89d28d208caa6319ca08120452b2d40e7198105f19e0013293c5650c481db97a

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
Size

180KB
MD5

cee27adaf5ff4e64853abe0d83a749b0
SHA1

c2d2596f49732398b2bea7f82eeba74b859a6fd4
SHA256

89d28d208caa6319ca08120452b2d40e7198105f19e0013293c5650c481db97a
SHA512

8191244e2c91671651a123feb33377e36629c4675b363504ec3350733e92584bb906789ed0cc8144b13255936f56b00bfbf01ab4adfc4112190d2746cf372cd3
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3CD357-0863-4e35-8608-AB735C86858B}	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F873BA7-8477-45de-884E-F85B0BE599D4}	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}\stubpath = "C:\\Windows\\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe"	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}\stubpath = "C:\\Windows\\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe"	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}\stubpath = "C:\\Windows\\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe"	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}\stubpath = "C:\\Windows\\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe"	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81690830-C38E-4c95-AD6B-776A3A91EA7B}\stubpath = "C:\\Windows\\{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe"	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}\stubpath = "C:\\Windows\\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe"	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3CD357-0863-4e35-8608-AB735C86858B}\stubpath = "C:\\Windows\\{6F3CD357-0863-4e35-8608-AB735C86858B}.exe"	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}\stubpath = "C:\\Windows\\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe"	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E044118-A109-437d-ABA5-39EFB088DF92}	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}\stubpath = "C:\\Windows\\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe"	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F873BA7-8477-45de-884E-F85B0BE599D4}\stubpath = "C:\\Windows\\{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe"	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81690830-C38E-4c95-AD6B-776A3A91EA7B}	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}\stubpath = "C:\\Windows\\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe"	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E044118-A109-437d-ABA5-39EFB088DF92}\stubpath = "C:\\Windows\\{4E044118-A109-437d-ABA5-39EFB088DF92}.exe"	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
4980	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
2496	{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
File created	C:\Windows\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
File created	C:\Windows\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
File created	C:\Windows\{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
File created	C:\Windows\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
File created	C:\Windows\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
File created	C:\Windows\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
File created	C:\Windows\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
File created	C:\Windows\{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
File created	C:\Windows\{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
File created	C:\Windows\{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
File created	C:\Windows\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
Token: SeIncBasePriorityPrivilege	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
Token: SeIncBasePriorityPrivilege	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
Token: SeIncBasePriorityPrivilege	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
Token: SeIncBasePriorityPrivilege	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
Token: SeIncBasePriorityPrivilege	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
Token: SeIncBasePriorityPrivilege	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
Token: SeIncBasePriorityPrivilege	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
Token: SeIncBasePriorityPrivilege	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
Token: SeIncBasePriorityPrivilege	1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
Token: SeIncBasePriorityPrivilege	4980	{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1712	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	89
PID 3268 wrote to memory of 1712	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	89
PID 3268 wrote to memory of 1712	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	89
PID 3268 wrote to memory of 2864	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	90
PID 3268 wrote to memory of 2864	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	90
PID 3268 wrote to memory of 2864	3268	2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe	90
PID 1712 wrote to memory of 4956	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	93
PID 1712 wrote to memory of 4956	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	93
PID 1712 wrote to memory of 4956	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	93
PID 1712 wrote to memory of 3396	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	94
PID 1712 wrote to memory of 3396	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	94
PID 1712 wrote to memory of 3396	1712	{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe	94
PID 4956 wrote to memory of 1324	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	97
PID 4956 wrote to memory of 1324	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	97
PID 4956 wrote to memory of 1324	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	97
PID 4956 wrote to memory of 4924	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	98
PID 4956 wrote to memory of 4924	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	98
PID 4956 wrote to memory of 4924	4956	{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe	98
PID 1324 wrote to memory of 3508	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	99
PID 1324 wrote to memory of 3508	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	99
PID 1324 wrote to memory of 3508	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	99
PID 1324 wrote to memory of 4704	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	100
PID 1324 wrote to memory of 4704	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	100
PID 1324 wrote to memory of 4704	1324	{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe	100
PID 3508 wrote to memory of 4044	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	101
PID 3508 wrote to memory of 4044	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	101
PID 3508 wrote to memory of 4044	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	101
PID 3508 wrote to memory of 2132	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	102
PID 3508 wrote to memory of 2132	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	102
PID 3508 wrote to memory of 2132	3508	{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe	102
PID 4044 wrote to memory of 2180	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	103
PID 4044 wrote to memory of 2180	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	103
PID 4044 wrote to memory of 2180	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	103
PID 4044 wrote to memory of 1128	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	104
PID 4044 wrote to memory of 1128	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	104
PID 4044 wrote to memory of 1128	4044	{6F3CD357-0863-4e35-8608-AB735C86858B}.exe	104
PID 2180 wrote to memory of 3480	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	105
PID 2180 wrote to memory of 3480	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	105
PID 2180 wrote to memory of 3480	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	105
PID 2180 wrote to memory of 2284	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	106
PID 2180 wrote to memory of 2284	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	106
PID 2180 wrote to memory of 2284	2180	{4E044118-A109-437d-ABA5-39EFB088DF92}.exe	106
PID 3480 wrote to memory of 3732	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	107
PID 3480 wrote to memory of 3732	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	107
PID 3480 wrote to memory of 3732	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	107
PID 3480 wrote to memory of 384	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	108
PID 3480 wrote to memory of 384	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	108
PID 3480 wrote to memory of 384	3480	{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe	108
PID 3732 wrote to memory of 4204	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	109
PID 3732 wrote to memory of 4204	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	109
PID 3732 wrote to memory of 4204	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	109
PID 3732 wrote to memory of 4828	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	110
PID 3732 wrote to memory of 4828	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	110
PID 3732 wrote to memory of 4828	3732	{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe	110
PID 4204 wrote to memory of 1196	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	111
PID 4204 wrote to memory of 1196	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	111
PID 4204 wrote to memory of 1196	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	111
PID 4204 wrote to memory of 3724	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	112
PID 4204 wrote to memory of 3724	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	112
PID 4204 wrote to memory of 3724	4204	{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe	112
PID 1196 wrote to memory of 4980	1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe	113
PID 1196 wrote to memory of 4980	1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe	113
PID 1196 wrote to memory of 4980	1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe	113
PID 1196 wrote to memory of 5056	1196	{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_cee27adaf5ff4e64853abe0d83a749b0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
  C:\Windows\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
    C:\Windows\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
      C:\Windows\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
        
        C:\Windows\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
        
        C:\Windows\{6F3CD357-0863-4e35-8608-AB735C86858B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
        
        C:\Windows\{4E044118-A109-437d-ABA5-39EFB088DF92}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
        
        C:\Windows\{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
        
        C:\Windows\{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
        
        C:\Windows\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
        
        C:\Windows\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
        
        C:\Windows\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe
        
        C:\Windows\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B216~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEFFA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF09B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81690~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F873~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E044~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F3CD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15F65~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E04D0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75965~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7474~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B216A04-A97B-4a5d-8CD7-1B0C02191CBF}.exe

Filesize
180KB

MD5
f7153209af8084946f7a53668fc32785

SHA1
09339c0118dfad12f62d240af0e4d7b5e8c69bdd

SHA256
ecfc362918338b178f8fd788448a5238d68dbc731cdec8a4936ffab2c1ee2ec6

SHA512
5aca13c32fe6723c85d1a01b64599292825159bdacce93571a9b6b039ddb144bd368106dcb5654ced04b11d70e56110e3c65d2372a71461bc7106e878195b10e

Download Submit
C:\Windows\{0F873BA7-8477-45de-884E-F85B0BE599D4}.exe

Filesize
180KB

MD5
86f761d752e2afa25c5e5af4c2f938d0

SHA1
adc9030f50336267a082bc61fdccc52e38195e39

SHA256
cb289501449dddfa805b68d17a4f3ad42c2feedc63ed38645731b0a254d96859

SHA512
aa1c04a12e654a06d918eec1b054e1c7b93a4824b9c0987011c575e1c76cd329b454992d74e1f2ccede06eb89da75958f7f8a98a13916d8c054ba1ccb4c0ea10

Download Submit
C:\Windows\{15F657F6-B7A5-4c6f-931F-D3CA72F2C3B6}.exe

Filesize
180KB

MD5
a13f034cfc8ca73a397eb795b64c3475

SHA1
ed77cc8d696349b7551ad3b59f279888061b3059

SHA256
e7574fd3dab3f621ab58313daeb2202997d45b8a7ad8cec297d3f9123117884e

SHA512
0978f05ec4233a5179ac3b05e1d5caf7c8055366635c6ed3952e4238eaf9779e91a2c67cb279bb25c75e5fe9094e6cc7bd56891aed6a20ddfa457d53880e05e6

Download Submit
C:\Windows\{4E044118-A109-437d-ABA5-39EFB088DF92}.exe

Filesize
180KB

MD5
b87ee328484c88ea8f097affa584895f

SHA1
1383b5a170802b63f033a39e1a7a0fd782844de1

SHA256
8eda6bdb4369fd30174c0e2d4bce4d3a5b2ddac10dd8ec9d36fbb2f43c8868df

SHA512
800c91dbabf814f9ee2dcb931e8773d723a13e5ffa59b975c2406f18e97cb7ab873de7a23fd0e2018b2d3a9950f3d2782e923216f9f52b87c38d0750bc7560f5

Download Submit
C:\Windows\{6F3CD357-0863-4e35-8608-AB735C86858B}.exe

Filesize
180KB

MD5
19088e4062ea45e386955a03f797009c

SHA1
91d00fe67dc06f819b421c301bfc8f62ecb5691b

SHA256
26f33a4dd192dfa3faaa269145f9c5c60e149b058893ff56863c7f8004dbc24b

SHA512
5579548074ee48f21c2fb7fcb750c07b8a0bba9236e1ad426a1c0313e07b58b3d80af22d9b13ec78253e770fda9ce37b7760eb6514bdab347e62979567f59fa5

Download Submit
C:\Windows\{75965140-A930-4fcb-9C6C-4EAF2AFAAB15}.exe

Filesize
180KB

MD5
13470ebace263d672dd320804f3018f8

SHA1
f1f45b6797e11d5129c45e6e7ea283a19fb07c43

SHA256
e7c8da7379bad08da98a07a9fcaff698583d40dc619c550f356ffab216d29ffb

SHA512
12218282f20e78fcb74275dc2fd03f9cac9b7525b0c4cf45b6b1c3c379bc2dfeca410832ecc18447aea0d565af25148c869d0ca288ec235cddba9e06b0f0261e

Download Submit
C:\Windows\{81690830-C38E-4c95-AD6B-776A3A91EA7B}.exe

Filesize
180KB

MD5
22deb9c4b3c3256d513b30a7e3715551

SHA1
e238a79af81fcb1770f49695e71613c7610743a0

SHA256
e857bd6f3761d8540d7ed5c6e1e1f0996e76e3e24f1f3ec4b168a4574081cf56

SHA512
17b877158a0dc44c98618f7be447ffee3a8f8536553c730549a2469f40b35a9f159b648b6f1ea127dcd2ac441454d7c7ebfadb1162e8b6a0569d2e1d2d5970ff

Download Submit
C:\Windows\{AF09BAD0-9F3C-4e76-89F9-7E9FF0DA05E3}.exe

Filesize
180KB

MD5
71c5a84f09f541b0820fc50869a1168b

SHA1
c3ddd5e3bff854b82a4067a4dfb714259aec35ed

SHA256
697efc81bde694636b874b3c568a9695a32e1a8751ec9824ee322db643772644

SHA512
8acbda8db344cd81f076b3c76bb82d486ae84fde78095ae725a8989c78a402df2954d5a67858eeee803ba4bebf07fe0948204ddce2b50d30e90be9b62d15763d

Download Submit
C:\Windows\{BD1A3E38-AF14-41f8-BD46-9A16520665F6}.exe

Filesize
180KB

MD5
de1b9bd1b4d664ffa0df93975560076c

SHA1
34c755b137852554cd80db3bd21be90ed37591a9

SHA256
077a4fd8fe28aeb6a9e359c957d5ba274c6dd3c0bdace66dee5b19f2ab5ba840

SHA512
16a5dd15b2763947d72d04fb6a5157d73a7b5e4ffe0c59d2c7115587ea21353d5bf15001d8dcad8fad2eb0eef3ec9fde1d174823520fe6e083b652096f184d21

Download Submit
C:\Windows\{CEFFABB9-FAB4-413f-B0F4-31749375AF6C}.exe

Filesize
180KB

MD5
f0b065bf5f8d62a6e1a048cb5c53b416

SHA1
87c5412d66bc3c3b0d928bac576bc35a2eabcb1f

SHA256
1e24d35213fe26a2a3acc46f4e5fba32ca6ffa6b2402042de2c376ea3812e590

SHA512
422903eaf3646218e58ec0ae43e4f024cd6a28c951cc6cc849ef6b29ef58327d87c1d125afb34a073b96c0db439c0902533b78991af094d20410b573a06dbbcc

Download Submit
C:\Windows\{E04D05D4-F021-4c64-AD67-AEC3B06B9827}.exe

Filesize
180KB

MD5
214df54cce4302c0c557fa60acff6adb

SHA1
7ee9a46b802ecc896497aea9b2188fbefb81c97f

SHA256
1f9d6e70edb937307eab6aa93c9d32f13c6a65c1450fbc125ac4a71bf55801e1

SHA512
a1a3237d609c8ad61651a0b514f8928b5dc720f15c40c51ffb4ad440dffb16980c5463a57166316531e032f12c33662ece0a0cbdea2237ef809c7e28e39777d5

Download Submit
C:\Windows\{F7474B95-95F9-43a9-875C-B18EFAABF2BF}.exe

Filesize
180KB

MD5
5b6dc8080e04da7d253f46e1fe0db3c5

SHA1
9c2bc13b7faaeffbb57cda905a47795a35c7d41e

SHA256
664016ef792d23411f7a9677b5073ef1c8cd1eeb8a15d0c118bcf2cd36f13f37

SHA512
aed405d54db42ee4a34fa3c14e850cb12444315c9e060fbae674626b03ac9ee70b9cb492b854e23ac7451cc810e0b3bb0a5a160d38b0c9b0c0c9796990f7661c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads