56e02b5fa11e81e31378ddb4e0b63db656b7bb647fa16b7384437ee2eaf1af39

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
Size

380KB
MD5

fd1441d9179581a63cec50659e4b2665
SHA1

14b065f52946c65bf2ac43db5990bc964bc71554
SHA256

56e02b5fa11e81e31378ddb4e0b63db656b7bb647fa16b7384437ee2eaf1af39
SHA512

1eedbc17afc8f31177b2096a6aaba3235fb49b5cfd5176d3e86b72c1ce2c193ab0d6fb8f9b3dbae6181565e7ec4765881c386e65b0f8aaa35a84319d314f9085
SSDEEP

3072:mEGh0oDlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG5l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}\stubpath = "C:\\Windows\\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe"	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3034043E-E2F6-4e81-B716-52E599394C5C}	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}\stubpath = "C:\\Windows\\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe"	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}\stubpath = "C:\\Windows\\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe"	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}\stubpath = "C:\\Windows\\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe"	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398A0372-5CC2-4203-B3B6-E462F6E46583}\stubpath = "C:\\Windows\\{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe"	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3205093C-CEE1-4c62-843A-44F586F6A439}	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}\stubpath = "C:\\Windows\\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe"	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398A0372-5CC2-4203-B3B6-E462F6E46583}	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A484A2-1994-446c-8F78-3C8B7E97A81D}\stubpath = "C:\\Windows\\{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe"	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA466A61-B352-4e8c-949E-89EE68007CBA}\stubpath = "C:\\Windows\\{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe"	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}\stubpath = "C:\\Windows\\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe"	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3205093C-CEE1-4c62-843A-44F586F6A439}\stubpath = "C:\\Windows\\{3205093C-CEE1-4c62-843A-44F586F6A439}.exe"	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA466A61-B352-4e8c-949E-89EE68007CBA}	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35A484A2-1994-446c-8F78-3C8B7E97A81D}	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3034043E-E2F6-4e81-B716-52E599394C5C}\stubpath = "C:\\Windows\\{3034043E-E2F6-4e81-B716-52E599394C5C}.exe"	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}\stubpath = "C:\\Windows\\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe"	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe

Executes dropped EXE 12 IoCs

pid	Process
2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
4472	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
1432	{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
File created	C:\Windows\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
File created	C:\Windows\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
File created	C:\Windows\{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
File created	C:\Windows\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
File created	C:\Windows\{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
File created	C:\Windows\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
File created	C:\Windows\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
File created	C:\Windows\{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
File created	C:\Windows\{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
File created	C:\Windows\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
File created	C:\Windows\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
Token: SeIncBasePriorityPrivilege	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
Token: SeIncBasePriorityPrivilege	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
Token: SeIncBasePriorityPrivilege	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
Token: SeIncBasePriorityPrivilege	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
Token: SeIncBasePriorityPrivilege	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
Token: SeIncBasePriorityPrivilege	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
Token: SeIncBasePriorityPrivilege	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
Token: SeIncBasePriorityPrivilege	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
Token: SeIncBasePriorityPrivilege	452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
Token: SeIncBasePriorityPrivilege	4472	{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2812	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	86
PID 3836 wrote to memory of 2812	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	86
PID 3836 wrote to memory of 2812	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	86
PID 3836 wrote to memory of 3416	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	87
PID 3836 wrote to memory of 3416	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	87
PID 3836 wrote to memory of 3416	3836	2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe	87
PID 2812 wrote to memory of 2944	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	91
PID 2812 wrote to memory of 2944	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	91
PID 2812 wrote to memory of 2944	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	91
PID 2812 wrote to memory of 3600	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	92
PID 2812 wrote to memory of 3600	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	92
PID 2812 wrote to memory of 3600	2812	{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe	92
PID 2944 wrote to memory of 912	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	95
PID 2944 wrote to memory of 912	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	95
PID 2944 wrote to memory of 912	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	95
PID 2944 wrote to memory of 1788	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	96
PID 2944 wrote to memory of 1788	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	96
PID 2944 wrote to memory of 1788	2944	{3205093C-CEE1-4c62-843A-44F586F6A439}.exe	96
PID 912 wrote to memory of 4416	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	97
PID 912 wrote to memory of 4416	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	97
PID 912 wrote to memory of 4416	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	97
PID 912 wrote to memory of 940	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	98
PID 912 wrote to memory of 940	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	98
PID 912 wrote to memory of 940	912	{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe	98
PID 4416 wrote to memory of 4188	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	99
PID 4416 wrote to memory of 4188	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	99
PID 4416 wrote to memory of 4188	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	99
PID 4416 wrote to memory of 1160	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	100
PID 4416 wrote to memory of 1160	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	100
PID 4416 wrote to memory of 1160	4416	{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe	100
PID 4188 wrote to memory of 2776	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	101
PID 4188 wrote to memory of 2776	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	101
PID 4188 wrote to memory of 2776	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	101
PID 4188 wrote to memory of 2268	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	102
PID 4188 wrote to memory of 2268	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	102
PID 4188 wrote to memory of 2268	4188	{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe	102
PID 2776 wrote to memory of 1444	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	103
PID 2776 wrote to memory of 1444	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	103
PID 2776 wrote to memory of 1444	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	103
PID 2776 wrote to memory of 3504	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	104
PID 2776 wrote to memory of 3504	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	104
PID 2776 wrote to memory of 3504	2776	{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe	104
PID 1444 wrote to memory of 4992	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	105
PID 1444 wrote to memory of 4992	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	105
PID 1444 wrote to memory of 4992	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	105
PID 1444 wrote to memory of 4392	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	106
PID 1444 wrote to memory of 4392	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	106
PID 1444 wrote to memory of 4392	1444	{3034043E-E2F6-4e81-B716-52E599394C5C}.exe	106
PID 4992 wrote to memory of 372	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	107
PID 4992 wrote to memory of 372	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	107
PID 4992 wrote to memory of 372	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	107
PID 4992 wrote to memory of 4860	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	108
PID 4992 wrote to memory of 4860	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	108
PID 4992 wrote to memory of 4860	4992	{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe	108
PID 372 wrote to memory of 452	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	109
PID 372 wrote to memory of 452	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	109
PID 372 wrote to memory of 452	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	109
PID 372 wrote to memory of 4312	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	110
PID 372 wrote to memory of 4312	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	110
PID 372 wrote to memory of 4312	372	{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe	110
PID 452 wrote to memory of 4472	452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe	111
PID 452 wrote to memory of 4472	452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe	111
PID 452 wrote to memory of 4472	452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe	111
PID 452 wrote to memory of 4396	452	{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_fd1441d9179581a63cec50659e4b2665_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
  C:\Windows\{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
    C:\Windows\{3205093C-CEE1-4c62-843A-44F586F6A439}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
      C:\Windows\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
        
        C:\Windows\{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
        
        C:\Windows\{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
        
        C:\Windows\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
        
        C:\Windows\{3034043E-E2F6-4e81-B716-52E599394C5C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
        
        C:\Windows\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
        
        C:\Windows\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
        
        C:\Windows\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
        
        C:\Windows\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe
        
        C:\Windows\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC227~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC6A3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2DB6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B04B6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30340~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93F4B~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA466~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35A48~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E2DD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{32050~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{398A0~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E2DD229-B4F0-4f8b-B5F1-6CB2797DCEA2}.exe

Filesize
380KB

MD5
8ba8eecee1738ac71c8badb8ad60323a

SHA1
18aa7a21310b632baafc38a4c4d61f332065d4ea

SHA256
3a2044ec86acb68d1e9af38da88760e93471456a78348c9551bad8cbbff98705

SHA512
a044f04e2641cf2338ce27a11d59f8bd24868a6ae54c41612b32fffcb7b4b8e61c78a49e17905a3e244bcd41454f9499b1b9f16a355ae7a407b80625230a69e3

Download Submit
C:\Windows\{3034043E-E2F6-4e81-B716-52E599394C5C}.exe

Filesize
380KB

MD5
6fe6d774369be36a01149002423a4e35

SHA1
69249803708e6a2a184e0f79b5707c958473a4b6

SHA256
70e663bbeccac775cc68bb2289f73b433caff342c49653c94a24652798c0abbd

SHA512
e2a5576cf2d1862e75e1bb982ab48734ebbd7761aabea9864278f146b21f42454355102fbe1bb869f77e6214638ad9af85bd5750881b346d5a375ff9d2b1d108

Download Submit
C:\Windows\{3205093C-CEE1-4c62-843A-44F586F6A439}.exe

Filesize
380KB

MD5
6e1f3187caaae734c31b41314b1c086c

SHA1
a5971f2705434c676b33e0554efc048437f09d7e

SHA256
b23cef55b86485140f89519c4a6e1fa9b78a4ca4a9a166b31a52e5efcba401ef

SHA512
834622070287e2be6ebd9c9eb977656bfb8430695b0acadbb589eab5b15f34d9e9427f0b52fa0fe08851f5dc0d8e8594ff9abbe7f6712c3bbd5aea05fb435553

Download Submit
C:\Windows\{35A484A2-1994-446c-8F78-3C8B7E97A81D}.exe

Filesize
380KB

MD5
4972490bccbf78240ae7e4e323e49051

SHA1
c77eba17125dbdb737a48c36d55324a18aed4a04

SHA256
7e912cb8558bd5c2c11b1c1afb9519e0ae0a95b78eb02ef1c884243239b0ca2e

SHA512
162919597c145a976b0f237dcea3429839e6be682a364f65b0ac01c42645964c8f78cb284c9a6ca7ed3e230c3cefdf45551e9b26ed157de49e9cc90128ca4292

Download Submit
C:\Windows\{398A0372-5CC2-4203-B3B6-E462F6E46583}.exe

Filesize
380KB

MD5
e686d93808e5e45bfacdd7a889af79b3

SHA1
d4cf9d072d488365dd4584108736af1f86f98d5f

SHA256
3018a302ae888d024752737ceb100af962b84ed9bd80c534a37beb4c48eba0f0

SHA512
08b11122e73e5669665887ac6d611a81538f31b0402bef53ee9d9c4ae606a479e6d42dbd010e6180744df7b5a739fda0b4d2d26c8e7ec01918618c516b2bebfa

Download Submit
C:\Windows\{93F4BA9E-259D-44f6-9B77-5CF8C06D4478}.exe

Filesize
380KB

MD5
410ca32ec197a3993589f56d6d0ebdd1

SHA1
efaf1a235b6d0ccb95e99b8a225ac385f9c9f732

SHA256
bc3c129722e906c162c418a3db4272afee7911d5283ac01636e988231bc87b1a

SHA512
7be141a08300dde85e7ede39d94ca189e0f298e9a530c7f2e8a7a39c8c1c4f0284a33b696ac17c74796ece3821505fde7ae81d706b42c125d2d127804945ca24

Download Submit
C:\Windows\{B04B61BC-8A3B-4044-A231-B00FD367CCCC}.exe

Filesize
380KB

MD5
41349e69254ea88b1d9d5037b98fa2ea

SHA1
d97bd4982f51a13f167aa964f409881a59da0e3f

SHA256
9946d8ec4f4a034c7bfc9c44cd9723aab51e5e26be2bc8e24f4b64a76e089b33

SHA512
d6c17e92aa6fecc9d4fb9938b2b138917fe674dd6730696a0812aba2c22dee13c8fec056d7272081261a7a4a37a947ca3becc086329bfd65b476e62efb64ccfa

Download Submit
C:\Windows\{C2EA0D33-664B-4553-82E2-786C1E1E9F08}.exe

Filesize
380KB

MD5
1e71e472b9782fce43ded76745a2a2f6

SHA1
455492cb5e8437b3d891fb48a6d6ea1a13fc5e35

SHA256
46d6cc8d195149b5b27b4b7a779c9f4855471b13763d29a9ad0969573a7d6966

SHA512
94027c600ec9845f71854d40d005e40a3963c5e5aa3203be487341318ea3f8d54d39d9faff22f64e00db4463f6ec60a48c45159cff20ec4f153855e48dca78c5

Download Submit
C:\Windows\{E2DB68C4-0B62-40d3-8690-25832DE82BDC}.exe

Filesize
380KB

MD5
89b9646c6e86f3af33b63b74b80f634d

SHA1
d678947a34dd2c08c4f9bec7c51991681dc26c23

SHA256
48f190e4c3d5501fd8a7b52c0fbe55d887db4804ead1c2929f430f00c954ed2f

SHA512
73bba7357f21a41df674452cbad66fa5c046d830d17342a3329ccabc71e6083a42f2a03fd684c7b128a3fe0a39ef45cda99a8585c0d7903c57e2f5b481aa6187

Download Submit
C:\Windows\{EA466A61-B352-4e8c-949E-89EE68007CBA}.exe

Filesize
380KB

MD5
ae9dc27b0913ad6ea13af850eebc5450

SHA1
048417555584f705a7260a50708438241150f0e2

SHA256
d25aa022ce468ef48f6b32271f5484bcc89bf83ff3194da6b39a8319faa90d62

SHA512
61b31254fd852ec8fa67cefffd8b148e7b58c218fa4b1da17945f367bd5d49309c7180f872a26ec76e7a0a91e1990286fb0c5a77667dc09bb36f6032b3896f54

Download Submit
C:\Windows\{EC6A3DCC-2BFA-476b-9C8C-FC00B8A9B968}.exe

Filesize
380KB

MD5
e27188d9ef248f7729c72e12c1b16269

SHA1
8571a4741e8370dbe29b5f6ecdef6052bfa5f0d9

SHA256
106b2c07ea74b0ce850d24fb56036bdb62e53457ce852a4f9c7ed4bb0e9e64a9

SHA512
24a47ca5f73171df7a7edbe520cc7254a74dde8cc2fd2487a2c413186599cf2a31e7781f04487489ac1472e9c0d1b3690eea7cab6c3f95213604d37ed94ef06c

Download Submit
C:\Windows\{FC227BBA-3B28-45fc-92A1-5DB5739F7DA6}.exe

Filesize
380KB

MD5
791877b5627375456ab7fd540c96a163

SHA1
4564d34e99962b393dede5e5d59dcef68f999745

SHA256
c992633250b52e6faac575571d6b0afe9f1a29f6363a4cdda4d49a5b85700b57

SHA512
07a35c39fd9891d0f64aa7d6affae1d25f0b13c70024f170dcc462861fc2478638214edca4deda48d4281e2fbe752165297ec62d5e4410b62663abd7a63752e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads