91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Size

204KB
MD5

b096666ffff0403239dfe0fa0e7dd251
SHA1

29c84f549b5fad661920ac0486209269d08c2870
SHA256

91a2c4e0d74584e844b7c902becb983c7ad5e4436d1673a14de7703a17a4c32d
SHA512

1bfc8d1e548f4227c3361aa016a10b138f152238a46112bf31445f9f6f0c140fcf86a0ee7968fc3219070d095dba11dca102634f81a2622adf004f8b57e09f54
SSDEEP

1536:1EGh0okl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0okl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}\stubpath = "C:\\Windows\\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe"	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C6E7804-73D5-4749-972A-060F365A89F2}	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C6E7804-73D5-4749-972A-060F365A89F2}\stubpath = "C:\\Windows\\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe"	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBB4E135-7909-466b-8535-D23EC8C689A0}	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E4C3A0-CC20-424e-9E0F-71C20D558306}	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}\stubpath = "C:\\Windows\\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe"	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E4C3A0-CC20-424e-9E0F-71C20D558306}\stubpath = "C:\\Windows\\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe"	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}\stubpath = "C:\\Windows\\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe"	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}\stubpath = "C:\\Windows\\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe"	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}\stubpath = "C:\\Windows\\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe"	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}\stubpath = "C:\\Windows\\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe"	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}\stubpath = "C:\\Windows\\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe"	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBB4E135-7909-466b-8535-D23EC8C689A0}\stubpath = "C:\\Windows\\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe"	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}\stubpath = "C:\\Windows\\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe"	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}\stubpath = "C:\\Windows\\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe"	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe

Executes dropped EXE 12 IoCs

pid	Process
376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
3940	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
1948	{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
File created	C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
File created	C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
File created	C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
File created	C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
File created	C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
File created	C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
File created	C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
File created	C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
File created	C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
File created	C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
File created	C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
Token: SeIncBasePriorityPrivilege	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
Token: SeIncBasePriorityPrivilege	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
Token: SeIncBasePriorityPrivilege	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
Token: SeIncBasePriorityPrivilege	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
Token: SeIncBasePriorityPrivilege	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
Token: SeIncBasePriorityPrivilege	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
Token: SeIncBasePriorityPrivilege	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
Token: SeIncBasePriorityPrivilege	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
Token: SeIncBasePriorityPrivilege	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
Token: SeIncBasePriorityPrivilege	4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
Token: SeIncBasePriorityPrivilege	3940	{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 376	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	88
PID 4532 wrote to memory of 376	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	88
PID 4532 wrote to memory of 376	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	88
PID 4532 wrote to memory of 3564	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	89
PID 4532 wrote to memory of 3564	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	89
PID 4532 wrote to memory of 3564	4532	2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe	89
PID 376 wrote to memory of 4464	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	90
PID 376 wrote to memory of 4464	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	90
PID 376 wrote to memory of 4464	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	90
PID 376 wrote to memory of 3848	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	91
PID 376 wrote to memory of 3848	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	91
PID 376 wrote to memory of 3848	376	{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe	91
PID 4464 wrote to memory of 3808	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	94
PID 4464 wrote to memory of 3808	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	94
PID 4464 wrote to memory of 3808	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	94
PID 4464 wrote to memory of 4820	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	95
PID 4464 wrote to memory of 4820	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	95
PID 4464 wrote to memory of 4820	4464	{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe	95
PID 3808 wrote to memory of 3152	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	97
PID 3808 wrote to memory of 3152	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	97
PID 3808 wrote to memory of 3152	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	97
PID 3808 wrote to memory of 2448	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	98
PID 3808 wrote to memory of 2448	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	98
PID 3808 wrote to memory of 2448	3808	{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe	98
PID 3152 wrote to memory of 4848	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	99
PID 3152 wrote to memory of 4848	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	99
PID 3152 wrote to memory of 4848	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	99
PID 3152 wrote to memory of 2248	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	100
PID 3152 wrote to memory of 2248	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	100
PID 3152 wrote to memory of 2248	3152	{2C6E7804-73D5-4749-972A-060F365A89F2}.exe	100
PID 4848 wrote to memory of 3356	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	101
PID 4848 wrote to memory of 3356	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	101
PID 4848 wrote to memory of 3356	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	101
PID 4848 wrote to memory of 2168	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	102
PID 4848 wrote to memory of 2168	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	102
PID 4848 wrote to memory of 2168	4848	{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe	102
PID 3356 wrote to memory of 2136	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	103
PID 3356 wrote to memory of 2136	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	103
PID 3356 wrote to memory of 2136	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	103
PID 3356 wrote to memory of 1612	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	104
PID 3356 wrote to memory of 1612	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	104
PID 3356 wrote to memory of 1612	3356	{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe	104
PID 2136 wrote to memory of 4312	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	105
PID 2136 wrote to memory of 4312	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	105
PID 2136 wrote to memory of 4312	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	105
PID 2136 wrote to memory of 3656	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	106
PID 2136 wrote to memory of 3656	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	106
PID 2136 wrote to memory of 3656	2136	{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe	106
PID 4312 wrote to memory of 216	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	107
PID 4312 wrote to memory of 216	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	107
PID 4312 wrote to memory of 216	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	107
PID 4312 wrote to memory of 4544	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	108
PID 4312 wrote to memory of 4544	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	108
PID 4312 wrote to memory of 4544	4312	{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe	108
PID 216 wrote to memory of 4372	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	109
PID 216 wrote to memory of 4372	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	109
PID 216 wrote to memory of 4372	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	109
PID 216 wrote to memory of 1928	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	110
PID 216 wrote to memory of 1928	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	110
PID 216 wrote to memory of 1928	216	{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe	110
PID 4372 wrote to memory of 3940	4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe	111
PID 4372 wrote to memory of 3940	4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe	111
PID 4372 wrote to memory of 3940	4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe	111
PID 4372 wrote to memory of 4472	4372	{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_b096666ffff0403239dfe0fa0e7dd251_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
  C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
    C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
      C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
        
        C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
        
        C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
        
        C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
        
        C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
        
        C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
        
        C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
        
        C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
        
        C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
        
        C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7C3B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1344C~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA317~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA31E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A1E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E4C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBB4E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C6E7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27A9A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7CF0~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{546A9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1344CD8F-6A6B-4c15-B6E5-ACA35AF99EAC}.exe

Filesize
204KB

MD5
22e729fff1474a31e8aa284e2be4c742

SHA1
499d9f75519405e6712d4755d1440c1d32caa4a7

SHA256
c89a2df36bb542f91c4a1ec50d865e0ddd975518c70d7f517cb234e2be45bafc

SHA512
3934bc951bc3aaaf3ef792e85f718fb2a9ab09b9fef6f4d8e50dec88fac6718d7ee38c81aad21dd4d3f73254cee70142d92e5832341cc839a66d68ff5c0aebc8

Download Submit
C:\Windows\{27A9ABB5-CF94-4df2-91F3-31CC0D072639}.exe

Filesize
204KB

MD5
6ff60c81a55814e0ed27fec72d139cec

SHA1
4b5e897f6429c863b21968d918bc5486ce3f38fb

SHA256
08d703861df384fa8547924fb9538a19cb8067a415f3233bb8b1f010639fcd23

SHA512
f36b5a59d3d7ed4f339afd8160f617955d846900c04ee7bbeca846b343f88f73370f3485e608b9ad85bc73ff442ae1796429cf5db722e0d82039a3f30b6777a1

Download Submit
C:\Windows\{2C6E7804-73D5-4749-972A-060F365A89F2}.exe

Filesize
204KB

MD5
f4cc1db65a500c985cffc9bcf4b3dfff

SHA1
255cf3b6daf0750c79729ac2613e93edb1017c5f

SHA256
acbae5fb9f488fe0604cd56ac0140c92d9fbfb690b914be8bd277bff8574b65e

SHA512
133596ada96c225b0e1df99dda76aca74a63eebff50443900033c1fbe118f90d50eb48def093da0cf44578dac3e479dd6fd3de8722d383d6cf80ce9ffb82f58a

Download Submit
C:\Windows\{3A59B77E-8D4D-4432-86ED-B5E4D441FB96}.exe

Filesize
204KB

MD5
20eb5729240d81cac078a46ef5ab46e2

SHA1
1cbed6a30a7904003e7ffb0b1839891a2cc0e14d

SHA256
8f799ce01381633ceca6332d00eae686a82eea87bbad68019b85202e367e054d

SHA512
b4439ab4dbf013225a553aa0af0fc3f40e6d1b33f73decb4095f8e59e27a2bfd53dd547ec0187d69cff8529c2b9fcafb36d318cef304aec04301afaf55c4bd5f

Download Submit
C:\Windows\{4A1E46C1-0CE1-4087-8C4E-AD62690D2966}.exe

Filesize
204KB

MD5
3f0f2d4520127e1a43fdb604a5372dad

SHA1
879f60c4ae50822214d7b6dfb6501f82c5946c7b

SHA256
431789ac854e80bcd49454bdb77db4a31e21ba6df95120fe4e740bb0856f439b

SHA512
775e76e8a50daea8cfebdf65238e69cb9c47b6dd1851586c65d2c01994ccbc5e3e1e596e1dab7fd871f2b475a7a5e9ec099d8e36fbe74e01dc3a089a5ea2ffdb

Download Submit
C:\Windows\{546A9148-ED11-4450-9ABD-0EFE53B71D3B}.exe

Filesize
204KB

MD5
68db882af7ecc7d13482954be1b65500

SHA1
269ba75c95654b834f9954aacd3392acfcd20ffe

SHA256
5e82b45d65a7c9c9a4f3b84c61bc89376a781dbb495287bc2574aadf13d21dca

SHA512
2cf45a648d912a0097fe581d9ff16ded3e79d7c1e0706bd511fbdb1ccbc003e79075cb778135da00e0524f04a35b5e7fdcd6ae5d35181c5f4318dda801bf826e

Download Submit
C:\Windows\{64E4C3A0-CC20-424e-9E0F-71C20D558306}.exe

Filesize
204KB

MD5
c9d4a3bdcce306d6d2b9dc3867ded1d4

SHA1
140a9dac2ac4fc2a310c678957550a6127fd0922

SHA256
8fe1e0210eca4d1232ad85278e129d62e8e035c8863f7617c5fbff6c69bbc41b

SHA512
45d1535f3d2e4e9a7b06af1832ca6217f429a608d387c21d6c8e94af9123523a6393d6f4135083a24a041c2a9938fe3175256565135962c088cfe2de8223b5a2

Download Submit
C:\Windows\{CA3179BD-D636-47b9-84B0-176F3AD38D9E}.exe

Filesize
204KB

MD5
16538d16caf01461b452226ee45b3244

SHA1
9a805a2bda1b06fa4a7ef0315f6acf2732eed524

SHA256
7f9c49890bce94c97ba0471d2d4c06d76c2bc72a49c68cfa91c270a0df0b5d2e

SHA512
fdd43b8a1576a0b93820c0457833eff37346a703dac7104320eff30ba59f0b556cc6b57290c41d4e8b85b618c0ad06927466e22bad8abe4516395f989f15bdd1

Download Submit
C:\Windows\{CBB4E135-7909-466b-8535-D23EC8C689A0}.exe

Filesize
204KB

MD5
07d259dd6dad74c57bc52eb46cce7cec

SHA1
7556e44f1776cd93b0ef98f82530af087ec26af0

SHA256
9efc6f4ff5db3381dd3b9526cd4fe263eaa2fad413b89eb6e892bab368034d99

SHA512
8f946cde280faebc9b8abaa797ed0322d8a8860b1982c818f33a80db8048763f444a04fd48e4f2e158d3d04d1b811c2bdfcd5db255e6e79f6043fc44c6b6205d

Download Submit
C:\Windows\{DA31EAC7-0F10-4339-8FC7-FE1621A70DD7}.exe

Filesize
204KB

MD5
7417529ba3e2d4d8655ef5012387dcdf

SHA1
5578ec7d9ce61bf4213f7f656c9d5ebf41f282d7

SHA256
ffc2761603654844e4df04b4f7ef9428a9bfca841c876e851e0ff36168d17930

SHA512
b59a4356ad9c50f89607494914d2c35ccbec6450801ced9e6bf8fd9f705878005d1ba92dba9fac3d041db381493df9e22c82abac2a5ff5b076dbc5adf143d56e

Download Submit
C:\Windows\{E7CF0992-9D6C-49d0-BDFB-82CE48F9E27B}.exe

Filesize
204KB

MD5
6c0ec7b294b286eac40b44a789e56e30

SHA1
67c107bfefecca640ca8a2db3f2d347c2a8e2f84

SHA256
95ea0c6ab1a3b3db31eae37309df10e6d4aeb1002da43ec0d349c79fcb014dee

SHA512
84c04dd341bba45761bc261585b06cd7b257f4d910fed1c5f508e9627ec685332197239299445b11209c5e08f6f6a53935a5c704908d1999f8d6edb4144863a6

Download Submit
C:\Windows\{F7C3B5C5-D2F4-402f-9A70-498DF66C954A}.exe

Filesize
204KB

MD5
99ee5794b7885737d4802f16ce53f0cb

SHA1
a76f2482ad73937c906f3cc86c6e025b2e69cf9f

SHA256
223184b17ae39d8c70a86b937a6064629c00cb8ce8ea92412c6f6f0b374c62b7

SHA512
971b31f30c3eb1188cccfca3c1f171654589c2c8f743e407c739e09f83d91b529a95a64c00c1f809a208253ea3264755f7d3da92c7d26d47ad9b183c512ef9f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads