755308bee753dbd1021527b66d26ecfe178cbc31006aee4cf17a07dad014cacd

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
Size

192KB
MD5

4d4c4beb28cdb26fc9e135713c74482d
SHA1

c8c120fd7352b22c69ae8c8498ea627d67182b5b
SHA256

755308bee753dbd1021527b66d26ecfe178cbc31006aee4cf17a07dad014cacd
SHA512

f39a7f65b1f4f02d379667478c4e4da03d833c420dc8c29a3eaa6798671d4ce2fb74ec357caf7f529213eedc7373a662ee5628059ac0b4a018ee79a1ae59c7c7
SSDEEP

1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oSl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C153EF32-83C5-4bcf-B935-68B8947163E4}	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}\stubpath = "C:\\Windows\\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe"	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}\stubpath = "C:\\Windows\\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe"	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}\stubpath = "C:\\Windows\\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe"	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C153EF32-83C5-4bcf-B935-68B8947163E4}\stubpath = "C:\\Windows\\{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe"	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42662744-71BE-48f4-828E-BC7A452C0305}\stubpath = "C:\\Windows\\{42662744-71BE-48f4-828E-BC7A452C0305}.exe"	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}\stubpath = "C:\\Windows\\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe"	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95616AA7-930D-4c3c-81D6-9A716BB2056D}	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}\stubpath = "C:\\Windows\\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe"	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}\stubpath = "C:\\Windows\\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe"	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42662744-71BE-48f4-828E-BC7A452C0305}	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}\stubpath = "C:\\Windows\\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe"	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DECD2815-BD2C-4f2d-8457-407970276E30}	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95616AA7-930D-4c3c-81D6-9A716BB2056D}\stubpath = "C:\\Windows\\{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe"	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}\stubpath = "C:\\Windows\\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe"	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DECD2815-BD2C-4f2d-8457-407970276E30}\stubpath = "C:\\Windows\\{DECD2815-BD2C-4f2d-8457-407970276E30}.exe"	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe

Executes dropped EXE 12 IoCs

pid	Process
1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
4344	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
3616	{DECD2815-BD2C-4f2d-8457-407970276E30}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
File created	C:\Windows\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
File created	C:\Windows\{DECD2815-BD2C-4f2d-8457-407970276E30}.exe	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
File created	C:\Windows\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
File created	C:\Windows\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
File created	C:\Windows\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
File created	C:\Windows\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
File created	C:\Windows\{42662744-71BE-48f4-828E-BC7A452C0305}.exe	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
File created	C:\Windows\{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
File created	C:\Windows\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
File created	C:\Windows\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
File created	C:\Windows\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DECD2815-BD2C-4f2d-8457-407970276E30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
Token: SeIncBasePriorityPrivilege	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
Token: SeIncBasePriorityPrivilege	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
Token: SeIncBasePriorityPrivilege	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
Token: SeIncBasePriorityPrivilege	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe
Token: SeIncBasePriorityPrivilege	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
Token: SeIncBasePriorityPrivilege	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
Token: SeIncBasePriorityPrivilege	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
Token: SeIncBasePriorityPrivilege	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
Token: SeIncBasePriorityPrivilege	4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
Token: SeIncBasePriorityPrivilege	4344	{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 1300	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	87
PID 3760 wrote to memory of 1300	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	87
PID 3760 wrote to memory of 1300	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	87
PID 3760 wrote to memory of 1416	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	88
PID 3760 wrote to memory of 1416	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	88
PID 3760 wrote to memory of 1416	3760	2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe	88
PID 1300 wrote to memory of 1640	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	91
PID 1300 wrote to memory of 1640	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	91
PID 1300 wrote to memory of 1640	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	91
PID 1300 wrote to memory of 3960	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	92
PID 1300 wrote to memory of 3960	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	92
PID 1300 wrote to memory of 3960	1300	{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe	92
PID 1640 wrote to memory of 1732	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	95
PID 1640 wrote to memory of 1732	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	95
PID 1640 wrote to memory of 1732	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	95
PID 1640 wrote to memory of 3316	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	96
PID 1640 wrote to memory of 3316	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	96
PID 1640 wrote to memory of 3316	1640	{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe	96
PID 1732 wrote to memory of 4604	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	97
PID 1732 wrote to memory of 4604	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	97
PID 1732 wrote to memory of 4604	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	97
PID 1732 wrote to memory of 1620	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	98
PID 1732 wrote to memory of 1620	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	98
PID 1732 wrote to memory of 1620	1732	{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe	98
PID 4604 wrote to memory of 1892	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	99
PID 4604 wrote to memory of 1892	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	99
PID 4604 wrote to memory of 1892	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	99
PID 4604 wrote to memory of 692	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	100
PID 4604 wrote to memory of 692	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	100
PID 4604 wrote to memory of 692	4604	{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe	100
PID 1892 wrote to memory of 3576	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	101
PID 1892 wrote to memory of 3576	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	101
PID 1892 wrote to memory of 3576	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	101
PID 1892 wrote to memory of 1284	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	102
PID 1892 wrote to memory of 1284	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	102
PID 1892 wrote to memory of 1284	1892	{42662744-71BE-48f4-828E-BC7A452C0305}.exe	102
PID 3576 wrote to memory of 5112	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	103
PID 3576 wrote to memory of 5112	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	103
PID 3576 wrote to memory of 5112	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	103
PID 3576 wrote to memory of 740	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	104
PID 3576 wrote to memory of 740	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	104
PID 3576 wrote to memory of 740	3576	{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe	104
PID 5112 wrote to memory of 1804	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	105
PID 5112 wrote to memory of 1804	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	105
PID 5112 wrote to memory of 1804	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	105
PID 5112 wrote to memory of 4808	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	106
PID 5112 wrote to memory of 4808	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	106
PID 5112 wrote to memory of 4808	5112	{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe	106
PID 1804 wrote to memory of 1576	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	107
PID 1804 wrote to memory of 1576	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	107
PID 1804 wrote to memory of 1576	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	107
PID 1804 wrote to memory of 4128	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	108
PID 1804 wrote to memory of 4128	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	108
PID 1804 wrote to memory of 4128	1804	{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe	108
PID 1576 wrote to memory of 4104	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	109
PID 1576 wrote to memory of 4104	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	109
PID 1576 wrote to memory of 4104	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	109
PID 1576 wrote to memory of 3536	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	110
PID 1576 wrote to memory of 3536	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	110
PID 1576 wrote to memory of 3536	1576	{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe	110
PID 4104 wrote to memory of 4344	4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe	111
PID 4104 wrote to memory of 4344	4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe	111
PID 4104 wrote to memory of 4344	4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe	111
PID 4104 wrote to memory of 4500	4104	{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_4d4c4beb28cdb26fc9e135713c74482d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
  C:\Windows\{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
    C:\Windows\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
      C:\Windows\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
        
        C:\Windows\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\{42662744-71BE-48f4-828E-BC7A452C0305}.exe
        
        C:\Windows\{42662744-71BE-48f4-828E-BC7A452C0305}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
        
        C:\Windows\{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
        
        C:\Windows\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
        
        C:\Windows\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
        
        C:\Windows\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
        
        C:\Windows\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
        
        C:\Windows\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\{DECD2815-BD2C-4f2d-8457-407970276E30}.exe
        
        C:\Windows\{DECD2815-BD2C-4f2d-8457-407970276E30}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E13B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54D49~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B3DF~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02593~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E706~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C153E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42662~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A00A0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C617~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{01663~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95616~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01663BD5-596B-40d6-AE8A-F6CA884F7C96}.exe

Filesize
192KB

MD5
7ddc68763861bfcec38ad1ad61655f70

SHA1
b15b859941f0002f5d6b2f48880af5729e14472c

SHA256
6f452a91b299c5b5a70fd0c142811cff7ca6e8865131cffd8deafac6c289e97b

SHA512
fb641cd5d70ad52ba887834527ddab87e2adb47575d761fb6262e8425c7b25048a2e15891b2f35fd6f48cb1e94ba7e250527a208b48db3f2aaaec222e2c4dd2d

Download Submit
C:\Windows\{02593748-F677-4e29-BEC2-A57B5ED5D1A3}.exe

Filesize
192KB

MD5
261f12725ad95c36b5bdabbb53b51771

SHA1
f0b1ffa88cffd54172f76038292183e8090513b5

SHA256
00badf00b341a5bdb09ff4faa1fc60884fa7ca770f8ad91127c7d8bc8520ec0f

SHA512
90c6750a1612b716be7d08a0554275fab23e54ed894e1debafd88bd6d9afbc7a91873e43eafbbc451606f2bbc15ef9b002a919010165fb42564c66c2f947c0b4

Download Submit
C:\Windows\{1E13BF82-2F92-4059-A7B1-ED8CE6740C84}.exe

Filesize
192KB

MD5
1fadca39db108d046d85c5bf06fd68bf

SHA1
e5043b28388f41d61f048a308367b202f87948c1

SHA256
e784554b1e91836ae5612660be94ed13b2768e4e350a532a482518b010898c0b

SHA512
087011d90518ba1ef0d9ae03331bfecd2c1db7223670d91509fdae9d7b95f3131f449d39a158ecab9fa5832e80731dde6fce9ceb63b0ede64fd8a501b34c38d4

Download Submit
C:\Windows\{42662744-71BE-48f4-828E-BC7A452C0305}.exe

Filesize
192KB

MD5
881090088f866082aa23d5e64dbd1f3f

SHA1
5c2ccb1f810b028cdd0e26627fda0609e6a451a7

SHA256
df27580eb22f97f0dc7f68a54ce4468e2e5d17a512237fbb8b2f89e7e665a263

SHA512
48ae3e41e16adb21e611cff01ac17ac0be9b6d2a4844c1ba744acc3516d3b1eef46df7d1b9420bad34b014467ca96d18fab2f25c3df60b92b2819462dc6450c1

Download Submit
C:\Windows\{54D49A7E-59C4-4e6f-8CF8-BC6B4D976FC6}.exe

Filesize
192KB

MD5
88256c67b09a499089d805239f33b7f9

SHA1
6d8b66ac0d43c494089695001c1c179fd38a3949

SHA256
72e31fde580be03edc4e18ff63b163ed9a71c00409c7cf0235e57ef424283f26

SHA512
51db3445568c6b5c9a9e0799d2f0610051cc27dcde963479b09ec36e5f830b19b7c1a54d2f6210a0f7145c1397a662c4bb60d2b70d3ed5113c890a89deb7506e

Download Submit
C:\Windows\{5B3DFF8D-3184-49e1-B99D-F0CCCEBDEB48}.exe

Filesize
192KB

MD5
6ab1cf8832636d8878c3d40446c3cc5a

SHA1
1be3fda91322ed9b978ee17a05f20262534fdf6e

SHA256
1482de3b39877dab834728be486535cfe57d9e1db21706f8273ce3e7e1d7025a

SHA512
19e0577e6714f5092dcfb4680ce07bf0b276b5c3f859dd9687b88c5bce627eadff169c9e149372e2a2d166278aaeab69039233bf0f2ddb888934d6af3c229566

Download Submit
C:\Windows\{5C6175F1-B675-4f29-85F1-CEA9EE239C92}.exe

Filesize
192KB

MD5
921aac121cd901e77f16185ddcfb3a29

SHA1
856292a4fb53ef16fc4d9f8c1c9d091f3b07df4c

SHA256
322c50dc3ca09c16c31823fc03774c6bff4f8d8a59647d45b3ed2be3dc626ec6

SHA512
adec87d3c0187bbe4769a1a7192015edffa04bd95057025a5a09701d8a033feee76a97b4612ce754ad62216e9fb4b691e7407f9f48489cf428a47873e3a75559

Download Submit
C:\Windows\{95616AA7-930D-4c3c-81D6-9A716BB2056D}.exe

Filesize
192KB

MD5
59ebb5b6658a1da64ea4d208556ad1be

SHA1
29dc66aa2c0901045f60474a22c75efe34cd1e6d

SHA256
809fca3f4825f31cd6adca9902b9956cad1f277497aefeac302197fa14247e66

SHA512
a0061fc40ab02ecd1da7d449fd664c6660ac491702891465874e226a8f38dc0da3efc4be7d50ee8e3c6db342c2babca740571495fbc1a5eb102e609740479b82

Download Submit
C:\Windows\{9E70666A-E632-4e93-B4B4-7AE8224DBAB7}.exe

Filesize
192KB

MD5
32836f6665a9a66b5391b6b1981acabf

SHA1
2dc3118e28d2dea288dcaebe7590449a1593a6c0

SHA256
b7cb78c4b0d7e96235603a1b9bc44c44ebd85d02342f8b59dcba8fcc14892892

SHA512
4d1e81985da96b85d840074da86a0bcce78690b7f24f8c37b3ec63e80f7bfe97c5e7e48b48e4a7266014076ae7485f7d0297d2571ef9fc23c08e537ec18e3dd8

Download Submit
C:\Windows\{A00A04FE-ADB0-42cf-864D-86B4DD93320B}.exe

Filesize
192KB

MD5
e0c02460b384b41bcaefe5e54519b24f

SHA1
2e708f6354a6fea4a3995e2e810a723679400e5d

SHA256
87671802557ef0e20529ea309f1c4d18720a3052031076dd70ffdc6d6bca1d46

SHA512
2933aefa4c18577bbc9d341e09513b61c7c3c97476d5e4f9a0014454a1b5856a4a96a435d82113da89b87ef1772743b8c23b120153f0992dd0bb914c1c4623f0

Download Submit
C:\Windows\{C153EF32-83C5-4bcf-B935-68B8947163E4}.exe

Filesize
192KB

MD5
d79396a303ba3abbbaace149c7ea5fd6

SHA1
96e47bcebfc47c37d8c1cfb209befeaf9c5d9673

SHA256
1b3715e8cdd7571daaae47e8d0d0514b25d005b4ab8dbddce523e77372b4074a

SHA512
f9f86c85889ac6cc207be609b3b3602d64e444e10bf4f3173d3ea8fb9e7aeb776df675771b0fae7fa40ad1e52d95f8eb879a382d864c35313aea46f631165066

Download Submit
C:\Windows\{DECD2815-BD2C-4f2d-8457-407970276E30}.exe

Filesize
192KB

MD5
d1e67660476d3822c47053fce9de9fec

SHA1
5efa044e99aea60a5c9a57b84afbd15bf887fd47

SHA256
7677ecf4d40d3004e88de7fe100430a3672136ea209c06a3a2ea4fd6d737dc8a

SHA512
f592943095317698e65c512706e5b0b1fb2729a587338c9907a5968ac2f1777587637a66a381c849001ccefd020ca505dfdb96a84b4df54d353f3b3f28470cf2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads