58f5af79b6f1c514db5b05d25b75d620b27fa544eb281b1f957a9f131d1c39d2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
Size

168KB
MD5

03a0ec4e9d736a377870b1600d5e71b6
SHA1

5fe1ae9c8987468ee3d0a59aa722ba0ba64c6687
SHA256

58f5af79b6f1c514db5b05d25b75d620b27fa544eb281b1f957a9f131d1c39d2
SHA512

3e3558836b18fedb1d107a08aebdaf29e9aaae4fa4944449f02130b9ad75f705a7a9bdad6e38d7411b6b340c4438c068752145bf227b5b8e6222827afa66dc4e
SSDEEP

1536:1EGh0oKlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oKlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}\stubpath = "C:\\Windows\\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe"	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}\stubpath = "C:\\Windows\\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe"	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074264CC-ADEF-4ee3-8353-571ED656C1A3}\stubpath = "C:\\Windows\\{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe"	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391B3730-3FCB-47fd-A8C6-20569FE91E78}	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391B3730-3FCB-47fd-A8C6-20569FE91E78}\stubpath = "C:\\Windows\\{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe"	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEE6F716-2ED0-44dd-B459-61D687A80D37}\stubpath = "C:\\Windows\\{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe"	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074264CC-ADEF-4ee3-8353-571ED656C1A3}	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC96476-6AA8-404e-BB25-A8A20472414B}\stubpath = "C:\\Windows\\{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe"	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75683003-5EB8-4e67-A038-DA8587885410}	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}\stubpath = "C:\\Windows\\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe"	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}\stubpath = "C:\\Windows\\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe"	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEE6F716-2ED0-44dd-B459-61D687A80D37}	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}\stubpath = "C:\\Windows\\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe"	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC96476-6AA8-404e-BB25-A8A20472414B}	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75683003-5EB8-4e67-A038-DA8587885410}\stubpath = "C:\\Windows\\{75683003-5EB8-4e67-A038-DA8587885410}.exe"	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{564484EB-AB24-4edd-8819-C89C2AEF498F}	{75683003-5EB8-4e67-A038-DA8587885410}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{564484EB-AB24-4edd-8819-C89C2AEF498F}\stubpath = "C:\\Windows\\{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe"	{75683003-5EB8-4e67-A038-DA8587885410}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}\stubpath = "C:\\Windows\\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe"	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
776	{75683003-5EB8-4e67-A038-DA8587885410}.exe
2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
2316	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
4204	{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
File created	C:\Windows\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
File created	C:\Windows\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
File created	C:\Windows\{75683003-5EB8-4e67-A038-DA8587885410}.exe	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
File created	C:\Windows\{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe	{75683003-5EB8-4e67-A038-DA8587885410}.exe
File created	C:\Windows\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
File created	C:\Windows\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
File created	C:\Windows\{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
File created	C:\Windows\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
File created	C:\Windows\{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
File created	C:\Windows\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
File created	C:\Windows\{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75683003-5EB8-4e67-A038-DA8587885410}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
Token: SeIncBasePriorityPrivilege	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
Token: SeIncBasePriorityPrivilege	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
Token: SeIncBasePriorityPrivilege	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
Token: SeIncBasePriorityPrivilege	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
Token: SeIncBasePriorityPrivilege	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
Token: SeIncBasePriorityPrivilege	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
Token: SeIncBasePriorityPrivilege	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
Token: SeIncBasePriorityPrivilege	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe
Token: SeIncBasePriorityPrivilege	2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
Token: SeIncBasePriorityPrivilege	2316	{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4616	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	86
PID 2000 wrote to memory of 4616	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	86
PID 2000 wrote to memory of 4616	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	86
PID 2000 wrote to memory of 1492	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	87
PID 2000 wrote to memory of 1492	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	87
PID 2000 wrote to memory of 1492	2000	2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe	87
PID 4616 wrote to memory of 4168	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	88
PID 4616 wrote to memory of 4168	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	88
PID 4616 wrote to memory of 4168	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	88
PID 4616 wrote to memory of 3976	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	89
PID 4616 wrote to memory of 3976	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	89
PID 4616 wrote to memory of 3976	4616	{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe	89
PID 4168 wrote to memory of 1584	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	94
PID 4168 wrote to memory of 1584	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	94
PID 4168 wrote to memory of 1584	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	94
PID 4168 wrote to memory of 4856	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	95
PID 4168 wrote to memory of 4856	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	95
PID 4168 wrote to memory of 4856	4168	{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe	95
PID 1584 wrote to memory of 2284	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	96
PID 1584 wrote to memory of 2284	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	96
PID 1584 wrote to memory of 2284	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	96
PID 1584 wrote to memory of 732	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	97
PID 1584 wrote to memory of 732	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	97
PID 1584 wrote to memory of 732	1584	{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe	97
PID 2284 wrote to memory of 1576	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	98
PID 2284 wrote to memory of 1576	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	98
PID 2284 wrote to memory of 1576	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	98
PID 2284 wrote to memory of 2544	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	99
PID 2284 wrote to memory of 2544	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	99
PID 2284 wrote to memory of 2544	2284	{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe	99
PID 1576 wrote to memory of 2212	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	100
PID 1576 wrote to memory of 2212	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	100
PID 1576 wrote to memory of 2212	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	100
PID 1576 wrote to memory of 4108	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	101
PID 1576 wrote to memory of 4108	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	101
PID 1576 wrote to memory of 4108	1576	{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe	101
PID 2212 wrote to memory of 1892	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	102
PID 2212 wrote to memory of 1892	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	102
PID 2212 wrote to memory of 1892	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	102
PID 2212 wrote to memory of 4548	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	103
PID 2212 wrote to memory of 4548	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	103
PID 2212 wrote to memory of 4548	2212	{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe	103
PID 1892 wrote to memory of 3116	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	104
PID 1892 wrote to memory of 3116	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	104
PID 1892 wrote to memory of 3116	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	104
PID 1892 wrote to memory of 1068	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	105
PID 1892 wrote to memory of 1068	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	105
PID 1892 wrote to memory of 1068	1892	{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe	105
PID 3116 wrote to memory of 776	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	106
PID 3116 wrote to memory of 776	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	106
PID 3116 wrote to memory of 776	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	106
PID 3116 wrote to memory of 2700	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	107
PID 3116 wrote to memory of 2700	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	107
PID 3116 wrote to memory of 2700	3116	{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe	107
PID 776 wrote to memory of 2664	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	108
PID 776 wrote to memory of 2664	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	108
PID 776 wrote to memory of 2664	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	108
PID 776 wrote to memory of 3472	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	109
PID 776 wrote to memory of 3472	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	109
PID 776 wrote to memory of 3472	776	{75683003-5EB8-4e67-A038-DA8587885410}.exe	109
PID 2664 wrote to memory of 2316	2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe	110
PID 2664 wrote to memory of 2316	2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe	110
PID 2664 wrote to memory of 2316	2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe	110
PID 2664 wrote to memory of 2904	2664	{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_03a0ec4e9d736a377870b1600d5e71b6_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
  C:\Windows\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
    C:\Windows\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
      C:\Windows\{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
        
        C:\Windows\{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
        
        C:\Windows\{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
        
        C:\Windows\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
        
        C:\Windows\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
        
        C:\Windows\{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\{75683003-5EB8-4e67-A038-DA8587885410}.exe
        
        C:\Windows\{75683003-5EB8-4e67-A038-DA8587885410}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
        
        C:\Windows\{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
        
        C:\Windows\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe
        
        C:\Windows\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC8BC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56448~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75683~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC96~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B6CE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1069~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{391B3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07426~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEE6F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9814D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46887~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{074264CC-ADEF-4ee3-8353-571ED656C1A3}.exe

Filesize
168KB

MD5
e295318cdb4bd172a527d1a81ef3a496

SHA1
a84e3ba504b866cf9c55e7dfe5b48d7bb8aa6bda

SHA256
ec66a1451d5a4b3b0182cd17e42311d784de6f633a19f0891b8338a5ac1b45bc

SHA512
12b1fb1cce0efac1489e16e67077584e1f1cbee1a3c1504aeabe1b968b0a855f07f86c140785e0679e59faf84d051a18b875cab7d8c434aed1bd9ed5c44c4634

Download Submit
C:\Windows\{2B6CEF09-72DF-49a2-BB34-ED07C9284BC0}.exe

Filesize
168KB

MD5
bd2203c0e8be59ea0bb97b60913e4e2e

SHA1
74aba3980c63ae9d0abd914f6317c5ba29182712

SHA256
6b641ecef42ce9f87022ba6b265d9a819c9c2c1dd75ac79c42a2afa1a051681d

SHA512
fb8537602a3e5ef78de7da535c3fa32bb2f7c3695b94172c1c8f8eb3234686ee8e4258b2fde302c74289b3b3c60cd47991f9b29006251fec50f21c934fbf69ec

Download Submit
C:\Windows\{391B3730-3FCB-47fd-A8C6-20569FE91E78}.exe

Filesize
168KB

MD5
d1a0448249a77fde247da4bed31f828a

SHA1
be202c6f2f5ae50b51312e06e467980f0ef004b9

SHA256
556245283cfccc99e69c3cad3c77f805e6308617235bd98ee19a08b75ecfa9da

SHA512
f5a21b76527b3e1d86659aba9bf4c02810e68b54edbb6b6c9dcd2ffe6189c24a92eb829f906d4ba8cf487f6529a98d5031280fc5ea5cb889d8c6be9be5527573

Download Submit
C:\Windows\{468875FF-9C7D-4749-8CC1-1A676B4ACD8A}.exe

Filesize
168KB

MD5
a12de9053802a9c78f7609d5afde7c60

SHA1
2eda6ddbede46d98280ea3a60ecafd474c7f0e37

SHA256
072c9f832dfe8432812a7ed6dfed64456b837ca79935de9f3a2bd38e121c7abe

SHA512
8649eb33f1f5ccb374a28b411d71ec6b97e27c2b9f0f6f51de8e0d8c72eb2688140ab1a02f07f7d10fd2f8e4b90b39cc9cdf4f17a73f1053cef9970ec30366bf

Download Submit
C:\Windows\{564484EB-AB24-4edd-8819-C89C2AEF498F}.exe

Filesize
168KB

MD5
f1bba183747c849c065552b3c199b741

SHA1
61ddc0b1749c63f1e556962786d9929436f8e09c

SHA256
b4c0630f0106cb76a08ba172509ff2bb7b23df158025bfbf3d51d56d3107de14

SHA512
f30f2ed0c41e5450bfa56896b392dad4bc4ce0435fa882441b3c828adb0593ad87181fd8d17c9feffc5dd8aca622272d5966223d1322d5c980991be8feb78447

Download Submit
C:\Windows\{75683003-5EB8-4e67-A038-DA8587885410}.exe

Filesize
168KB

MD5
494f8b62931185d1aad1b8bf530f22c1

SHA1
16357c06e052164ccdbc102182319f12f5b64bfa

SHA256
feba207d6060133ddb9523e6d00ecc01ce11d323557f94004b24c6990adee921

SHA512
0c5a1e8a9a479012c4c77436e6b2cbe1be36467afe179b12a8f3b9cd4825245db32b3602beaf23822d4d9a512baf1753f50de74a5db6773324798a24d3f5f8d8

Download Submit
C:\Windows\{80D8438F-6A8F-4f3a-94A0-555EBE96D5C9}.exe

Filesize
168KB

MD5
26ff634c24d514ce2a6ab3af981da498

SHA1
71a7037dea79eeb05b790cdce42d72685213fc21

SHA256
6f80b1a75cebe903a63a6874bef3e0da2994fbfe0a888d787b7b7db80ccaf8b3

SHA512
a438ca52043f8a31f9ecb0485314656a26c2879149f5449bc147082eb997ace80e9cf0d711e4ec2156b7aaadce8b9d967e6fa8c37c9b91aa1e7c9e8d66b4c2c3

Download Submit
C:\Windows\{9814D82D-CD6F-4cb0-BC56-01C50718CFB9}.exe

Filesize
168KB

MD5
ea5c445ebc0cedfcf8e7a251a52b35da

SHA1
52d0bafde0a72b8534994ec24dc3503ec86d8645

SHA256
7a9d9ea509ea6af4b62a883f89e90fd6d75220c03e2846b0347cb29b5ec198ca

SHA512
c3a3fd14af662cbac517d3a3d7e68519f6affcdb6e88d98e4df7ff403237011efb1be7be495af3a883e85d2a1e965743f91f988ad6372fcee30ee6fb1a6b02f7

Download Submit
C:\Windows\{ABC96476-6AA8-404e-BB25-A8A20472414B}.exe

Filesize
168KB

MD5
5eed4e0cd7c86143cbdc128bdfcbe5d6

SHA1
ffaa03e31130089cc99da199ab800f73690ac291

SHA256
cf2dd69be09723e2ccbb1d79345648b6044997e1399f03ce210a29aeca4d5e6a

SHA512
f556cb8ed35bea08c1ca299a5cfdc996627fa71ef2b1a1ac003205275dc714c3780e097b21ff1aea67e4f3f0a80d4b8188476152a7c7cdbed6a2de1f9142c23a

Download Submit
C:\Windows\{AC8BCEE6-76CB-42b6-ADF0-C0E6AC62EAD4}.exe

Filesize
168KB

MD5
cac974a0e314b32c4a71e9d6214ea6b9

SHA1
e9621266d5f8ff624e546ff920f61e00d2459048

SHA256
467a9cdcc1a3ce644f9f348a6894e90f7ebac9c4d07c29053c2f61916a46fed6

SHA512
eccf47281cbd818b258aa357bcb4c9807c6710b154d80ad1a2080ee3fbdf73b76d1380c24dd27bdf2b20efe46479c8e94754ec5331f077f525b591e1472dd290

Download Submit
C:\Windows\{B10697F8-9DCB-4f8f-9F01-4A423AAB5194}.exe

Filesize
168KB

MD5
140ec519d8bdcd4e95cae2818e8e0995

SHA1
c46a6b846f07fc7eb8206c6e8f595fe0a85e372c

SHA256
99d78340471e898d61c0d2f13535f1525cdddb29b0ab9babc737429d1dd3d623

SHA512
00e32d09653db9df76a2a704b1b490ed731ba77562718b8734f7e3b8b9e3d9781c54c4100d03f6a31f8126735cc114e30c87a6555c13b1adbbf5b43f292ed1e8

Download Submit
C:\Windows\{DEE6F716-2ED0-44dd-B459-61D687A80D37}.exe

Filesize
168KB

MD5
e7c84a7fbee72b6c9a01f634224d91ac

SHA1
e87dd4e793703ebd803f17f7428b835e8c156009

SHA256
2eb1dfd4182661eda8595425f09cd2f6a34d87e92b11d4302f26840d9b02bfe1

SHA512
224035dfdefc24788c42d3c2d5e119377452df93ab072e951ca9832e7dfcb8461a4fa5f31a22428678c3b49ea4729a04574bd3d64cf507236b9c34ff7aff80d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads