c65cd754463f9aac075f567817b8b40de20587bfb70bc38a2b45676152673659

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 09:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
Size

216KB
MD5

f6163da0a36549980519c0e83226090c
SHA1

466e4e997272e589c6f40f13336ee07ad3f62a0a
SHA256

c65cd754463f9aac075f567817b8b40de20587bfb70bc38a2b45676152673659
SHA512

2d2d278487ff656e3fee93cb345e28a380a68f1ae6789cf1cc2ba0f8510ea80b6d6ee011db24468f5aed4cd2dd38bc53eb3308c85fc557cdd118b445b7e9d9d6
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG3lEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}\stubpath = "C:\\Windows\\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe"	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0859309-87FD-4f59-AE8D-CBED70932FA6}	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9257C26-EC81-4d93-96B2-555664191E7D}\stubpath = "C:\\Windows\\{F9257C26-EC81-4d93-96B2-555664191E7D}.exe"	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}\stubpath = "C:\\Windows\\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe"	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}\stubpath = "C:\\Windows\\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe"	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92E4CC1-2B65-4864-9511-51F248257BA0}\stubpath = "C:\\Windows\\{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe"	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71DD192-EC21-423d-BAE9-670EE79E948D}	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71DD192-EC21-423d-BAE9-670EE79E948D}\stubpath = "C:\\Windows\\{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe"	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}\stubpath = "C:\\Windows\\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe"	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC2B251-9B56-4b6a-A291-0C1752117156}\stubpath = "C:\\Windows\\{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe"	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}\stubpath = "C:\\Windows\\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe"	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC2B251-9B56-4b6a-A291-0C1752117156}	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAD67209-866A-4b12-A386-AC20ABF31A5A}	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAD67209-866A-4b12-A386-AC20ABF31A5A}\stubpath = "C:\\Windows\\{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe"	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92E4CC1-2B65-4864-9511-51F248257BA0}	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}\stubpath = "C:\\Windows\\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe"	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0859309-87FD-4f59-AE8D-CBED70932FA6}\stubpath = "C:\\Windows\\{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe"	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9257C26-EC81-4d93-96B2-555664191E7D}	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
3012	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
3820	{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
File created	C:\Windows\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
File created	C:\Windows\{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
File created	C:\Windows\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
File created	C:\Windows\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
File created	C:\Windows\{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
File created	C:\Windows\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
File created	C:\Windows\{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
File created	C:\Windows\{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
File created	C:\Windows\{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
File created	C:\Windows\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
File created	C:\Windows\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
Token: SeIncBasePriorityPrivilege	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
Token: SeIncBasePriorityPrivilege	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
Token: SeIncBasePriorityPrivilege	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
Token: SeIncBasePriorityPrivilege	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
Token: SeIncBasePriorityPrivilege	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
Token: SeIncBasePriorityPrivilege	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
Token: SeIncBasePriorityPrivilege	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
Token: SeIncBasePriorityPrivilege	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
Token: SeIncBasePriorityPrivilege	396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
Token: SeIncBasePriorityPrivilege	3012	{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3172	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	87
PID 860 wrote to memory of 3172	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	87
PID 860 wrote to memory of 3172	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	87
PID 860 wrote to memory of 4740	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	88
PID 860 wrote to memory of 4740	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	88
PID 860 wrote to memory of 4740	860	2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe	88
PID 3172 wrote to memory of 428	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	91
PID 3172 wrote to memory of 428	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	91
PID 3172 wrote to memory of 428	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	91
PID 3172 wrote to memory of 1404	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	92
PID 3172 wrote to memory of 1404	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	92
PID 3172 wrote to memory of 1404	3172	{F9257C26-EC81-4d93-96B2-555664191E7D}.exe	92
PID 428 wrote to memory of 3364	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	95
PID 428 wrote to memory of 3364	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	95
PID 428 wrote to memory of 3364	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	95
PID 428 wrote to memory of 2160	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	96
PID 428 wrote to memory of 2160	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	96
PID 428 wrote to memory of 2160	428	{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe	96
PID 3364 wrote to memory of 2968	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	97
PID 3364 wrote to memory of 2968	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	97
PID 3364 wrote to memory of 2968	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	97
PID 3364 wrote to memory of 1180	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	98
PID 3364 wrote to memory of 1180	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	98
PID 3364 wrote to memory of 1180	3364	{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe	98
PID 2968 wrote to memory of 3276	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	99
PID 2968 wrote to memory of 3276	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	99
PID 2968 wrote to memory of 3276	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	99
PID 2968 wrote to memory of 1944	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	100
PID 2968 wrote to memory of 1944	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	100
PID 2968 wrote to memory of 1944	2968	{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe	100
PID 3276 wrote to memory of 1208	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	101
PID 3276 wrote to memory of 1208	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	101
PID 3276 wrote to memory of 1208	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	101
PID 3276 wrote to memory of 4092	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	102
PID 3276 wrote to memory of 4092	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	102
PID 3276 wrote to memory of 4092	3276	{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe	102
PID 1208 wrote to memory of 960	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	103
PID 1208 wrote to memory of 960	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	103
PID 1208 wrote to memory of 960	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	103
PID 1208 wrote to memory of 1456	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	104
PID 1208 wrote to memory of 1456	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	104
PID 1208 wrote to memory of 1456	1208	{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe	104
PID 960 wrote to memory of 4172	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	105
PID 960 wrote to memory of 4172	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	105
PID 960 wrote to memory of 4172	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	105
PID 960 wrote to memory of 1060	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	106
PID 960 wrote to memory of 1060	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	106
PID 960 wrote to memory of 1060	960	{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe	106
PID 4172 wrote to memory of 4072	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	107
PID 4172 wrote to memory of 4072	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	107
PID 4172 wrote to memory of 4072	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	107
PID 4172 wrote to memory of 4704	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	108
PID 4172 wrote to memory of 4704	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	108
PID 4172 wrote to memory of 4704	4172	{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe	108
PID 4072 wrote to memory of 396	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	109
PID 4072 wrote to memory of 396	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	109
PID 4072 wrote to memory of 396	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	109
PID 4072 wrote to memory of 3472	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	110
PID 4072 wrote to memory of 3472	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	110
PID 4072 wrote to memory of 3472	4072	{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe	110
PID 396 wrote to memory of 3012	396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe	111
PID 396 wrote to memory of 3012	396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe	111
PID 396 wrote to memory of 3012	396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe	111
PID 396 wrote to memory of 5068	396	{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_f6163da0a36549980519c0e83226090c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
  C:\Windows\{F9257C26-EC81-4d93-96B2-555664191E7D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
    C:\Windows\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
      C:\Windows\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
        
        C:\Windows\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
        
        C:\Windows\{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
        
        C:\Windows\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
        
        C:\Windows\{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
        
        C:\Windows\{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
        
        C:\Windows\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
        
        C:\Windows\{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
        
        C:\Windows\{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe
        
        C:\Windows\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0859~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A71DD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA800~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E92E4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAD67~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C428~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC2B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C187A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F37AB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B9BEF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9257~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C4288B1-234C-4096-AD9B-EFCB8CFE2DCA}.exe

Filesize
216KB

MD5
61d2c5f80e2175787b6d1f074e32c381

SHA1
6fcaa55b6b9a3b46e71207c440775598cbf42d82

SHA256
2e669ee2ac58f5ef978e2163ce4c7f91cc1bb3289a7dbc77183c025fae31151f

SHA512
c3c93a682fdc8ff7b792d51b4923516f811ae4c8b3dded828f1d6f55604f4b3d0d507e968d797fd9489284a7556c5ae484eaf2767400a9145502478e08050b51

Download Submit
C:\Windows\{A71DD192-EC21-423d-BAE9-670EE79E948D}.exe

Filesize
216KB

MD5
38091ee1b39f7893b2e903c21ff162ca

SHA1
435b71ed1d570b8038f6f11528a007136d5ea28a

SHA256
dc951368bc95b7423176b0fcc96130b320d4ea3a3fe57723f5661baf793f6dd5

SHA512
ef255a0ca53d5ffe2f402958cda94e7f6516f8f73cf9d8bc82aa3e9016ab5975b696e23781a02c2fbcc85bf28dc513daf80451bab895f03802f8e3d51025cb03

Download Submit
C:\Windows\{B0859309-87FD-4f59-AE8D-CBED70932FA6}.exe

Filesize
216KB

MD5
0284fdfc0a718ec0f2214ce25e6b950f

SHA1
7ce403ddc6d573e7132998fa4cd9d41fdf653e53

SHA256
21acd93d781c4a56cc4ba5acd2acbcd3b2ce54a694f02f5d326ba6f289a452b4

SHA512
00c6dbbcdff770f1e7cfe7358ce9bee7818cd4fa2090c007ebd895b00067d6c0f3fe6b717966001df04376ac4a08aae604f23fee72ebded35139623cbdc29300

Download Submit
C:\Windows\{B9BEF927-9862-41b8-8B79-CF0DC9CE5024}.exe

Filesize
216KB

MD5
8d7ec5e8d13610ecd3df432f2cd14930

SHA1
432a634e0b77e663d43ed64f90adae1e381ad98a

SHA256
2a297eb0747f6bfc98c3ae9e872276e177dddc78dd1c8381ede91d02541137d9

SHA512
37a3a2368e520d9364be4ca88923b231b494eb1caa0cbd2aabba85380babc5b25085c0a7566ee55713368e9cd6ecb413ed2e6b86225412e85438a0a5dbad8152

Download Submit
C:\Windows\{BFC2B251-9B56-4b6a-A291-0C1752117156}.exe

Filesize
216KB

MD5
479d6e373628ddab741de9b42af91f51

SHA1
2cd796f1d09ed6c0376f05c0271b38f1a4fd2c03

SHA256
aece39a1dd23f28a2f0e4d8a79b6739bdc33647c8e5c245f2f3cc6b1ad58d546

SHA512
7864f36098392b6fd95a1b5c031bfe9638a36c0ea8ec20f1bfc9476044c493933a9fe33329c2f97159d3f107c71725387c9240878c32203a1686d42c89b6dd7e

Download Submit
C:\Windows\{C187A797-ED32-49f4-B12D-4DEC0BA7CE00}.exe

Filesize
216KB

MD5
6fd98a266127b9968929575133cd0807

SHA1
125898f0e1edd44072d51e0cf47b5cd5d9ef3877

SHA256
c4192bd6ffdb76c7cb0a04f3306e1becafa69cb462b57c013199fd129a1e19b8

SHA512
8965b5580232626321e2f3d62a27cb1ca4e78afcacf81fc2b88df7092fba0b18b78fb737ada03132344e9b0b81bf6382fa76db2f677f06c5e03845468d852b0b

Download Submit
C:\Windows\{CA800C8E-C606-45e8-9075-46B9A7FC08B9}.exe

Filesize
216KB

MD5
03ac6c0429d0d3384d0c30d0ee6dcd51

SHA1
50136f0c7212e606e0149ad77123bc274f68ad2b

SHA256
3823d0228ad1101592fc222e7f37c8022d53c67e5b82282e0638dc1afe50a8d5

SHA512
5fdc8559125688f63af1ab925210b0288a452ed67455abea7e3494106e7c3c4b94477b619a1ddcd57940b2ad5782e73c604f13ea8320fa36ced99c39b1c165e3

Download Submit
C:\Windows\{E92E4CC1-2B65-4864-9511-51F248257BA0}.exe

Filesize
216KB

MD5
e312215a9cb65eb69ecc68ab57c819cb

SHA1
23532c0757b11933ad325c72e425ae79151ece12

SHA256
48e1a43fe72cc87ee21adbe0de3970e8347c6b1348a4756f1c841ad9f4620168

SHA512
1f012506a5d66f99b7c48fd4bf8adf8de93316b089c78681173919f54974bcdbfdd362b865d4df6da8032e383e69dd17e07084a19faae9c9739f36b1b54e688f

Download Submit
C:\Windows\{F37AB2F9-56F3-44cc-9C14-6D6E260BF399}.exe

Filesize
216KB

MD5
a29ad8e1d4f15b37db6873d72ee5428d

SHA1
25c32bf7a07880f10c66ab195fc47228098aaee6

SHA256
fa0b60f3bbed489949731eae24d117e166027e422622f7eadf1d9327a43c3cab

SHA512
c1e56f620f05a957f3d2b9c3b7b4d15b7b4c2e5d7b6e80fb941a3207897bb0a3f4bf980bb79af43b39b49367e4bde6cf397830fdaf115ea2ac1b268e1b3039d3

Download Submit
C:\Windows\{F9257C26-EC81-4d93-96B2-555664191E7D}.exe

Filesize
216KB

MD5
0ab89f7091b917e2bb54988282a5a7d5

SHA1
b33d4f0a06a25b6fef069e302789b45b42855d38

SHA256
ddbe8bce0f7fea75625af88b169e6854596e1e0e367cef16c5effc9f6b5d3d91

SHA512
51e43a2b99ab51e4a2bd9a468a83222ce4d07923f3e5ce04fafb34421c2fe998b7d9bab8ae69cd8c65a97cb1a70bc873f135b77ce231ffbe02dab0a4e4443f21

Download Submit
C:\Windows\{FAD67209-866A-4b12-A386-AC20ABF31A5A}.exe

Filesize
216KB

MD5
d9123a4412ad2b088c14b997e284d194

SHA1
458bc891ad8f16c62db5d006a1ae225fd83881ef

SHA256
4d984ff6cf5052c1f98b10015384744b0a35303d0e80a19649aac5b9c29ef1b6

SHA512
983b4b8ace4207c9287766f0c1113f4952a01cd184f09097ee465c32cdbae23a476d5f7cd3ab47d84e9729a950018cc8de14bcde3e6c53d3905469a82f73f244

Download Submit
C:\Windows\{FAEA62AD-5E73-4d3a-9975-C5F85D49665D}.exe

Filesize
216KB

MD5
4f6f0ea6a50b400bc0e6c4f1d19f7014

SHA1
5d72768a51135717e9ebabc29bcbd79d0c38261b

SHA256
a322df6600bb0b8d1f7f71159f97e45182433a03932f6662ddc695ffd19b5b27

SHA512
126dd7aec2120899ea13f664f11da412c2000ea52ef0914508082293c800a6a3edf5ff8d60eaa416539b20dc6051452a8b4c439c1e1af99ecba4e9dd6cc9b302

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads