00fe4248c5bdbb51040ddd08e6c523857c9df2d992a29a4367b53c40d75787fb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
Size

344KB
MD5

9c58e6dba6d5d84fbee4de76a148fd75
SHA1

95d7c9fa7b83bc2c3de4487d38b00e7e19b627ff
SHA256

00fe4248c5bdbb51040ddd08e6c523857c9df2d992a29a4367b53c40d75787fb
SHA512

4cc1a89032d9da8ae2d02cd64d6d2963709b6522e08b9591d2099e23e5d3cee962459959d558672891568afe0034a59670e100a0b16193abcb3bbe83f8b27c38
SSDEEP

3072:mEGh0oalEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGQlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE2BEC-7DB8-476f-9418-CECB3279F353}\stubpath = "C:\\Windows\\{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe"	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}\stubpath = "C:\\Windows\\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe"	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}\stubpath = "C:\\Windows\\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe"	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{589C5344-FB9A-4c1d-B411-C21BC895B83E}\stubpath = "C:\\Windows\\{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe"	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}\stubpath = "C:\\Windows\\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe"	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}\stubpath = "C:\\Windows\\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe"	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C615CA90-7624-4c38-B64A-20CC2358DD23}\stubpath = "C:\\Windows\\{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe"	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}\stubpath = "C:\\Windows\\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe"	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D316E67-72C9-467e-AE52-EF2D49CBB228}	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D316E67-72C9-467e-AE52-EF2D49CBB228}\stubpath = "C:\\Windows\\{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe"	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0371390A-92AE-45d1-869E-BB89657E3C81}	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9770E664-CF02-4112-A214-3696F00E30CB}\stubpath = "C:\\Windows\\{9770E664-CF02-4112-A214-3696F00E30CB}.exe"	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{589C5344-FB9A-4c1d-B411-C21BC895B83E}	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18FF0ECA-8691-4822-B76E-BED363D60D61}	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C615CA90-7624-4c38-B64A-20CC2358DD23}	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44FE2BEC-7DB8-476f-9418-CECB3279F353}	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9770E664-CF02-4112-A214-3696F00E30CB}	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18FF0ECA-8691-4822-B76E-BED363D60D61}\stubpath = "C:\\Windows\\{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe"	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0371390A-92AE-45d1-869E-BB89657E3C81}\stubpath = "C:\\Windows\\{0371390A-92AE-45d1-869E-BB89657E3C81}.exe"	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe

Executes dropped EXE 12 IoCs

pid	Process
3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
1428	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
4448	{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9770E664-CF02-4112-A214-3696F00E30CB}.exe	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
File created	C:\Windows\{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
File created	C:\Windows\{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
File created	C:\Windows\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
File created	C:\Windows\{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
File created	C:\Windows\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
File created	C:\Windows\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
File created	C:\Windows\{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
File created	C:\Windows\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
File created	C:\Windows\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
File created	C:\Windows\{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
File created	C:\Windows\{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe
Token: SeIncBasePriorityPrivilege	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
Token: SeIncBasePriorityPrivilege	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
Token: SeIncBasePriorityPrivilege	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
Token: SeIncBasePriorityPrivilege	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
Token: SeIncBasePriorityPrivilege	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
Token: SeIncBasePriorityPrivilege	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
Token: SeIncBasePriorityPrivilege	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
Token: SeIncBasePriorityPrivilege	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
Token: SeIncBasePriorityPrivilege	4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
Token: SeIncBasePriorityPrivilege	1428	{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 3576	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	86
PID 4136 wrote to memory of 3576	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	86
PID 4136 wrote to memory of 3576	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	86
PID 4136 wrote to memory of 4076	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	87
PID 4136 wrote to memory of 4076	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	87
PID 4136 wrote to memory of 4076	4136	2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe	87
PID 3576 wrote to memory of 2892	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	93
PID 3576 wrote to memory of 2892	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	93
PID 3576 wrote to memory of 2892	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	93
PID 3576 wrote to memory of 3936	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	94
PID 3576 wrote to memory of 3936	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	94
PID 3576 wrote to memory of 3936	3576	{9770E664-CF02-4112-A214-3696F00E30CB}.exe	94
PID 2892 wrote to memory of 2004	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	97
PID 2892 wrote to memory of 2004	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	97
PID 2892 wrote to memory of 2004	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	97
PID 2892 wrote to memory of 3236	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	98
PID 2892 wrote to memory of 3236	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	98
PID 2892 wrote to memory of 3236	2892	{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe	98
PID 2004 wrote to memory of 3716	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	99
PID 2004 wrote to memory of 3716	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	99
PID 2004 wrote to memory of 3716	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	99
PID 2004 wrote to memory of 3168	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	100
PID 2004 wrote to memory of 3168	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	100
PID 2004 wrote to memory of 3168	2004	{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe	100
PID 3716 wrote to memory of 2888	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	101
PID 3716 wrote to memory of 2888	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	101
PID 3716 wrote to memory of 2888	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	101
PID 3716 wrote to memory of 3064	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	102
PID 3716 wrote to memory of 3064	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	102
PID 3716 wrote to memory of 3064	3716	{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe	102
PID 2888 wrote to memory of 1372	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	103
PID 2888 wrote to memory of 1372	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	103
PID 2888 wrote to memory of 1372	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	103
PID 2888 wrote to memory of 4688	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	104
PID 2888 wrote to memory of 4688	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	104
PID 2888 wrote to memory of 4688	2888	{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe	104
PID 1372 wrote to memory of 1188	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	105
PID 1372 wrote to memory of 1188	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	105
PID 1372 wrote to memory of 1188	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	105
PID 1372 wrote to memory of 4676	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	106
PID 1372 wrote to memory of 4676	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	106
PID 1372 wrote to memory of 4676	1372	{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe	106
PID 1188 wrote to memory of 1612	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	107
PID 1188 wrote to memory of 1612	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	107
PID 1188 wrote to memory of 1612	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	107
PID 1188 wrote to memory of 4312	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	108
PID 1188 wrote to memory of 4312	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	108
PID 1188 wrote to memory of 4312	1188	{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe	108
PID 1612 wrote to memory of 4072	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	109
PID 1612 wrote to memory of 4072	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	109
PID 1612 wrote to memory of 4072	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	109
PID 1612 wrote to memory of 4804	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	110
PID 1612 wrote to memory of 4804	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	110
PID 1612 wrote to memory of 4804	1612	{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe	110
PID 4072 wrote to memory of 4540	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	111
PID 4072 wrote to memory of 4540	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	111
PID 4072 wrote to memory of 4540	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	111
PID 4072 wrote to memory of 3496	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	112
PID 4072 wrote to memory of 3496	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	112
PID 4072 wrote to memory of 3496	4072	{0371390A-92AE-45d1-869E-BB89657E3C81}.exe	112
PID 4540 wrote to memory of 1428	4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe	113
PID 4540 wrote to memory of 1428	4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe	113
PID 4540 wrote to memory of 1428	4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe	113
PID 4540 wrote to memory of 764	4540	{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_9c58e6dba6d5d84fbee4de76a148fd75_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\{9770E664-CF02-4112-A214-3696F00E30CB}.exe
  C:\Windows\{9770E664-CF02-4112-A214-3696F00E30CB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
    C:\Windows\{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
      C:\Windows\{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
        
        C:\Windows\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
        
        C:\Windows\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
        
        C:\Windows\{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
        
        C:\Windows\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
        
        C:\Windows\{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
        
        C:\Windows\{0371390A-92AE-45d1-869E-BB89657E3C81}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
        
        C:\Windows\{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
        
        C:\Windows\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe
        
        C:\Windows\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65EFF~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44FE2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03713~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D316~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28711~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C615C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C257E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0563E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18FF0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{589C5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9770E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0371390A-92AE-45d1-869E-BB89657E3C81}.exe

Filesize
344KB

MD5
2a2779c18a06f866269722f39cf5baea

SHA1
60546498fa53d01993880112a2a442ebc6a97489

SHA256
779158b8f2f3e62f38c91f12b6f409b9255f64a35e5fb3bdbccecf562f479ef0

SHA512
6f1f51d1c6c32d3fcf318f3220c09cb9ebb311706b773af26a93d618d5ef2a08279700baa7c83bc311df67136a970bd2ea831469cad7c0ceecf98b3d0a965448

Download Submit
C:\Windows\{0563E4B6-6B5E-4f8d-A1EC-D2D53905CDE3}.exe

Filesize
344KB

MD5
324f23fff117a15407c38e3fbf01558a

SHA1
933128ff247d93338313744447847a50edd7014c

SHA256
d24fb975fe53fa64b41f71246fc5ccf39fc38c3806f9f0d58a2c6e9ade5ed7d1

SHA512
a887111d113deab5e09d5a5531dd97d564c5afb20a0fa813ec7b1e35bf83823949050712e114acba911ffae420816deaa650818150274195be118211db12a081

Download Submit
C:\Windows\{18FF0ECA-8691-4822-B76E-BED363D60D61}.exe

Filesize
344KB

MD5
1cfc35914d6336499b172f4dacc8a39b

SHA1
22c8c62eafe16b8dcd390bebcb318ba5868f2c1e

SHA256
8d4de928f7494a5631d015cfe47123a676da5a6665d6066c2fe9c046b0ca4d92

SHA512
10a94ccc21a9608eafef8ee2e10261f2e5762a9ee1eda6cf664747cd7e2acbfabe11ef6e65851d090a4cbb288276bb7c24da002979b099122ea61bc4e3779644

Download Submit
C:\Windows\{28711B28-5BB7-43d9-B8F1-4A9B02AEC6A6}.exe

Filesize
344KB

MD5
7b414101ce071cd0a631b5d43f7f5db9

SHA1
cebb4c1127896955fff477b79565822783e6e970

SHA256
e8e18a2a7d6b5547d2aeded99f0c3569125dc04f3af505dd80ba749357bbdc09

SHA512
f6ee04611760f97afa9753f8eecda0cb787a6f22295d6f573677f8079ee6a07d269b6c6e8646133bd35a43d30ca76e56381722f20cee56f2eb65eb978ef54157

Download Submit
C:\Windows\{2D316E67-72C9-467e-AE52-EF2D49CBB228}.exe

Filesize
344KB

MD5
94070f08ff4dde71f3e32b85c5cd19f6

SHA1
6a1150907387e8872eb7f981a96a158076842838

SHA256
dc39bc022e50d972f43912efe90ae1728f73fd5356ee2bf678ecafd74d8bd9c2

SHA512
ff622b36fc82c6cc8ec2c40a38dab8329e7dcfd56dc0ab7e5177b435b4ba0acfc31b5301aba1c5a776c370c3c1f1b847ea7ae3272294bf46110987ede26446ac

Download Submit
C:\Windows\{44FE2BEC-7DB8-476f-9418-CECB3279F353}.exe

Filesize
344KB

MD5
a3341da2b534ec6048bb90ffd47bfb42

SHA1
92e8a309119221ec97a0a6d8189f61159de71b16

SHA256
99ad633eb57fe5704526d4b490abc66e273da97f6303d0e90966ce2bc65d30bc

SHA512
da39706fc92bc432d69896e4307cae5a14d2b72cb0f3137f3ffad9dd5a01297699048e78f0b33f97eb496672f87a65fadce8d4927a24fb188b47f47f6e73ee5a

Download Submit
C:\Windows\{589C5344-FB9A-4c1d-B411-C21BC895B83E}.exe

Filesize
344KB

MD5
dd7162b45f76acabc12b8ace84e391f7

SHA1
db4b0580afe3d0be63368a476f2af04b73e8c585

SHA256
daddd289a044f4dadb63e025d827b4293df11f4e94a90dd720ccff9bf82190fe

SHA512
e06530c57fa941219e6ba546bf0b8a101babdf16460642d65df63fd2bb8a6d69acf05d89292e7e81fa7439be0e707d6d83e02d03a0596d51670332ac6a627157

Download Submit
C:\Windows\{65EFF8D5-D089-4e56-9AE4-332BFE9F0BBF}.exe

Filesize
344KB

MD5
e30be041e7dfce755952aaaf1d03f01b

SHA1
77320a7d669bf8b8d561e4c2eab783d32789a4a4

SHA256
83f32e6df4431265afe4a74d880229a1fb56bb7db7369aa254563c727daae898

SHA512
0cef35943ec1698148b59df60c48e5b172b20f54677832c9ca6ab4db27ea64f47d5f326fc030e707dbe115d51ebc89975f58f82685c5feb9bc30b8e0f2aebe44

Download Submit
C:\Windows\{7E786C4A-F165-4ae6-94D7-C8D9F1CC0237}.exe

Filesize
344KB

MD5
e0180d5c2503b5c9de153f4fdffef233

SHA1
74b1ff0ff96ec086ecafec888ee792cb6d97f14d

SHA256
165d13f9b2b959a6d2ff98eaeb9afd8401886b9f5a52b9df530af148c0c16f8c

SHA512
7e8674d52bf71bac2434edd57dd94df3922dcdd451adeb65408f65110c30ca06e11ccc088865a60fb0213f85e2d5376ff8cd5001ee27d1d4ecb8214d402acf1d

Download Submit
C:\Windows\{9770E664-CF02-4112-A214-3696F00E30CB}.exe

Filesize
344KB

MD5
0f8160d31c8a657a5506a0767c696edd

SHA1
ed63b3a29102c54172c2920fa4cfcce7f2772a3e

SHA256
f3fb15b15e115e685e29d3ce880b268c00b96887cb78a56260a3d10b8e42e9c9

SHA512
0b8cfb8e203f8e20d5699359626e0f17a21319271599b2f0a67d134738c1f0ad7c1ad6aeaaf07e3a0b92bcbe39a6df5c946bdabbcc3ca9355aabb8c1b97fc120

Download Submit
C:\Windows\{C257E3A9-45B7-4ea6-B8ED-DD7704A580DB}.exe

Filesize
344KB

MD5
4b7f50346ed80f142c6ccc1ed8df3598

SHA1
c189f0be651bf836b33f0d3f822697d472c3ad8a

SHA256
8754f32e5e9ed27b87753e56cf00e591d9ce543d71e01871f4693e90f8245408

SHA512
2036827846180018e31adbe0a1070f6300761001525957ae300b7e79615539bca436aef0f8d6d0ebc8871ae13e755471b1cd74143dfe73053bb65a0e262b187e

Download Submit
C:\Windows\{C615CA90-7624-4c38-B64A-20CC2358DD23}.exe

Filesize
344KB

MD5
f26ff34936bf85b335d4b64087c902fd

SHA1
3a80a539a0d6f09e5d463742ac8076c9bd45d710

SHA256
950afa561f8dfbf29819e826d3aa102621d40573e83cbdf4750a396869e85a6a

SHA512
5f5d1abf7412b3af3bafc0990eef12eb08893f00943d848efe5ab15e805eaf2dade14e93dc7687e24cec503a8fe95e1c7e3de81cbbe79e9744a6ded3b7daea9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads