79cf5e82cacbbf4ff4895a84fabad5a75c1d23edd46650eba4ab2f8c2b0aa4a7

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Size

408KB
MD5

31a9e0e6e057b3b8af919597478a4db8
SHA1

141ff9d7eafa6873f42b5b46f41121733da2cf0d
SHA256

79cf5e82cacbbf4ff4895a84fabad5a75c1d23edd46650eba4ab2f8c2b0aa4a7
SHA512

d150ba8c833e727706ea4dd1b5a0c89c23cfd41d29587dfce273440ed4aa4a3e495a4d2f26021e704b5f3029146ee883e1f6ff94e6cc955c9966365e2fbe0794
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGGldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F92066-7159-43d7-A17D-9AD4882F94B9}\stubpath = "C:\\Windows\\{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe"	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D08051-15FA-43c7-91C2-94BF2B27518F}	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}\stubpath = "C:\\Windows\\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe"	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27D08051-15FA-43c7-91C2-94BF2B27518F}\stubpath = "C:\\Windows\\{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe"	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D940508C-27A9-4923-A53E-2571F196F4B9}	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}\stubpath = "C:\\Windows\\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe"	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC515932-7AA2-4d67-AB20-1013162F782F}	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC515932-7AA2-4d67-AB20-1013162F782F}\stubpath = "C:\\Windows\\{EC515932-7AA2-4d67-AB20-1013162F782F}.exe"	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}\stubpath = "C:\\Windows\\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe"	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}\stubpath = "C:\\Windows\\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe"	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20B25CCD-DCED-4725-AADA-969F8538F2AB}	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}\stubpath = "C:\\Windows\\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe"	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{187A7FB8-F7E1-4c36-8B0A-050E06618979}\stubpath = "C:\\Windows\\{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe"	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E765EB78-873E-4ef8-850B-20245B9CEFA4}\stubpath = "C:\\Windows\\{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe"	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E765EB78-873E-4ef8-850B-20245B9CEFA4}	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20B25CCD-DCED-4725-AADA-969F8538F2AB}\stubpath = "C:\\Windows\\{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe"	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{187A7FB8-F7E1-4c36-8B0A-050E06618979}	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D940508C-27A9-4923-A53E-2571F196F4B9}\stubpath = "C:\\Windows\\{D940508C-27A9-4923-A53E-2571F196F4B9}.exe"	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47F92066-7159-43d7-A17D-9AD4882F94B9}	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
2912	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
3888	{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
File created	C:\Windows\{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
File created	C:\Windows\{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
File created	C:\Windows\{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
File created	C:\Windows\{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
File created	C:\Windows\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
File created	C:\Windows\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
File created	C:\Windows\{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
File created	C:\Windows\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
File created	C:\Windows\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
File created	C:\Windows\{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
File created	C:\Windows\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
Token: SeIncBasePriorityPrivilege	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
Token: SeIncBasePriorityPrivilege	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
Token: SeIncBasePriorityPrivilege	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
Token: SeIncBasePriorityPrivilege	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
Token: SeIncBasePriorityPrivilege	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
Token: SeIncBasePriorityPrivilege	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
Token: SeIncBasePriorityPrivilege	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
Token: SeIncBasePriorityPrivilege	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
Token: SeIncBasePriorityPrivilege	1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
Token: SeIncBasePriorityPrivilege	2912	{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2360	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	87
PID 5036 wrote to memory of 2360	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	87
PID 5036 wrote to memory of 2360	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	87
PID 5036 wrote to memory of 216	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	88
PID 5036 wrote to memory of 216	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	88
PID 5036 wrote to memory of 216	5036	2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe	88
PID 2360 wrote to memory of 2468	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	91
PID 2360 wrote to memory of 2468	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	91
PID 2360 wrote to memory of 2468	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	91
PID 2360 wrote to memory of 1912	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	92
PID 2360 wrote to memory of 1912	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	92
PID 2360 wrote to memory of 1912	2360	{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe	92
PID 2468 wrote to memory of 1536	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	95
PID 2468 wrote to memory of 1536	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	95
PID 2468 wrote to memory of 1536	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	95
PID 2468 wrote to memory of 1728	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	96
PID 2468 wrote to memory of 1728	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	96
PID 2468 wrote to memory of 1728	2468	{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe	96
PID 1536 wrote to memory of 1316	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	97
PID 1536 wrote to memory of 1316	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	97
PID 1536 wrote to memory of 1316	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	97
PID 1536 wrote to memory of 532	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	98
PID 1536 wrote to memory of 532	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	98
PID 1536 wrote to memory of 532	1536	{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe	98
PID 1316 wrote to memory of 4664	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	99
PID 1316 wrote to memory of 4664	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	99
PID 1316 wrote to memory of 4664	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	99
PID 1316 wrote to memory of 1756	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	100
PID 1316 wrote to memory of 1756	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	100
PID 1316 wrote to memory of 1756	1316	{D940508C-27A9-4923-A53E-2571F196F4B9}.exe	100
PID 4664 wrote to memory of 2828	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	101
PID 4664 wrote to memory of 2828	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	101
PID 4664 wrote to memory of 2828	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	101
PID 4664 wrote to memory of 4160	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	102
PID 4664 wrote to memory of 4160	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	102
PID 4664 wrote to memory of 4160	4664	{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe	102
PID 2828 wrote to memory of 2016	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	103
PID 2828 wrote to memory of 2016	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	103
PID 2828 wrote to memory of 2016	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	103
PID 2828 wrote to memory of 4796	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	104
PID 2828 wrote to memory of 4796	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	104
PID 2828 wrote to memory of 4796	2828	{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe	104
PID 2016 wrote to memory of 4588	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	105
PID 2016 wrote to memory of 4588	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	105
PID 2016 wrote to memory of 4588	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	105
PID 2016 wrote to memory of 4720	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	106
PID 2016 wrote to memory of 4720	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	106
PID 2016 wrote to memory of 4720	2016	{EC515932-7AA2-4d67-AB20-1013162F782F}.exe	106
PID 4588 wrote to memory of 4116	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	107
PID 4588 wrote to memory of 4116	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	107
PID 4588 wrote to memory of 4116	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	107
PID 4588 wrote to memory of 4516	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	108
PID 4588 wrote to memory of 4516	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	108
PID 4588 wrote to memory of 4516	4588	{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe	108
PID 4116 wrote to memory of 1424	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	109
PID 4116 wrote to memory of 1424	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	109
PID 4116 wrote to memory of 1424	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	109
PID 4116 wrote to memory of 2364	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	110
PID 4116 wrote to memory of 2364	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	110
PID 4116 wrote to memory of 2364	4116	{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe	110
PID 1424 wrote to memory of 2912	1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe	111
PID 1424 wrote to memory of 2912	1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe	111
PID 1424 wrote to memory of 2912	1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe	111
PID 1424 wrote to memory of 4064	1424	{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_31a9e0e6e057b3b8af919597478a4db8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
  C:\Windows\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
    C:\Windows\{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
      C:\Windows\{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
        
        C:\Windows\{D940508C-27A9-4923-A53E-2571F196F4B9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
        
        C:\Windows\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
        
        C:\Windows\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
        
        C:\Windows\{EC515932-7AA2-4d67-AB20-1013162F782F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
        
        C:\Windows\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
        
        C:\Windows\{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
        
        C:\Windows\{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
        
        C:\Windows\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe
        
        C:\Windows\{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7BCC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20B25~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E765E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7704E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC515~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4138F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8AD7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9405~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27D08~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47F92~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{42EE8~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{187A7FB8-F7E1-4c36-8B0A-050E06618979}.exe

Filesize
408KB

MD5
d6ab527b97cbfe734ba86f86fd703a06

SHA1
1d54eb45fdeb61fc868b3e55bfad250387bb939e

SHA256
2aa37d77d125f0c127113c9f101958d969f6e0826ae790b07e8918ee6c4ba8d5

SHA512
6086aa36f38dba061e607aa9dc221b3c43f782f29cdea066875530bebdc01198444ef0c6e532a5b88b09eb770b56598a4a20aa7b5a8abb547c6234608353e1ae

Download Submit
C:\Windows\{20B25CCD-DCED-4725-AADA-969F8538F2AB}.exe

Filesize
408KB

MD5
e904a46a639d44f35f1c421495af145a

SHA1
263f2bf6f69f9e0d506aff2dcee9b0feda5281ed

SHA256
9c67888d253e8f047cac9535c1b37a08e1e3926820095e20eeed92ca6276b7b7

SHA512
0265e5dc450ad40d5733ae2cf77598b29ef095e6be367a18d30d13351023de947f7ecce586351716241b0b8c50a9886ccaad75e349e83f0c4c39656ece54a38c

Download Submit
C:\Windows\{27D08051-15FA-43c7-91C2-94BF2B27518F}.exe

Filesize
408KB

MD5
442edefa7cf8c2b46d0763636f1dfd26

SHA1
a7eba13843ae46bc1e66d950e540ec13afde2793

SHA256
a0fdaec7675fe5e514f9e97e81e290afad2468d82777ae2ada2a74210e676293

SHA512
0f24db04a9eee8c124e557dd6fbf3ad914859ef9b7222d500bc67f9a5219976db9f43ebc6f761c4f552791831ed92d6fdd125652ee8669008378070e8dfac0df

Download Submit
C:\Windows\{4138FD4B-3360-436f-A60C-FF47C4FDE3C8}.exe

Filesize
408KB

MD5
e87ddb7b82be0d21152c003f2d58f960

SHA1
2d7c083ad02f07805cc12f8cbe3548063c7618e2

SHA256
fb6190485f49ee8cbf491cd59935fb63a5f681b2b5622b1a4dc717321fafcba2

SHA512
0c39e6505872fe5208faf368117655db3586e9280046ef007a371ad59fb2a9c9c52aa76835013f99512eeae4ffa39635a9c8563d1db717ed1f302523f3735b1d

Download Submit
C:\Windows\{42EE8CE1-D606-4727-9670-F13E8BEDD4F6}.exe

Filesize
408KB

MD5
46f0712986d70486a4a1149722262741

SHA1
2c736a275ba7f3bf92ccf4cccd2e26bb89e59a41

SHA256
a0f656229f15483ffc7f6b0ab6f7359d1c16f164242a3001ff589a2d7fb6111b

SHA512
ea1d5a22fbab7228c3a89ad9d14b187b1b84628b16a0cc7f2788535b64d24f01923a6473fc97033dc7f8a6a9b462776557100914483acfba2a44fd06ade60823

Download Submit
C:\Windows\{47F92066-7159-43d7-A17D-9AD4882F94B9}.exe

Filesize
408KB

MD5
9a41ebdb3108eca45d68614a156c54ec

SHA1
6c403a0c2e6089b5d80d88e839ff44615af27c28

SHA256
6c26bc9c60af39c2f3cd8ccadb150838c66ac077bbcb5f03e0a79e4eafe5b614

SHA512
f008f02dfbeb7ba6f0a51608cbb2229e7bdbe50c48408120bfa5afa747126e116982c825b98fac4232fd665868903f237d741bb14e2f6df98a03598eabdf12c2

Download Submit
C:\Windows\{7704E9CB-A6E0-4e83-AD46-031AED2B1CA6}.exe

Filesize
408KB

MD5
008adff72951082f8c2b7992455363b4

SHA1
45d3eab72c78cb6b4ed0b331e555400181afcfc4

SHA256
382428e233c376afd14f35b65600cc2a667bc90507246b9e3c9dc2ae4b97d533

SHA512
de4a178d9a00c76add101ce30924d7559c38545f3ba57d54136a9fe0b7f04dd1150eafca739408658faad7f124e56c31ef865763ad8c7f55a9852b2a3dfbded1

Download Submit
C:\Windows\{D7BCCEB0-A0CD-4146-AE61-5781D7C8922B}.exe

Filesize
408KB

MD5
81851406a3704b03ae638dbfa7376f6b

SHA1
141a01598e5c235fcfb6365f4b8c8dd1266b3881

SHA256
f31c592beaa862d22ed6874d0fe7b28655d2af943c61bfe99877a043ed69555c

SHA512
c88f3401790abc366c7fd4d2e7212bd796e2a06d24d6f50a94e975d1e8b22e863948fa1850f8a02c66d5ff8e7bdba9f7340cf07f450bc129469345a18ab9442f

Download Submit
C:\Windows\{D940508C-27A9-4923-A53E-2571F196F4B9}.exe

Filesize
408KB

MD5
dcbc517fbd59b07c77a30345c01fab5c

SHA1
814fc2e4645b593d1e577d2edb21805d91e8b2c6

SHA256
110e493a6103da09da9b7a0239f574c158b0537c3cbedc5a85728de0a87ab044

SHA512
87bcd96b4bbee9ed7efc9af48cbd3911bfc122ccbede628ae6f1fa843cccd18aae3460af106db4cee08cb540aa86c970975eda7253f00da28f92653e39166eaa

Download Submit
C:\Windows\{E765EB78-873E-4ef8-850B-20245B9CEFA4}.exe

Filesize
408KB

MD5
d560d88c1bf9d77b095c0b8d37e57258

SHA1
acd244125a7a909149aa615aefb9df0e28362433

SHA256
ed646b5ac313d3a19f0a1ce329f779916f58678ad4fbe7383da4fd98efecc179

SHA512
d7aaf18326603e09e5968ca4912cdbe7ce3536f461c4c47de6552bfe55f5d04f14167500e11388b1ce440e11a8de5342bea91bab6135a3105d7269d1beba5d10

Download Submit
C:\Windows\{E8AD78C7-358A-47ee-9E1D-F13E9416086F}.exe

Filesize
408KB

MD5
52cd1ad18df249909d187d70d50ce2fa

SHA1
24eb01ffbddcf76dd5e226c248507036843a7fb5

SHA256
ff8ec4cd2fa39f690a256da4584df8cf506f6f8b0dbea9959419aa3fe1a719d9

SHA512
f036cf31ba163791d806acef1e86c2f7c1b9b329809a2d4173b98479dab8fd679b8010e43cb3e2d3cb78fc72f9c070e834b3b0984ab8a58b9640997890cb9a19

Download Submit
C:\Windows\{EC515932-7AA2-4d67-AB20-1013162F782F}.exe

Filesize
408KB

MD5
56f414ac000aa87c619f34e165cb7141

SHA1
b77c048a6c98bb2d4ec8322babc8788d96771f59

SHA256
f77b6001477e9f7dcd1a9786a230d2acc0cf1ead5ddd1c86d25d46778e93bf73

SHA512
43e6a3e2c49af6e4e15f2a4b84bf7fef24aa1fc9f6fa7f4c64550a548b38ace9ebbe98c4fd42076e6bc861339e506b91bcce5d012bf5863113c2699d3451a3dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads