7bbb26088bab575db17cac4ca497efeb8b4d8af4e8d4a2bc0048d7a81d127dd7

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
Size

344KB
MD5

0a31ec7040547f354751f0718fc72519
SHA1

32c71d13117340c71a3d62be92964bfc062a9f51
SHA256

7bbb26088bab575db17cac4ca497efeb8b4d8af4e8d4a2bc0048d7a81d127dd7
SHA512

ccff12d22c938a3a2936957912acd47238afd9336ea3c3aa078713f2a47b9c226e847770a749b7d513eacb1afefd80b5c9d1edf5c8056877ea46146380ce7baf
SSDEEP

3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG/lqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}\stubpath = "C:\\Windows\\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe"	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}	{5800D56A-922E-4938-903D-55D486C44149}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}\stubpath = "C:\\Windows\\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe"	{5800D56A-922E-4938-903D-55D486C44149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}\stubpath = "C:\\Windows\\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe"	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}\stubpath = "C:\\Windows\\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe"	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5800D56A-922E-4938-903D-55D486C44149}\stubpath = "C:\\Windows\\{5800D56A-922E-4938-903D-55D486C44149}.exe"	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}\stubpath = "C:\\Windows\\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe"	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}\stubpath = "C:\\Windows\\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe"	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E4BF29-BD22-404b-91EC-343911E51F0C}\stubpath = "C:\\Windows\\{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe"	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}\stubpath = "C:\\Windows\\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe"	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}\stubpath = "C:\\Windows\\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe"	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}\stubpath = "C:\\Windows\\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe"	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}\stubpath = "C:\\Windows\\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe"	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6E4BF29-BD22-404b-91EC-343911E51F0C}	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5800D56A-922E-4938-903D-55D486C44149}	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe

Executes dropped EXE 12 IoCs

pid	Process
1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
3848	{5800D56A-922E-4938-903D-55D486C44149}.exe
4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
932	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
1376	{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
File created	C:\Windows\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
File created	C:\Windows\{5800D56A-922E-4938-903D-55D486C44149}.exe	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
File created	C:\Windows\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	{5800D56A-922E-4938-903D-55D486C44149}.exe
File created	C:\Windows\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
File created	C:\Windows\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
File created	C:\Windows\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
File created	C:\Windows\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
File created	C:\Windows\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
File created	C:\Windows\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
File created	C:\Windows\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
File created	C:\Windows\{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5800D56A-922E-4938-903D-55D486C44149}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
Token: SeIncBasePriorityPrivilege	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
Token: SeIncBasePriorityPrivilege	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
Token: SeIncBasePriorityPrivilege	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
Token: SeIncBasePriorityPrivilege	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
Token: SeIncBasePriorityPrivilege	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe
Token: SeIncBasePriorityPrivilege	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
Token: SeIncBasePriorityPrivilege	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
Token: SeIncBasePriorityPrivilege	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
Token: SeIncBasePriorityPrivilege	2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
Token: SeIncBasePriorityPrivilege	932	{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1596	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	86
PID 1552 wrote to memory of 1596	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	86
PID 1552 wrote to memory of 1596	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	86
PID 1552 wrote to memory of 1840	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	87
PID 1552 wrote to memory of 1840	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	87
PID 1552 wrote to memory of 1840	1552	2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe	87
PID 1596 wrote to memory of 2216	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	88
PID 1596 wrote to memory of 2216	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	88
PID 1596 wrote to memory of 2216	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	88
PID 1596 wrote to memory of 4368	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	89
PID 1596 wrote to memory of 4368	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	89
PID 1596 wrote to memory of 4368	1596	{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe	89
PID 2216 wrote to memory of 4248	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	93
PID 2216 wrote to memory of 4248	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	93
PID 2216 wrote to memory of 4248	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	93
PID 2216 wrote to memory of 3528	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	94
PID 2216 wrote to memory of 3528	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	94
PID 2216 wrote to memory of 3528	2216	{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe	94
PID 4248 wrote to memory of 2276	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	95
PID 4248 wrote to memory of 2276	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	95
PID 4248 wrote to memory of 2276	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	95
PID 4248 wrote to memory of 652	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	96
PID 4248 wrote to memory of 652	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	96
PID 4248 wrote to memory of 652	4248	{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe	96
PID 2276 wrote to memory of 2456	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	97
PID 2276 wrote to memory of 2456	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	97
PID 2276 wrote to memory of 2456	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	97
PID 2276 wrote to memory of 5088	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	98
PID 2276 wrote to memory of 5088	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	98
PID 2276 wrote to memory of 5088	2276	{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe	98
PID 2456 wrote to memory of 3848	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	99
PID 2456 wrote to memory of 3848	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	99
PID 2456 wrote to memory of 3848	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	99
PID 2456 wrote to memory of 4920	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	100
PID 2456 wrote to memory of 4920	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	100
PID 2456 wrote to memory of 4920	2456	{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe	100
PID 3848 wrote to memory of 4560	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	101
PID 3848 wrote to memory of 4560	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	101
PID 3848 wrote to memory of 4560	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	101
PID 3848 wrote to memory of 700	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	102
PID 3848 wrote to memory of 700	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	102
PID 3848 wrote to memory of 700	3848	{5800D56A-922E-4938-903D-55D486C44149}.exe	102
PID 4560 wrote to memory of 2596	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	103
PID 4560 wrote to memory of 2596	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	103
PID 4560 wrote to memory of 2596	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	103
PID 4560 wrote to memory of 2616	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	104
PID 4560 wrote to memory of 2616	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	104
PID 4560 wrote to memory of 2616	4560	{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe	104
PID 2596 wrote to memory of 4140	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	105
PID 2596 wrote to memory of 4140	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	105
PID 2596 wrote to memory of 4140	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	105
PID 2596 wrote to memory of 4984	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	106
PID 2596 wrote to memory of 4984	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	106
PID 2596 wrote to memory of 4984	2596	{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe	106
PID 4140 wrote to memory of 2756	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	107
PID 4140 wrote to memory of 2756	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	107
PID 4140 wrote to memory of 2756	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	107
PID 4140 wrote to memory of 2972	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	108
PID 4140 wrote to memory of 2972	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	108
PID 4140 wrote to memory of 2972	4140	{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe	108
PID 2756 wrote to memory of 932	2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe	109
PID 2756 wrote to memory of 932	2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe	109
PID 2756 wrote to memory of 932	2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe	109
PID 2756 wrote to memory of 3892	2756	{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_0a31ec7040547f354751f0718fc72519_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
  C:\Windows\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
    C:\Windows\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
      C:\Windows\{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
        
        C:\Windows\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
        
        C:\Windows\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\{5800D56A-922E-4938-903D-55D486C44149}.exe
        
        C:\Windows\{5800D56A-922E-4938-903D-55D486C44149}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
        
        C:\Windows\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
        
        C:\Windows\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
        
        C:\Windows\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
        
        C:\Windows\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
        
        C:\Windows\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe
        
        C:\Windows\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADFE5~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF2F5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFD70~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F739C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C0CD~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5800D~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8EB0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{757B1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E4B~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AEA~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EAA21~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C0CD141-B64D-470a-ABD0-7B55AF5E7A93}.exe

Filesize
344KB

MD5
84436caf9970021ecf7bb435f3c5c34e

SHA1
0b8eb0414daf5f1ee250ce703a8d98f2e6ff62ae

SHA256
08c7987e3ba314f43048827ec947f890f91b83044a0c0f1440081858eea2c0c5

SHA512
9df44b906c62d8a368b2f137902f9409682a96bf4c7cec3bae081d3e952ea58a4567da9195246caffaaea09350e727b752c536e183a08c31d02dc7ce552e9962

Download Submit
C:\Windows\{5800D56A-922E-4938-903D-55D486C44149}.exe

Filesize
344KB

MD5
9329dbd4af7c2b1c778c480db6c661cd

SHA1
16465339a4ad13def31d0af1b51c922c0dba7cef

SHA256
5161ad5adbbad3422429e53ad1b4a7b886ffede1be6a1a27aae828482c082fdd

SHA512
419618b2859e2a5e1c30d4ffd2851e9eaf0ae502a04995e9cc2f51a4978c846452756b9b8510560d1a21d80f247bfc4686bd38b778a8fec50cf9dc18b040e211

Download Submit
C:\Windows\{757B10B4-92F5-49a1-B1DC-A513310C6DE6}.exe

Filesize
344KB

MD5
227ba8f4dd4696c9caa935b33e9f540d

SHA1
8dda3e33f586a411c7a004d1074499552385f362

SHA256
02480500a6b4cc4db87aa352d3534b4a3df3c8244a5955c3b5aa14e6ae322a9e

SHA512
21ce8505a48cb1019dcc70bcff35f7a64e6e97a06b02954a4a4cc155b6fb15653e25ca7ffb920627e7ec0dc6d31af1889ced8b9e2a382f5b8cd11abbd8e432d8

Download Submit
C:\Windows\{ADFE5FD0-D7B2-46db-8FC7-F964E5E3A4F8}.exe

Filesize
344KB

MD5
a475de04c3e52e7e0c3ead66f092aff5

SHA1
b05db49f7075758f347fb473aa45960b7eeb9098

SHA256
dcf54b1c038280b23f14d5a409a1547685c088696fbd82162ecb359f156e41cb

SHA512
262f0bee13a30edff6d91dee0776340a72f76169bb3323f298f8cac9d6281927bc29c11a9a27d16f5b8cf5092048532a693202cf62f9620508bc8b960ad9bdd6

Download Submit
C:\Windows\{B5AEA856-60A4-49c3-B35E-E0F90619F4C9}.exe

Filesize
344KB

MD5
900a76722644c21b47c5470c8242692c

SHA1
24f998206df1aad846471facdfde527938f98f91

SHA256
3e454f65fc91145186d6be54e46ad6581c707b420761f9e0b3a475a54648cd18

SHA512
1917fbdd380ece8032c88c6cea0434ab16090b14a5f9eaf687ef0aa4889c550d53a8a70962392c015ef06a42d0165196885e36a6f0bd39b15373a949f239f4b8

Download Submit
C:\Windows\{BF2F5350-D6CB-4873-8A70-1BA4005C146E}.exe

Filesize
344KB

MD5
e48e3aa467c48ee689bb40cc875fd6e5

SHA1
2de6172d93d39e6744b1e6b25bc3be082607593e

SHA256
63af45e950718cec4a1850390a6f33b3f57b735f7f8681397b68abc1e517a28c

SHA512
d5fe23b218a8510d3f90f20915f54285e0cee17dddca26dd734e1b2cd7471765ffc05298cdc2f059bd5722e6b60e350dd1e2f973422805f6f8a5abfbc90aa22e

Download Submit
C:\Windows\{C1BD4263-3A5D-4d35-A549-08B36F0E2A0B}.exe

Filesize
344KB

MD5
c64cdeccbb0b28bcea01fee9f1125c64

SHA1
6a680b73963c6f68a06175dbaef78644478202c4

SHA256
3a27d236bb935959452de918b44380afcd3bd5c222099dd972ce0fc2aafb1525

SHA512
f45bcce46891a366f8756094bd4ee3f9f09a87924e3a4ba639d3bc5ff3dcf5448153e618aae8e70cbb7057c7d58baeb78dfdf92476b1a8331fda554e4d6cb90a

Download Submit
C:\Windows\{C6E4BF29-BD22-404b-91EC-343911E51F0C}.exe

Filesize
344KB

MD5
c1f6f9853f594031448994ed726a4e93

SHA1
fc3cabed0598a50a85795c1bbcae1ad843140614

SHA256
9b3eb8881e1f469086a53628f3612ec74fe7da1816f8293210e5605892cd2fcd

SHA512
81b8ffe1f8f7921a4eec1e5baad80d73d855a506a494642da0b5751da45a3ffa56e9de6d544bc88ef0bfe08d961c535a564898f5bc46252bcf9bc23fb4a97c0e

Download Submit
C:\Windows\{DFD70979-E3BB-4e36-A36A-A0CC27C8AA6D}.exe

Filesize
344KB

MD5
79073d3d4e7d5bc6bd4e2878f3456fa2

SHA1
c5be251f725c4c4ed2ea33dc45f94f3138c16248

SHA256
06b1f2df9b6bc19821d8c16f62891c5061b36e31b739d43c2b515652da92b4da

SHA512
a1cb3be769f9c0ba4c33ba66ee31c20d0cf9f91bd8d27d0b878260f2805ed133e4611f027e7a1f1026561f9bc0e044a58f5ac93667fd573063b27d9221deae52

Download Submit
C:\Windows\{EAA21CF8-5A79-4025-B84B-BC1BDCFEF9DF}.exe

Filesize
344KB

MD5
89224e29a1c53bf716323ffd4c5a50cd

SHA1
eda897849f05490e81622b5833065f07dcb74bb6

SHA256
d4d6f99720d57761697d7158861cfd1f6ab8b4526498b03b8e0cb9187d84d8d5

SHA512
a01451f4c1f7e6616adcd288fb5bfadd28a29bd3542ffa84a6d0042b5c52c730c334550ea4e17593c4b08a3b4aa7a5f16e361ef124a56a7c764a302aad847e72

Download Submit
C:\Windows\{F739C6F8-E50C-4e05-95BF-B2B33F2967E3}.exe

Filesize
344KB

MD5
4436d21db1e51c9baf0cd1f56fea826f

SHA1
5776edc69ee7eb41ec305108b9244d6d50ed1387

SHA256
6ce649d6eab88a58d7ee360053fc3829a294a6f6556a3243454f99f6811f2427

SHA512
5d49bfa8e7c62c1244b573bdc871848140d7e4ceed20c0ca1954471f234af30322e5f4f883254aebf2ed2dd6428b47447e7180650420e0eef303cf0a5c35e5b6

Download Submit
C:\Windows\{F8EB0643-6CEA-47ab-BC95-FA5E0E06884E}.exe

Filesize
344KB

MD5
92ee9b2b05365357b6368692768e8f11

SHA1
0b191c6935d13939ee14950160cfa976cc296c38

SHA256
c18b5857a1f2d1e5e3cba39c6bbd7c3b39af59e2bd848173dd63f53b8420431c

SHA512
31dc7e322808dc889540468f5341de0265f1ecf8cc88835820003068d8592b8011cd46997c108fc4dbb627c74f3662997a29c18554dfafa4bdfdfb06aa5db6f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads