948bc65704a0e3c0cdf4a3f32a7b321e7b8e1b2d354d8c9bfe3d0c4b6a989840

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
Size

216KB
MD5

f1c7b46cb8b085fb80151b3449e6f514
SHA1

19909fa73a62a965cfc614b2e330f37830636cde
SHA256

948bc65704a0e3c0cdf4a3f32a7b321e7b8e1b2d354d8c9bfe3d0c4b6a989840
SHA512

e40d4e0889b9c6938f254eb4d77f57b5153b7260dec59049b8f720714e7de6fd6d602298c3e5d65bdca025fa33e974224ec5bd94157c592f157b407e15154a2d
SSDEEP

3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGzlEeKcAEcGy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D2454D-08AB-4561-AABA-C3212B39413D}\stubpath = "C:\\Windows\\{09D2454D-08AB-4561-AABA-C3212B39413D}.exe"	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}\stubpath = "C:\\Windows\\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe"	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}\stubpath = "C:\\Windows\\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe"	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09D2454D-08AB-4561-AABA-C3212B39413D}	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE80BD9-6391-490a-AD02-432D092B8AEB}\stubpath = "C:\\Windows\\{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe"	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BACDD8-1A77-4995-936F-6A2285424CC2}	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47BACDD8-1A77-4995-936F-6A2285424CC2}\stubpath = "C:\\Windows\\{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe"	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}\stubpath = "C:\\Windows\\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe"	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}\stubpath = "C:\\Windows\\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe"	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}\stubpath = "C:\\Windows\\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe"	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}\stubpath = "C:\\Windows\\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe"	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}\stubpath = "C:\\Windows\\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe"	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}\stubpath = "C:\\Windows\\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe"	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CE80BD9-6391-490a-AD02-432D092B8AEB}	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B7A69E-340C-4240-9DAD-4AC10E105819}	{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93B7A69E-340C-4240-9DAD-4AC10E105819}\stubpath = "C:\\Windows\\{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe"	{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe

Executes dropped EXE 11 IoCs

pid	Process
4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
4132	{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe
2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
4316	{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
File created	C:\Windows\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
File created	C:\Windows\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
File created	C:\Windows\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
File created	C:\Windows\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
File created	C:\Windows\{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
File created	C:\Windows\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
File created	C:\Windows\{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
File created	C:\Windows\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
File created	C:\Windows\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
File created	C:\Windows\{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
Token: SeIncBasePriorityPrivilege	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
Token: SeIncBasePriorityPrivilege	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
Token: SeIncBasePriorityPrivilege	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
Token: SeIncBasePriorityPrivilege	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
Token: SeIncBasePriorityPrivilege	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
Token: SeIncBasePriorityPrivilege	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
Token: SeIncBasePriorityPrivilege	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
Token: SeIncBasePriorityPrivilege	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
Token: SeIncBasePriorityPrivilege	2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4616	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	88
PID 2112 wrote to memory of 4616	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	88
PID 2112 wrote to memory of 4616	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	88
PID 2112 wrote to memory of 860	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	89
PID 2112 wrote to memory of 860	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	89
PID 2112 wrote to memory of 860	2112	2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe	89
PID 4616 wrote to memory of 3772	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	93
PID 4616 wrote to memory of 3772	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	93
PID 4616 wrote to memory of 3772	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	93
PID 4616 wrote to memory of 4808	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	94
PID 4616 wrote to memory of 4808	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	94
PID 4616 wrote to memory of 4808	4616	{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe	94
PID 3772 wrote to memory of 4216	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	97
PID 3772 wrote to memory of 4216	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	97
PID 3772 wrote to memory of 4216	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	97
PID 3772 wrote to memory of 2616	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	98
PID 3772 wrote to memory of 2616	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	98
PID 3772 wrote to memory of 2616	3772	{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe	98
PID 4216 wrote to memory of 4956	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	99
PID 4216 wrote to memory of 4956	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	99
PID 4216 wrote to memory of 4956	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	99
PID 4216 wrote to memory of 4516	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	100
PID 4216 wrote to memory of 4516	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	100
PID 4216 wrote to memory of 4516	4216	{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe	100
PID 4956 wrote to memory of 4628	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	101
PID 4956 wrote to memory of 4628	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	101
PID 4956 wrote to memory of 4628	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	101
PID 4956 wrote to memory of 4432	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	102
PID 4956 wrote to memory of 4432	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	102
PID 4956 wrote to memory of 4432	4956	{09D2454D-08AB-4561-AABA-C3212B39413D}.exe	102
PID 4628 wrote to memory of 3148	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	103
PID 4628 wrote to memory of 3148	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	103
PID 4628 wrote to memory of 3148	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	103
PID 4628 wrote to memory of 3564	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	104
PID 4628 wrote to memory of 3564	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	104
PID 4628 wrote to memory of 3564	4628	{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe	104
PID 3148 wrote to memory of 1620	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	105
PID 3148 wrote to memory of 1620	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	105
PID 3148 wrote to memory of 1620	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	105
PID 3148 wrote to memory of 1908	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	106
PID 3148 wrote to memory of 1908	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	106
PID 3148 wrote to memory of 1908	3148	{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe	106
PID 1620 wrote to memory of 3480	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	107
PID 1620 wrote to memory of 3480	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	107
PID 1620 wrote to memory of 3480	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	107
PID 1620 wrote to memory of 2572	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	108
PID 1620 wrote to memory of 2572	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	108
PID 1620 wrote to memory of 2572	1620	{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe	108
PID 3480 wrote to memory of 4132	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	109
PID 3480 wrote to memory of 4132	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	109
PID 3480 wrote to memory of 4132	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	109
PID 3480 wrote to memory of 4368	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	110
PID 3480 wrote to memory of 4368	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	110
PID 3480 wrote to memory of 4368	3480	{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe	110
PID 1864 wrote to memory of 2792	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	113
PID 1864 wrote to memory of 2792	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	113
PID 1864 wrote to memory of 2792	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	113
PID 1864 wrote to memory of 4832	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	114
PID 1864 wrote to memory of 4832	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	114
PID 1864 wrote to memory of 4832	1864	{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe	114
PID 2792 wrote to memory of 4316	2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe	115
PID 2792 wrote to memory of 4316	2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe	115
PID 2792 wrote to memory of 4316	2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe	115
PID 2792 wrote to memory of 3928	2792	{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-06_f1c7b46cb8b085fb80151b3449e6f514_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
  C:\Windows\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
    C:\Windows\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
      C:\Windows\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
        
        C:\Windows\{09D2454D-08AB-4561-AABA-C3212B39413D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
        
        C:\Windows\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
        
        C:\Windows\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
        
        C:\Windows\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
        
        C:\Windows\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe
        
        C:\Windows\{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
        
        C:\Windows\{93B7A69E-340C-4240-9DAD-4AC10E105819}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
        
        C:\Windows\{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe
        
        C:\Windows\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47BAC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93B7A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE80~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86A92~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A364~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0143E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A50CD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09D24~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0B02~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9250~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B619~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0143E45F-D519-48d1-AAB9-FB1EC26DD8B3}.exe

Filesize
216KB

MD5
c2f9f859e933e4c08466101cc1ecf851

SHA1
97230b986fbb20907f93a16e1cbf5e5607e217d9

SHA256
763203986ca0ea89bb07410590a5c7da029ba6ee1b38271fa7492f5e0b8c906a

SHA512
db15f3e61165050c9ec4ee97a304477a988c902d8c836800bbd9991d0baf0224790242ba9b8a50c4dea54b4df174e1df598a0961baa10913dd44e101cf8fc866

Download Submit
C:\Windows\{09D2454D-08AB-4561-AABA-C3212B39413D}.exe

Filesize
216KB

MD5
af0e499062918783395adb84399232ab

SHA1
79b39bfcdb2ea7b2167875a53d4149d7e6d5c78c

SHA256
73e3ce6e971f567cc8151174c84389de8452f9650c7594c37a1510c2a52d6900

SHA512
6eca7d3317f221faf0ad21be423500c1309e9fc0051c25af7f72732329d3b6b7c65ea35b1464cc7a3d195f6125eccf4785cd86ebc844e1fee1bb5e8262accd5d

Download Submit
C:\Windows\{47BACDD8-1A77-4995-936F-6A2285424CC2}.exe

Filesize
216KB

MD5
d8d260027861594dc04c91d81fa07d8a

SHA1
89f30f78ee27bf3d7f0d1d1735da8cc711d72d71

SHA256
391d31c4b7f9ff8d06ffc40d241b5e3c649df12437487fc727602cf9eef0cf88

SHA512
00eb9a349fc9b30425c76e36d0e0f81dac3000aaf053df30b6a526597ab0a49b5367bc45a7b1bc95e5ec242fbe823335cee0da865a1c114486d6550dcc169375

Download Submit
C:\Windows\{4A364420-DD96-4eb1-88BF-BA7A65C519FA}.exe

Filesize
216KB

MD5
ad48a75d00fc18e98b69c5527bc4cd23

SHA1
20ea5c5bb45e0965d1d911c36670e32b39b73d30

SHA256
43bbcee5423078c71857930ab4aa4bde6fab74e22fe0d4d88932d795f3ead3bf

SHA512
3265d18ccc169c34ca7251c6054cba9bd61a875ed10b7e835dea6da267b610dfb32107eda59c5552bc6b86b187484fc71498e7ef80288609b6bb807a6dea83b7

Download Submit
C:\Windows\{7B6195F6-6455-477b-A5F5-0D8A66F2E06A}.exe

Filesize
216KB

MD5
bbad05b583cd3a5119cfd8be3b24ae19

SHA1
e0df4c7ed05271be489c8ea081bdb29a591492f8

SHA256
3bf7c59b12c56c183eb40c1c6f1c7f0c2ac8db3d83fe7f25deee6b0f342dd6d6

SHA512
89c5bb178a94d0e727732cbeefc825cb70d8537606c19a17faad8c1d7a7d94bd2f7f7f9574fe8e0ff36feb103948720ae3b6b60b6a7281bad8bd2241402f4d3e

Download Submit
C:\Windows\{7CE80BD9-6391-490a-AD02-432D092B8AEB}.exe

Filesize
216KB

MD5
92914a7edb0bcb2a6a0348ff9c7b9d59

SHA1
36e323c98ac13e2280bc587db3250825e21ad83f

SHA256
f55346d7f6e581eefd256b450f9e9c2f55c1853ad9c9bee779aabb1cc37bb269

SHA512
0f07ac66043890fee36118ca6cc559ded9c7c672846d3a2c11301c9e710fd18e05a0615692f6309341682dfbdb5ea7a344ccff7bcf4c79d25dd50df337220f85

Download Submit
C:\Windows\{86A92AF8-9E85-471c-9B8F-390FA5B4D580}.exe

Filesize
216KB

MD5
acd42b10830e13c1aeb7f6ff719e67f4

SHA1
b9c54cacfb7709d1b49d2cbfe8af9ee3657f5344

SHA256
66fdc29e50066dc82659caa2443eb7df71939374340caef6229eebb39c61644a

SHA512
2ea5e42433b263abf358c3ff332b776e80cb3504d099b8126d9370227a9a387089b5ccadac53c98a8c0df6e80c6cef1e8c9b2f742dc8727905dfa7a97826832f

Download Submit
C:\Windows\{A50CD4D5-19F5-4a26-9EEF-589BE007B5B3}.exe

Filesize
216KB

MD5
2c3d64d3a1c5786975a3496d9ef5e49f

SHA1
0d4d9aee0240724915bcf0503bf46caef47d5456

SHA256
ce04636bea6c738176011b50309e954144f5d76370b8e44403a8b9c3d054bbbf

SHA512
90c58dce469ba771a1db82f590b3431155e5f47610e6f23f60f544ab3237b5e82cf9430d0d19a7d9b7cd64be623571e92599880f7afc7f22bcbf11a5ac73afb7

Download Submit
C:\Windows\{D9250405-E0D2-48dc-9CC4-F43CF5E0DAA7}.exe

Filesize
216KB

MD5
5ef28588e64859ed5c54e6b395926048

SHA1
7691d36e40cbd2a6d0b2d997dac4d7eaee29277d

SHA256
2c74ff4e2c66cb017777c4d169cf0e9f5e25d4f6d58e3e9939afb6d57c00477b

SHA512
bf742c1b4842cb96b0463954f55736b9871723324b902dc0d90b946c2cb0423bbe02d218ed1f317ddbe211f6711224171ac4bdb3401ecd3bb56fcc61fdc19c45

Download Submit
C:\Windows\{E0B028B4-BDFF-41bb-AA57-60B3E35EB7B3}.exe

Filesize
216KB

MD5
5dc89fe1720e84fc4ff27a5771708888

SHA1
2b9e471c56929a1879ef186d2982570c1f2c51e3

SHA256
155d33508d4c40ce4e45cf2cde07227863bd3d3e7aeb73f76ebb78ff41e229c3

SHA512
a943729f322f160361636098a773d078b1cf85dfb21dc3ae6d77260a10655911203aa648b4970ecd3825f1a5b71add90e9b9afba06fd6bc7534f6210d829fecd

Download Submit
C:\Windows\{F54AB20B-33D7-4556-A019-9B1E7FE19C52}.exe

Filesize
216KB

MD5
05af6e9dbf824f932938534738158ab8

SHA1
1b93f06d940c70cd6c23a7968e560e70f25fe887

SHA256
579fb2319c7960d1815aadac2007c937de2ed8ff5ec039f8078e56d697373dd6

SHA512
9abd28dfa85dd4fc75c0d968f5f4848b2082f6fbe969e245bf61df91237d295ba2a6536f9b8e183d9b552ac12d9a7515d1e57d7226a316d43754c2bf1bcce160

Download Submit
memory/4132-35-0x0000000003920000-0x00000000039FB000-memory.dmp

Filesize
876KB

Download
memory/4132-36-0x0000000003A00000-0x0000000003ADB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads