13c23094edd1c20bcfa7cfbf04b46598d15e4ceb62e075418f4077075f222d4f

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
Size

192KB
MD5

25861ea2893539cd23cb931ad9fbf92e
SHA1

e573e98263a326f9bd4e558ae354c30a6a9c2c33
SHA256

13c23094edd1c20bcfa7cfbf04b46598d15e4ceb62e075418f4077075f222d4f
SHA512

dc723717327501e11b8aa3642cd2fbba444dcd82a9f5064df8c3ea25e7dd9df4cd1d359b6faad2ad613b5a44ba09d64be1adb05cba865247a7f717a2ed62cdab
SSDEEP

1536:1EGh0o1l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o1l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA386CED-9583-477a-A293-7C7340B11749}\stubpath = "C:\\Windows\\{DA386CED-9583-477a-A293-7C7340B11749}.exe"	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D68563-2AAC-4a14-A4AD-0202C90DF387}	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94D68563-2AAC-4a14-A4AD-0202C90DF387}\stubpath = "C:\\Windows\\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe"	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A09470-D918-485d-9C1E-870F282E80D5}	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}\stubpath = "C:\\Windows\\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe"	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A002CF13-7790-4203-801B-CC32763045A8}\stubpath = "C:\\Windows\\{A002CF13-7790-4203-801B-CC32763045A8}.exe"	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63C124B9-78DF-49c4-B5DC-AD229B19169A}\stubpath = "C:\\Windows\\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe"	{A002CF13-7790-4203-801B-CC32763045A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA386CED-9583-477a-A293-7C7340B11749}	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71BCE35-4697-4258-9967-99C4BFD74AC3}\stubpath = "C:\\Windows\\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe"	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDB5427-8130-4ca0-8143-964F390A5051}\stubpath = "C:\\Windows\\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe"	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08A09470-D918-485d-9C1E-870F282E80D5}\stubpath = "C:\\Windows\\{08A09470-D918-485d-9C1E-870F282E80D5}.exe"	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}\stubpath = "C:\\Windows\\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe"	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}\stubpath = "C:\\Windows\\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe"	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}\stubpath = "C:\\Windows\\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe"	{DA386CED-9583-477a-A293-7C7340B11749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDB5427-8130-4ca0-8143-964F390A5051}	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A71BCE35-4697-4258-9967-99C4BFD74AC3}	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}	{DA386CED-9583-477a-A293-7C7340B11749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10AEC087-BC54-4539-9236-C74B9AA3664D}	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10AEC087-BC54-4539-9236-C74B9AA3664D}\stubpath = "C:\\Windows\\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe"	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A002CF13-7790-4203-801B-CC32763045A8}	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63C124B9-78DF-49c4-B5DC-AD229B19169A}	{A002CF13-7790-4203-801B-CC32763045A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe

Executes dropped EXE 12 IoCs

pid	Process
860	{A002CF13-7790-4203-801B-CC32763045A8}.exe
5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe
4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
1832	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
4312	{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	{A002CF13-7790-4203-801B-CC32763045A8}.exe
File created	C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
File created	C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
File created	C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
File created	C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
File created	C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
File created	C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	{DA386CED-9583-477a-A293-7C7340B11749}.exe
File created	C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
File created	C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
File created	C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
File created	C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
File created	C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A002CF13-7790-4203-801B-CC32763045A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA386CED-9583-477a-A293-7C7340B11749}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe
Token: SeIncBasePriorityPrivilege	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
Token: SeIncBasePriorityPrivilege	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
Token: SeIncBasePriorityPrivilege	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe
Token: SeIncBasePriorityPrivilege	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
Token: SeIncBasePriorityPrivilege	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
Token: SeIncBasePriorityPrivilege	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
Token: SeIncBasePriorityPrivilege	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
Token: SeIncBasePriorityPrivilege	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe
Token: SeIncBasePriorityPrivilege	4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
Token: SeIncBasePriorityPrivilege	1832	{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 860	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	84
PID 4056 wrote to memory of 860	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	84
PID 4056 wrote to memory of 860	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	84
PID 4056 wrote to memory of 2556	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	85
PID 4056 wrote to memory of 2556	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	85
PID 4056 wrote to memory of 2556	4056	2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe	85
PID 860 wrote to memory of 5092	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	93
PID 860 wrote to memory of 5092	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	93
PID 860 wrote to memory of 5092	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	93
PID 860 wrote to memory of 4364	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	94
PID 860 wrote to memory of 4364	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	94
PID 860 wrote to memory of 4364	860	{A002CF13-7790-4203-801B-CC32763045A8}.exe	94
PID 5092 wrote to memory of 2316	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	97
PID 5092 wrote to memory of 2316	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	97
PID 5092 wrote to memory of 2316	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	97
PID 5092 wrote to memory of 4692	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	98
PID 5092 wrote to memory of 4692	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	98
PID 5092 wrote to memory of 4692	5092	{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe	98
PID 2316 wrote to memory of 4340	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	99
PID 2316 wrote to memory of 4340	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	99
PID 2316 wrote to memory of 4340	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	99
PID 2316 wrote to memory of 3512	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	100
PID 2316 wrote to memory of 3512	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	100
PID 2316 wrote to memory of 3512	2316	{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe	100
PID 4340 wrote to memory of 4956	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	101
PID 4340 wrote to memory of 4956	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	101
PID 4340 wrote to memory of 4956	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	101
PID 4340 wrote to memory of 2904	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	102
PID 4340 wrote to memory of 2904	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	102
PID 4340 wrote to memory of 2904	4340	{DA386CED-9583-477a-A293-7C7340B11749}.exe	102
PID 4956 wrote to memory of 3320	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	103
PID 4956 wrote to memory of 3320	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	103
PID 4956 wrote to memory of 3320	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	103
PID 4956 wrote to memory of 4664	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	104
PID 4956 wrote to memory of 4664	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	104
PID 4956 wrote to memory of 4664	4956	{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe	104
PID 3320 wrote to memory of 1516	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	105
PID 3320 wrote to memory of 1516	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	105
PID 3320 wrote to memory of 1516	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	105
PID 3320 wrote to memory of 4776	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	106
PID 3320 wrote to memory of 4776	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	106
PID 3320 wrote to memory of 4776	3320	{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe	106
PID 1516 wrote to memory of 2160	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	107
PID 1516 wrote to memory of 2160	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	107
PID 1516 wrote to memory of 2160	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	107
PID 1516 wrote to memory of 3200	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	108
PID 1516 wrote to memory of 3200	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	108
PID 1516 wrote to memory of 3200	1516	{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe	108
PID 2160 wrote to memory of 4992	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	109
PID 2160 wrote to memory of 4992	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	109
PID 2160 wrote to memory of 4992	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	109
PID 2160 wrote to memory of 1420	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	110
PID 2160 wrote to memory of 1420	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	110
PID 2160 wrote to memory of 1420	2160	{BEDB5427-8130-4ca0-8143-964F390A5051}.exe	110
PID 4992 wrote to memory of 4724	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	111
PID 4992 wrote to memory of 4724	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	111
PID 4992 wrote to memory of 4724	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	111
PID 4992 wrote to memory of 3020	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	112
PID 4992 wrote to memory of 3020	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	112
PID 4992 wrote to memory of 3020	4992	{08A09470-D918-485d-9C1E-870F282E80D5}.exe	112
PID 4724 wrote to memory of 1832	4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe	113
PID 4724 wrote to memory of 1832	4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe	113
PID 4724 wrote to memory of 1832	4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe	113
PID 4724 wrote to memory of 2844	4724	{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_25861ea2893539cd23cb931ad9fbf92e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe
  C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
    C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
      C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe
        
        C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
        
        C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
        
        C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
        
        C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
        
        C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe
        
        C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
        
        C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
        
        C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe
        
        C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3FB1~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B894B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08A09~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDB5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10AEC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94D68~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D3F9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA386~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2F94~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63C12~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A002C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08A09470-D918-485d-9C1E-870F282E80D5}.exe

Filesize
192KB

MD5
3078edb9db2dd3fc14a9776de428ec6b

SHA1
7ae3a1cca630ed849f7514e4ce84df109510b889

SHA256
46cf291796cec590e66e4984e4b5b09bade3ed8c2685dcbcf9175bc20425d991

SHA512
3b30ae9c72c643742120542ba227535fce60e7b36db1330d01b12a705eb8d3d34a04b11c0d6f51ec681000712576ebaee1ec5440e5628f91531b4155f64a2480

Download Submit
C:\Windows\{10AEC087-BC54-4539-9236-C74B9AA3664D}.exe

Filesize
192KB

MD5
cac7deeed5d9df79b042c6bf3bd634b4

SHA1
ecbf543d5bc28c558152a25e3799cff49c2c6dbe

SHA256
335a2e291b2a2d7f73f01d236f41e5eac4c206c7fa4e35d1dc3d77885b8a726f

SHA512
b0e17dfb552afdf08546d92209e4dfa151d35f0334cf8692cfd00c033909ab671a5403e624cee12ea4c1011e18c610b53242a90c81ef217f392de8ae15c7ea55

Download Submit
C:\Windows\{63C124B9-78DF-49c4-B5DC-AD229B19169A}.exe

Filesize
192KB

MD5
c6e4a374c1f0c8d953ed396e519ddc92

SHA1
7dec578c1edf8ec53fb444fe1b5b7e516020d47e

SHA256
335b30775650cbe889a5de45115d7b183008c325f426e56b985d367534652904

SHA512
11d96fd6d3fc29304d5a4bee25a9735b4d6478632d48eb3cca9a15244024f0b8a32c01eb78691a3ac1a7b10ecad5667350c1761e6956bd8871e91c01973b2533

Download Submit
C:\Windows\{8D3F9B3D-774B-4611-95CD-15212A3CB38B}.exe

Filesize
192KB

MD5
6666618f6c7dae2ecead1edf029cd809

SHA1
6603454cb0957ae77fa5ae4e32ea4003aeff85e5

SHA256
db152aae912d9c3fb313dfe8c368e71562410901a4de7a47e2f8a90053e1b8ee

SHA512
df4dbab88c9d4d28f253bbb9e108c9687460040a3c7d0392e584287c15c704f41049b96bcd055e1cd9b5c147e123dc1e3bd43c34a0876f6d73243efc76d7fab6

Download Submit
C:\Windows\{94D68563-2AAC-4a14-A4AD-0202C90DF387}.exe

Filesize
192KB

MD5
904ea5b61a21888d97183ce7979e8049

SHA1
416d77f11275e3bbe28414f1252eee25831cc5d7

SHA256
00185694afeeac5b6125b8259e68d8b81438922898b78a7c8e6eae3c545f83ba

SHA512
c7866c707d0caecd67c17facc444ab061a1ecfebe999b4881259cb8abe53007f2e92b2d1c326bfcc64eaff6d054007ca80ee36ddb290e94e4f5e91bfd140ae1d

Download Submit
C:\Windows\{A002CF13-7790-4203-801B-CC32763045A8}.exe

Filesize
192KB

MD5
828b881701151a9c8e2d74387a4f6021

SHA1
1611f2e7ac1674d813535adaf62ad79a3b4f0332

SHA256
c6fc88353de88d6caf5c08253fbfa3a9e41cbe9ace5c6d5cddbcbc98722eb326

SHA512
6623247de97ab6cb54caaee04d9d971e3d2311c93b419abe1c034ef8e8b06fc212f54e5d167f114c05bc1c2e65063c41a6d14dc79aa5e9a7cd0c55f411dadef2

Download Submit
C:\Windows\{A3FB1DA0-C7F1-4fcf-9C77-AA190BDACD6C}.exe

Filesize
192KB

MD5
c48391ed656d7b715ceebc34513b4185

SHA1
a316582ea801378765cc52574d64fe8fcd17b55a

SHA256
3f06b65df20452ddf11e4324299333dbbbc38c51177f78a8347e95cf19f32812

SHA512
dfc1db09c4148c20dea9b465f8cd9c7c9743b1b907332ba76d02d1984ff30a85b7f3f18626b0fc768c377341e102455d782454838a6fb67160fd51a8795fc0d4

Download Submit
C:\Windows\{A71BCE35-4697-4258-9967-99C4BFD74AC3}.exe

Filesize
192KB

MD5
52f2f07e1423b27a336835c030a698a9

SHA1
d733f65473581165b5a9224b3e433de199129de9

SHA256
cc5751bcef2d47e48bd22c7f0dd776d71298d748abf0935a6fd3e472597b9a2a

SHA512
7f91b53ef57cb55a3ab2c72bdf483f350be6a4eb75dc71b4751de092c2a20883a6fffd09390ffff7a21beb0476f5cde84f5f5fc433665cdd8f881f5c58b8e575

Download Submit
C:\Windows\{B894BF99-0857-4998-A43E-7ECC1BA8B12C}.exe

Filesize
192KB

MD5
c83cff975b2e21c167fd975ce23aaf7e

SHA1
89a800cca50b5a607dbb9413a81b0a2fc05bd4b8

SHA256
785c6e3cbca35401c4860249e4f2e92959dde86a751565d622cb7b94a32ce0aa

SHA512
c8a96b07f83f723f9f92956eff2485c09d71198c4b2fe69957378ec4fe0d01ed720fa7ba4f2a519695513a0af3b72410ce2bb52c2c848836350f67cfc662408e

Download Submit
C:\Windows\{BEDB5427-8130-4ca0-8143-964F390A5051}.exe

Filesize
192KB

MD5
1dc65aee0d13e377c7a5e6886c0d37c6

SHA1
fe831bed6c58e608cb9c0790b2ce129f02fb5c9a

SHA256
373a23dd43eb895ea2c63ccc225bcda4b314b7b8e2a2c0c9f3462e1fdb2d5241

SHA512
710542ba532d3a36734b167e74ebc4fda38adf2c17873193f46fd1bc7f407711e0162a5e0b370cccedd4db9bd6163a0929bf6b000b0f35d67c759ea7e2d22ce4

Download Submit
C:\Windows\{C2F943F1-BA92-495b-A5C2-B2CE37A8B3FC}.exe

Filesize
192KB

MD5
84421e0acafe4122cba9fe74ce797c65

SHA1
90a454248ed5ed54e16c7dcd008c03c7e19d5c4a

SHA256
4904c7cd2d7cf5d46a5907e3f11e337c3cd6b1e8c5b5ebc3135115e969199b38

SHA512
a1db0f49f54803203a67eb85d65b9d3cd0d5f3f0f6017b18ce66d865558d0b7901c2337753e92ba85ef941c5727cee38a0c8b7f207419857a48f10c19bc6dc36

Download Submit
C:\Windows\{DA386CED-9583-477a-A293-7C7340B11749}.exe

Filesize
192KB

MD5
b59c6a1fb55f3a249ca3089c53df5ee5

SHA1
f57b4638cf1a6728f4d98d1f7f683bfa2d08d328

SHA256
4fa76d7fac31b117b7f04ababf9a5a0d42eecd0c3a3d4557d0ecd4cdbb0deacc

SHA512
22af380e118bc2b043a8417b212d73e2f135b41327e71132ad07bda6c2c6463e4c37cadde3045553099ba6181e1c3e056c6f54c623effe8a607f452dd5d2b154

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads