5c7b5f93d8c9911ece05fdd616ec80f0bafc57f5d43f882fb34bef5ad67db53c

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
Size

168KB
MD5

a5a0622ba63ee5a8f25a8b41940f0c9f
SHA1

ef8f1a070796a16e230836a1eb1b55333cd1294b
SHA256

5c7b5f93d8c9911ece05fdd616ec80f0bafc57f5d43f882fb34bef5ad67db53c
SHA512

f340ffd20300226a076463ed4a0ac972e248781fcc6e8a0a36923e9182e3760b7a73ccc8689a6a60dfaf613e43eee2ac02a3f56299f72ea86b99d578111b8e33
SSDEEP

1536:1EGh0omlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0omlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}\stubpath = "C:\\Windows\\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe"	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C450BDE4-F368-42fe-9226-1548E9B215A6}\stubpath = "C:\\Windows\\{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe"	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50630238-7C29-46ad-8803-E3CC29AAC77C}\stubpath = "C:\\Windows\\{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe"	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}\stubpath = "C:\\Windows\\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe"	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}\stubpath = "C:\\Windows\\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe"	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}\stubpath = "C:\\Windows\\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe"	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B726358-252A-4278-8C7A-99DCDE1FCED9}	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CCE6394-80BF-4b78-9A19-DF404488594C}	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CCE6394-80BF-4b78-9A19-DF404488594C}\stubpath = "C:\\Windows\\{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe"	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11450EE1-C43D-404b-A009-AB2B9755101B}	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B726358-252A-4278-8C7A-99DCDE1FCED9}\stubpath = "C:\\Windows\\{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe"	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50630238-7C29-46ad-8803-E3CC29AAC77C}	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C450BDE4-F368-42fe-9226-1548E9B215A6}	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A773F58-501D-4dee-B67E-731A159A8572}	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A773F58-501D-4dee-B67E-731A159A8572}\stubpath = "C:\\Windows\\{2A773F58-501D-4dee-B67E-731A159A8572}.exe"	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11450EE1-C43D-404b-A009-AB2B9755101B}\stubpath = "C:\\Windows\\{11450EE1-C43D-404b-A009-AB2B9755101B}.exe"	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}\stubpath = "C:\\Windows\\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe"	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}\stubpath = "C:\\Windows\\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe"	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe

Executes dropped EXE 12 IoCs

pid	Process
3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
768	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
3940	{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
File created	C:\Windows\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
File created	C:\Windows\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
File created	C:\Windows\{2A773F58-501D-4dee-B67E-731A159A8572}.exe	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
File created	C:\Windows\{11450EE1-C43D-404b-A009-AB2B9755101B}.exe	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
File created	C:\Windows\{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
File created	C:\Windows\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
File created	C:\Windows\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
File created	C:\Windows\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
File created	C:\Windows\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
File created	C:\Windows\{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
File created	C:\Windows\{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
Token: SeIncBasePriorityPrivilege	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
Token: SeIncBasePriorityPrivilege	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
Token: SeIncBasePriorityPrivilege	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
Token: SeIncBasePriorityPrivilege	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
Token: SeIncBasePriorityPrivilege	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
Token: SeIncBasePriorityPrivilege	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
Token: SeIncBasePriorityPrivilege	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
Token: SeIncBasePriorityPrivilege	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
Token: SeIncBasePriorityPrivilege	5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe
Token: SeIncBasePriorityPrivilege	768	{11450EE1-C43D-404b-A009-AB2B9755101B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3504	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	87
PID 4776 wrote to memory of 3504	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	87
PID 4776 wrote to memory of 3504	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	87
PID 4776 wrote to memory of 2528	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	88
PID 4776 wrote to memory of 2528	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	88
PID 4776 wrote to memory of 2528	4776	2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe	88
PID 3504 wrote to memory of 2404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	91
PID 3504 wrote to memory of 2404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	91
PID 3504 wrote to memory of 2404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	91
PID 3504 wrote to memory of 404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	92
PID 3504 wrote to memory of 404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	92
PID 3504 wrote to memory of 404	3504	{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe	92
PID 2404 wrote to memory of 2332	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	95
PID 2404 wrote to memory of 2332	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	95
PID 2404 wrote to memory of 2332	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	95
PID 2404 wrote to memory of 5104	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	96
PID 2404 wrote to memory of 5104	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	96
PID 2404 wrote to memory of 5104	2404	{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe	96
PID 2332 wrote to memory of 2736	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	97
PID 2332 wrote to memory of 2736	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	97
PID 2332 wrote to memory of 2736	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	97
PID 2332 wrote to memory of 5084	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	98
PID 2332 wrote to memory of 5084	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	98
PID 2332 wrote to memory of 5084	2332	{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe	98
PID 2736 wrote to memory of 5096	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	99
PID 2736 wrote to memory of 5096	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	99
PID 2736 wrote to memory of 5096	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	99
PID 2736 wrote to memory of 3956	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	100
PID 2736 wrote to memory of 3956	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	100
PID 2736 wrote to memory of 3956	2736	{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe	100
PID 5096 wrote to memory of 4296	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	101
PID 5096 wrote to memory of 4296	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	101
PID 5096 wrote to memory of 4296	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	101
PID 5096 wrote to memory of 2936	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	102
PID 5096 wrote to memory of 2936	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	102
PID 5096 wrote to memory of 2936	5096	{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe	102
PID 4296 wrote to memory of 4600	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	103
PID 4296 wrote to memory of 4600	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	103
PID 4296 wrote to memory of 4600	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	103
PID 4296 wrote to memory of 2156	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	104
PID 4296 wrote to memory of 2156	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	104
PID 4296 wrote to memory of 2156	4296	{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe	104
PID 4600 wrote to memory of 1196	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	105
PID 4600 wrote to memory of 1196	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	105
PID 4600 wrote to memory of 1196	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	105
PID 4600 wrote to memory of 464	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	106
PID 4600 wrote to memory of 464	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	106
PID 4600 wrote to memory of 464	4600	{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe	106
PID 1196 wrote to memory of 3424	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	107
PID 1196 wrote to memory of 3424	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	107
PID 1196 wrote to memory of 3424	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	107
PID 1196 wrote to memory of 2224	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	108
PID 1196 wrote to memory of 2224	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	108
PID 1196 wrote to memory of 2224	1196	{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe	108
PID 3424 wrote to memory of 5056	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	109
PID 3424 wrote to memory of 5056	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	109
PID 3424 wrote to memory of 5056	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	109
PID 3424 wrote to memory of 2872	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	110
PID 3424 wrote to memory of 2872	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	110
PID 3424 wrote to memory of 2872	3424	{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe	110
PID 5056 wrote to memory of 768	5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe	111
PID 5056 wrote to memory of 768	5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe	111
PID 5056 wrote to memory of 768	5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe	111
PID 5056 wrote to memory of 2688	5056	{2A773F58-501D-4dee-B67E-731A159A8572}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_a5a0622ba63ee5a8f25a8b41940f0c9f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
  C:\Windows\{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
    C:\Windows\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
      C:\Windows\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
        
        C:\Windows\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
        
        C:\Windows\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
        
        C:\Windows\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
        
        C:\Windows\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
        
        C:\Windows\{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
        
        C:\Windows\{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{2A773F58-501D-4dee-B67E-731A159A8572}.exe
        
        C:\Windows\{2A773F58-501D-4dee-B67E-731A159A8572}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
        
        C:\Windows\{11450EE1-C43D-404b-A009-AB2B9755101B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe
        
        C:\Windows\{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11450~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A773~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C450B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CCE6~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFD1F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F4DD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19BC3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D0A8~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E35AD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{83B6C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50630~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11450EE1-C43D-404b-A009-AB2B9755101B}.exe

Filesize
168KB

MD5
cba637b536ba20f998f32920f3e01149

SHA1
48c6142c42115018596a433c9c3a7d02fce514b0

SHA256
84d506273f1943b26e808462cfb6850d89f6bac651d410555e9659dc6567f84d

SHA512
363661b4d826d7e175c3b6af841df503e797bb248f3e9a2e087853ece3f2b57e8db31484fdd5e5e1a75f99ab50709385558d0cc6cec06b0c2bb78e0f5373cf6c

Download Submit
C:\Windows\{19BC3B73-C200-43c3-97C8-ABDA39219AF6}.exe

Filesize
168KB

MD5
1302b324c4387398336d23414ed5b5a3

SHA1
baee32ff1393fdef049195705caa5c782d87637b

SHA256
42c308527d03bd2a7bf01a3cd8e63036ac39b2642a6f32050defbc668ee0df27

SHA512
b4c981ad4a4d59f3c7c7c8826127142f8646490a40f8c9d85a0904d49defdb8972dd121ecefe646745be4454bac7c6f942ef8bff85062c7c8717687be5a87e01

Download Submit
C:\Windows\{1F4DDED6-71CA-4776-BA94-0B558FB4DCDB}.exe

Filesize
168KB

MD5
bb8c8a2a544acf0bfc38322fe5fb376d

SHA1
d7ea0bdcd4baa8d7b595cdbf1448cf9e37da7980

SHA256
6486f41734bece9208eaca2753e4715e072fcff51a21385175f25ad6dc83ac14

SHA512
2832b9f08714bcfe461fe4d376f569ba74a2bdf8e75d11487fca0bccb84dcec24c25abd92bddf3e0dc8eda65cd90066ad1b1be89ba6b1cf47384a753765f30a6

Download Submit
C:\Windows\{2A773F58-501D-4dee-B67E-731A159A8572}.exe

Filesize
168KB

MD5
f8c58c24cd0676ea77b0978588dfc41c

SHA1
182abdebd823b69920ac3b674d77d9a57e182498

SHA256
af17dd90ba1e1cbc52e50e637c799cbdaf1a046ce023f379a59c06a61569df09

SHA512
020b498079ff487ed457549ad82623ec1aecb1bb7007839005345fdfeb409bfd097f76e289802b0f72c1aca01bf5da56fea89e4d9a602f743c92b4be97c71651

Download Submit
C:\Windows\{50630238-7C29-46ad-8803-E3CC29AAC77C}.exe

Filesize
168KB

MD5
01427762eee931371e067e24f405450c

SHA1
727ec46140ff64044b5e456222c7611a3ebfad19

SHA256
c3fc2ea93503c6129da2514b0b6475d68583542b3cd44a82fcfd80eeba7b0b58

SHA512
a290914cb65ac266acc401a605a32a6f636618e237cbff3fced0a46cd6bea655f06b6ce89a1b92b3c060a97f553cc8141ef6e53c10be36ca5857736446dbbc2d

Download Submit
C:\Windows\{5CCE6394-80BF-4b78-9A19-DF404488594C}.exe

Filesize
168KB

MD5
2a99bb591370edc23d2e4cab8e8a708a

SHA1
4bd6817c20380390c996efed6ce2f3f14c177734

SHA256
e355736057e7d85918caf1ebf82ed9a41a1c18d6e6542b2e2f82471b0ecb8792

SHA512
146ef0774bff43c47cce08dd368104a5ad5fccf8fcef96c47c576292aea5a6a5487eca09af213df6e02e1d9fe68aebed6c0be6bf2fda86e23d6eb6f0ae0ee369

Download Submit
C:\Windows\{6D0A889D-D2A9-46cd-8B15-33FB352886F0}.exe

Filesize
168KB

MD5
72128f3150fc320b818b7c6750c61093

SHA1
26ec18dc341417d6223cbb814bf32cb517c1e24f

SHA256
898cd9d06631e1710b1964b8cbccc9f966bf3e25e776f8ba8305adb6f4239cf9

SHA512
9d56612f86a507d2f4465bbe28701e3a84b8cb55d55ab193e0894935d68fc8ffce47d868046e4ad7b8a5e6380fa5240a3ca11d4c6f2963cb46b56bdc34c960b4

Download Submit
C:\Windows\{83B6C642-C56A-4ba4-944C-616C6BAD56CF}.exe

Filesize
168KB

MD5
877145557357d59563469478769c2227

SHA1
a6b11bb583449b3cbe7071574fc1ea7fa3e0dde6

SHA256
1bb610feccaf06802691d66c4c7db18b1f8b0b5837230b3245200f9ba3800c2a

SHA512
f40762c2ef773a580319dfe4621dd04a34bfbfc049507add17dc0a1b83f2455b4a06443f107c2a0d2764b3baf88c2276887af29a3bef8f0f75c67cfac37fa7a1

Download Submit
C:\Windows\{9B726358-252A-4278-8C7A-99DCDE1FCED9}.exe

Filesize
168KB

MD5
82db7d9e03867c40bf76f7980a116809

SHA1
67bb82b17d75004608b9b0a4e8f77691dc05f2d2

SHA256
1d7a7ba304fad27d4cae75df79a9e50a17d14c9a73d56bfe292c85b340889211

SHA512
22f4d02f94b057d66d8eaac9bcde5605ccf57f2e280664b03d4482e850e4fa2bd7fe40078a18de86f0f6929b5aa4964663fd46f7072bc4ad71b96d434546a683

Download Submit
C:\Windows\{C450BDE4-F368-42fe-9226-1548E9B215A6}.exe

Filesize
168KB

MD5
002c97ac997d25489c478488dd04baf2

SHA1
da0cee55f19d08ed1d0d3974ea58ef60b7b1a352

SHA256
bf493c95b093f92dd9cc4e30ef65e9bb3153795e0357810eaabb1e81f4d237b6

SHA512
57d10f6332813c95d1054c28756f27f3713bc4612c1d57f6c8980767982651419748597b994aee17813c9748bfc2f2cd3b0280e7c9fd3799c529181ddec8d1f9

Download Submit
C:\Windows\{E35AD023-2241-4a7e-97DF-7C3D3AA11CCB}.exe

Filesize
168KB

MD5
79ca4a30f7fa09b6686741957e1a9f30

SHA1
932e116721d38d164a6df0e94079c4381118db35

SHA256
ad5b67cd2fa043072a2b726e02f4f2750c66c5db8d7574b885ab0ce7bf9e3733

SHA512
95e6f390573e213bece1d0bde12a97199058c22304eb01cbeee3dc29b9062b28337f200c3202123661123791f1e276b3eadde49c3e12e82d38b350760567415e

Download Submit
C:\Windows\{FFD1F670-65BB-4bbb-AB5E-E250EB29BD2E}.exe

Filesize
168KB

MD5
cf3c8b0a364e76749e918969e4360793

SHA1
e0ef95144557f12a09afbf60dbb58a6c859f80f7

SHA256
b0648c1df64e3ee324581c8cde46a59f2f056dffaa3c56e958e1b024aea76853

SHA512
9b1206b99ac07a2d3e4a0d98c6c16d2013ef44debf2c16bebfb5718245cf502ed1a2532ee02f5359fe4c4f0b62ff47ff99f25edb8478dd692ed3d57f3d403a69

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads