bde35e900bdb9a168941fdb113b07115012f27765e9f995bf7d868823d115e8c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Size

192KB
MD5

e05a4709520074f18c63fe96c5b8db31
SHA1

76e3de89f7640038f909ab7597d373e02032f158
SHA256

bde35e900bdb9a168941fdb113b07115012f27765e9f995bf7d868823d115e8c
SHA512

3d476ba16c768c1f5c3599c74b83a5e9da8ec033618df2f2b2c60bd5a0115304c6e2f33b763878ef07385fac4ffb9f15599724721b84e6ede07acb5b3c874a0b
SSDEEP

1536:1EGh0oXl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oXl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3869D4-AE11-40e5-85EA-54BD70458715}	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0694AA2C-8279-4882-8626-AD1E510BD3D1}	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}\stubpath = "C:\\Windows\\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe"	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}\stubpath = "C:\\Windows\\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe"	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}\stubpath = "C:\\Windows\\{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe"	{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}\stubpath = "C:\\Windows\\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe"	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}\stubpath = "C:\\Windows\\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe"	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0694AA2C-8279-4882-8626-AD1E510BD3D1}\stubpath = "C:\\Windows\\{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe"	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A120AD-4B5E-42e7-ABEE-830678F20698}\stubpath = "C:\\Windows\\{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe"	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}\stubpath = "C:\\Windows\\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe"	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}\stubpath = "C:\\Windows\\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe"	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}	{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}\stubpath = "C:\\Windows\\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe"	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}\stubpath = "C:\\Windows\\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe"	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA3869D4-AE11-40e5-85EA-54BD70458715}\stubpath = "C:\\Windows\\{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe"	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8A120AD-4B5E-42e7-ABEE-830678F20698}	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe

Executes dropped EXE 11 IoCs

pid	Process
2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
620	{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
3552	{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
File created	C:\Windows\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
File created	C:\Windows\{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
File created	C:\Windows\{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
File created	C:\Windows\{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
File created	C:\Windows\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
File created	C:\Windows\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
File created	C:\Windows\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
File created	C:\Windows\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
File created	C:\Windows\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
File created	C:\Windows\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
Token: SeIncBasePriorityPrivilege	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
Token: SeIncBasePriorityPrivilege	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
Token: SeIncBasePriorityPrivilege	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
Token: SeIncBasePriorityPrivilege	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
Token: SeIncBasePriorityPrivilege	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
Token: SeIncBasePriorityPrivilege	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
Token: SeIncBasePriorityPrivilege	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
Token: SeIncBasePriorityPrivilege	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
Token: SeIncBasePriorityPrivilege	4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2132	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	94
PID 2016 wrote to memory of 2132	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	94
PID 2016 wrote to memory of 2132	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	94
PID 2016 wrote to memory of 5040	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	95
PID 2016 wrote to memory of 5040	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	95
PID 2016 wrote to memory of 5040	2016	2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe	95
PID 2132 wrote to memory of 1672	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	96
PID 2132 wrote to memory of 1672	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	96
PID 2132 wrote to memory of 1672	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	96
PID 2132 wrote to memory of 2596	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	97
PID 2132 wrote to memory of 2596	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	97
PID 2132 wrote to memory of 2596	2132	{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe	97
PID 1672 wrote to memory of 4172	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	101
PID 1672 wrote to memory of 4172	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	101
PID 1672 wrote to memory of 4172	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	101
PID 1672 wrote to memory of 4684	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	102
PID 1672 wrote to memory of 4684	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	102
PID 1672 wrote to memory of 4684	1672	{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe	102
PID 4172 wrote to memory of 1460	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	103
PID 4172 wrote to memory of 1460	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	103
PID 4172 wrote to memory of 1460	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	103
PID 4172 wrote to memory of 2904	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	104
PID 4172 wrote to memory of 2904	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	104
PID 4172 wrote to memory of 2904	4172	{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe	104
PID 1460 wrote to memory of 620	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	105
PID 1460 wrote to memory of 620	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	105
PID 1460 wrote to memory of 620	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	105
PID 1460 wrote to memory of 4332	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	106
PID 1460 wrote to memory of 4332	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	106
PID 1460 wrote to memory of 4332	1460	{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe	106
PID 4696 wrote to memory of 4444	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	110
PID 4696 wrote to memory of 4444	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	110
PID 4696 wrote to memory of 4444	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	110
PID 4696 wrote to memory of 1828	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	111
PID 4696 wrote to memory of 1828	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	111
PID 4696 wrote to memory of 1828	4696	{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe	111
PID 4444 wrote to memory of 4528	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	116
PID 4444 wrote to memory of 4528	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	116
PID 4444 wrote to memory of 4528	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	116
PID 4444 wrote to memory of 1480	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	117
PID 4444 wrote to memory of 1480	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	117
PID 4444 wrote to memory of 1480	4444	{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe	117
PID 4528 wrote to memory of 220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	122
PID 4528 wrote to memory of 220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	122
PID 4528 wrote to memory of 220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	122
PID 4528 wrote to memory of 4220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	123
PID 4528 wrote to memory of 4220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	123
PID 4528 wrote to memory of 4220	4528	{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe	123
PID 220 wrote to memory of 5108	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	124
PID 220 wrote to memory of 5108	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	124
PID 220 wrote to memory of 5108	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	124
PID 220 wrote to memory of 4416	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	125
PID 220 wrote to memory of 4416	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	125
PID 220 wrote to memory of 4416	220	{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe	125
PID 5108 wrote to memory of 4516	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	126
PID 5108 wrote to memory of 4516	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	126
PID 5108 wrote to memory of 4516	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	126
PID 5108 wrote to memory of 3976	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	127
PID 5108 wrote to memory of 3976	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	127
PID 5108 wrote to memory of 3976	5108	{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe	127
PID 4516 wrote to memory of 3552	4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe	131
PID 4516 wrote to memory of 3552	4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe	131
PID 4516 wrote to memory of 3552	4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe	131
PID 4516 wrote to memory of 4412	4516	{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_e05a4709520074f18c63fe96c5b8db31_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
  C:\Windows\{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
    C:\Windows\{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
      C:\Windows\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
        
        C:\Windows\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
        
        C:\Windows\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
        
        C:\Windows\{7C34CD92-0298-4b17-ACD7-9B3996B9F5D9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
        
        C:\Windows\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
        
        C:\Windows\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
        
        C:\Windows\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
        
        C:\Windows\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
        
        C:\Windows\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe
        
        C:\Windows\{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD74E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89E76~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B4CB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AF29~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E626B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C34C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60BA7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF4F~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16CD0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F8A12~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0694A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0694AA2C-8279-4882-8626-AD1E510BD3D1}.exe

Filesize
192KB

MD5
dbcfd72fb0d0dda6d71fa5a0337d970e

SHA1
125d523d5df153a0a7578ee2fa277b844aebeeeb

SHA256
e2abc4f52e8efad4ff5a9f4f841d9444e6c5351d64c47f449b8fdce81c401ac7

SHA512
06cf41c1609733a1122a57da5e6192dfa07a5f8934713d0d306e2d9e94a01b008f5091d4bd82b7aff16f8dcf5e9b616ff729063d05cd7757aeabc52898463481

Download Submit
C:\Windows\{16CD0229-6E5F-4b7d-8637-6E65ABD57313}.exe

Filesize
192KB

MD5
2c28b932324b4fa2e17a78147b710002

SHA1
ed87db8c394aa4f9b7393ecc3826f7030ba26d65

SHA256
f1b14336e1a2fc245382e02146eb774691a310bb0ab18a7117c48728b94adb1d

SHA512
c24a55e455e025e988a04e7fd45fc1dce31b3995e4e60723e9d0fd6fcdd6cdac692a2207fafe8589b84c1980bfb005d63101cfcbf3209a3a2d6305d587f5247d

Download Submit
C:\Windows\{1AF29301-4A8E-471d-A26A-83DD03A66AA1}.exe

Filesize
192KB

MD5
ed0080c25c3985a18cb7bc9d2e917c59

SHA1
1529ba5637b675d24334577d7af53cdf5109ad1b

SHA256
2f3dc684392a86615def47b3dbd2c75c9fcb1ca9e2a4171d93625388fd3ad585

SHA512
65a1d799b0bc5f00e58b7996532739bfec8b5157ffcb204d4e169a848335cc1a8ab38ed6f8eb532af2509c81d2fa186559fbbfa3e9a5e3a3b0275f7ca3192853

Download Submit
C:\Windows\{2AF4FCFE-B508-4198-AA7D-255B67D73C8F}.exe

Filesize
192KB

MD5
0770efd1138f72a1c2175c04a448a677

SHA1
8edd0ffa8a524e9c911b66bc93094ed6eecfe562

SHA256
9252c4d7b7631c5a105ea0e677b5859914532f413f0e5f863c676b772778c9b2

SHA512
36883bbdf1e29647ee0589465c19fa9b168f62cd98e5ef98f479a84fe21054d785a3f7454a46602569441b4b6d9ddfb94ce24d274e6bdd555c7cfca378957d29

Download Submit
C:\Windows\{60BA7F50-9F5E-43f8-854E-0205EA56A58B}.exe

Filesize
192KB

MD5
90660c1dfd053cb355533d4d4d604744

SHA1
48f8c2878204b0b2b7cc52c881827e4b8b35b2c1

SHA256
8f59a88d7b3ee1b2c2f8c7fbeefc9af72edf8e1df1473bb44e4ded5de8d4e1f6

SHA512
2284a6d6762ac672502a5a46f432add39e80c263dfec897955d8692e05c1fba9d587bced379d47105928375c3071ed605c052ddb3ee93f71fcedcc95bd4c4df7

Download Submit
C:\Windows\{89E76391-D8B2-4ed8-836A-1EA5F8DA7FB0}.exe

Filesize
192KB

MD5
0d1d7a5770c8c1fb1bfeea6761247cb8

SHA1
f1a6a6bde6707546fe2c812b0b67c5ce36ee4202

SHA256
efad32ad668cb9fe57cf86f0ac1181fe36631d8bd30a04c3ebe00faf15e87789

SHA512
1258bd619fdc8788ccbbd3420848cbdcdeb56642e39a36e4b3d96f4d0cbbe82bda957f4ed631884300fd2fc45a7dae29384a62dd0b2eec7e9a7d5902edde541b

Download Submit
C:\Windows\{9B4CB960-70B0-4cba-BAB0-F9ECB39EE290}.exe

Filesize
192KB

MD5
346ade6286f86336227cb614f1baf042

SHA1
87f01a5505260f819c95912b2de26fad8c2a644c

SHA256
41db3f4f5a3c35a0d3808eae81187230136201dc7a31a695279a113d5582d38e

SHA512
761c61d35201a756cefa5f0e9b8969c6341e7f977266139fd8d1354f5735d7df5320f1d3d7e865a43cda5504339861b236846f50fa122a8d3870d7e779f9ba1a

Download Submit
C:\Windows\{BD74ECD4-C91D-4fc2-8477-56BF10A492CB}.exe

Filesize
192KB

MD5
4c2b247e08a6ecc03101441582c0f32a

SHA1
d70763ddb9613c977502a0d9acfe66e02bd30039

SHA256
4da098a0bba7a8afa5fc2761d2f3ca1612db6964278b02e034cddf661312aeef

SHA512
f14a9b9c4ccaa15e59aef8b8b201ecb3feb08ee36937df1e09402fa2228dc2407e18acb6c8279d74fb41e1f4b7f0a68576d3ffcc03f927080d585d51fcf5e563

Download Submit
C:\Windows\{E626BEEB-DF98-41ba-AA9F-D491169DDB27}.exe

Filesize
192KB

MD5
c97a977733cc451ad3a73c4b404a46a6

SHA1
ea3647abc1b8ae231857aaab9c9323e1522e2aa1

SHA256
0199a18be88f4da9e9b1d9abc47ada397f86ab8bb958c33e6899db5ba17249d5

SHA512
da5658a6e7cd98d90036c06bc670bec33a6e549d93566bada7c49025737d4dba5ee60cc874d9ae524cd978b6b723ccfcba2b8d82fd4abf682c329e8cc85b6e94

Download Submit
C:\Windows\{F8A120AD-4B5E-42e7-ABEE-830678F20698}.exe

Filesize
192KB

MD5
125db3f515a037e8b58b7bd5fdb38a7e

SHA1
afc5ca96a3379bd57ae760a2cee69429cece2fa4

SHA256
9a46cbfc23dfb83be570a901465aaa931ba525c6a1fffcd0ac7c231687171ad9

SHA512
d7987d827bf10a8cf5b6a9c8c881cedbcec7560a0fb9bf57af652c4fb8b3d925657a73de35766f0428275c32bd970a6c40ddcc95cda3374ec120d3a1b41f597c

Download Submit
C:\Windows\{FA3869D4-AE11-40e5-85EA-54BD70458715}.exe

Filesize
192KB

MD5
fc03d06920458c48a673441e54581554

SHA1
4e9783e4dd4264f8a520703053a945a76302b7f1

SHA256
25af7e45f5e1e1ab232f02360dcebb8565721671de6e90db28cb6261bc400a88

SHA512
73594b1a1b8cf27946d94e1fa3fcc236468453fd2245dc497fd01d7e0d24f12bdf11e4249f569e34aec3b86e4640c9ed8d6b169661a86132627161f69f52f23d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads