221119514ea29

SHA512
8d979c105828bd82517b264a4e3288c221733e3f718b9b4d593fa6d940c1670acfa9f32d54bd64a02b36d8ce7f6ed1b8e3bcf79457f9b1be53549b0b5a5ad263

Download Submit
C:\Windows\{C68B2958-9562-4d94-B077-A78732301C02}.exe

Filesize
192KB

MD5
1d89cbba28013496094942762b3ba6d6

SHA1
17f2cf89365ee19785b5b280c9d6382308ced600

SHA256
90e11ff800b0f07d0a941af369900e9811432d175674788fb4a9a245c1c5ea5f

SHA512
f09765e887651cb84877a51ce6efd2e355d40a4805c176b5db202afa33fb38d4db87226f29f63a2696e4701e35a1a2467761a74bf912da6b7fefea2687698f53

Download Submit
C:\Windows\{D025759B-5069-4c74-9063-2F3AE0432B77}.exe

Filesize
192KB

MD5
a52b3363e630e470f7e44ed91a779829

SHA1
02784c3f50a1459c6c8a228e74f128a6c3c4d2b4

SHA256
77b028502f1b5611a688459e4842161a0414838a5e1bab99bdcecea7cdb574d2

SHA512
f5ee5cc37494965d3a7933c058067929947da4e66a586b95fc8fd52dc9985f547c600319f445fa1309e6d01efee07b0d3967aca20647e489a931ee4ad2e395fb

Download Submit
C:\Windows\{D8767561-2434-42b5-B7BD-936616664948}.exe

Filesize
192KB

MD5
1c36340885a58d0911c846b1bd07719a

SHA1
58ffa66a00a82393f0abe78181aa458d62eca3f8

SHA256
b83745c2a73baeee08f12e0214a3c0ce2a4921798448754cc51fa89cc267b19a

SHA512
75d032a9a7f4278f58dccfeda478402f685980e8daaa4e4ef370aca582cc940865296713021df55b989d15d46f7a77dc1b88cf237ad07c0cc1054905b9fc63db

Download Submit
C:\Windows\{E870BBA9-C7EF-4228-B114-9BF71E17E43D}.exe

Filesize
192KB

MD5
9fdb6045c62cc5aa53367a8f9bd64493

SHA1
a1f75283f1d0cb69e805cafc809e41e1fec96d89

SHA256
d5bc748196309a247f711277415cfb9dc9ee36d0530449368d84323c36cb8502

SHA512
74a0c7f915457c4cda93fd989e09a8a508ad716784f06a539fa47be90108d6b354ccb230db3372143742738296d4e2d633d4e587c5ad012b1e06aadfcf09576e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads