a9c833e4b6be9edde1f53691408b71f15776e1b5a0f8153bcae3ed637e38f0d0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Size

216KB
MD5

69c29adcfc9c93864b8c8d44ef6761f8
SHA1

47f3dd1692d6e08b85aec98436cda39145ca1bf2
SHA256

a9c833e4b6be9edde1f53691408b71f15776e1b5a0f8153bcae3ed637e38f0d0
SHA512

67f8538aa367a00b958c08cabe7c0c3452ceda5bd81bc1160e233859e97c040237d40905ad04df5f37d04cf594fad03fe8fb0090abf7032da5307a724b8cb57f
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGslEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0011C743-EFA1-42d6-9105-5CF6107A5642}\stubpath = "C:\\Windows\\{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe"	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D03E551-3873-485d-BA98-E1BAD920E712}	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539CD6CF-1255-440d-B227-336E1342219E}\stubpath = "C:\\Windows\\{539CD6CF-1255-440d-B227-336E1342219E}.exe"	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{112D6BB1-021F-4884-91B8-F9C8C43A6347}	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F0A690-4071-45de-88D5-862AAEF3837D}	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6451BEAA-24D3-4494-ADFC-91638CF12F04}\stubpath = "C:\\Windows\\{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe"	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539CD6CF-1255-440d-B227-336E1342219E}	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3358E961-C12B-49f7-9F22-005FE70CB408}\stubpath = "C:\\Windows\\{3358E961-C12B-49f7-9F22-005FE70CB408}.exe"	{539CD6CF-1255-440d-B227-336E1342219E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6451BEAA-24D3-4494-ADFC-91638CF12F04}	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}\stubpath = "C:\\Windows\\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe"	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0011C743-EFA1-42d6-9105-5CF6107A5642}	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D03E551-3873-485d-BA98-E1BAD920E712}\stubpath = "C:\\Windows\\{3D03E551-3873-485d-BA98-E1BAD920E712}.exe"	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}\stubpath = "C:\\Windows\\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe"	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3358E961-C12B-49f7-9F22-005FE70CB408}	{539CD6CF-1255-440d-B227-336E1342219E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F0A690-4071-45de-88D5-862AAEF3837D}\stubpath = "C:\\Windows\\{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe"	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}\stubpath = "C:\\Windows\\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe"	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}\stubpath = "C:\\Windows\\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe"	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}\stubpath = "C:\\Windows\\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe"	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{112D6BB1-021F-4884-91B8-F9C8C43A6347}\stubpath = "C:\\Windows\\{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe"	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe
3024	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
2384	{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
File created	C:\Windows\{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
File created	C:\Windows\{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
File created	C:\Windows\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
File created	C:\Windows\{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
File created	C:\Windows\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
File created	C:\Windows\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
File created	C:\Windows\{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
File created	C:\Windows\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
File created	C:\Windows\{539CD6CF-1255-440d-B227-336E1342219E}.exe	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
File created	C:\Windows\{3358E961-C12B-49f7-9F22-005FE70CB408}.exe	{539CD6CF-1255-440d-B227-336E1342219E}.exe
File created	C:\Windows\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{539CD6CF-1255-440d-B227-336E1342219E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
Token: SeIncBasePriorityPrivilege	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
Token: SeIncBasePriorityPrivilege	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
Token: SeIncBasePriorityPrivilege	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
Token: SeIncBasePriorityPrivilege	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
Token: SeIncBasePriorityPrivilege	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
Token: SeIncBasePriorityPrivilege	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
Token: SeIncBasePriorityPrivilege	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
Token: SeIncBasePriorityPrivilege	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
Token: SeIncBasePriorityPrivilege	1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe
Token: SeIncBasePriorityPrivilege	3024	{3358E961-C12B-49f7-9F22-005FE70CB408}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2384	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	83
PID 2960 wrote to memory of 2384	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	83
PID 2960 wrote to memory of 2384	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	83
PID 2960 wrote to memory of 3584	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	84
PID 2960 wrote to memory of 3584	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	84
PID 2960 wrote to memory of 3584	2960	2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe	84
PID 2384 wrote to memory of 948	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	85
PID 2384 wrote to memory of 948	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	85
PID 2384 wrote to memory of 948	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	85
PID 2384 wrote to memory of 1164	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	86
PID 2384 wrote to memory of 1164	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	86
PID 2384 wrote to memory of 1164	2384	{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe	86
PID 948 wrote to memory of 4100	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	89
PID 948 wrote to memory of 4100	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	89
PID 948 wrote to memory of 4100	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	89
PID 948 wrote to memory of 2864	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	90
PID 948 wrote to memory of 2864	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	90
PID 948 wrote to memory of 2864	948	{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe	90
PID 4100 wrote to memory of 5032	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	91
PID 4100 wrote to memory of 5032	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	91
PID 4100 wrote to memory of 5032	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	91
PID 4100 wrote to memory of 4824	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	92
PID 4100 wrote to memory of 4824	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	92
PID 4100 wrote to memory of 4824	4100	{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe	92
PID 5032 wrote to memory of 1808	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	93
PID 5032 wrote to memory of 1808	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	93
PID 5032 wrote to memory of 1808	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	93
PID 5032 wrote to memory of 3184	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	94
PID 5032 wrote to memory of 3184	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	94
PID 5032 wrote to memory of 3184	5032	{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe	94
PID 1808 wrote to memory of 4876	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	95
PID 1808 wrote to memory of 4876	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	95
PID 1808 wrote to memory of 4876	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	95
PID 1808 wrote to memory of 692	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	96
PID 1808 wrote to memory of 692	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	96
PID 1808 wrote to memory of 692	1808	{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe	96
PID 4876 wrote to memory of 4264	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	97
PID 4876 wrote to memory of 4264	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	97
PID 4876 wrote to memory of 4264	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	97
PID 4876 wrote to memory of 2224	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	98
PID 4876 wrote to memory of 2224	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	98
PID 4876 wrote to memory of 2224	4876	{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe	98
PID 4264 wrote to memory of 3648	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	105
PID 4264 wrote to memory of 3648	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	105
PID 4264 wrote to memory of 3648	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	105
PID 4264 wrote to memory of 4224	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	106
PID 4264 wrote to memory of 4224	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	106
PID 4264 wrote to memory of 4224	4264	{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe	106
PID 3648 wrote to memory of 3080	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	107
PID 3648 wrote to memory of 3080	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	107
PID 3648 wrote to memory of 3080	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	107
PID 3648 wrote to memory of 1540	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	108
PID 3648 wrote to memory of 1540	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	108
PID 3648 wrote to memory of 1540	3648	{3D03E551-3873-485d-BA98-E1BAD920E712}.exe	108
PID 3080 wrote to memory of 1680	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	109
PID 3080 wrote to memory of 1680	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	109
PID 3080 wrote to memory of 1680	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	109
PID 3080 wrote to memory of 2236	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	110
PID 3080 wrote to memory of 2236	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	110
PID 3080 wrote to memory of 2236	3080	{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe	110
PID 1680 wrote to memory of 3024	1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe	111
PID 1680 wrote to memory of 3024	1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe	111
PID 1680 wrote to memory of 3024	1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe	111
PID 1680 wrote to memory of 3232	1680	{539CD6CF-1255-440d-B227-336E1342219E}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_69c29adcfc9c93864b8c8d44ef6761f8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
  C:\Windows\{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
    C:\Windows\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
      C:\Windows\{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
        
        C:\Windows\{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
      - C:\Windows\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
        
        C:\Windows\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
        
        C:\Windows\{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
        
        C:\Windows\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
        
        C:\Windows\{3D03E551-3873-485d-BA98-E1BAD920E712}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
        
        C:\Windows\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\{539CD6CF-1255-440d-B227-336E1342219E}.exe
        
        C:\Windows\{539CD6CF-1255-440d-B227-336E1342219E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
        
        C:\Windows\{3358E961-C12B-49f7-9F22-005FE70CB408}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe
        
        C:\Windows\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3358E~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{539CD~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE0D4~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D03E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F424D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0011C~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63AC7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6451B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F0A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{25C54~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{112D6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0011C743-EFA1-42d6-9105-5CF6107A5642}.exe

Filesize
216KB

MD5
27ac9c28f1db711b2f09c71c6543cc1f

SHA1
29a8de6523be07373111c368dad57ec8f2df77c3

SHA256
b0b807c59e05a8b5088769eb7a8de273bc1b6990a07a6e3f23005e483d5de390

SHA512
9d8c322758c5e992864bea3da2250b91160c82b4565bd85d4346afbd8b6076f54b245dbcc2bec4c3979385517e45d5282f5be5c83f5fcb218aa647ea4c422dbe

Download Submit
C:\Windows\{112D6BB1-021F-4884-91B8-F9C8C43A6347}.exe

Filesize
216KB

MD5
097a8253865ee56ec770d9828f607dee

SHA1
a9d5d7ad6997932022b04993d93f5f0fd7f100c9

SHA256
0101eb31480a50106b975da4450596a2738110135212aa4b5629c5be6a6d0e3e

SHA512
b70bac68a555c92d8a54a419dbe30c38ef053bfa91fbef12b3cde167184c41529058ec830e47303569b37467c273836e729defadd0adfb90bf7322f052a55e04

Download Submit
C:\Windows\{25C5445A-FE42-45ac-9CF0-CB96F5C5EFAE}.exe

Filesize
216KB

MD5
618ccc89ea451928681619886550d2d3

SHA1
d27afc480caf5e582635d3152da929ec0b425c1a

SHA256
14729df28e0c1c5a7049f22246cb0ef1adb22f136b5f1116bfad108a6073a1e2

SHA512
c4e91153d1a2e9c472ec73392229cf3d7ad2111bcf2532b802999d2544cc78950d3654b9ac979bb1dd0a12d75c2898b371aa4a385a046a219859a437345111d4

Download Submit
C:\Windows\{3358E961-C12B-49f7-9F22-005FE70CB408}.exe

Filesize
216KB

MD5
fbb1cd8bf19319597f57d395a7b211fe

SHA1
6dea56c7c6b05b5332e07fb367c06f0594be72f4

SHA256
7d0eb6bf008553a7211c9c935c6d6a5f4ce890131e61d69299093111e83a774a

SHA512
ca3a645e9530115b92067db28ccf1916e1cfa221da6806ccdaef26ca4483818757dea4130f7f8450eb3b210917c2cb7ad551c584cc1ed8e6b0865399306bb7cf

Download Submit
C:\Windows\{3D03E551-3873-485d-BA98-E1BAD920E712}.exe

Filesize
216KB

MD5
c8206984dfce6ab6129eac7627665da8

SHA1
6b8e3f78ba3ae683a9fab7c80d29c32446bfc0ad

SHA256
69a3ccde01fac5e84fa8b8e3506b92359229890de4afa6b380618b5f4006a004

SHA512
96b0765ba27c02125899e6b31260a3e2ca29841d67a9d35628db9a42223629a705b094e193a59d666bf9a4be45a6a32d4119c5f0c6e9d01362a026ae313fc41e

Download Submit
C:\Windows\{539CD6CF-1255-440d-B227-336E1342219E}.exe

Filesize
216KB

MD5
807e86e928a2cf7233c4c9059eca0f9b

SHA1
2f9b9eb7251b04f259683b22a17e796c1a340641

SHA256
d10a092134995f5a651c218fdc30994602fd2434d5678958a4a98bb5e5ac25fa

SHA512
69ef55afeccade2d1807038adc01a4993b0bad85041b00858facf9951fc6f395158463b746e361658c819ff66d344dc5d1c39d7b15580c7e901327e0dacc598a

Download Submit
C:\Windows\{63AC76FC-04C0-44ec-9CC3-E450A33D7C30}.exe

Filesize
216KB

MD5
a4b908bb98ddd3b357cb243cd1046537

SHA1
c763ee28b38c244a13be153e30dcc42060364b98

SHA256
63435b485a7df72cec7023c486c515c5f1aec4bd99dc3949d284f0f95d6bdc31

SHA512
42f0ccb671c7a57b6ce96144d7c021598cd8517d47ec9890b12b662c8070b2e58d5b096d0f827a03317e915b075d12470a06720803b0ffaff2d99523c8cb058a

Download Submit
C:\Windows\{6451BEAA-24D3-4494-ADFC-91638CF12F04}.exe

Filesize
216KB

MD5
cb3a56aba38c0e537e9176522953a1bd

SHA1
28138a5e2183e5223d72fb1af40c705a007c2bde

SHA256
ce74aecbc12525327ea6e1ef42d199b1ae903e7779d93de0d4af95c7ac7a15b6

SHA512
52b09b1ef689c7eddafe09d53db0866a01a182be0f6a3b14e778bf544389f74d11675c8ea6c29a16c3e4e08e4ab37bc63dca6e3de24139c47a8c10bb432a335b

Download Submit
C:\Windows\{B401AE0C-E7AB-4341-B422-B5BCD91347DE}.exe

Filesize
216KB

MD5
0503b35420495d96f98fda9b445977da

SHA1
8271eacd3931b3e390ef316004db46cf5f60ce45

SHA256
a3e328f5f5ebaaf39ec8884aa03d3a470d5b3c062758a53920c7b8813c7fbb49

SHA512
45dc47eeff02d739dff5ec0d265fd2ef429088eb5073cc5fce89ecdf0f5bbb24c3294c3f0f6fa531fb918570636b4637a26965ca0c3907fc267310f7e7a8e3d5

Download Submit
C:\Windows\{C4F0A690-4071-45de-88D5-862AAEF3837D}.exe

Filesize
216KB

MD5
b8c3688a9167ca4d6d9840e0d458c825

SHA1
65e5e8853ce94301cc0c25d06b7bd4aae762032c

SHA256
c8eb834f373f51afb8ce1136c24112489aadd5cb5e8a602b5d1abc8b447160b5

SHA512
e089b773dfd4f8c0507c168222f997c364af6331b6353cbc82ede7bd6de709ff421e905f31863785d35ff194ae02a1076d623ab1bcbbc8a02652ae9b37763cce

Download Submit
C:\Windows\{F424D9DB-C624-488b-AAA5-38F4028AFBE5}.exe

Filesize
216KB

MD5
9a29aadf12107054278b11c39a2bc562

SHA1
201454c7454d05d0a74c7c00a76ba0076a67e1d4

SHA256
7fcc32f53bb42a847c8bcec84194d09ff8ff328cc72098c2f1af9c7b2e00cf87

SHA512
dfeb93fc76931254244595e8763c2262292c1d34888d1de0f1977b03161d2b322f9c2f6b64f44380f7553eecb664130c5a43b2cf95a80d24a8bc39850215aa44

Download Submit
C:\Windows\{FE0D449E-97A1-42a2-B9B5-44322AD679AB}.exe

Filesize
216KB

MD5
87215fc42bf56cefb82f0eee22282541

SHA1
1a684ffccd3273acfeba9d9fd2eaf88b3b7a6598

SHA256
2f020a71b1b56988a3ac72201b1888f6461140e15f21ab5382e559670dc9a45b

SHA512
8a7c014978bbc041e234b1abdbe1442a2e86945a13ba2365d2957fcbbf7ddeaacb1a40f840fec366ca193e64fb070e15938346c41543a77df7680a794e60a55c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads