7b1d1b7ff40bb68cf8d767d3d026e1a12dc45b06d53199ff41085cd89bff37ab

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Size

204KB
MD5

ff2451f94026a59134c9a4312abf2b33
SHA1

8514c26e81a5342a8f3f2c89829255e3f18c0f35
SHA256

7b1d1b7ff40bb68cf8d767d3d026e1a12dc45b06d53199ff41085cd89bff37ab
SHA512

55fb8a2bfa8bc76844398fcd6a1c391e1d32ae870f5fdd4c9ec95dde40e6a7c0cfff1ff93917fe718a5b439291fcc30b2b994127969271b6ee58a012653fe597
SSDEEP

1536:1EGh0obl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0obl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E072493B-DA9F-4895-968E-40AC78CD8EB6}\stubpath = "C:\\Windows\\{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe"	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EEDD03-334E-4955-B484-79116FD837A8}	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5682C2-A6D6-4743-BD29-FE0D88653199}	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F5682C2-A6D6-4743-BD29-FE0D88653199}\stubpath = "C:\\Windows\\{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe"	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}\stubpath = "C:\\Windows\\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe"	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D538FA9F-88AB-4045-82F6-18E839C02734}	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D538FA9F-88AB-4045-82F6-18E839C02734}\stubpath = "C:\\Windows\\{D538FA9F-88AB-4045-82F6-18E839C02734}.exe"	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E072493B-DA9F-4895-968E-40AC78CD8EB6}	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}\stubpath = "C:\\Windows\\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe"	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EEDD03-334E-4955-B484-79116FD837A8}\stubpath = "C:\\Windows\\{F2EEDD03-334E-4955-B484-79116FD837A8}.exe"	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}\stubpath = "C:\\Windows\\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe"	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}\stubpath = "C:\\Windows\\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe"	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4061C121-0257-4c09-826F-93B37BACF7C9}\stubpath = "C:\\Windows\\{4061C121-0257-4c09-826F-93B37BACF7C9}.exe"	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}\stubpath = "C:\\Windows\\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe"	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}\stubpath = "C:\\Windows\\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe"	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}\stubpath = "C:\\Windows\\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe"	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4061C121-0257-4c09-826F-93B37BACF7C9}	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
4348	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
3796	{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
File created	C:\Windows\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
File created	C:\Windows\{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
File created	C:\Windows\{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
File created	C:\Windows\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
File created	C:\Windows\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
File created	C:\Windows\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
File created	C:\Windows\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
File created	C:\Windows\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
File created	C:\Windows\{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
File created	C:\Windows\{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
File created	C:\Windows\{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
Token: SeIncBasePriorityPrivilege	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
Token: SeIncBasePriorityPrivilege	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
Token: SeIncBasePriorityPrivilege	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
Token: SeIncBasePriorityPrivilege	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
Token: SeIncBasePriorityPrivilege	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
Token: SeIncBasePriorityPrivilege	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
Token: SeIncBasePriorityPrivilege	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
Token: SeIncBasePriorityPrivilege	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
Token: SeIncBasePriorityPrivilege	3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
Token: SeIncBasePriorityPrivilege	4348	{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1856	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	87
PID 2880 wrote to memory of 1856	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	87
PID 2880 wrote to memory of 1856	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	87
PID 2880 wrote to memory of 1936	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	88
PID 2880 wrote to memory of 1936	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	88
PID 2880 wrote to memory of 1936	2880	2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe	88
PID 1856 wrote to memory of 4960	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	91
PID 1856 wrote to memory of 4960	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	91
PID 1856 wrote to memory of 4960	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	91
PID 1856 wrote to memory of 4500	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	92
PID 1856 wrote to memory of 4500	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	92
PID 1856 wrote to memory of 4500	1856	{D538FA9F-88AB-4045-82F6-18E839C02734}.exe	92
PID 4960 wrote to memory of 3108	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	95
PID 4960 wrote to memory of 3108	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	95
PID 4960 wrote to memory of 3108	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	95
PID 4960 wrote to memory of 4896	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	96
PID 4960 wrote to memory of 4896	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	96
PID 4960 wrote to memory of 4896	4960	{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe	96
PID 3108 wrote to memory of 864	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	97
PID 3108 wrote to memory of 864	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	97
PID 3108 wrote to memory of 864	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	97
PID 3108 wrote to memory of 1644	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	98
PID 3108 wrote to memory of 1644	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	98
PID 3108 wrote to memory of 1644	3108	{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe	98
PID 864 wrote to memory of 1716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	99
PID 864 wrote to memory of 1716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	99
PID 864 wrote to memory of 1716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	99
PID 864 wrote to memory of 4716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	100
PID 864 wrote to memory of 4716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	100
PID 864 wrote to memory of 4716	864	{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe	100
PID 1716 wrote to memory of 4540	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	101
PID 1716 wrote to memory of 4540	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	101
PID 1716 wrote to memory of 4540	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	101
PID 1716 wrote to memory of 3016	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	102
PID 1716 wrote to memory of 3016	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	102
PID 1716 wrote to memory of 3016	1716	{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe	102
PID 4540 wrote to memory of 1444	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	103
PID 4540 wrote to memory of 1444	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	103
PID 4540 wrote to memory of 1444	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	103
PID 4540 wrote to memory of 1472	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	104
PID 4540 wrote to memory of 1472	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	104
PID 4540 wrote to memory of 1472	4540	{F2EEDD03-334E-4955-B484-79116FD837A8}.exe	104
PID 1444 wrote to memory of 2688	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	105
PID 1444 wrote to memory of 2688	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	105
PID 1444 wrote to memory of 2688	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	105
PID 1444 wrote to memory of 4664	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	106
PID 1444 wrote to memory of 4664	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	106
PID 1444 wrote to memory of 4664	1444	{4061C121-0257-4c09-826F-93B37BACF7C9}.exe	106
PID 2688 wrote to memory of 2088	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	107
PID 2688 wrote to memory of 2088	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	107
PID 2688 wrote to memory of 2088	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	107
PID 2688 wrote to memory of 2884	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	108
PID 2688 wrote to memory of 2884	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	108
PID 2688 wrote to memory of 2884	2688	{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe	108
PID 2088 wrote to memory of 3532	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	109
PID 2088 wrote to memory of 3532	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	109
PID 2088 wrote to memory of 3532	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	109
PID 2088 wrote to memory of 4948	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	110
PID 2088 wrote to memory of 4948	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	110
PID 2088 wrote to memory of 4948	2088	{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe	110
PID 3532 wrote to memory of 4348	3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe	111
PID 3532 wrote to memory of 4348	3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe	111
PID 3532 wrote to memory of 4348	3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe	111
PID 3532 wrote to memory of 3968	3532	{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_ff2451f94026a59134c9a4312abf2b33_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
  C:\Windows\{D538FA9F-88AB-4045-82F6-18E839C02734}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
    C:\Windows\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
      C:\Windows\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
        
        C:\Windows\{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
        
        C:\Windows\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
        
        C:\Windows\{F2EEDD03-334E-4955-B484-79116FD837A8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
        
        C:\Windows\{4061C121-0257-4c09-826F-93B37BACF7C9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
        
        C:\Windows\{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
        
        C:\Windows\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
        
        C:\Windows\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
        
        C:\Windows\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe
        
        C:\Windows\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8587~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72CB5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CBF8~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F568~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4061C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2EED~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FDE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0724~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A375~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C88C2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D538F~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CBF8338-5A30-4acb-B655-A180ECF51FCA}.exe

Filesize
204KB

MD5
ac6390741ec5ebbe805e99e4c09217f3

SHA1
cf2b1843079de19ac203cd73abed72b67f524c88

SHA256
78f48507e255673533133dc57a13232e22de42f60a8537b4bee2f0c79b86d0ef

SHA512
9984bb8c2fe55e75079c53e9b5c9a11639338418b39df72c63e42537060799e655ef879adea02aa14d29de8d626a1ee895a7d820f6730731af1d5c763da0b29b

Download Submit
C:\Windows\{0F99321E-9201-482b-9D1D-A50AF3AFB9D7}.exe

Filesize
204KB

MD5
d595c65378910e2e8b64ac532dce7cd8

SHA1
bd89f29235dd9a87759bd6ce244ced37db50adaf

SHA256
f503332974659d7065a6d3a52d07ade51c3ea718e88c2b7c0f97360feba2842f

SHA512
1de6929611526e32c95ca5c9b993de99ae47e890b4c24c05a03af26899dd427fcb04498d8c080c2ef283d11903d91a832e58b21355c88a395da3027d35d34e27

Download Submit
C:\Windows\{1F5682C2-A6D6-4743-BD29-FE0D88653199}.exe

Filesize
204KB

MD5
ca7d269d662438ceae1f1747d83535e2

SHA1
462e40d2485d5476319b9a568e2973a1ada26521

SHA256
817700ad5059b8363e0abd29feb46089f862bbb40bf3621906dd07bd6f726c67

SHA512
9a40a170cd17801a490095714038a5cd0e600389461bb3e03621f0f73e1684c9e4728426923fecfad915e5eaf40b5115c0aa7767ce7d30edbed58e8e8d377eea

Download Submit
C:\Windows\{2A3752F4-62FB-4a47-B6B1-B0C2CE425BA7}.exe

Filesize
204KB

MD5
0089c4f29218ec5a1e2ef2c9ec4f3ea6

SHA1
089ff9cb845e98618ba0422037819735ad7ed759

SHA256
845b0fcac8544219cae64871f0cae4a4c86afddf5637e630f4293bc2266b0717

SHA512
58b483433fb6e4265c384a3047b409898760550a135abf375b57d0858139c7696f6828fda31f9e493b0df9d8210ec3d2024b28a4bc31ebe5572a8560a6e7a635

Download Submit
C:\Windows\{4061C121-0257-4c09-826F-93B37BACF7C9}.exe

Filesize
204KB

MD5
79ef5fb3aa82d4b6e3b896b39e10215d

SHA1
4397e2a1580c4e1d231edac2637fd9b79cba7f69

SHA256
8a76bf7ca077ef4f4bec3ca379e51c4b70f06c98b599467d24ab9388af789765

SHA512
81f3c88d574e478420a9a49c5ba747360ef09197156b8037636f789b1ba57314ca5d796e84ecaa81ccae5268362c67c318fb15e45b13c58308d7b65dc48110dd

Download Submit
C:\Windows\{72CB59AE-A09B-4521-8A51-5F09AA5C922C}.exe

Filesize
204KB

MD5
f037489937fe18520c4902a175810474

SHA1
1b56e5fcfb0c1eecd3fd0fcbf6b919d6e44d2e1a

SHA256
517a6554213172468e188c58a11ab6687449b9295095b6731d1d02e43e3cf411

SHA512
f46e4d50c524691f8829f1d356f6775983c815706639fd3daa9b24f59c8c9bae05a0088ec0c1dd01660c6093ea9c102d916262e063fc94da55e635d6e596769b

Download Submit
C:\Windows\{C88C26D2-5D26-4bed-AB9E-8FB738699F00}.exe

Filesize
204KB

MD5
f389328998bc75ae3cd431b24e951f24

SHA1
df5346e757c31659bfb0d202f60ac6742eb816a6

SHA256
d41d81c8f9863d196f9c4e5e3543e5f54e89e0a8c294a1d37e6d5e8319797cd8

SHA512
ada5b69b0f82f6e3aef3f14ff65f20d7ad072dbc44b7c4dd60657595311543cdf82f69b775c1863e96c29fdc529106d6472b40074e4240cbe68f64ea3e5a9c57

Download Submit
C:\Windows\{D538FA9F-88AB-4045-82F6-18E839C02734}.exe

Filesize
204KB

MD5
5ddde391eb2c512aac1e82bbfd80502a

SHA1
ab6206b5144ed5566b50efb9e7b1ea5ccbb42692

SHA256
4d8d402c8fffcd8e3f13f1625535f246211f270e3044b5102adcef6b58f23fd8

SHA512
f77d686b1622fab7c8414cb6f2e63c1efa766754b0117bb7dd46e149cb453e72f036ae5cbb2e5c745a29d7890d2e12804eca3648ae3987c9ee00c2416ffd97d6

Download Submit
C:\Windows\{D7FDED31-495A-4b3d-89E6-6A9A4444CE1E}.exe

Filesize
204KB

MD5
aa1a72ddf5e02f50d70dcea951d606e5

SHA1
e949f10249a4fef772624ab049d6038afb5d8e12

SHA256
8e6506c34fb968a3aa727fa1989b64cda16a85e9541998ef70535246a4a13e7f

SHA512
a01e1b7e7b21d09c82b243d0fc9a42b970e3f6a0cd4b4b895e7bbcd1832f53848db61c81c1f8baf51346dde4ac815c43c030395b4d3246bc9ddedf05b86afbb8

Download Submit
C:\Windows\{D858787D-DFA1-4170-AA47-BD60C3EF8B6D}.exe

Filesize
204KB

MD5
84d143a8876753fcf91b39c7f8d07987

SHA1
879b844369b16026377ebf3fe8024b836de6e590

SHA256
f4b8749df4856865a5087115309429d7e6177385ddd667b351feb2cdd2c41550

SHA512
c94cbc8b715c5ba875426078f978e22236ad80d2a5f872c9e381b6eeb49530a16e9de0e1edac27bbe11144bc521219db914759051fafa1ef8e9d803f835e5f29

Download Submit
C:\Windows\{E072493B-DA9F-4895-968E-40AC78CD8EB6}.exe

Filesize
204KB

MD5
e362ebd69c5e1648680cfcab2f328da8

SHA1
14b9c1c10963ae0810e2d0283f24c933d0c697a6

SHA256
cca331cd2c9bc5cb8d000c5c76cebbab00404d3a9c71927c35a13a83ce2a2e5a

SHA512
58a7e63adf5dd2ceafcc3aab82850c05553bf3a4a6dacbf691ea9f17d743693aa82b4831d58044aae77ebac93513d6de1bd03a20503ebf750453afff2e486a04

Download Submit
C:\Windows\{F2EEDD03-334E-4955-B484-79116FD837A8}.exe

Filesize
204KB

MD5
b7a6f5943992e0ab8219840f383253a1

SHA1
5c43b0194f5e59d92cceea31bbfbd647e3bd1e87

SHA256
41b445ad33afd1ea1382590f51501fc19be3d250f26f19c68ad72ce70eb8ca48

SHA512
28121e42ab3043c4905e6971db609813077802a708146d33fdddad366e708736a1f2ebc26ae3c0783221bce2391fde5ffbd78a68218b6d1d46d4d84a04b878de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads