f1db3555becf04c219b9786b130a31e1c05f3ff28e1de0b0f80c7e11ff96d32b

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Size

180KB
MD5

24315375ec2c41a61116330a3016c1b6
SHA1

a450e29f6db727c4dd7e3c8d2ae62b024181ff17
SHA256

f1db3555becf04c219b9786b130a31e1c05f3ff28e1de0b0f80c7e11ff96d32b
SHA512

7ad427f5b6df229fea88f4b39584e82e61c753500813e831b72fc5ba5945c177d074f4c004aa3e92f0fbeaf6836a846b557e9fa79691f10201c76af11c2b97e7
SSDEEP

3072:jEGh0oPlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGRl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}\stubpath = "C:\\Windows\\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe"	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E17493-FC4D-4af9-9B01-034735344C30}	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}\stubpath = "C:\\Windows\\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe"	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}\stubpath = "C:\\Windows\\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe"	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}\stubpath = "C:\\Windows\\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe"	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942D13F0-35D1-4519-B020-9C98EB061022}	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E17493-FC4D-4af9-9B01-034735344C30}\stubpath = "C:\\Windows\\{99E17493-FC4D-4af9-9B01-034735344C30}.exe"	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}\stubpath = "C:\\Windows\\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe"	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA60668-AA6B-46f1-8291-774809C68BEE}	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DDEF084-96A3-4a64-A079-194C72DA94A6}	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{942D13F0-35D1-4519-B020-9C98EB061022}\stubpath = "C:\\Windows\\{942D13F0-35D1-4519-B020-9C98EB061022}.exe"	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AA60668-AA6B-46f1-8291-774809C68BEE}\stubpath = "C:\\Windows\\{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe"	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}\stubpath = "C:\\Windows\\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe"	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}\stubpath = "C:\\Windows\\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe"	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DDEF084-96A3-4a64-A079-194C72DA94A6}\stubpath = "C:\\Windows\\{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe"	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}\stubpath = "C:\\Windows\\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe"	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
840	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
2920	{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
File created	C:\Windows\{942D13F0-35D1-4519-B020-9C98EB061022}.exe	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
File created	C:\Windows\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
File created	C:\Windows\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
File created	C:\Windows\{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
File created	C:\Windows\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
File created	C:\Windows\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
File created	C:\Windows\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
File created	C:\Windows\{99E17493-FC4D-4af9-9B01-034735344C30}.exe	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
File created	C:\Windows\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
File created	C:\Windows\{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
File created	C:\Windows\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
Token: SeIncBasePriorityPrivilege	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
Token: SeIncBasePriorityPrivilege	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
Token: SeIncBasePriorityPrivilege	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
Token: SeIncBasePriorityPrivilege	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
Token: SeIncBasePriorityPrivilege	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
Token: SeIncBasePriorityPrivilege	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
Token: SeIncBasePriorityPrivilege	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe
Token: SeIncBasePriorityPrivilege	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe
Token: SeIncBasePriorityPrivilege	3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
Token: SeIncBasePriorityPrivilege	840	{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3724	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	86
PID 4432 wrote to memory of 3724	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	86
PID 4432 wrote to memory of 3724	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	86
PID 4432 wrote to memory of 4888	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	87
PID 4432 wrote to memory of 4888	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	87
PID 4432 wrote to memory of 4888	4432	2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe	87
PID 3724 wrote to memory of 4496	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	91
PID 3724 wrote to memory of 4496	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	91
PID 3724 wrote to memory of 4496	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	91
PID 3724 wrote to memory of 3100	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	92
PID 3724 wrote to memory of 3100	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	92
PID 3724 wrote to memory of 3100	3724	{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe	92
PID 4496 wrote to memory of 4932	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	95
PID 4496 wrote to memory of 4932	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	95
PID 4496 wrote to memory of 4932	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	95
PID 4496 wrote to memory of 2608	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	96
PID 4496 wrote to memory of 2608	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	96
PID 4496 wrote to memory of 2608	4496	{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe	96
PID 4932 wrote to memory of 1892	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	97
PID 4932 wrote to memory of 1892	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	97
PID 4932 wrote to memory of 1892	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	97
PID 4932 wrote to memory of 1452	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	98
PID 4932 wrote to memory of 1452	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	98
PID 4932 wrote to memory of 1452	4932	{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe	98
PID 1892 wrote to memory of 3728	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	99
PID 1892 wrote to memory of 3728	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	99
PID 1892 wrote to memory of 3728	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	99
PID 1892 wrote to memory of 2124	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	100
PID 1892 wrote to memory of 2124	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	100
PID 1892 wrote to memory of 2124	1892	{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe	100
PID 3728 wrote to memory of 536	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	101
PID 3728 wrote to memory of 536	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	101
PID 3728 wrote to memory of 536	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	101
PID 3728 wrote to memory of 1368	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	102
PID 3728 wrote to memory of 1368	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	102
PID 3728 wrote to memory of 1368	3728	{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe	102
PID 536 wrote to memory of 940	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	103
PID 536 wrote to memory of 940	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	103
PID 536 wrote to memory of 940	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	103
PID 536 wrote to memory of 1164	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	104
PID 536 wrote to memory of 1164	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	104
PID 536 wrote to memory of 1164	536	{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe	104
PID 940 wrote to memory of 3700	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	105
PID 940 wrote to memory of 3700	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	105
PID 940 wrote to memory of 3700	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	105
PID 940 wrote to memory of 3480	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	106
PID 940 wrote to memory of 3480	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	106
PID 940 wrote to memory of 3480	940	{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe	106
PID 3700 wrote to memory of 4924	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	107
PID 3700 wrote to memory of 4924	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	107
PID 3700 wrote to memory of 4924	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	107
PID 3700 wrote to memory of 4596	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	108
PID 3700 wrote to memory of 4596	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	108
PID 3700 wrote to memory of 4596	3700	{942D13F0-35D1-4519-B020-9C98EB061022}.exe	108
PID 4924 wrote to memory of 3980	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	109
PID 4924 wrote to memory of 3980	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	109
PID 4924 wrote to memory of 3980	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	109
PID 4924 wrote to memory of 3128	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	110
PID 4924 wrote to memory of 3128	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	110
PID 4924 wrote to memory of 3128	4924	{99E17493-FC4D-4af9-9B01-034735344C30}.exe	110
PID 3980 wrote to memory of 840	3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe	111
PID 3980 wrote to memory of 840	3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe	111
PID 3980 wrote to memory of 840	3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe	111
PID 3980 wrote to memory of 2852	3980	{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_24315375ec2c41a61116330a3016c1b6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
  C:\Windows\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
    C:\Windows\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
      C:\Windows\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
        
        C:\Windows\{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
        
        C:\Windows\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
        
        C:\Windows\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
        
        C:\Windows\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{942D13F0-35D1-4519-B020-9C98EB061022}.exe
        
        C:\Windows\{942D13F0-35D1-4519-B020-9C98EB061022}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{99E17493-FC4D-4af9-9B01-034735344C30}.exe
        
        C:\Windows\{99E17493-FC4D-4af9-9B01-034735344C30}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
        
        C:\Windows\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
        
        C:\Windows\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe
        
        C:\Windows\{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B580~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9854C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99E17~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{942D1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABE21~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B487E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B18~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DDEF~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E3C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BAAAC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD28~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B180A1-3CDF-41a6-9B85-F435D51D35B8}.exe

Filesize
180KB

MD5
63377823c05e4c8bcedadfacb3ae7293

SHA1
1e254becf796a4e3faf842d8cbc3856b6daf82a3

SHA256
81448c986c0f72e63db26493a4dddac39ba5be16d441a405ad34301edcfd0f1d

SHA512
8a0f9eed4225c6b8d729f6c85d6600f9ea81d2abaac57a1b187bf33da71ecb2bb41560eea3c6306340d700a9b3140b554e8aace92de4f19549bd629892f28b4c

Download Submit
C:\Windows\{2DDEF084-96A3-4a64-A079-194C72DA94A6}.exe

Filesize
180KB

MD5
4a15bbca8ed14850cc44691141c31675

SHA1
736f6e468f3fbcd46da477b5f2ba51032f300ed0

SHA256
cd092e874b7b5d694def7d04939a2acfd43526e6d021fd5cf00891986dea5655

SHA512
835575486905ddf0f25bd0a6c43824d8152b12b327039f27e36793e536d0fc72023c1af17f5b74dbb9533fe14241cefaf9acda90bf0fa74084b6239c32e37501

Download Submit
C:\Windows\{4AA60668-AA6B-46f1-8291-774809C68BEE}.exe

Filesize
180KB

MD5
dc43076cfae24d8e0d02073c2b1ab1fc

SHA1
422ab9c1c77071a59b10e952d9c6084e9d7cfbb3

SHA256
19912dca04f94653ec61175208237822ceb917c327e5195e001e16ce36d33bcf

SHA512
2872a16b6c0c87a81a3959b197b8cf8cbaf52c470588de9cb5cd117336108040abc2d39945b937afbdfdee6c3c97840ad38655d15e59701204c44bf92a1ecd09

Download Submit
C:\Windows\{7BD288BD-AA0A-4fc7-8BAC-73E445B7D9F4}.exe

Filesize
180KB

MD5
7de39595933e943a3020a48b28226805

SHA1
57844cd7a07a737490359119b5fc3067158da768

SHA256
f8fe7308cb80e8f84099b1bbb55681d649ec5a0dd0afbc832afe50243101d87e

SHA512
2e096676a6698e21e55d71abd45b3aa89a9f2a173fcda0f7279fe4e3e44c01908d9a53d0995cb70a6cde8796b4d7eb565d4cab62a90aac57f35a3321b91c3f1d

Download Submit
C:\Windows\{8B58092F-FB7F-4f50-866C-A80ACC1433B2}.exe

Filesize
180KB

MD5
b9eaf375e1a45ae185e6935cb1c8f811

SHA1
577eebb72a2b6418fffba5f72d33101873c81c7b

SHA256
37bf2db163fcc00e1f42ab5b71cdbdcff36bc7192e90b8fa422a53cb90571a27

SHA512
c6feab2145f485c8bce765988d364b9e3db724a494abf96b3aa2e983ebc22d751813032b2830189c31c110fee710448b48e7e8a7c1a691b175d36d39c310225f

Download Submit
C:\Windows\{942D13F0-35D1-4519-B020-9C98EB061022}.exe

Filesize
180KB

MD5
11dd5cc4bc2f173ac5c5f09f33e72000

SHA1
27e96b613719c755998550dc715b2226fed20c1f

SHA256
6eb1550f815bc249c4e19fdc6d33817f7bc92956852acebe7697c7ff13a4ea20

SHA512
cbe064b067a56d5baa981c8eb70387c1e1082b4aab46907e66bcb0c007c1532db88517beef7e9707bc733388a49c12787c31c31a5e6d1ae528ce17949ab1a2dc

Download Submit
C:\Windows\{9854C2F8-57BB-4455-9EF7-4D3A4F950C8F}.exe

Filesize
180KB

MD5
5a669e99b1325e35eae76b59c24db9eb

SHA1
62cda2f569c6e1640cc7511fbb8d9c7ed56b68ad

SHA256
d85761b0ac45d2491a50d0bb15b2c7ca287ac0a2cec1726604f0da49de7e5519

SHA512
d23110bf9846774c8008a6a37ea86fec094450135e637065d0fa6e5382a41d0bc9c82fd263ed5bd0d2158e2f7200cea854cdcb4b48c7b27147f75bdaa965ffa9

Download Submit
C:\Windows\{99E17493-FC4D-4af9-9B01-034735344C30}.exe

Filesize
180KB

MD5
4124ae735c38f6243a8eee9e237307de

SHA1
cb83e7f35a10c8dd1d399cef2b81faf759d32ea7

SHA256
9881667432d2ef372a4412b76867c1d3fd4bbeacadeab15c328a55d88593c245

SHA512
7820891cbb96b25c62ff9ad9dc517588a69a0764343ba3b4b8ae9286daf7edb3e1b8c17ad33c41ee5c4f43883e86889beee284d99cab84ccb94b20310dfdeb87

Download Submit
C:\Windows\{ABE218BA-95E6-4779-A6D1-8ED9A302D6C5}.exe

Filesize
180KB

MD5
e162de9e6862b06d48e1c1682594cc1f

SHA1
663981a57e6d4d1054a661eee5247fdad29eb4c3

SHA256
fc0c3bc52e801929e6dba9433cc767c3049c7bf156a1c09e1d2baaa26d6d2a06

SHA512
9f06f41ab6afd996e974aa1d37e339e4970230de7e6bdf6b822fe558e38dd0550826666478f13f624f769022841de7f44b6b1a47ed45c74849ee419ce033310f

Download Submit
C:\Windows\{B487E6C6-2B67-4487-ABD2-7D9ED0C3DC20}.exe

Filesize
180KB

MD5
d4d99571d719150c7fcf059cf9daa09c

SHA1
830b42d8f49437ebaaaa54f93604c45b2460782d

SHA256
1600c1421d4c888921be7f31b2b41dbefd0737c5631d534843ac2e29b288e10b

SHA512
80d479467aeaac638399cbe787450c4ff6e3ec372fb097b2263228013cff45e11a500c58b961dae826b6a98902806377c344e9b337ce5d3f6d353b09257e5e33

Download Submit
C:\Windows\{BAAAC829-D6FB-4112-A546-A94BE6BA170D}.exe

Filesize
180KB

MD5
cb23e4991206cfbdd9140849ed494fde

SHA1
023c0a0e0e4c71420ed62be536fda17080bfdac6

SHA256
f4e56247c0dee73ba3f982612abab4df17d5cbf06b1eee403455efb539f01df6

SHA512
25ca7beb9474fdd5eab423b536ff77556f9a31bb12c6befd8c67153210822bb5275ab68aea033be052c434fe81fdfcafd5ac3f4d54aa067f1c0722116c679bbe

Download Submit
C:\Windows\{D7E3C5D4-3CEB-4236-AD12-B6CB033FFE91}.exe

Filesize
180KB

MD5
b209df2697ba91bcbf7713b326bf4740

SHA1
72e4e75412b861063b54bd3a8ccc92c60eafba64

SHA256
a7ccf031c48f23bd5870e2b553f2ce7ada2cc1d162d734795f6385a7e78200ba

SHA512
c242f98cd7864221adc89e042a904f61b14105a0e81048a4583ba05b4e3d0821aeeebce1b58d9e00337490eae2f7b48ee356d771ed3536af2e363a94359053ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads