1e376628cccd44fdf577f025c57391f359e9611c0153a5db49b718cf9b5e9d1a

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
Size

168KB
MD5

ff3096404099df6df0b3ab73f94850ee
SHA1

46fe57291ed5c6a386e9ca617f6bfb9b0e98f82e
SHA256

1e376628cccd44fdf577f025c57391f359e9611c0153a5db49b718cf9b5e9d1a
SHA512

096675d920e62cf972b0cfa6255b827ce716eda5e09f845854c799e2e07d7978ccea923a461843c9f69d36d9d3e639d891bc53d9b701c10b8d1d9e59a61fba05
SSDEEP

1536:1EGh0oolq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oolqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4690342-D544-4cef-9AEA-E6E40DD615F0}	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}\stubpath = "C:\\Windows\\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe"	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613C07CF-206E-4354-89DD-6D983205B135}	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E1C42D-DEE1-404c-955D-B204B322CA9E}\stubpath = "C:\\Windows\\{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe"	{613C07CF-206E-4354-89DD-6D983205B135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613C07CF-206E-4354-89DD-6D983205B135}\stubpath = "C:\\Windows\\{613C07CF-206E-4354-89DD-6D983205B135}.exe"	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}\stubpath = "C:\\Windows\\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe"	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B919CE9-88DA-4617-B3B5-32076D37F51C}	{D589529E-28A5-49b2-8B77-F05193635C26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4690342-D544-4cef-9AEA-E6E40DD615F0}\stubpath = "C:\\Windows\\{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe"	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}\stubpath = "C:\\Windows\\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe"	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D589529E-28A5-49b2-8B77-F05193635C26}	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D589529E-28A5-49b2-8B77-F05193635C26}\stubpath = "C:\\Windows\\{D589529E-28A5-49b2-8B77-F05193635C26}.exe"	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}\stubpath = "C:\\Windows\\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe"	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}\stubpath = "C:\\Windows\\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe"	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAADC031-F720-4d20-A062-768EFE97C491}	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAADC031-F720-4d20-A062-768EFE97C491}\stubpath = "C:\\Windows\\{CAADC031-F720-4d20-A062-768EFE97C491}.exe"	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}\stubpath = "C:\\Windows\\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe"	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74E1C42D-DEE1-404c-955D-B204B322CA9E}	{613C07CF-206E-4354-89DD-6D983205B135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B919CE9-88DA-4617-B3B5-32076D37F51C}\stubpath = "C:\\Windows\\{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe"	{D589529E-28A5-49b2-8B77-F05193635C26}.exe

Executes dropped EXE 12 IoCs

pid	Process
3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe
1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe
3660	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
3972	{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
File created	C:\Windows\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
File created	C:\Windows\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
File created	C:\Windows\{613C07CF-206E-4354-89DD-6D983205B135}.exe	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
File created	C:\Windows\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
File created	C:\Windows\{D589529E-28A5-49b2-8B77-F05193635C26}.exe	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
File created	C:\Windows\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
File created	C:\Windows\{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
File created	C:\Windows\{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	{613C07CF-206E-4354-89DD-6D983205B135}.exe
File created	C:\Windows\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
File created	C:\Windows\{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe	{D589529E-28A5-49b2-8B77-F05193635C26}.exe
File created	C:\Windows\{CAADC031-F720-4d20-A062-768EFE97C491}.exe	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D589529E-28A5-49b2-8B77-F05193635C26}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{613C07CF-206E-4354-89DD-6D983205B135}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
Token: SeIncBasePriorityPrivilege	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
Token: SeIncBasePriorityPrivilege	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe
Token: SeIncBasePriorityPrivilege	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
Token: SeIncBasePriorityPrivilege	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
Token: SeIncBasePriorityPrivilege	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe
Token: SeIncBasePriorityPrivilege	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
Token: SeIncBasePriorityPrivilege	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
Token: SeIncBasePriorityPrivilege	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
Token: SeIncBasePriorityPrivilege	4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe
Token: SeIncBasePriorityPrivilege	3660	{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 3524	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	86
PID 3732 wrote to memory of 3524	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	86
PID 3732 wrote to memory of 3524	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	86
PID 3732 wrote to memory of 4500	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	87
PID 3732 wrote to memory of 4500	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	87
PID 3732 wrote to memory of 4500	3732	2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe	87
PID 3524 wrote to memory of 4400	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	88
PID 3524 wrote to memory of 4400	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	88
PID 3524 wrote to memory of 4400	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	88
PID 3524 wrote to memory of 1140	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	89
PID 3524 wrote to memory of 1140	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	89
PID 3524 wrote to memory of 1140	3524	{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe	89
PID 4400 wrote to memory of 1708	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	94
PID 4400 wrote to memory of 1708	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	94
PID 4400 wrote to memory of 1708	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	94
PID 4400 wrote to memory of 2572	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	95
PID 4400 wrote to memory of 2572	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	95
PID 4400 wrote to memory of 2572	4400	{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe	95
PID 1708 wrote to memory of 4288	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	97
PID 1708 wrote to memory of 4288	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	97
PID 1708 wrote to memory of 4288	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	97
PID 1708 wrote to memory of 2164	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	98
PID 1708 wrote to memory of 2164	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	98
PID 1708 wrote to memory of 2164	1708	{CAADC031-F720-4d20-A062-768EFE97C491}.exe	98
PID 4288 wrote to memory of 2052	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	100
PID 4288 wrote to memory of 2052	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	100
PID 4288 wrote to memory of 2052	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	100
PID 4288 wrote to memory of 4760	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	101
PID 4288 wrote to memory of 4760	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	101
PID 4288 wrote to memory of 4760	4288	{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe	101
PID 2052 wrote to memory of 3744	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	102
PID 2052 wrote to memory of 3744	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	102
PID 2052 wrote to memory of 3744	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	102
PID 2052 wrote to memory of 1392	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	103
PID 2052 wrote to memory of 1392	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	103
PID 2052 wrote to memory of 1392	2052	{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe	103
PID 3744 wrote to memory of 1896	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	104
PID 3744 wrote to memory of 1896	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	104
PID 3744 wrote to memory of 1896	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	104
PID 3744 wrote to memory of 4012	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	105
PID 3744 wrote to memory of 4012	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	105
PID 3744 wrote to memory of 4012	3744	{613C07CF-206E-4354-89DD-6D983205B135}.exe	105
PID 1896 wrote to memory of 1456	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	106
PID 1896 wrote to memory of 1456	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	106
PID 1896 wrote to memory of 1456	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	106
PID 1896 wrote to memory of 2852	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	107
PID 1896 wrote to memory of 2852	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	107
PID 1896 wrote to memory of 2852	1896	{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe	107
PID 1456 wrote to memory of 1952	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	108
PID 1456 wrote to memory of 1952	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	108
PID 1456 wrote to memory of 1952	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	108
PID 1456 wrote to memory of 1888	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	109
PID 1456 wrote to memory of 1888	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	109
PID 1456 wrote to memory of 1888	1456	{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe	109
PID 1952 wrote to memory of 4044	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	110
PID 1952 wrote to memory of 4044	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	110
PID 1952 wrote to memory of 4044	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	110
PID 1952 wrote to memory of 3172	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	111
PID 1952 wrote to memory of 3172	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	111
PID 1952 wrote to memory of 3172	1952	{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe	111
PID 4044 wrote to memory of 3660	4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe	112
PID 4044 wrote to memory of 3660	4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe	112
PID 4044 wrote to memory of 3660	4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe	112
PID 4044 wrote to memory of 3696	4044	{D589529E-28A5-49b2-8B77-F05193635C26}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_ff3096404099df6df0b3ab73f94850ee_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Windows\{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
  C:\Windows\{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
    C:\Windows\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\{CAADC031-F720-4d20-A062-768EFE97C491}.exe
      C:\Windows\{CAADC031-F720-4d20-A062-768EFE97C491}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
        
        C:\Windows\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
        
        C:\Windows\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{613C07CF-206E-4354-89DD-6D983205B135}.exe
        
        C:\Windows\{613C07CF-206E-4354-89DD-6D983205B135}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
        
        C:\Windows\{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
        
        C:\Windows\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
        
        C:\Windows\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{D589529E-28A5-49b2-8B77-F05193635C26}.exe
        
        C:\Windows\{D589529E-28A5-49b2-8B77-F05193635C26}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
        
        C:\Windows\{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe
        
        C:\Windows\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B919~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5895~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C2D0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC25C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74E1C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613C0~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83CEC~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EB17~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAADC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02963~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F4690~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02963F5C-9A78-40bb-9B3C-D5E7D0DAA784}.exe

Filesize
168KB

MD5
d2e11dbf7ade33d6055db7e3bf154b05

SHA1
e39c527c14d590e2109a7fe0e35027e915c50333

SHA256
b319e16d35e694f0fcb389697e44431f1a0cacf283ea990bea1c5a2d68445b93

SHA512
daa330c6b8f80ecd943b1c3e2509a5a81d0812ded107ff4f8aa3eeb5a8c5571d48ac41b941ad22ffc6633617ccd74663cd2abf330fc7ada98a10ae981773ebd0

Download Submit
C:\Windows\{2BA9A317-BD5C-4f2f-8E3C-AA13B5077366}.exe

Filesize
168KB

MD5
20c52633303a7463c91c8a3a964cb383

SHA1
9efe2d75d926797d497eb7a0ace960add4d96a8f

SHA256
8748f4d07e6c18aa57f73df4d7d5385b65b242fc27b3a60e51f03da5fa9214f1

SHA512
e2b89aea504b96e56717f324aa89becebd53fc472ee7dc6f654766fd4778bf29110d42105abb0a8b75f7035cda8b05fb2359f89c05897913bec92daeb742b2f1

Download Submit
C:\Windows\{2C2D0E18-018C-4f66-83FA-499CEEC4120A}.exe

Filesize
168KB

MD5
b19f71eb3495a4f838c2c83d813b7adf

SHA1
c182873b7d86ddaf0dce291e146ababc6a92461f

SHA256
7f33d019c5434ae000285795855fe35f4388c3310fb31cd8acdd0a52a21ec376

SHA512
e8675fecca1769b7efc2cadbb20d3a1d0bb2be6452339e2667606c1172c2cea7030f09b3240226a1449d6b288a58b5774bbd3416b53b4a438edbd4a19ab259bb

Download Submit
C:\Windows\{5B919CE9-88DA-4617-B3B5-32076D37F51C}.exe

Filesize
168KB

MD5
6a5f9f69f12e1175973c1b58350c153e

SHA1
b274cfc765eca0da54d26bd9b475b64e20e3f449

SHA256
015c4353f0cbd079701610f8d0e2e113af857bb5bbcc6fb1ab58444cdea2f2f4

SHA512
dbada93c9f0362d54ba015477e27525e901da9c301f21ff4616c21d50d92fcb7c9037b5669a44866b093b2b9872e8634d767d5faed3f7406bf4a651513e5a366

Download Submit
C:\Windows\{5EB17E25-8BCA-4daa-82FC-3B94EFDB7026}.exe

Filesize
168KB

MD5
d71271e204fbb36fdb455beed5e04475

SHA1
64c4c42f64aa04a153095a0c52b5339601b45d9d

SHA256
b7cd8f222a4bad0cfb3c28e67052816075b856fec547eb99d5d0475b2bfe914e

SHA512
aa6a583fe006e0960300dd2dcc92a4c2c420d73ff402b847f2f3a2be3fc4890d4c3d9d600e3b9ee6838366d5fafb05e3fa54367aa11dbaf30237adf560fa3da1

Download Submit
C:\Windows\{613C07CF-206E-4354-89DD-6D983205B135}.exe

Filesize
168KB

MD5
c80cef28ba55e1636499119372169e1d

SHA1
a6ee61ecf9036a34df763a8a7fc0da9f7e4b3f65

SHA256
6a69f28c7f9f5cfb60884a53357a624f825a07578a75591900f51721573ea9a2

SHA512
419e47c928da957893f34870f0bdce92b8bda0139fb466ecaa92f087e2b688b1f6b9fd19633e0a88462ce8bc9fa522f2aa28a9519bd10fe878b5ec0268972ed5

Download Submit
C:\Windows\{74E1C42D-DEE1-404c-955D-B204B322CA9E}.exe

Filesize
168KB

MD5
cdf880c9f55b4c8aeae888490be43822

SHA1
839bc65f6dc4f2d7c2a535659f9840e61a497e67

SHA256
2d4d3e6add99788ff3114a801e3b1001d7d3fc3f63cb0c8e509e7b88fd0b2ed7

SHA512
f72267980a0344a2d38c64befaed8156b9116dc314414e59adb76c1bb7c4a70dbc828dee4ff21e32145a9350d41a44953a11ce78fe9053e3a2eb054cb6b8df0d

Download Submit
C:\Windows\{83CEC23F-2529-4bf6-A1D4-94E4C794DDE3}.exe

Filesize
168KB

MD5
f80b0949f9371379efa47a800e594c3f

SHA1
cdc0062a33ce6c3461b2d25eb3251f4384d1cb6d

SHA256
4ddc64c187add44741ebf0551f49396843269d4ee7e260063117a528951d650c

SHA512
ee00c88d08ebb6ae00f19ca6dc55fdca65e6b0fd563a53b853773eed0b1ef5c90906809e9e68df6cc11eda041ac152cc246d95f54e16560d6fee16c3e61e8963

Download Submit
C:\Windows\{BC25CB46-6239-4c5a-8F02-BA176F2579DA}.exe

Filesize
168KB

MD5
047c961aa6dbfba8f000a7cebdb4c61d

SHA1
f7c2d30abd2bd6f0c964f8892770e7f89b63c4c5

SHA256
cf603fd7ac4c7788cd088c05725d5f9f4eac15b1a75f7c7d6642e29a207449dd

SHA512
782b1074c843bd27c565d26fd2e4fc86adbaabd08b41a79d447757cc2770886d310f246ad676467daed078f34e0ceeca5b7c77dd10a198c1897611979da45a5e

Download Submit
C:\Windows\{CAADC031-F720-4d20-A062-768EFE97C491}.exe

Filesize
168KB

MD5
86bcffd47f6a2ee7c98a9fdec9b57661

SHA1
2ed0f672d9ac50696b722229a9d2c627ac85d892

SHA256
ecdb451dde55f6b12ecb6b78b28771de056641df5d251ffee3e133d74b959c58

SHA512
984591be9cd7f76332bf2be283bc34b8d16b993202715ea9d21756906a55e3852fde833bfca862472381439c2de10197619b5b2836263faff66641ed6789277b

Download Submit
C:\Windows\{D589529E-28A5-49b2-8B77-F05193635C26}.exe

Filesize
168KB

MD5
bf5f5bd9e98c3af011934d020eac328d

SHA1
0489d7ef8a1a005e77d74af960fe677027acf303

SHA256
864f81a8c14b4a3ffb4ee52427dd9da152b53b7ab4b70cf9204c8adaacf47929

SHA512
20a929052cd409b078ba4696b8af352b7fc8c56f5f2786cf3b1f1e4db6989538e1bcd30c52f4757c17ad1d2f93808b0b4e8b6440a51287798844d29e9c578c7f

Download Submit
C:\Windows\{F4690342-D544-4cef-9AEA-E6E40DD615F0}.exe

Filesize
168KB

MD5
137993125d455078dfbcfd88a285cfde

SHA1
da3e53411953899d72b08980fc374864dba4415e

SHA256
f1ebb8107de5fd9bbe95e9b65a1b26e91de0779df348b0353e5e046fb47b7da7

SHA512
2c64834f69bd3f6ff597f86e8e7aaac3618435cbbbe94a60781fa3f11a592488ee86ba3bd50baae8d99214b71e9119b918c40af3130373becf8b7b8c888661d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads