201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Size

344KB
MD5

4a4b63035071f312fd7a8fd6a0db86bf
SHA1

38bfe00d6861e48ab945bb170b2a7fc1ace3439b
SHA256

201ded16869efd77c17f64b7a97a75250b8bbb25639174cd2ee449424702f5d0
SHA512

5f7a986bc291aa36df39f1ae2797743c721d28b191af8e22e5e92c0bfea0f794d80fafba845dc577e8ac1261e083901eea979d8ce50650dd12a74be841998b66
SSDEEP

3072:mEGh0oalVOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGIlVOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631A2E62-17D5-47bc-84FC-1710A1843B6D}\stubpath = "C:\\Windows\\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe"	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}\stubpath = "C:\\Windows\\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe"	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}\stubpath = "C:\\Windows\\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe"	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D572C8-CC18-456b-9603-C4604CD4A45E}	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{631A2E62-17D5-47bc-84FC-1710A1843B6D}	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}\stubpath = "C:\\Windows\\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe"	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}\stubpath = "C:\\Windows\\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe"	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F220589-E02F-4976-807E-25BD0D16146B}	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F220589-E02F-4976-807E-25BD0D16146B}\stubpath = "C:\\Windows\\{8F220589-E02F-4976-807E-25BD0D16146B}.exe"	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3D572C8-CC18-456b-9603-C4604CD4A45E}\stubpath = "C:\\Windows\\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe"	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34C4E7C2-2417-4020-9801-938813213E3D}	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EFC7898-5A62-4625-8E9B-3D946478D993}	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}\stubpath = "C:\\Windows\\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe"	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F320F7C5-FC63-495e-83C1-127B676F2646}\stubpath = "C:\\Windows\\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe"	{8F220589-E02F-4976-807E-25BD0D16146B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34C4E7C2-2417-4020-9801-938813213E3D}\stubpath = "C:\\Windows\\{34C4E7C2-2417-4020-9801-938813213E3D}.exe"	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}\stubpath = "C:\\Windows\\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe"	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EFC7898-5A62-4625-8E9B-3D946478D993}\stubpath = "C:\\Windows\\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe"	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F320F7C5-FC63-495e-83C1-127B676F2646}	{8F220589-E02F-4976-807E-25BD0D16146B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe
4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
1608	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
4772	{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	{8F220589-E02F-4976-807E-25BD0D16146B}.exe
File created	C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
File created	C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
File created	C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
File created	C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
File created	C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
File created	C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
File created	C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
File created	C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
File created	C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
File created	C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
File created	C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F220589-E02F-4976-807E-25BD0D16146B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
Token: SeIncBasePriorityPrivilege	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe
Token: SeIncBasePriorityPrivilege	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
Token: SeIncBasePriorityPrivilege	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
Token: SeIncBasePriorityPrivilege	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
Token: SeIncBasePriorityPrivilege	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe
Token: SeIncBasePriorityPrivilege	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
Token: SeIncBasePriorityPrivilege	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
Token: SeIncBasePriorityPrivilege	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
Token: SeIncBasePriorityPrivilege	4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
Token: SeIncBasePriorityPrivilege	1608	{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2656	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	89
PID 4012 wrote to memory of 2656	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	89
PID 4012 wrote to memory of 2656	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	89
PID 4012 wrote to memory of 2052	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	90
PID 4012 wrote to memory of 2052	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	90
PID 4012 wrote to memory of 2052	4012	2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe	90
PID 2656 wrote to memory of 3128	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	91
PID 2656 wrote to memory of 3128	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	91
PID 2656 wrote to memory of 3128	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	91
PID 2656 wrote to memory of 620	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	92
PID 2656 wrote to memory of 620	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	92
PID 2656 wrote to memory of 620	2656	{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe	92
PID 3128 wrote to memory of 4896	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	95
PID 3128 wrote to memory of 4896	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	95
PID 3128 wrote to memory of 4896	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	95
PID 3128 wrote to memory of 4188	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	96
PID 3128 wrote to memory of 4188	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	96
PID 3128 wrote to memory of 4188	3128	{8F220589-E02F-4976-807E-25BD0D16146B}.exe	96
PID 4896 wrote to memory of 1644	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	97
PID 4896 wrote to memory of 1644	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	97
PID 4896 wrote to memory of 1644	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	97
PID 4896 wrote to memory of 2148	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	98
PID 4896 wrote to memory of 2148	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	98
PID 4896 wrote to memory of 2148	4896	{F320F7C5-FC63-495e-83C1-127B676F2646}.exe	98
PID 1644 wrote to memory of 4576	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	99
PID 1644 wrote to memory of 4576	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	99
PID 1644 wrote to memory of 4576	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	99
PID 1644 wrote to memory of 4552	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	100
PID 1644 wrote to memory of 4552	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	100
PID 1644 wrote to memory of 4552	1644	{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe	100
PID 4576 wrote to memory of 3956	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	101
PID 4576 wrote to memory of 3956	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	101
PID 4576 wrote to memory of 3956	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	101
PID 4576 wrote to memory of 4520	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	102
PID 4576 wrote to memory of 4520	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	102
PID 4576 wrote to memory of 4520	4576	{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe	102
PID 3956 wrote to memory of 4288	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	103
PID 3956 wrote to memory of 4288	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	103
PID 3956 wrote to memory of 4288	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	103
PID 3956 wrote to memory of 1092	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	104
PID 3956 wrote to memory of 1092	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	104
PID 3956 wrote to memory of 1092	3956	{34C4E7C2-2417-4020-9801-938813213E3D}.exe	104
PID 4288 wrote to memory of 4384	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	105
PID 4288 wrote to memory of 4384	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	105
PID 4288 wrote to memory of 4384	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	105
PID 4288 wrote to memory of 2804	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	106
PID 4288 wrote to memory of 2804	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	106
PID 4288 wrote to memory of 2804	4288	{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe	106
PID 4384 wrote to memory of 3316	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	107
PID 4384 wrote to memory of 3316	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	107
PID 4384 wrote to memory of 3316	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	107
PID 4384 wrote to memory of 3272	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	108
PID 4384 wrote to memory of 3272	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	108
PID 4384 wrote to memory of 3272	4384	{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe	108
PID 3316 wrote to memory of 4988	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	109
PID 3316 wrote to memory of 4988	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	109
PID 3316 wrote to memory of 4988	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	109
PID 3316 wrote to memory of 1700	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	110
PID 3316 wrote to memory of 1700	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	110
PID 3316 wrote to memory of 1700	3316	{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe	110
PID 4988 wrote to memory of 1608	4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe	111
PID 4988 wrote to memory of 1608	4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe	111
PID 4988 wrote to memory of 1608	4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe	111
PID 4988 wrote to memory of 5064	4988	{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_4a4b63035071f312fd7a8fd6a0db86bf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
  C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe
    C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
      C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
        
        C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
        
        C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe
        
        C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
        
        C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
        
        C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
        
        C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
        
        C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
        
        C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe
        
        C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63A2A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57254~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3D57~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C16~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05FDD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34C4E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2DDF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{631A2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F320F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F220~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC782~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05FDD052-BE75-4ae8-AC0B-61ED07512FDB}.exe

Filesize
344KB

MD5
3f33ae226531012f0c26954516f95009

SHA1
76b5c7f2f69eb9a0060e7bb01e9f8888d3814157

SHA256
6cdc7fecdec4ac6814fb2e7c9e368917752d5893156e8a0abf1b6311c58e54f5

SHA512
0c7242fc722e06c1aad7cc97b979bd8b8ea10de90b5953a4d3d2b5d3ca9b8b01dd73d8d11ded163292d13966ad352253f79feca3cc5bf159f81fa980f994e60c

Download Submit
C:\Windows\{34C4E7C2-2417-4020-9801-938813213E3D}.exe

Filesize
344KB

MD5
c10fd2adbed9765d8cdf22d794ac4add

SHA1
b11d8b5e9f5e6c61904483dabad5d7fc748f1f4b

SHA256
ea312434537c9fdf2e3876acde5e048e80987c462c4f5f4359f73f75307d72de

SHA512
6c6b52bdf194d0f41514906d5a01911a1ca10b83cdf355bfd4e24f89552b8e564374ed8be1ae61f369ff247688d9f5c943011a926911f01d83d8d62dcf205741

Download Submit
C:\Windows\{3EFC7898-5A62-4625-8E9B-3D946478D993}.exe

Filesize
344KB

MD5
e500d16b8d13128d7d93b6cf7b6cf809

SHA1
b0725673a782c9722c2b2249e88a3c38a69a71ea

SHA256
2bccfc28bfcd6d3e240bd5a95c960e050b4ca92ba1dcf224c43940a462d6b568

SHA512
0d5aee63562f658bcf8190e102e6d1d7b7aeddda0e8005595dd35cc8ab77140e32af23073a9a52a0e113f2422dbd47c2570f65b3a2437ebe72cd5937cd862b75

Download Submit
C:\Windows\{57254CEB-FEB4-45e6-89B0-3447E888D1A8}.exe

Filesize
344KB

MD5
62889d763f988e183fea6ef38953135a

SHA1
198db8f38c0dcff99e450c3cef3f45ff7dd33b20

SHA256
5189683bf387c60f5c6d77f122004c520847177b9c99fd10a8ecca87c5c6e1f7

SHA512
19b0cc751ab3e842c1425a47c7bcc3a7001c79ac15f18350f1d1bacdd0460c130f17a4ce9e5ca952b096d4fde82a55b2accec9e4bcfc863edc2bb96262802d92

Download Submit
C:\Windows\{631A2E62-17D5-47bc-84FC-1710A1843B6D}.exe

Filesize
344KB

MD5
ad66c50f823b35c8987d86a6fba4e4d1

SHA1
1402e0b4ee9559dbc5028a7b9e5c1ee0cb757ebf

SHA256
982a27f271a201be5cf6af0b2151f987879adeced75b1c07e1da62376d198997

SHA512
eb4ac2af6405113d2f71a8eaa1125ec84217e9e57470a24b477235613cd070d76059282add08f673f18b9dc29a0c19e189c8caa40a40ff581f2a9278ed8b4b84

Download Submit
C:\Windows\{63A2A70A-E056-49f0-807D-D86CCBA9EB70}.exe

Filesize
344KB

MD5
e457317229c3cd86f84ad79f3f63cb8d

SHA1
a8cbf2453a3bae06687231f166658ec8f0660399

SHA256
e1a80b6a8dc3086b6296210d1d344d58255b8a259e61b0a27fb63f0cda820ba9

SHA512
86ac2de5942d67413c8106119a34e3bba4446ca11a344eca9c5ceec674d21ed1d97d220f03ea1fac170c5559ce79d162b7d0af3eb45d6b2eaaa46ef8640f215e

Download Submit
C:\Windows\{8F220589-E02F-4976-807E-25BD0D16146B}.exe

Filesize
344KB

MD5
466f0bf53e63f97a49aa13a26206dff6

SHA1
96e169b0a79b5ce7df5303064935b4cbf28840cf

SHA256
3dcd53af44114410c3df2ad524304f86ff4b195827fc396591c395717c9cfbb8

SHA512
01c216dd6498b927c0fcdd94a5a15ad371bdf57caaf7b8bdd0daf4e530a3e8775bb94417b6f3bde3a8b8279387bf61e4c25e2633c4b34345606cbaf94bf93257

Download Submit
C:\Windows\{A1C161E2-B6AA-4df9-B7E6-A9C506D887C1}.exe

Filesize
344KB

MD5
d997e26e8252fbdf27d2eabb3ad3b524

SHA1
6a841a9377df856f38628ebf7498cc012d52b17b

SHA256
11b4bdc1f35f77f4f136c994e93f957dac0e0a8dd94a9af51c1d9a03d6fa70e7

SHA512
8ba21cce63457e7a805d7ed58b56e4098eda5738c86a90f5e770b39a5b128f2ad8348b47bdac433ddc834645831ae02f3f4525172f21dca2a51563189ec7a1dc

Download Submit
C:\Windows\{CC782C6C-C65A-482e-81EE-DA37B2EB466B}.exe

Filesize
344KB

MD5
5163e66734ca34b231e505d125ef89c4

SHA1
ed948e97cdc93f262b87db1e5266d158b98fd6a6

SHA256
37b9cfb85033eb5ef3b0505af61e838235160dd6495914b6f2ceb41ec7794f27

SHA512
d07aa35eec203fed36075ab6533a462357eaac7c0a4dfc7c6c050e911729d91914c21ab395316fbaa8ed39ca8a315ff47a0f338a29eb1471d4caf7c8f3d6d6e0

Download Submit
C:\Windows\{D2DDF82F-0D53-426c-813F-FE33FCA6D5F8}.exe

Filesize
344KB

MD5
11cdf0cb75d2794eed2e9aabfc236df8

SHA1
e9e902542d80f8c26f0c259d5f4c14c036a4a269

SHA256
13f29d20f8045ba7b75b341ffe17beeb995c6eac72426e85c3294722f8529fd0

SHA512
ac305a63ce5e206f6e693b33767a770fbbe113b9d63880131f0f20d8a48602df432075ef5c675bbce4c41c70e5a9c0fbc43a2c7fc1d45af1e7bfc59284daf18c

Download Submit
C:\Windows\{D3D572C8-CC18-456b-9603-C4604CD4A45E}.exe

Filesize
344KB

MD5
05778866a6de73ebc86000329a2ea50b

SHA1
1c0ac1a138130011b347dc9180c399b8b12933b5

SHA256
e71974c6ccf5eafe1b18e2bbb3e2a68f344e784ad1f77f38db7598fcb738f5dd

SHA512
f852bf86048ce31a5d486a2b9d2c3a5ea20bcf3ae1d3a5be7ab47436df18c55885332237a609643cc28e8d0966bb9272ace5903f5252faf1f238b25d19e6eafb

Download Submit
C:\Windows\{F320F7C5-FC63-495e-83C1-127B676F2646}.exe

Filesize
344KB

MD5
723c52ac3fbdf7c699a95db11b2f91e3

SHA1
5126ddf5a04311bcac631d41545d2270ff58250f

SHA256
9db214088d71327d0cab1b3b238bf6a05bb69df303e832355bd126f673c3d139

SHA512
4efa7d204ace60c3a9b6e7e6b877c8d9e3a29450ac8e88bd366775287cc6951c514a6875dca24bc4be4d7f7999df0af18c509c7123056bb41ad9b746121e6b5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads