491b134f035deab9259b8082eb1a263775bbbaf902581f81d534cbc67ebf759f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
Size

180KB
MD5

8b953551a67085ad3e3577bda919d261
SHA1

33a1a4f3e8d1f4dc59062ccb90abeef4b7ca2221
SHA256

491b134f035deab9259b8082eb1a263775bbbaf902581f81d534cbc67ebf759f
SHA512

f56dc91223f001d756a8eaea02a3859e2663f76c8f6b70868974eacf37bcd618aa6b5204b72ba962d115e7e1de1cfe8fced6f27203a667e208772cf2b24652ba
SSDEEP

3072:jEGh0oulfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG4l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}\stubpath = "C:\\Windows\\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe"	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABE0391-EA09-4d69-BA69-60778574BC41}\stubpath = "C:\\Windows\\{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe"	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}\stubpath = "C:\\Windows\\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe"	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8122F67-1752-4342-9508-17F7F7DF9B78}\stubpath = "C:\\Windows\\{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe"	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABE0391-EA09-4d69-BA69-60778574BC41}	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}\stubpath = "C:\\Windows\\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe"	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96752BCB-7582-438c-B949-48AFD4F2BACD}	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96752BCB-7582-438c-B949-48AFD4F2BACD}\stubpath = "C:\\Windows\\{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe"	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33562A02-8C2E-45ed-9F53-0D8A77065024}	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33562A02-8C2E-45ed-9F53-0D8A77065024}\stubpath = "C:\\Windows\\{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe"	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}\stubpath = "C:\\Windows\\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe"	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D0CCA8-DA61-4645-8263-547C3F2898AC}	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D0CCA8-DA61-4645-8263-547C3F2898AC}\stubpath = "C:\\Windows\\{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe"	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}\stubpath = "C:\\Windows\\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe"	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C5F323-5CFA-496c-A326-2D677E059A36}	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C5F323-5CFA-496c-A326-2D677E059A36}\stubpath = "C:\\Windows\\{32C5F323-5CFA-496c-A326-2D677E059A36}.exe"	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8122F67-1752-4342-9508-17F7F7DF9B78}	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E15D42-65DA-42db-938B-A87C32ABCBD0}	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61E15D42-65DA-42db-938B-A87C32ABCBD0}\stubpath = "C:\\Windows\\{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe"	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe

Executes dropped EXE 12 IoCs

pid	Process
3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
2660	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
4892	{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
File created	C:\Windows\{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
File created	C:\Windows\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
File created	C:\Windows\{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
File created	C:\Windows\{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
File created	C:\Windows\{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
File created	C:\Windows\{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
File created	C:\Windows\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
File created	C:\Windows\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
File created	C:\Windows\{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
File created	C:\Windows\{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
File created	C:\Windows\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
Token: SeIncBasePriorityPrivilege	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
Token: SeIncBasePriorityPrivilege	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
Token: SeIncBasePriorityPrivilege	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
Token: SeIncBasePriorityPrivilege	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
Token: SeIncBasePriorityPrivilege	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
Token: SeIncBasePriorityPrivilege	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
Token: SeIncBasePriorityPrivilege	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
Token: SeIncBasePriorityPrivilege	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
Token: SeIncBasePriorityPrivilege	4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
Token: SeIncBasePriorityPrivilege	2660	{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3924	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	89
PID 1712 wrote to memory of 3924	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	89
PID 1712 wrote to memory of 3924	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	89
PID 1712 wrote to memory of 2872	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	90
PID 1712 wrote to memory of 2872	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	90
PID 1712 wrote to memory of 2872	1712	2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe	90
PID 3924 wrote to memory of 4552	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	91
PID 3924 wrote to memory of 4552	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	91
PID 3924 wrote to memory of 4552	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	91
PID 3924 wrote to memory of 4588	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	92
PID 3924 wrote to memory of 4588	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	92
PID 3924 wrote to memory of 4588	3924	{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe	92
PID 4552 wrote to memory of 3580	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	95
PID 4552 wrote to memory of 3580	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	95
PID 4552 wrote to memory of 3580	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	95
PID 4552 wrote to memory of 812	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	96
PID 4552 wrote to memory of 812	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	96
PID 4552 wrote to memory of 812	4552	{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe	96
PID 3580 wrote to memory of 1792	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	97
PID 3580 wrote to memory of 1792	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	97
PID 3580 wrote to memory of 1792	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	97
PID 3580 wrote to memory of 3388	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	98
PID 3580 wrote to memory of 3388	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	98
PID 3580 wrote to memory of 3388	3580	{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe	98
PID 1792 wrote to memory of 3904	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	99
PID 1792 wrote to memory of 3904	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	99
PID 1792 wrote to memory of 3904	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	99
PID 1792 wrote to memory of 3128	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	100
PID 1792 wrote to memory of 3128	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	100
PID 1792 wrote to memory of 3128	1792	{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe	100
PID 3904 wrote to memory of 3040	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	101
PID 3904 wrote to memory of 3040	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	101
PID 3904 wrote to memory of 3040	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	101
PID 3904 wrote to memory of 4912	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	102
PID 3904 wrote to memory of 4912	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	102
PID 3904 wrote to memory of 4912	3904	{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe	102
PID 3040 wrote to memory of 2352	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	103
PID 3040 wrote to memory of 2352	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	103
PID 3040 wrote to memory of 2352	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	103
PID 3040 wrote to memory of 1196	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	104
PID 3040 wrote to memory of 1196	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	104
PID 3040 wrote to memory of 1196	3040	{32C5F323-5CFA-496c-A326-2D677E059A36}.exe	104
PID 2352 wrote to memory of 4584	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	105
PID 2352 wrote to memory of 4584	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	105
PID 2352 wrote to memory of 4584	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	105
PID 2352 wrote to memory of 1988	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	106
PID 2352 wrote to memory of 1988	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	106
PID 2352 wrote to memory of 1988	2352	{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe	106
PID 4584 wrote to memory of 764	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	107
PID 4584 wrote to memory of 764	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	107
PID 4584 wrote to memory of 764	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	107
PID 4584 wrote to memory of 3572	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	108
PID 4584 wrote to memory of 3572	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	108
PID 4584 wrote to memory of 3572	4584	{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe	108
PID 764 wrote to memory of 4252	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	109
PID 764 wrote to memory of 4252	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	109
PID 764 wrote to memory of 4252	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	109
PID 764 wrote to memory of 4432	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	110
PID 764 wrote to memory of 4432	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	110
PID 764 wrote to memory of 4432	764	{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe	110
PID 4252 wrote to memory of 2660	4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe	111
PID 4252 wrote to memory of 2660	4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe	111
PID 4252 wrote to memory of 2660	4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe	111
PID 4252 wrote to memory of 5108	4252	{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_8b953551a67085ad3e3577bda919d261_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
  C:\Windows\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
    C:\Windows\{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
      C:\Windows\{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
        
        C:\Windows\{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
      - C:\Windows\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
        
        C:\Windows\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
        
        C:\Windows\{32C5F323-5CFA-496c-A326-2D677E059A36}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
        
        C:\Windows\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
        
        C:\Windows\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
        
        C:\Windows\{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
        
        C:\Windows\{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
        
        C:\Windows\{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe
        
        C:\Windows\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ABE0~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61E15~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8122~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{520DC~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38A9D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C5F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CA15~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33562~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39D0C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96752~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0262C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0262C7CE-B32F-41d9-A606-6CFFC76F7EA3}.exe

Filesize
180KB

MD5
4bcfb5b8f2fd465668ea34fdf42fba8a

SHA1
f6a1f929084644440e8d1c35844ca3ca5ad38cec

SHA256
38376b6121200a98cc684901871ec4d64ced1afc4d27f9d8447bf8e42a585125

SHA512
59d055b27ca978f6142f5dbaa5773a34b8febbc02d1976e5c90b7fc1b4fba5fa89cda0ab0e1b6b3f5e24d089ac832e39d2d68bd33ffe8f401adc55b59a9c6da0

Download Submit
C:\Windows\{32C5F323-5CFA-496c-A326-2D677E059A36}.exe

Filesize
180KB

MD5
14e3dc0360b9250c0c5fe424b0acf03a

SHA1
70677294914ee775ac020c27eee76575ad75f2a8

SHA256
1dba047d835779e174f281d6c9f0c8a051220b1a571bb6219afd6ac1c303b3f2

SHA512
462a3a2d9105cbbba8b5cdc7438f9be8b7d27de3a372f80f059525c3bef687d234915ac9adf64db33e1c4ac5a17478e0e8b1afa750339bc36b658fc8211507a3

Download Submit
C:\Windows\{33562A02-8C2E-45ed-9F53-0D8A77065024}.exe

Filesize
180KB

MD5
28dc35ba0fb3f415eecbd70c3465d5da

SHA1
95b53414adac8b3a73717941691cc76849f4c793

SHA256
69fb925ee899ac3252727440d4a33b74b29d03f195f019a91f987a27d79a5efb

SHA512
724c8fe09f300b84e4f69544b8172a0af6ae07451384bf5fc75205c63a0a0c78f83767b0f27cc95a900f15094a3c8894e030d99d0556823b9d525327ad602e58

Download Submit
C:\Windows\{335C2CC0-78F9-49e7-B9D2-0BDE65227308}.exe

Filesize
180KB

MD5
81359bdfd487068c2fdd91da92e8e496

SHA1
18e84a5a1e9890ed4ef904156dcc54560cc5b968

SHA256
25b4d6aa4350c5d89058a8c8b2cd1366363b0a8b40751fdaf1d182565916928a

SHA512
3acb97b70f9772fdad304feab28c8420a5a09ae978a8764c7c52de3187a793f19ab57867f5bad086716991cc27a13abfcbc2481f96e672e4c198b592b1c4024f

Download Submit
C:\Windows\{38A9D6E7-573F-4f9e-9034-E2187A053AC6}.exe

Filesize
180KB

MD5
0b46a71d6456853fee8adf387189437e

SHA1
0d37d5ff0b1707d3c14621c28855b4cd37141c7f

SHA256
ab616edeee6b02440b8332e07e325c984c44bbad4e3fc9d95a13c75ed7e2ad7a

SHA512
c6f9ed8e51f4e52a0dc7f3523bbbb3a4d3d06fd7978aac5b2e942039b6be7a8a8eb7f5c11822f8070bb2fa356bcac989bfb3eda50a1c3f340bb54341abe35ac8

Download Submit
C:\Windows\{39D0CCA8-DA61-4645-8263-547C3F2898AC}.exe

Filesize
180KB

MD5
30613726793b53554cfec840e45f02fa

SHA1
aa18ca19df83b9657224f6a0914ab10e60414098

SHA256
7f59c8f08b800b6efb61e6cd17d84c50f5d2aaa9f818196ed5825a9adb27acc9

SHA512
5de411726b87b3f0055433a7051bd9d1cde2c97ba12096e01e8619de964024d4d21ebbf572bd3073f8558368cd2c6468068e584891b9155db6f518bd02e9ef14

Download Submit
C:\Windows\{520DC01D-26C0-4d08-85B7-1BF7A55AD916}.exe

Filesize
180KB

MD5
d325f8a6b113d7be93dabbe544952821

SHA1
7f67a82100c4bf1ef243ed52064f4b68145dfe79

SHA256
54e7caef1fd34ebdaf8911f7d5a1b2f8900afa1e4b50c939e7fa1f2c97cf9f10

SHA512
b785c05ec384ff53ae46168724590c1ecb1ec4c7b6afcf7dfe2de2dbf0325d7663a2b6565064e3f3f32167ff3ae954aad68f3257d980bf0737f469274b65218f

Download Submit
C:\Windows\{61E15D42-65DA-42db-938B-A87C32ABCBD0}.exe

Filesize
180KB

MD5
981c786ada7ef05c14b9e4ea4c342770

SHA1
c2869ce663e4522a4e8e800ae68dd84a5c6d01aa

SHA256
bdc8ae1407337049d930edc35ab26ef13751bff7ada2a5ae3bbd270a4fc9dc51

SHA512
b8b0e59aa51e94dee1f6bf7030885cb46140a13b4ff361e272ab3a76d71f6d1b04e68330605c08a18110d26a0dd10cd6c0e95ed167f0b640dd826caa35607b7f

Download Submit
C:\Windows\{8ABE0391-EA09-4d69-BA69-60778574BC41}.exe

Filesize
180KB

MD5
2c9cd31601b3b5e9697bedcd62d4c79e

SHA1
8c322f6ff5e108cbb657e0f0ee6a5791348406d7

SHA256
32baeffe992d6fa38eeb36b9c43e47a924e0d1a1c5cfbe7c7c608810ef1443b7

SHA512
9610c8b3f724a5c29b9010a7792d0c55a5613a4d30ddc90834be90256b300374a97cb4c7c500883118b4f8d497f994b2a0261a24d56100b440a9a5073a5b4527

Download Submit
C:\Windows\{96752BCB-7582-438c-B949-48AFD4F2BACD}.exe

Filesize
180KB

MD5
d402b2df2467e2795990c1ec670055c9

SHA1
90c25e259e308f43c617d8f093d409ac01449f7c

SHA256
f220083b6aa793b4dd4e98cf73d4990950d5093c754ef9574b626df7e87538d8

SHA512
2850d91ac86f186b530864bf48128b85cd5d0772f0c84b9cd92a0c58c99c0116ebf62e08966afdc87d598816c365f962b96e1a405de9dea888ef9a6a9b588b5b

Download Submit
C:\Windows\{9CA15A31-F8CA-402f-9C3C-A9DF4951CDBF}.exe

Filesize
180KB

MD5
21df92c07d0de2c426db0846a8ac88d3

SHA1
03b4657e1240db76c2499ab080a1df80bae31040

SHA256
a95f2188c80c60531828630a3a9d4784541b8fa98339350fc251776808ef4c3d

SHA512
cb6b253472897f9635ceacf4961cf3283631ef147750b7a4f20e51d09524ad30cead1c0be763a9f4157995086954e4e3743f7a14de720c14b6c275b59162f840

Download Submit
C:\Windows\{A8122F67-1752-4342-9508-17F7F7DF9B78}.exe

Filesize
180KB

MD5
42f85bb2c40d5bba0d4b934ab12df57a

SHA1
872d267913dad11ff9a2935a26a11c22fcca5dfb

SHA256
75efefdff8a140b4f6d4b82b7e5984acca55bfaeebeaa15a299d6a7e9396d8e7

SHA512
2fa428a71522ae17ff3c1039b4fb3416369d6f0431829b70a5da0e3f96a2e9fe67a90e96b63800ea65af90d5f354be6803d14c6ab34f3834cdac58da0fb3a659

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads