198ccccefc77221033868e3b4347fbc2caed4ed3c203692b721c1e5c8415f04f

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Size

192KB
MD5

1f03612414259e25895c05f0c5e3910f
SHA1

57993210d8791d5be41c8cd04a639c7a6c9761c6
SHA256

198ccccefc77221033868e3b4347fbc2caed4ed3c203692b721c1e5c8415f04f
SHA512

17d54a2051a2e0544368e97ead0d92e3cd6d80ee5f1852a47303e4bfa8096ca80107fd74af9781105cef61c5306eab4ca7bb48f67bd9262875edf5ed0da43e4b
SSDEEP

1536:1EGh0odl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0odl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}\stubpath = "C:\\Windows\\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe"	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD59689B-51F1-489f-9457-0137C2A07668}	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD59689B-51F1-489f-9457-0137C2A07668}\stubpath = "C:\\Windows\\{DD59689B-51F1-489f-9457-0137C2A07668}.exe"	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}\stubpath = "C:\\Windows\\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe"	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}\stubpath = "C:\\Windows\\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe"	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}\stubpath = "C:\\Windows\\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe"	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}\stubpath = "C:\\Windows\\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe"	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}\stubpath = "C:\\Windows\\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe"	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}\stubpath = "C:\\Windows\\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe"	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}\stubpath = "C:\\Windows\\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe"	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}\stubpath = "C:\\Windows\\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe"	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}\stubpath = "C:\\Windows\\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe"	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}\stubpath = "C:\\Windows\\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe"	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe

Executes dropped EXE 12 IoCs

pid	Process
3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
3516	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
2752	{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DD59689B-51F1-489f-9457-0137C2A07668}.exe	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
File created	C:\Windows\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
File created	C:\Windows\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
File created	C:\Windows\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
File created	C:\Windows\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
File created	C:\Windows\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
File created	C:\Windows\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
File created	C:\Windows\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
File created	C:\Windows\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
File created	C:\Windows\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
File created	C:\Windows\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
File created	C:\Windows\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
Token: SeIncBasePriorityPrivilege	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
Token: SeIncBasePriorityPrivilege	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
Token: SeIncBasePriorityPrivilege	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
Token: SeIncBasePriorityPrivilege	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
Token: SeIncBasePriorityPrivilege	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
Token: SeIncBasePriorityPrivilege	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
Token: SeIncBasePriorityPrivilege	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
Token: SeIncBasePriorityPrivilege	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe
Token: SeIncBasePriorityPrivilege	2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
Token: SeIncBasePriorityPrivilege	3516	{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3872	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	82
PID 2996 wrote to memory of 3872	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	82
PID 2996 wrote to memory of 3872	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	82
PID 2996 wrote to memory of 1000	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	83
PID 2996 wrote to memory of 1000	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	83
PID 2996 wrote to memory of 1000	2996	2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe	83
PID 3872 wrote to memory of 3724	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	84
PID 3872 wrote to memory of 3724	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	84
PID 3872 wrote to memory of 3724	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	84
PID 3872 wrote to memory of 916	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	85
PID 3872 wrote to memory of 916	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	85
PID 3872 wrote to memory of 916	3872	{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe	85
PID 3724 wrote to memory of 2292	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	88
PID 3724 wrote to memory of 2292	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	88
PID 3724 wrote to memory of 2292	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	88
PID 3724 wrote to memory of 3788	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	89
PID 3724 wrote to memory of 3788	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	89
PID 3724 wrote to memory of 3788	3724	{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe	89
PID 2292 wrote to memory of 4660	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	94
PID 2292 wrote to memory of 4660	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	94
PID 2292 wrote to memory of 4660	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	94
PID 2292 wrote to memory of 804	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	95
PID 2292 wrote to memory of 804	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	95
PID 2292 wrote to memory of 804	2292	{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe	95
PID 4660 wrote to memory of 400	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	98
PID 4660 wrote to memory of 400	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	98
PID 4660 wrote to memory of 400	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	98
PID 4660 wrote to memory of 3108	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	99
PID 4660 wrote to memory of 3108	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	99
PID 4660 wrote to memory of 3108	4660	{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe	99
PID 400 wrote to memory of 4156	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	100
PID 400 wrote to memory of 4156	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	100
PID 400 wrote to memory of 4156	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	100
PID 400 wrote to memory of 4016	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	101
PID 400 wrote to memory of 4016	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	101
PID 400 wrote to memory of 4016	400	{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe	101
PID 4156 wrote to memory of 5036	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	102
PID 4156 wrote to memory of 5036	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	102
PID 4156 wrote to memory of 5036	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	102
PID 4156 wrote to memory of 4928	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	103
PID 4156 wrote to memory of 4928	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	103
PID 4156 wrote to memory of 4928	4156	{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe	103
PID 5036 wrote to memory of 3376	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	104
PID 5036 wrote to memory of 3376	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	104
PID 5036 wrote to memory of 3376	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	104
PID 5036 wrote to memory of 3948	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	105
PID 5036 wrote to memory of 3948	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	105
PID 5036 wrote to memory of 3948	5036	{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe	105
PID 3376 wrote to memory of 4476	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	106
PID 3376 wrote to memory of 4476	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	106
PID 3376 wrote to memory of 4476	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	106
PID 3376 wrote to memory of 4472	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	107
PID 3376 wrote to memory of 4472	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	107
PID 3376 wrote to memory of 4472	3376	{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe	107
PID 4476 wrote to memory of 2056	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	108
PID 4476 wrote to memory of 2056	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	108
PID 4476 wrote to memory of 2056	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	108
PID 4476 wrote to memory of 1976	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	109
PID 4476 wrote to memory of 1976	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	109
PID 4476 wrote to memory of 1976	4476	{DD59689B-51F1-489f-9457-0137C2A07668}.exe	109
PID 2056 wrote to memory of 3516	2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe	110
PID 2056 wrote to memory of 3516	2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe	110
PID 2056 wrote to memory of 3516	2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe	110
PID 2056 wrote to memory of 432	2056	{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_1f03612414259e25895c05f0c5e3910f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
  C:\Windows\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
    C:\Windows\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
      C:\Windows\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
        
        C:\Windows\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
        
        C:\Windows\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
        
        C:\Windows\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
        
        C:\Windows\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
        
        C:\Windows\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\{DD59689B-51F1-489f-9457-0137C2A07668}.exe
        
        C:\Windows\{DD59689B-51F1-489f-9457-0137C2A07668}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
        
        C:\Windows\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
        
        C:\Windows\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe
        
        C:\Windows\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDAFA~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D012~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD596~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D14B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B10E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8181E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81D90~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73BC3~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B05CC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4F2DA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D6C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4F2DAB9B-B089-45d2-A839-B4B2AF6465EE}.exe

Filesize
192KB

MD5
02dba11450218b7a08e768433ef4156e

SHA1
3c75e2a59ae2b805007228a350c5804ae4ecac71

SHA256
c5bc95544b9aa659bdc21c24301c01506f1c2b8b4420d08d300d47296eec93ae

SHA512
f0af1e619c846b50a0f2c3dfb420a61be05563e8733e5236d84f193374c05ea812dac0a706ace65bf0deec126f92c268624eac8775436c2f067189d45116c2e2

Download Submit
C:\Windows\{6D012A0B-4D7F-41fe-800C-6623EF068ED3}.exe

Filesize
192KB

MD5
854069528ebd3e846b831c16df108e93

SHA1
52c2f9d293feb867a7fb69dcd33c53be24443e1f

SHA256
ffdb90fc1be6e0f1df9ffe9aade5e42afc7c1513878415425e959b7743a986c0

SHA512
a5ec92a0e15e9e7965ff5998938dae1023821558f01c17567c47c359205e7413770cb2794521bae034c0ffaf4f07b17b8f481b9cb6197e2188476f59df36c31d

Download Submit
C:\Windows\{73BC34FD-BFFD-4db6-8DD7-15AE9355ABA9}.exe

Filesize
192KB

MD5
edf18ab8c9ff8df14cad9f0c4b9c9655

SHA1
f53f07827b4688c85d289132f5c923ff8942b291

SHA256
c7fe1a1e3cbdc712ce075c14cc9258a0a32167b8008986564a4e19fe38547157

SHA512
33ac20c7ef713a79486e91d5a20825b21bbf9021efae125571c26ad6ae900ced346a4eb8833f2391bf17bf2e70b68a147fd47c27b6c6ffa47625101c5b8dd1e5

Download Submit
C:\Windows\{8181E912-F30F-4ad8-BA4F-08483C2C49B9}.exe

Filesize
192KB

MD5
1daf56d328ff86818aa0c114bc3c7924

SHA1
5b6a13a29440cc91d0b1c9d416b30c66c3019774

SHA256
9ec10693e8cba05fd304a04ded32919e5698df85c895ba8db7db0634005f2f0c

SHA512
72400403b4f65ef20a75cdaf9e972979a785d2d22638bd08d9e0704707a3843479d5e37c36cfd4b974acfe5847ea9d958216044ce582a1760962f27c2141846d

Download Submit
C:\Windows\{81D903BF-4E90-46f9-BE58-F6BCF565AA96}.exe

Filesize
192KB

MD5
b68455d774841717629f292b826d15e1

SHA1
23d62e40eee39d4e06b6a82d184aac4b8f93659e

SHA256
ab43c94cdbb6cebc0fd3a7fafb1064fe52770124579d83bdf1dc821553f9e8f0

SHA512
d4e0fece7d5b40fd00e17fff78da9cf78b03ae9fb0abc745602dc7e9abac0877b8788000d96fc39cc7813d70981089055d1aa802bda9056317666b716d8402ea

Download Submit
C:\Windows\{8D14BF46-D702-4ef7-BD0F-3F43D89546B5}.exe

Filesize
192KB

MD5
e2b5afeb6e5fde70a49b105dddbb618d

SHA1
627da75410c6393b558a62d2836dda9c19781fc6

SHA256
2edd89328612abf5f71a6f7816cea4382e6d202bbebdd591aaae851ae909fca5

SHA512
abd0a47eb8417df0a998e45214fef2e858ea505e61b4b603efa2235e9a13263a53ad04f5fd547cfc2ea885255ab9ec85fcd5640a0756043264604f613a8f311a

Download Submit
C:\Windows\{996975A1-8EBA-4930-A3BB-0F3E8DC09CBE}.exe

Filesize
192KB

MD5
083ced3f332c8e7743f7a8fd3986a19a

SHA1
7cbee1e3f4560de2c5e4ca3110457a7aaf0e1ca9

SHA256
dcd66c561d527dfcab7bb9281575c66d990b7620c6d4fdec7b6e9e1dcd8c3f5c

SHA512
bd4b40fdebe8a8246ad703a85db8de4fd8f42ac4b20446104d298eb98a4c85d8845bad32025a83c1bed284e80caead564702653b87ee6626a8b4a2a0b35a14c0

Download Submit
C:\Windows\{B05CCCA4-0777-400e-A2F0-9369BBAB2FBC}.exe

Filesize
192KB

MD5
69027672fe045703b8e76313a30f0e67

SHA1
0bc0a5344bf1945347432da48bf1550b37da662a

SHA256
10fbc326e0014bf9a21d2d0a85719514c7ed597fdab8ef92f20ef8768661fe07

SHA512
6fe7f66b2c357e9831c8ae7a7bd2cccc9f06709244eb237ce107a45e349ef2cc94de1aac7c010ebffa8dec30517f01f82a586aba6de0ecfef182f3b260a5a10a

Download Submit
C:\Windows\{B10E4FDF-66E4-48b7-8BFE-98A182FD4CCA}.exe

Filesize
192KB

MD5
fef0d9aaff9ee1aea1d8561362c8d96f

SHA1
1fba9ed2f7d526366655cefde8ba48ac69cc953b

SHA256
a9977601e2a5b9d7db37040820aed000b1efa4174d07bc5a18e3ed7e448f6ebf

SHA512
2b10c0ee19cb95a1a70dc09e6a01a14ec49f24da78e5d19a7470c97be08a12c1528e46899311f9c31864a93c029f26a344554ffa939560b93f72ae81d499d3da

Download Submit
C:\Windows\{DD59689B-51F1-489f-9457-0137C2A07668}.exe

Filesize
192KB

MD5
6adfe4a0d9799e4a727f42f762e755b5

SHA1
73363a8cf93ea12efd767c9f80dd7b18a02677b6

SHA256
349424665637a41d0432c318980125df1321830e2841a490df8f46f4e9c5e37b

SHA512
124099689af4d528ba99eeac4c45f74469dbba932e9c1fe30f555d5ab2677a5ab157d2d519d5e94892e2041ab89d028e64d09edd62e6742252794baba863ad00

Download Submit
C:\Windows\{E9D6CA95-6455-44e4-8E06-0A8E97D90CB4}.exe

Filesize
192KB

MD5
b573d431c4432dbdee9da7274ac82e72

SHA1
151b6142b954902b909a727780dbb229f6ceaee1

SHA256
b8fa6cf7f87fa7c556a576ce4dc819a8ae0a6b2ae400c7ec432f9660b0c692f4

SHA512
6ab595901ced7dcf783e958b89d8f431a4614ba493306a83d03bf92023c7b1fc15c3eb7d97948690bbcc0e7f81285c441644d724227f7aed52459bc073583578

Download Submit
C:\Windows\{EDAFAE9F-78BD-4486-9BA6-107F0ED48C26}.exe

Filesize
192KB

MD5
9308b196240c6a1fd0ff1dd3b41bd5be

SHA1
d33f33df326b1ceb566a1be8c5faa7626fe1b552

SHA256
044ea0f92ce9d49fe5fdbd7b8099f455361a5988bb603129743c534dce52f468

SHA512
cc7f16a1641162afa84c7ab15b1e8adb456e552e171e8742022746d5dad55abf3481adc2fe9e814617c1400f006d34fcd668f4111c9a7aa5a5c2e0a7ebc5d4e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads