feff2466a92f4bb5cb464c9906cee2bbd40439c202c0c6b0c51fd03aa6b1e4dd

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
Size

372KB
MD5

14b6b14a4638fd2a041364710e48cfd0
SHA1

43430afa6bc2db36cca902c7613ffca3151ef903
SHA256

feff2466a92f4bb5cb464c9906cee2bbd40439c202c0c6b0c51fd03aa6b1e4dd
SHA512

925de9f30829e8eb82a4d227bce8a991b22749daa24e0275ffa66db6951da87b21ce878dd254ae41eadc3815d9ab4dea5aa3844a7693778100af30ec8a109cb7
SSDEEP

3072:CEGh0oHlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGRlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}\stubpath = "C:\\Windows\\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe"	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F101303-EC18-4cc7-8334-65771CF2E0F7}\stubpath = "C:\\Windows\\{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe"	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}\stubpath = "C:\\Windows\\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe"	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FED23376-B763-4949-B8E6-B51E0DEF750B}\stubpath = "C:\\Windows\\{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe"	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78CDE554-F778-40b5-8690-C935769BEF80}\stubpath = "C:\\Windows\\{78CDE554-F778-40b5-8690-C935769BEF80}.exe"	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C340CB8A-949C-44da-8F7D-793AB8C5F614}	{78CDE554-F778-40b5-8690-C935769BEF80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}\stubpath = "C:\\Windows\\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe"	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F101303-EC18-4cc7-8334-65771CF2E0F7}	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FED23376-B763-4949-B8E6-B51E0DEF750B}	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B58549-8950-40b0-A464-2F24C62397B9}	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF188195-B3C0-4936-AA5C-7F9A166D3422}	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF188195-B3C0-4936-AA5C-7F9A166D3422}\stubpath = "C:\\Windows\\{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe"	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}\stubpath = "C:\\Windows\\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe"	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B58549-8950-40b0-A464-2F24C62397B9}\stubpath = "C:\\Windows\\{91B58549-8950-40b0-A464-2F24C62397B9}.exe"	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}\stubpath = "C:\\Windows\\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe"	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78CDE554-F778-40b5-8690-C935769BEF80}	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C340CB8A-949C-44da-8F7D-793AB8C5F614}\stubpath = "C:\\Windows\\{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe"	{78CDE554-F778-40b5-8690-C935769BEF80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}\stubpath = "C:\\Windows\\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe"	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe

Executes dropped EXE 12 IoCs

pid	Process
960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
1496	{78CDE554-F778-40b5-8690-C935769BEF80}.exe
3160	{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
File created	C:\Windows\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
File created	C:\Windows\{91B58549-8950-40b0-A464-2F24C62397B9}.exe	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
File created	C:\Windows\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
File created	C:\Windows\{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
File created	C:\Windows\{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe	{78CDE554-F778-40b5-8690-C935769BEF80}.exe
File created	C:\Windows\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
File created	C:\Windows\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
File created	C:\Windows\{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
File created	C:\Windows\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
File created	C:\Windows\{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
File created	C:\Windows\{78CDE554-F778-40b5-8690-C935769BEF80}.exe	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78CDE554-F778-40b5-8690-C935769BEF80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
Token: SeIncBasePriorityPrivilege	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
Token: SeIncBasePriorityPrivilege	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
Token: SeIncBasePriorityPrivilege	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
Token: SeIncBasePriorityPrivilege	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
Token: SeIncBasePriorityPrivilege	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe
Token: SeIncBasePriorityPrivilege	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
Token: SeIncBasePriorityPrivilege	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
Token: SeIncBasePriorityPrivilege	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
Token: SeIncBasePriorityPrivilege	1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
Token: SeIncBasePriorityPrivilege	1496	{78CDE554-F778-40b5-8690-C935769BEF80}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 960	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	87
PID 2500 wrote to memory of 960	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	87
PID 2500 wrote to memory of 960	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	87
PID 2500 wrote to memory of 3040	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	88
PID 2500 wrote to memory of 3040	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	88
PID 2500 wrote to memory of 3040	2500	2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe	88
PID 960 wrote to memory of 5064	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	91
PID 960 wrote to memory of 5064	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	91
PID 960 wrote to memory of 5064	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	91
PID 960 wrote to memory of 4452	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	92
PID 960 wrote to memory of 4452	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	92
PID 960 wrote to memory of 4452	960	{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe	92
PID 5064 wrote to memory of 852	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	95
PID 5064 wrote to memory of 852	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	95
PID 5064 wrote to memory of 852	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	95
PID 5064 wrote to memory of 2584	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	96
PID 5064 wrote to memory of 2584	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	96
PID 5064 wrote to memory of 2584	5064	{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe	96
PID 852 wrote to memory of 3916	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	97
PID 852 wrote to memory of 3916	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	97
PID 852 wrote to memory of 3916	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	97
PID 852 wrote to memory of 2676	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	98
PID 852 wrote to memory of 2676	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	98
PID 852 wrote to memory of 2676	852	{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe	98
PID 3916 wrote to memory of 1848	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	99
PID 3916 wrote to memory of 1848	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	99
PID 3916 wrote to memory of 1848	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	99
PID 3916 wrote to memory of 3496	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	100
PID 3916 wrote to memory of 3496	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	100
PID 3916 wrote to memory of 3496	3916	{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe	100
PID 1848 wrote to memory of 1148	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	101
PID 1848 wrote to memory of 1148	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	101
PID 1848 wrote to memory of 1148	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	101
PID 1848 wrote to memory of 1140	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	102
PID 1848 wrote to memory of 1140	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	102
PID 1848 wrote to memory of 1140	1848	{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe	102
PID 1148 wrote to memory of 3868	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	103
PID 1148 wrote to memory of 3868	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	103
PID 1148 wrote to memory of 3868	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	103
PID 1148 wrote to memory of 912	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	104
PID 1148 wrote to memory of 912	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	104
PID 1148 wrote to memory of 912	1148	{91B58549-8950-40b0-A464-2F24C62397B9}.exe	104
PID 3868 wrote to memory of 4720	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	105
PID 3868 wrote to memory of 4720	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	105
PID 3868 wrote to memory of 4720	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	105
PID 3868 wrote to memory of 1712	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	106
PID 3868 wrote to memory of 1712	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	106
PID 3868 wrote to memory of 1712	3868	{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe	106
PID 4720 wrote to memory of 4660	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	107
PID 4720 wrote to memory of 4660	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	107
PID 4720 wrote to memory of 4660	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	107
PID 4720 wrote to memory of 4092	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	108
PID 4720 wrote to memory of 4092	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	108
PID 4720 wrote to memory of 4092	4720	{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe	108
PID 4660 wrote to memory of 1600	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	109
PID 4660 wrote to memory of 1600	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	109
PID 4660 wrote to memory of 1600	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	109
PID 4660 wrote to memory of 5100	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	110
PID 4660 wrote to memory of 5100	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	110
PID 4660 wrote to memory of 5100	4660	{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe	110
PID 1600 wrote to memory of 1496	1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe	111
PID 1600 wrote to memory of 1496	1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe	111
PID 1600 wrote to memory of 1496	1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe	111
PID 1600 wrote to memory of 4768	1600	{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_14b6b14a4638fd2a041364710e48cfd0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
  C:\Windows\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
    C:\Windows\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
      C:\Windows\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
        
        C:\Windows\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
        
        C:\Windows\{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{91B58549-8950-40b0-A464-2F24C62397B9}.exe
        
        C:\Windows\{91B58549-8950-40b0-A464-2F24C62397B9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
        
        C:\Windows\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
        
        C:\Windows\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
        
        C:\Windows\{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
        
        C:\Windows\{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{78CDE554-F778-40b5-8690-C935769BEF80}.exe
        
        C:\Windows\{78CDE554-F778-40b5-8690-C935769BEF80}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe
        
        C:\Windows\{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78CDE~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF188~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FED23~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AFC4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A4F6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B58~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F101~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ED5D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E94~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7BC3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A20BD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F101303-EC18-4cc7-8334-65771CF2E0F7}.exe

Filesize
372KB

MD5
f07771eb0e42027516d26a7819df0d90

SHA1
e0f59d0da2c5cbbd706535a9c9a3fa1942c152cf

SHA256
20b111bcef359f03f096a7824ec27994430cc5f3f28b78f847f1a5e4fb6105cd

SHA512
18114ad268fcace36db99913270ae89b4f4d403c99a9110313d9f9ec7ac259669ddf7148a806d1d24c2e9c067f2a86fe633e4f2d6bcc27c5777daf695d682906

Download Submit
C:\Windows\{4A4F6FED-70FC-4d47-BAB6-1CAA8F2819FB}.exe

Filesize
372KB

MD5
f0cd32e6ab28a2f77471cc44d68476a1

SHA1
75c404578b45b061e2831216dd3a6dcca1b628c3

SHA256
0468de3c810b759bd2e775914ccc89a8252c979f1d504875139f5e0ee1834b5a

SHA512
e52c1a9f3b725363185971ed5da2fa90e1ce3ac6f9818117788f8a72cee3494041767be0f2c001369617aa2be4784618051c1affa676005ca074ebb87de2c5bb

Download Submit
C:\Windows\{4ED5DF7E-D102-402d-8798-B506BA9BC9F0}.exe

Filesize
372KB

MD5
64b5c95a6d83dc20d596cbe6fed16ce8

SHA1
795a053821c6a5f79b19ce006f6d50b85e6c428a

SHA256
797118ec7ad1d9d124b8d1da0189806afc35fb576777fa42a24a59abe9f72d5f

SHA512
655d57cefa388e54a307203ff4421b3c17925670496303f3abd067e6a73f61a66e12bc7937d22d887a98c49c784cda7a9bc7a46ef4ae39313c919b6aaa02a865

Download Submit
C:\Windows\{78CDE554-F778-40b5-8690-C935769BEF80}.exe

Filesize
372KB

MD5
2fca63f6dcceb5e7ff93ef13e990b943

SHA1
4fe02afb15c3dbd821df90954bba95ddb359e407

SHA256
a305c0d6757da2065a68d7db65ee7aa0d2fc10905bbf39746c6a39c2ad9e3f19

SHA512
4719b3331f99973b366011dd201dc5f8557d9dc2860507a5f8db04193a312aa9f97a05a4309ea6dd34d1aaa82504f408d1efa8e181cc89346aecdbbf0393e694

Download Submit
C:\Windows\{7AFC4651-6A36-4028-82A1-2A7A70B6E02D}.exe

Filesize
372KB

MD5
b1656d26244bc459fcca5a616c0690a0

SHA1
839c0bbfdfa103d4f22ae804bc5f972657d018a2

SHA256
71878076ec8a41540796250a2d3b6c78008fe3c8f73296e07df2a4037f4f43ee

SHA512
4c44d983c02d15b148f0fe283e62c0c119c92638ab73452e80d1ffcb651ae0fbcfa8c481526551a1147c39487017c8d8404e5ea2f8e377eb259cd6f9789e21cd

Download Submit
C:\Windows\{91B58549-8950-40b0-A464-2F24C62397B9}.exe

Filesize
372KB

MD5
9246e0e25ea6ed76cff8ce7b9bfe825c

SHA1
60b730fd2ce3f5e801c812ebcb98f3b8ef01c444

SHA256
97416940401594726dd18c534edd9e7a5e868791672a594995125a3b511ee150

SHA512
cc3ca35775333262b3c0888963647f41ae20412400506f57a14164a44f5b2df4ab269e7b30b3a29070ddc6724201e6930024bc2919d83210c508959ebfd435fe

Download Submit
C:\Windows\{A20BD308-8E6C-418d-A5CD-4A8AAACE5422}.exe

Filesize
372KB

MD5
8ab0004177c14717be1544b95ff96643

SHA1
00410dcc069885ce9ab33ca02163842ccd8466bc

SHA256
a90af40116755bb27d553500ad8ce642aa6468725e09db8c67a0b506f0a5cdb8

SHA512
a6f86ce10ef3623a18c99c67159e3758ff1a556c6c87faa34ffa0fde01e1af347469d52e1790cbd8dc2e3c5db13db62404aaeeb5dc2f76305c915d0149a12181

Download Submit
C:\Windows\{C0E942D8-40E8-4e21-A5DE-ADC14B0692E8}.exe

Filesize
372KB

MD5
b1397f1c501f2916f4224aa1487d6d49

SHA1
c910ee9e8dd2443d1f8050bb8596cd9f69cdaa3c

SHA256
afa32aebbaa8ad541191fe11194cb968199644c1daaecb1f33db2dc1c799ad95

SHA512
e8d2d021c817178399402493009236ee171db8742a9fdf796534794ee2158d0698ff39eaeb35ea2588d36bc5bb331d282e0aa54b747ce32b46ef7c7828202088

Download Submit
C:\Windows\{C340CB8A-949C-44da-8F7D-793AB8C5F614}.exe

Filesize
372KB

MD5
2abd8badc0ce5f01a15ee5a5a7cbb699

SHA1
73feecd01cb0c93e58f6da78f818511d66803b2c

SHA256
527fa61718e4dd552db868bf5e72f18850abcebc16365e8e15801ee85aa49985

SHA512
49be0cc62e82f8efeefe80862010dec16f54b5c9db48c6e0f89fb10e64542d1e5e359d0a11c831150ee611fc178ee6207b9cc0577a91e4b8a2392808cbdd2677

Download Submit
C:\Windows\{CF188195-B3C0-4936-AA5C-7F9A166D3422}.exe

Filesize
372KB

MD5
8a3f9339e52f897c7b7d027f64b58ba9

SHA1
661a67a90992a3afb5f4e80f7e08b35a8d82ac8d

SHA256
af827d30d05052014e4a295baf48a19e8ed55ab80630470f418947b4fb891317

SHA512
765c274f9b5cfb2e6f4e9dbae9c3b0deff0534292db803e8d6d37861d9dc91dc94976b21c689fa8d2fd06a596f6d670465014fcaeedab109dd55194bb8773a18

Download Submit
C:\Windows\{E7BC3988-903B-4f8f-909D-3F8BA14F6739}.exe

Filesize
372KB

MD5
9c1695ae7e7c40c76499a7e8608061ae

SHA1
b30214e7dff1995edb4e55284dbd726839643e1b

SHA256
de4ec7931a2fc3a4d7dc459858c9ff6b6509024327a1f9fcb4b5e09f4b416dec

SHA512
3af117774214d1ff5e45fbdcf3a0e3fd59e38d9919a5de836c6041ff2607217c2e57d2e6090ecc611ba49d71c6aa68cc257a6702c88b0d446b64ebe622abf073

Download Submit
C:\Windows\{FED23376-B763-4949-B8E6-B51E0DEF750B}.exe

Filesize
372KB

MD5
fdafec2962b7fa2cbe3b79a1a834c2d2

SHA1
8311c345a01982e987899a1e385f59842cc554d9

SHA256
5f11c5ed21761bb42f90fcf33ea3e5d7baa72d5c57a998225766027a72eb322d

SHA512
d12e4014d0fc2bfda433391db8409d34d70b1a647ee658806dc931356160c3ee81bb65343529dfd1e0e078b22f60a1e27d6407f4b8becfbf598bef96d66173e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads