f90effcc43643dcf25642e51312ae89c91dcd8c4821026ccbc986b8196824ca5

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Size

192KB
MD5

0d33c41443c0f4d0a2edb08376980b58
SHA1

e480a565d22b64ab2565b65d61251a3d21ebbbb5
SHA256

f90effcc43643dcf25642e51312ae89c91dcd8c4821026ccbc986b8196824ca5
SHA512

e33155d42fc1432c33a836f13c6cef94b27cc3424fd80c45a0d875cf55eb9f6c1d37c2e5c2c2f9db835eb65ad6107895748a87ed3bec780dd8b16ec03ccefaf5
SSDEEP

1536:1EGh0owl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0owl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179FD877-D69B-4868-BE0C-6CE44E12C334}\stubpath = "C:\\Windows\\{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe"	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}	{8326F3A5-21CA-4927-969F-215567F26926}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}\stubpath = "C:\\Windows\\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe"	{8326F3A5-21CA-4927-969F-215567F26926}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A827D1-FADD-4967-959F-4A9118E117F8}	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F5F5584-49BB-4375-9744-DA45D49ED62F}	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}\stubpath = "C:\\Windows\\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe"	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8326F3A5-21CA-4927-969F-215567F26926}	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8326F3A5-21CA-4927-969F-215567F26926}\stubpath = "C:\\Windows\\{8326F3A5-21CA-4927-969F-215567F26926}.exe"	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}\stubpath = "C:\\Windows\\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe"	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A827D1-FADD-4967-959F-4A9118E117F8}\stubpath = "C:\\Windows\\{70A827D1-FADD-4967-959F-4A9118E117F8}.exe"	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}\stubpath = "C:\\Windows\\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe"	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F5F5584-49BB-4375-9744-DA45D49ED62F}\stubpath = "C:\\Windows\\{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe"	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}\stubpath = "C:\\Windows\\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe"	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E72310C-6227-45e9-AA88-B052E21A10F5}	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E72310C-6227-45e9-AA88-B052E21A10F5}\stubpath = "C:\\Windows\\{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe"	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E29F1A-342F-493d-B860-3D47064D2E33}	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67E29F1A-342F-493d-B860-3D47064D2E33}\stubpath = "C:\\Windows\\{67E29F1A-342F-493d-B860-3D47064D2E33}.exe"	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{179FD877-D69B-4868-BE0C-6CE44E12C334}	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}\stubpath = "C:\\Windows\\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe"	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe

Executes dropped EXE 12 IoCs

pid	Process
2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe
3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
1492	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
4476	{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	{8326F3A5-21CA-4927-969F-215567F26926}.exe
File created	C:\Windows\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
File created	C:\Windows\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
File created	C:\Windows\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
File created	C:\Windows\{8326F3A5-21CA-4927-969F-215567F26926}.exe	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
File created	C:\Windows\{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
File created	C:\Windows\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
File created	C:\Windows\{70A827D1-FADD-4967-959F-4A9118E117F8}.exe	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
File created	C:\Windows\{67E29F1A-342F-493d-B860-3D47064D2E33}.exe	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
File created	C:\Windows\{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
File created	C:\Windows\{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
File created	C:\Windows\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8326F3A5-21CA-4927-969F-215567F26926}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
Token: SeIncBasePriorityPrivilege	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
Token: SeIncBasePriorityPrivilege	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
Token: SeIncBasePriorityPrivilege	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
Token: SeIncBasePriorityPrivilege	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
Token: SeIncBasePriorityPrivilege	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
Token: SeIncBasePriorityPrivilege	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe
Token: SeIncBasePriorityPrivilege	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
Token: SeIncBasePriorityPrivilege	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
Token: SeIncBasePriorityPrivilege	404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
Token: SeIncBasePriorityPrivilege	1492	{67E29F1A-342F-493d-B860-3D47064D2E33}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2116	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	89
PID 4476 wrote to memory of 2116	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	89
PID 4476 wrote to memory of 2116	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	89
PID 4476 wrote to memory of 684	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	90
PID 4476 wrote to memory of 684	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	90
PID 4476 wrote to memory of 684	4476	2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe	90
PID 2116 wrote to memory of 2320	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	91
PID 2116 wrote to memory of 2320	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	91
PID 2116 wrote to memory of 2320	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	91
PID 2116 wrote to memory of 5068	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	92
PID 2116 wrote to memory of 5068	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	92
PID 2116 wrote to memory of 5068	2116	{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe	92
PID 2320 wrote to memory of 5052	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	95
PID 2320 wrote to memory of 5052	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	95
PID 2320 wrote to memory of 5052	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	95
PID 2320 wrote to memory of 740	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	96
PID 2320 wrote to memory of 740	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	96
PID 2320 wrote to memory of 740	2320	{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe	96
PID 5052 wrote to memory of 224	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	97
PID 5052 wrote to memory of 224	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	97
PID 5052 wrote to memory of 224	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	97
PID 5052 wrote to memory of 856	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	98
PID 5052 wrote to memory of 856	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	98
PID 5052 wrote to memory of 856	5052	{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe	98
PID 224 wrote to memory of 1696	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	99
PID 224 wrote to memory of 1696	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	99
PID 224 wrote to memory of 1696	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	99
PID 224 wrote to memory of 556	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	100
PID 224 wrote to memory of 556	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	100
PID 224 wrote to memory of 556	224	{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe	100
PID 1696 wrote to memory of 472	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	101
PID 1696 wrote to memory of 472	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	101
PID 1696 wrote to memory of 472	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	101
PID 1696 wrote to memory of 2984	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	102
PID 1696 wrote to memory of 2984	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	102
PID 1696 wrote to memory of 2984	1696	{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe	102
PID 472 wrote to memory of 1372	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	103
PID 472 wrote to memory of 1372	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	103
PID 472 wrote to memory of 1372	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	103
PID 472 wrote to memory of 1820	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	104
PID 472 wrote to memory of 1820	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	104
PID 472 wrote to memory of 1820	472	{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe	104
PID 1372 wrote to memory of 3724	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	105
PID 1372 wrote to memory of 3724	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	105
PID 1372 wrote to memory of 3724	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	105
PID 1372 wrote to memory of 1748	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	106
PID 1372 wrote to memory of 1748	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	106
PID 1372 wrote to memory of 1748	1372	{8326F3A5-21CA-4927-969F-215567F26926}.exe	106
PID 3724 wrote to memory of 772	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	107
PID 3724 wrote to memory of 772	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	107
PID 3724 wrote to memory of 772	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	107
PID 3724 wrote to memory of 3720	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	108
PID 3724 wrote to memory of 3720	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	108
PID 3724 wrote to memory of 3720	3724	{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe	108
PID 772 wrote to memory of 404	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	109
PID 772 wrote to memory of 404	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	109
PID 772 wrote to memory of 404	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	109
PID 772 wrote to memory of 3440	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	110
PID 772 wrote to memory of 3440	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	110
PID 772 wrote to memory of 3440	772	{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe	110
PID 404 wrote to memory of 1492	404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe	111
PID 404 wrote to memory of 1492	404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe	111
PID 404 wrote to memory of 1492	404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe	111
PID 404 wrote to memory of 656	404	{70A827D1-FADD-4967-959F-4A9118E117F8}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_0d33c41443c0f4d0a2edb08376980b58_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
  C:\Windows\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
    C:\Windows\{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
      C:\Windows\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
        
        C:\Windows\{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
        
        C:\Windows\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
        
        C:\Windows\{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{8326F3A5-21CA-4927-969F-215567F26926}.exe
        
        C:\Windows\{8326F3A5-21CA-4927-969F-215567F26926}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
        
        C:\Windows\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
        
        C:\Windows\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
        
        C:\Windows\{70A827D1-FADD-4967-959F-4A9118E117F8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
        
        C:\Windows\{67E29F1A-342F-493d-B860-3D47064D2E33}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe
        
        C:\Windows\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67E29~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A82~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E3A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44B6E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8326F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E723~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F59~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{179FD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96D52~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9F5F5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C8B2E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{179FD877-D69B-4868-BE0C-6CE44E12C334}.exe

Filesize
192KB

MD5
a1a8eb5e4ec77a82b570eb0d2a177f83

SHA1
061c872e625ef3b1181ad93a759443e9704ad307

SHA256
e005222f516c49115519b653bad83795bc94cb895248737ce4d66de133390103

SHA512
cc4ae61fe703f4f67ee37e3615872ab5fd230754222efe8341918f85c80b0f0823fa4d46bf92b661b0b8bdfbf79956a9b344d56f01d45d7ddc998a17a1760054

Download Submit
C:\Windows\{29E3ABD8-5475-4628-B2DF-4A6FB6B4ADDA}.exe

Filesize
192KB

MD5
c0ba1e746230384a4919bb3971b6ef82

SHA1
7a1f7cd36e6ace375a1e60390d3a4dc0b2bfe58d

SHA256
9bb1870a7e3d775b4294fc75b48cb9c56ea0a7e6abff06c1dfd9797b713522fc

SHA512
656b75139ed60a110da9431c876dabd14eaddbd9df481c1066e418b363b195089a634bc766c45594f1e65713bdb5f982eb4ce8c81ad6592a103caa9aad3cd1a7

Download Submit
C:\Windows\{3E72310C-6227-45e9-AA88-B052E21A10F5}.exe

Filesize
192KB

MD5
7abf1c23df3331f22a4e131a3a971272

SHA1
f3a5add63ab219d6b65f5a0ae710405a8aa207d8

SHA256
bbf0990a16dc73b58d6b02a03fdcce8806c516d8852122573b3406670f10c204

SHA512
5891f8caa9655436df692f4b74169ffc7ccb7bf4a7a4ca3c22908b551ba30287d19dd76c2bd7f5619ad661af8b6d1c25a3a908d46ebdabae207067875f90e4ec

Download Submit
C:\Windows\{44B6E74D-732A-43c2-BCD7-E2B38659C5DC}.exe

Filesize
192KB

MD5
49786118e37606ce68f2812e114c3443

SHA1
b6a0849041b7ccd07a9724dcf59b8819324fcd2d

SHA256
ca4e97b02a05e1dcd0463a37ed3c5f656e3674fc61bec27e7b5ee240124bc45d

SHA512
337c316c8f89d3aa2da24f46230344391406993e144e54ce1de96d840329ae5bc4ac443674c9981edc94a8b2c9fa05db414ebd54057bc42ac0a1a09ede157d7c

Download Submit
C:\Windows\{67E29F1A-342F-493d-B860-3D47064D2E33}.exe

Filesize
192KB

MD5
c5f5cafce2cf03212d97c8652bb54088

SHA1
b5db6e30bf048ecf58b302f6c21b40916aef61f8

SHA256
4a7aaa4af250b84af8f423ee24ce76e1ef216ec3e9b1bfa5d8e6a4c8b6459792

SHA512
a58195227f01b20e4a713cfa2035da3264f00afb50d6ac4b7fc83cd19da05038e4c7177ad0161e764c2f4896a4af200ab04dbac6330f0aa2dcaba26ade751c7d

Download Submit
C:\Windows\{70A827D1-FADD-4967-959F-4A9118E117F8}.exe

Filesize
192KB

MD5
46010053076bd3f7bd0578cf09458125

SHA1
0238ca7c1859713c55e1c3fcbb2268bbeb5de518

SHA256
22409ba72a19ab5810bbc44ba33cce16607313a8538e2d9809ea42943749a2ad

SHA512
5b0dc7e6f867cc6ec3afc67bd343c372fde7faa72d52a4597f6c9859aa5ff5c2a5825543fbe923fc4c938c14a8625cde16bf0fac928e7ee51cbf49c979f57dfd

Download Submit
C:\Windows\{8326F3A5-21CA-4927-969F-215567F26926}.exe

Filesize
192KB

MD5
027be5ecdc2cafbeef5421a6d321839c

SHA1
9f908508b54fb56b944430c9e4e9e27185c3df9e

SHA256
953d3428fb96e6f90a70594d1bc1d9c5a320976f01b48a4d2b7409295a7e287c

SHA512
4b0cf2ab7d58628e64668eeca33a1443aa10613dc30f52fb8b6645289e5e7c0aed57b5c67f5dc1af483b0623374799fc3200f8fef756be2bb5bd1a4d4a37b31f

Download Submit
C:\Windows\{96D52FD3-CE0B-44c2-ACD0-E5D4D5158E28}.exe

Filesize
192KB

MD5
a18cfe9d962f0f221159225dc7864a8e

SHA1
873398d3ab01da739d7a2bd0d8b242dec7cca7e5

SHA256
06b752b72b73fd32ef5b5d587b58bb0172ef67193bc808e6632def537d959e16

SHA512
cff882385850e72aa8242544d446a265cc989253c0e6ba17857461fb313ca7f70c9f267a7610a2bf3187e198a91eaefb12dbac378f5c27bca733f8d61f73b2e3

Download Submit
C:\Windows\{9F5F5584-49BB-4375-9744-DA45D49ED62F}.exe

Filesize
192KB

MD5
463d6b9f3067f697f178613887abf243

SHA1
e7f5fb93b082263490673d74c4940f918b9c21bd

SHA256
413d027ef34341b42bf888edc3ff31cf0b9aa48fe31ff27243f97fd74dd13172

SHA512
3c9a4f21a58d413ba2a5b453d89595f9bcd4070a2e4f7601912f093a6dace20d3921a5ffcda549b5d2ad4718895b5b7da00a77b6dd68d68866625fd943cdc55f

Download Submit
C:\Windows\{C5F59E7F-CA65-4bb9-BCF3-BD44E93796AF}.exe

Filesize
192KB

MD5
a82fd3585aa7550bc466e50c29c4c317

SHA1
a2c10ac2a2e1362714dc95989de77d9caf871318

SHA256
ed150f703580de26b0d3c4caf41551d1df5e7669359603fffd61388ba3ddf642

SHA512
2f394277c9f1fc302747d555d312d9a15e4d2c0a7176e2e703ad1d17ca9239bd584377df1327746e883ee7d31ae4e8fdaaf54e7258d374b5a3ba3361693be9c6

Download Submit
C:\Windows\{C8B2E48B-F651-426a-8353-E5DF7EA008F1}.exe

Filesize
192KB

MD5
6c877622a350cb6671a74530c7692cef

SHA1
c6d7788ad2717fb6e2a9724ee24166d613a04cbf

SHA256
bb87b9efe3610b24783bc97a3c8c1f76b6496fbc2c1249e42614caa5458e5142

SHA512
bc555f6c15ec8ed5c2fac8b52d5e404f1ff2326eeb89541c4e2bf1e7256fb3ea2c54a06967a84def91896f11c08c88d3ee143e0de3cf777ccb1b59d9c09e68d2

Download Submit
C:\Windows\{DFA16194-146B-4a8f-B8AA-7E63A2444FB8}.exe

Filesize
192KB

MD5
c6cd619aac8f9142945780913fcdf442

SHA1
fc0c6ffe605fa539af6ef2c7c9480325ae6b54e7

SHA256
cdaad769ce67562aaef7151cd1cc7312e585d17a5e4f33b62ab6cb7e01c6d63a

SHA512
2736370cb9308e90f2382a77c737950370c9be0afbb12d85cd0adca1d2943a39333166de8882c600baacf0df03618f88d5805c7e46f69b5be1cceb9de3210722

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads