6a06e947380a9fc3df7822b5a76e344e4d725deff627900cf15a9323c29f9e22

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
Size

180KB
MD5

cacfd063d386abc10d049f18c8a1a59b
SHA1

ab7984ae095a22cf2fcfcbce3f67a55407fbaee6
SHA256

6a06e947380a9fc3df7822b5a76e344e4d725deff627900cf15a9323c29f9e22
SHA512

a8ee3f99cbab1d4d7b5c0b019925fc1715f0c0a9413f6c325cbc0d18b56f2c01f5d50ee132998a9e286a68d72c64ad2394f677b3e56eeed0d12c210b3934f7e5
SSDEEP

3072:jEGh0ojlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8564321E-9EB9-4791-9891-6EF345F9C808}\stubpath = "C:\\Windows\\{8564321E-9EB9-4791-9891-6EF345F9C808}.exe"	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}\stubpath = "C:\\Windows\\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe"	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}	{4835918F-D96C-4c34-8932-A7A426952679}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}\stubpath = "C:\\Windows\\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe"	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}\stubpath = "C:\\Windows\\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe"	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}\stubpath = "C:\\Windows\\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe"	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4835918F-D96C-4c34-8932-A7A426952679}	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4835918F-D96C-4c34-8932-A7A426952679}\stubpath = "C:\\Windows\\{4835918F-D96C-4c34-8932-A7A426952679}.exe"	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89929D8-04F1-4c09-B302-9BB900C0E099}	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B89929D8-04F1-4c09-B302-9BB900C0E099}\stubpath = "C:\\Windows\\{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe"	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}\stubpath = "C:\\Windows\\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe"	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4353C3-D605-4100-B7A3-B8513260FA78}	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD4353C3-D605-4100-B7A3-B8513260FA78}\stubpath = "C:\\Windows\\{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe"	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}\stubpath = "C:\\Windows\\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe"	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}\stubpath = "C:\\Windows\\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe"	{4835918F-D96C-4c34-8932-A7A426952679}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8564321E-9EB9-4791-9891-6EF345F9C808}	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}\stubpath = "C:\\Windows\\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe"	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe

Executes dropped EXE 12 IoCs

pid	Process
1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe
4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
5000	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
5024	{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
File created	C:\Windows\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
File created	C:\Windows\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
File created	C:\Windows\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
File created	C:\Windows\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
File created	C:\Windows\{4835918F-D96C-4c34-8932-A7A426952679}.exe	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
File created	C:\Windows\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	{4835918F-D96C-4c34-8932-A7A426952679}.exe
File created	C:\Windows\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
File created	C:\Windows\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
File created	C:\Windows\{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
File created	C:\Windows\{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
File created	C:\Windows\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4835918F-D96C-4c34-8932-A7A426952679}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
Token: SeIncBasePriorityPrivilege	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe
Token: SeIncBasePriorityPrivilege	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
Token: SeIncBasePriorityPrivilege	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
Token: SeIncBasePriorityPrivilege	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
Token: SeIncBasePriorityPrivilege	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
Token: SeIncBasePriorityPrivilege	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
Token: SeIncBasePriorityPrivilege	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
Token: SeIncBasePriorityPrivilege	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
Token: SeIncBasePriorityPrivilege	3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
Token: SeIncBasePriorityPrivilege	5000	{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1812	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	86
PID 2572 wrote to memory of 1812	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	86
PID 2572 wrote to memory of 1812	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	86
PID 2572 wrote to memory of 3220	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	87
PID 2572 wrote to memory of 3220	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	87
PID 2572 wrote to memory of 3220	2572	2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe	87
PID 1812 wrote to memory of 4920	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	88
PID 1812 wrote to memory of 4920	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	88
PID 1812 wrote to memory of 4920	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	88
PID 1812 wrote to memory of 1852	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	89
PID 1812 wrote to memory of 1852	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	89
PID 1812 wrote to memory of 1852	1812	{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe	89
PID 4920 wrote to memory of 4428	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	93
PID 4920 wrote to memory of 4428	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	93
PID 4920 wrote to memory of 4428	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	93
PID 4920 wrote to memory of 2208	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	94
PID 4920 wrote to memory of 2208	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	94
PID 4920 wrote to memory of 2208	4920	{4835918F-D96C-4c34-8932-A7A426952679}.exe	94
PID 4428 wrote to memory of 3276	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	95
PID 4428 wrote to memory of 3276	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	95
PID 4428 wrote to memory of 3276	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	95
PID 4428 wrote to memory of 1452	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	96
PID 4428 wrote to memory of 1452	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	96
PID 4428 wrote to memory of 1452	4428	{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe	96
PID 3276 wrote to memory of 5012	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	97
PID 3276 wrote to memory of 5012	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	97
PID 3276 wrote to memory of 5012	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	97
PID 3276 wrote to memory of 4912	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	98
PID 3276 wrote to memory of 4912	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	98
PID 3276 wrote to memory of 4912	3276	{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe	98
PID 5012 wrote to memory of 3600	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	99
PID 5012 wrote to memory of 3600	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	99
PID 5012 wrote to memory of 3600	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	99
PID 5012 wrote to memory of 1580	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	100
PID 5012 wrote to memory of 1580	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	100
PID 5012 wrote to memory of 1580	5012	{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe	100
PID 3600 wrote to memory of 864	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	101
PID 3600 wrote to memory of 864	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	101
PID 3600 wrote to memory of 864	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	101
PID 3600 wrote to memory of 2776	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	102
PID 3600 wrote to memory of 2776	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	102
PID 3600 wrote to memory of 2776	3600	{8564321E-9EB9-4791-9891-6EF345F9C808}.exe	102
PID 864 wrote to memory of 1780	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	103
PID 864 wrote to memory of 1780	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	103
PID 864 wrote to memory of 1780	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	103
PID 864 wrote to memory of 2520	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	104
PID 864 wrote to memory of 2520	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	104
PID 864 wrote to memory of 2520	864	{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe	104
PID 1780 wrote to memory of 4364	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	105
PID 1780 wrote to memory of 4364	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	105
PID 1780 wrote to memory of 4364	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	105
PID 1780 wrote to memory of 1536	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	106
PID 1780 wrote to memory of 1536	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	106
PID 1780 wrote to memory of 1536	1780	{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe	106
PID 4364 wrote to memory of 3132	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	107
PID 4364 wrote to memory of 3132	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	107
PID 4364 wrote to memory of 3132	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	107
PID 4364 wrote to memory of 1052	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	108
PID 4364 wrote to memory of 1052	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	108
PID 4364 wrote to memory of 1052	4364	{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe	108
PID 3132 wrote to memory of 5000	3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe	109
PID 3132 wrote to memory of 5000	3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe	109
PID 3132 wrote to memory of 5000	3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe	109
PID 3132 wrote to memory of 4880	3132	{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_cacfd063d386abc10d049f18c8a1a59b_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
  C:\Windows\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\{4835918F-D96C-4c34-8932-A7A426952679}.exe
    C:\Windows\{4835918F-D96C-4c34-8932-A7A426952679}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
      C:\Windows\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
        
        C:\Windows\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
        
        C:\Windows\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
        
        C:\Windows\{8564321E-9EB9-4791-9891-6EF345F9C808}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
        
        C:\Windows\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
        
        C:\Windows\{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
        
        C:\Windows\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
        
        C:\Windows\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
        
        C:\Windows\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe
        
        C:\Windows\{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4048~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E24EF~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{273CE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD435~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20BF1~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85643~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AA9F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDAE1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E8DA~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{48359~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8EBB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AA9F47D-E92A-4f04-BA78-33660F36BCE1}.exe

Filesize
180KB

MD5
1230b72fb4d32acd3d02f3421726bea6

SHA1
e40d7722d9bf35eb4342116436bda011c5d08215

SHA256
41de86a24f104ab839ff837dd54837885a8c3a6b2c0c3bc4f6e16feab4fae520

SHA512
08f548d134c0fb6cfd0d2ede414eb14490e4bdd85d99395913b909df80f9ee2d386209a6d2a1c142c5a4cddf3d063013199d7cef48630253b04af79ed41e48e8

Download Submit
C:\Windows\{20BF1E57-5671-4c99-AD21-9E1AC0477ADD}.exe

Filesize
180KB

MD5
6b961a2630a59e2d6db855442042dc0f

SHA1
ff40c8aa3ceb2ed247e929f0c047765cfbd64801

SHA256
61f9c2493a6b304b9c6e4b7913d3a918ce32c6a0e613ee4661263e544ef5f7ed

SHA512
cc727b26564e7c73b3cdb626cb5551344a484adc686cb1240d5f8929c0374a733e07d618318947feb630767ece29289080911ca7a8d03aae0d34fda40b128062

Download Submit
C:\Windows\{273CEC5A-BA1D-40fe-A9E4-F992F0902D5B}.exe

Filesize
180KB

MD5
d2d64a143531af199c3b5011d1dfe0f3

SHA1
f6768b0d8c759cc9d558f4c44ee439ad5da55de1

SHA256
1a0ddd95dfdf14b99a480849045475b7824c0b56dcd05505415b91cb70e3c276

SHA512
4435390105545151cbbb9008f387782767343a00f0d201dd9ca987f7d1f6170da4abb3f8404f98d0869e2d57121f387e3a512d4cb7b374c89580564ee0ff3bce

Download Submit
C:\Windows\{4835918F-D96C-4c34-8932-A7A426952679}.exe

Filesize
180KB

MD5
06ca2b933ea26da0e3c656a0cab9b69c

SHA1
75ea9a84e96276b75ab5b63ba5f6299d0cd9d413

SHA256
222f557e7dac7ec023e4a31d3bdef8dcd54e7dc2c487c3e364efa57e96d5d546

SHA512
927505db8e248652c3df0175f39528638517f8f9eb7c3de96851b7a0099596bdfb40f32b8c6860429b578f5b2f277548c4144de07a2513c9be987b58fb9e64ca

Download Submit
C:\Windows\{5E8DAF17-72B6-4ed5-911F-62B80914D2C9}.exe

Filesize
180KB

MD5
84134765a057ac3c87717e701d38654a

SHA1
46050de45b41209693f6381f38f93bef36ef38cf

SHA256
a17524b4d44473ff5e8290bc904df078df4f2bd313f75c8e2fe6733c33335ab3

SHA512
f6d041ad8f9772b62db6e782d43e18fafcb8106eb648976f5f48f1ff25b5a243556a11195f88ebdf65514ebfa16bc63fe10be040494f39c6055eb3e2485b27cb

Download Submit
C:\Windows\{8564321E-9EB9-4791-9891-6EF345F9C808}.exe

Filesize
180KB

MD5
68eb821e9768b7cf1ea3d51ef54b30de

SHA1
0ad77f377d007ddb518e5b3a574a1e610f817c76

SHA256
b182825ca7cee7a65f598542405c2a2d12e5ea5334c8a742c91926b4e84f4aed

SHA512
0c5d531e1ed17f5c9e24ec750661baadb8f4fb01b4cd995048755aef6e909a21f0d9e5111f0069bb1b44ddfd70c6788f4295d84a87987e8f97aa2a81842c855e

Download Submit
C:\Windows\{A40481E9-4AD6-4c95-9AFD-C7DA249C5C81}.exe

Filesize
180KB

MD5
a3bcdc9d7b2dd819a20302b268b8126c

SHA1
7a5322fa9483df7c67befaff43bb96b16c80d88c

SHA256
abc5c9ea401b45f9080623d3fe9bfc8bc93d8fa66ebecc078aa616762fe8bc8d

SHA512
308598f9e327394135ae64b16de9f54074f8595ee88456bb91cfc9fae5ed7595a0f0b8d1b4afa43d3acf5690c530b6e96f3ead986761077c3038c54d4e6a2420

Download Submit
C:\Windows\{A8EBB530-DB5A-4c6e-B021-AEE5496E5178}.exe

Filesize
180KB

MD5
d41068f9277f0673ad8c4adfb3f99978

SHA1
8129921e52ab13454e640615a46671f17a9478fc

SHA256
992ee9de06e321b0eaaa9c06cbeef6713ae0c3e1c3fcbd49513efd030821e373

SHA512
c747087fce4e2a0aa69c9aa5d0ccae885b56ef82bc601b838c9e3f56903b123cdd3aedbe853fa8cfc72fb2cb988f87fef8ebd918f535f72683723ad4ba208194

Download Submit
C:\Windows\{AD4353C3-D605-4100-B7A3-B8513260FA78}.exe

Filesize
180KB

MD5
451018bfbca1a285fa7dad53ce630d86

SHA1
b529a74f40a14597b9e81d2214d469d38a2f2894

SHA256
b2ea7d99c76b7fae4c4b90de0f5fc0ecaef727ea40e8fca4b8441485a692f8a8

SHA512
c0968c908cd488b4e441be0d708df73c6767d3138895d4eddd3e127488b640f6a626258e74d2a410dc17a02c886c6a442178dc30b4589cc8fd95942bcc3f22ed

Download Submit
C:\Windows\{B89929D8-04F1-4c09-B302-9BB900C0E099}.exe

Filesize
180KB

MD5
9ae16724fbcea444d6d539034dd40666

SHA1
22599f1eaae3fb8dc5fe919b56b036a5827fad37

SHA256
65fb6ed46e7fb0066e7b63cf45fed707a5fae163e4911af063cd29e17be8883b

SHA512
3d2e01481fb62f3dd11969e006c85a51ad6c4cad20d6c1ff63163c835859a71df35c634c77c51375c5e83c6f8e62798d44533a467576c587eac5d30c1123b116

Download Submit
C:\Windows\{CDAE1FE9-807D-4c6c-A6E0-92081493184C}.exe

Filesize
180KB

MD5
dd1eb4a399f4ede2265b827cbd7529d4

SHA1
679902df6e4913d9e2072a876e59d8d3be79d86a

SHA256
53bab37ec6f627a712ea46c34e6e727b9f9799650be4e2044b345a80896ff65a

SHA512
e39911c141ed9237075a7f0c265f25844ce7b332a6dea3e9aa32fad00d3dfcb43136905b423dff775abd6d4aa73d619d0be6ee57189944bbdd48e2e91a8eda7d

Download Submit
C:\Windows\{E24EFFF4-16CC-406d-B3BC-36B5BF398AEF}.exe

Filesize
180KB

MD5
13247582fa6ff06d977bba4ef6f51e70

SHA1
60de6cdb273295eeaf126c2554a1f33cd72fbc4f

SHA256
03eb0a6451886d0cc1fa7ff37c6018f0234ecce3f1ccb0ab961c0623591a6e90

SHA512
c04da6dbbbda251c41fae052a99bab49231636edbf3337debd897424630d42583c90d914546c95b4776d9468054befb9c9de4be3855f27eeb82061fbd55e5495

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads