fe1c869a097ae9f46720cbada0ea43bbd590f2f4d049d3bad0973c7d9ee013c8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Size

192KB
MD5

7959c1eaea681847fd9e9f384d96a7aa
SHA1

342b130232be1c7fd44a6acc16cf92180aad426c
SHA256

fe1c869a097ae9f46720cbada0ea43bbd590f2f4d049d3bad0973c7d9ee013c8
SHA512

fc395695c9f0cae0945c58d67c15f69e270f6c54ba71aeccd2ff9e98da2047018d4e21f3a6364675dc47f4f4fe77c83b565bfb6e2586d93e4e115313bd3317ce
SSDEEP

1536:1EGh0o+l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o+l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}\stubpath = "C:\\Windows\\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe"	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}\stubpath = "C:\\Windows\\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe"	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{337DAF2D-9E78-4f81-8451-3826B06BDB15}\stubpath = "C:\\Windows\\{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe"	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6426F51C-74B2-4873-9929-CDEEFC54A04E}	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27188799-D803-4378-9399-BD6BA6B3E682}	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE46506-42E5-484d-940D-552960EE710A}	{27188799-D803-4378-9399-BD6BA6B3E682}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE46506-42E5-484d-940D-552960EE710A}\stubpath = "C:\\Windows\\{5EE46506-42E5-484d-940D-552960EE710A}.exe"	{27188799-D803-4378-9399-BD6BA6B3E682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7692BEB6-93BF-44e3-9AE0-3178A728A787}\stubpath = "C:\\Windows\\{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe"	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}\stubpath = "C:\\Windows\\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe"	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}\stubpath = "C:\\Windows\\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe"	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27188799-D803-4378-9399-BD6BA6B3E682}\stubpath = "C:\\Windows\\{27188799-D803-4378-9399-BD6BA6B3E682}.exe"	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6426F51C-74B2-4873-9929-CDEEFC54A04E}\stubpath = "C:\\Windows\\{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe"	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}\stubpath = "C:\\Windows\\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe"	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}\stubpath = "C:\\Windows\\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe"	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7692BEB6-93BF-44e3-9AE0-3178A728A787}	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{337DAF2D-9E78-4f81-8451-3826B06BDB15}	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}\stubpath = "C:\\Windows\\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe"	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe

Executes dropped EXE 12 IoCs

pid	Process
744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
2844	{27188799-D803-4378-9399-BD6BA6B3E682}.exe
3972	{5EE46506-42E5-484d-940D-552960EE710A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
File created	C:\Windows\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
File created	C:\Windows\{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
File created	C:\Windows\{27188799-D803-4378-9399-BD6BA6B3E682}.exe	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
File created	C:\Windows\{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
File created	C:\Windows\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
File created	C:\Windows\{5EE46506-42E5-484d-940D-552960EE710A}.exe	{27188799-D803-4378-9399-BD6BA6B3E682}.exe
File created	C:\Windows\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
File created	C:\Windows\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
File created	C:\Windows\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
File created	C:\Windows\{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
File created	C:\Windows\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27188799-D803-4378-9399-BD6BA6B3E682}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EE46506-42E5-484d-940D-552960EE710A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
Token: SeIncBasePriorityPrivilege	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
Token: SeIncBasePriorityPrivilege	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
Token: SeIncBasePriorityPrivilege	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
Token: SeIncBasePriorityPrivilege	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
Token: SeIncBasePriorityPrivilege	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
Token: SeIncBasePriorityPrivilege	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
Token: SeIncBasePriorityPrivilege	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
Token: SeIncBasePriorityPrivilege	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
Token: SeIncBasePriorityPrivilege	3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
Token: SeIncBasePriorityPrivilege	2844	{27188799-D803-4378-9399-BD6BA6B3E682}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 744	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	89
PID 3548 wrote to memory of 744	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	89
PID 3548 wrote to memory of 744	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	89
PID 3548 wrote to memory of 3972	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	90
PID 3548 wrote to memory of 3972	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	90
PID 3548 wrote to memory of 3972	3548	2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe	90
PID 744 wrote to memory of 3704	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	91
PID 744 wrote to memory of 3704	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	91
PID 744 wrote to memory of 3704	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	91
PID 744 wrote to memory of 4648	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	92
PID 744 wrote to memory of 4648	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	92
PID 744 wrote to memory of 4648	744	{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe	92
PID 3704 wrote to memory of 1736	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	95
PID 3704 wrote to memory of 1736	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	95
PID 3704 wrote to memory of 1736	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	95
PID 3704 wrote to memory of 3772	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	96
PID 3704 wrote to memory of 3772	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	96
PID 3704 wrote to memory of 3772	3704	{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe	96
PID 1736 wrote to memory of 3540	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	97
PID 1736 wrote to memory of 3540	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	97
PID 1736 wrote to memory of 3540	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	97
PID 1736 wrote to memory of 2260	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	98
PID 1736 wrote to memory of 2260	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	98
PID 1736 wrote to memory of 2260	1736	{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe	98
PID 3540 wrote to memory of 2140	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	99
PID 3540 wrote to memory of 2140	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	99
PID 3540 wrote to memory of 2140	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	99
PID 3540 wrote to memory of 2740	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	100
PID 3540 wrote to memory of 2740	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	100
PID 3540 wrote to memory of 2740	3540	{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe	100
PID 2140 wrote to memory of 4120	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	101
PID 2140 wrote to memory of 4120	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	101
PID 2140 wrote to memory of 4120	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	101
PID 2140 wrote to memory of 1180	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	102
PID 2140 wrote to memory of 1180	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	102
PID 2140 wrote to memory of 1180	2140	{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe	102
PID 4120 wrote to memory of 2176	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	103
PID 4120 wrote to memory of 2176	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	103
PID 4120 wrote to memory of 2176	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	103
PID 4120 wrote to memory of 1688	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	104
PID 4120 wrote to memory of 1688	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	104
PID 4120 wrote to memory of 1688	4120	{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe	104
PID 2176 wrote to memory of 2348	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	105
PID 2176 wrote to memory of 2348	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	105
PID 2176 wrote to memory of 2348	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	105
PID 2176 wrote to memory of 1776	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	106
PID 2176 wrote to memory of 1776	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	106
PID 2176 wrote to memory of 1776	2176	{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe	106
PID 2348 wrote to memory of 3920	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	107
PID 2348 wrote to memory of 3920	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	107
PID 2348 wrote to memory of 3920	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	107
PID 2348 wrote to memory of 884	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	108
PID 2348 wrote to memory of 884	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	108
PID 2348 wrote to memory of 884	2348	{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe	108
PID 3920 wrote to memory of 3700	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	109
PID 3920 wrote to memory of 3700	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	109
PID 3920 wrote to memory of 3700	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	109
PID 3920 wrote to memory of 3948	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	110
PID 3920 wrote to memory of 3948	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	110
PID 3920 wrote to memory of 3948	3920	{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe	110
PID 3700 wrote to memory of 2844	3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe	111
PID 3700 wrote to memory of 2844	3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe	111
PID 3700 wrote to memory of 2844	3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe	111
PID 3700 wrote to memory of 436	3700	{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_7959c1eaea681847fd9e9f384d96a7aa_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Windows\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
  C:\Windows\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
    C:\Windows\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
      C:\Windows\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
        
        C:\Windows\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
        
        C:\Windows\{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
        
        C:\Windows\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
        
        C:\Windows\{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
        
        C:\Windows\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
        
        C:\Windows\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
        
        C:\Windows\{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{27188799-D803-4378-9399-BD6BA6B3E682}.exe
        
        C:\Windows\{27188799-D803-4378-9399-BD6BA6B3E682}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{5EE46506-42E5-484d-940D-552960EE710A}.exe
        
        C:\Windows\{5EE46506-42E5-484d-940D-552960EE710A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27188~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6426F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4B2C~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C30~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{337DA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB61~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7692B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{413AE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D4D6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6123F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17E6C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AB615FA-D4ED-4fb0-B288-A1BA4F4E4007}.exe

Filesize
192KB

MD5
c0845909a9202f5388e03fb12b11d455

SHA1
89587852614bb04160190d30091e81edc40863d3

SHA256
34d9ba480496e8bf0a2930d991278bad9c78f1382fa72c08f115e8ca4f8891fe

SHA512
0cbc66f59fd59c3671bf96cd44072d8b45c67cdbcd8f83d18fcc3db9f6d7ff1907e1c1f44841df07e80d435bbb84ed916856b7f0b0d98ae965bdd980a1490228

Download Submit
C:\Windows\{17E6CAC0-D257-4a55-8CCE-B0C0D00F557D}.exe

Filesize
192KB

MD5
26378c1e88a458dfcdf2c786d07160b4

SHA1
0391dda3ae5f913986513f6e6f2c369863dd9064

SHA256
55be7d4a33c7fe339c9f37236c8571e27e84c2b1a43632e7a6f01c1bc61a3968

SHA512
91a6771dc7d5a18e87fbd058b31830132d9ecbaa1f7c1e17aff7a6ee1f88c5ec06de7241b27d73d706d229a7c6738e72f05b5ae653a049e7c74b1c8876a85e14

Download Submit
C:\Windows\{27188799-D803-4378-9399-BD6BA6B3E682}.exe

Filesize
192KB

MD5
00ba68578b015c2085c456d1e7c97fdf

SHA1
f50b930a8784342a8c46d48ade002dcec06b7226

SHA256
4c213f16efb644d9dccf9636c0f67098b7e36b3a653ab24ec4cb0bb4a19aec0e

SHA512
2a316bc3d3ba1150b897ce574758bf4ac04d2fc57b4731f2bcb8a79565ef01d26324afa4fe8f2141b46d4a7fbdbd96bebc856f479960644d9823477b609b1e1c

Download Submit
C:\Windows\{337DAF2D-9E78-4f81-8451-3826B06BDB15}.exe

Filesize
192KB

MD5
0802340eef064d44a0db1bfbdc38e8dd

SHA1
21a570eae519952c106f8b1650ff43ae1af4f804

SHA256
942805d735cbfdfbad9605fcfa7a35224d58500a9f4b332bd452fe568422f33a

SHA512
dc544ed4af2ac98768febb9741942f288dd7111ee50dd32b9cf2f4f6ebb3069526d5e53646be4efbbe52511a1d11012c0e144946ca3e0a4d3739088872e7e088

Download Submit
C:\Windows\{3D4D6A26-320C-457f-B0FF-A6C696AFF0CD}.exe

Filesize
192KB

MD5
414ddf87d424bec6239368793dce08d5

SHA1
3ef9e1b52e8bd2e4223f7752d9d517ed9d941379

SHA256
2558ac10184c2c4c785b7e00552d227a8d37bf66aeef31c26e92a98b08325d5a

SHA512
18cdf11ebb953879ff9e44edea0fbe4f8838af2db26cbd908c394398f8a577783db7bfd2dccbf33f83b68761d89fda1fc1c2fc6dafe9ee0d73923ac607837d5d

Download Submit
C:\Windows\{413AE0C5-CC9D-40f2-8C6E-09F95C67152B}.exe

Filesize
192KB

MD5
1bc7a9f99607ac4fdb133dd5d3c9be5e

SHA1
55921269da22c9d131c80fdbb4526d583474eb1b

SHA256
f2622fb90070e7c8c9586825f07b4769e78cc1515c0c9354b6c46bb19d3c5877

SHA512
473e78d27928e6f2e0572d78952fe6832635fb7edbf1e9268454bae02b47f50eb30c44002e349640d2a870cc0ac8569888cd0491293dcfdf90640a3af0c790d7

Download Submit
C:\Windows\{5EE46506-42E5-484d-940D-552960EE710A}.exe

Filesize
192KB

MD5
8b1a961ad6ddfb170af9db8e6b325965

SHA1
11014967f82ce96c8a72fb74c582c63aab021646

SHA256
5c0c4f9745db0ec5d666024ff12628d16155565a72b307e83c48742c75ce4d42

SHA512
24ea1735129a142cc442740acdbe7ec51890f0d55bb8f20fe0d150ec678d08774b91a914d1e811432531b964520e0e7cde626f7f4ed2389559fbcb208cfd8dfb

Download Submit
C:\Windows\{6123F79D-E0C7-478e-93CB-AA82EC553C2E}.exe

Filesize
192KB

MD5
4d396e380faa51329c648b766e4ceb86

SHA1
cc33c1d1b525d92145d9a70aca6523d75ecfa2cc

SHA256
6e3554ea2cfb0dd3a45a521ff3a5495d230a1b3297fc8d697358ec7e98e709fa

SHA512
5f5e2bd14d9d3c15971276d2d54582795ee0d30476dd8ff68514eccb47a9aaac4c4081a21ece3b3bfad919a374a1233dbc4cc924c588c2088bd8ad1bd1cceb6e

Download Submit
C:\Windows\{6426F51C-74B2-4873-9929-CDEEFC54A04E}.exe

Filesize
192KB

MD5
1ffd8c4f3d9c7d74bc25b2ff9071abdd

SHA1
c44b1356643cb4b50e2d3d6e2000693cd9a122e2

SHA256
9ee5166f3b85b05bf95ecdc8528fe085919d6281997af07917c80f24e0eb3b1c

SHA512
efc93e1defc9c3fc3a4ce9d85b1c196b86c43b3cb7d9230e649bc4a5141b488d66f281d7ff9da804ad08b4b861a2b37fc61f0b6fafcc2d495a6ded1fb83a0914

Download Submit
C:\Windows\{7692BEB6-93BF-44e3-9AE0-3178A728A787}.exe

Filesize
192KB

MD5
2781b1da02c730afa7eaf24da4eec8cd

SHA1
dcb42c8f5857713eb55ae2cbdf8949f784439b24

SHA256
c3f8af0a953a9d576f9b80096819432ba229de530e8e684275bfcd3844c1a2c0

SHA512
cbd8d7f158c1f387a08a3bd2e2a0355b72d9018e6b5cfad84ae1221c03864045e91d3839c147318ea5e25d0f9a7ec28efc335eb1d2b295db50f5175b6f75839c

Download Submit
C:\Windows\{A2C30796-CE5D-47a3-8E91-8FA9BAA76F92}.exe

Filesize
192KB

MD5
ea7468d158d60805a57352fd8b4d0a39

SHA1
919e2044c48804e056d546576d1bfeeae09d6f77

SHA256
8720dcccf0268a52fd8ba1e999d2ea1921566c6fbfbcdf33a6e7b04a26b049f0

SHA512
0795fd720e35422451a0d2209e5de8ec7e3c5a05ac0fd52f92acf8690bc14c69a4134a810a60edfc5a6f86633605b3f454ae345932531bf876eaef5006afc053

Download Submit
C:\Windows\{E4B2C595-9AC3-4537-8DF1-B353AE54F9F9}.exe

Filesize
192KB

MD5
e3b30bc8bb232a82b817610800bfee5e

SHA1
8d7c78f82bb67ef23868cf33110804ff30f032b7

SHA256
f5044ae300b2d87cb42ea1644fb1d15a8442b7ed6e63c91cb375f2e7149abdd0

SHA512
e2d1a29140d9a57ecc7cfebf1f9cbdc88bcbe97af44bc73311efd6f5b79ae8535bc1495ec0038b41e40dbc214179fa361aa04f2f66ba4f772c5c531bf1c5a119

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads