0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Size

168KB
MD5

cccb9c7da08a6516534bd10d52582951
SHA1

87e3e9fb352426d081d976f8178b07ec7e1a8e7f
SHA256

0aa3d5dcf0ad8c7ec2f1de64db03598c1509646faecad97afab02db2d04ca475
SHA512

6521e7927d301082787ee46a86fc9a1a62b128449711824822e8e9a721799539e7f3d1b3163723a9ff0f86a079a739a7a5b18ab3ab8873081bc9a50164e0e18e
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F95864BB-1C44-4983-86E1-705C9D7613CE}	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F95864BB-1C44-4983-86E1-705C9D7613CE}\stubpath = "C:\\Windows\\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe"	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}\stubpath = "C:\\Windows\\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe"	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}\stubpath = "C:\\Windows\\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe"	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EFA02C-3605-4923-9331-0448B7FE57DE}	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729C3311-C40F-4bf3-A265-4DC72397B6C4}	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47011303-4CCD-4377-A60A-74E4C569E8F9}	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB181427-39E8-47fe-8E59-935C7685C334}	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6339063-D309-414e-88C7-164CB016C2DA}\stubpath = "C:\\Windows\\{E6339063-D309-414e-88C7-164CB016C2DA}.exe"	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EFA02C-3605-4923-9331-0448B7FE57DE}\stubpath = "C:\\Windows\\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe"	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}\stubpath = "C:\\Windows\\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe"	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}\stubpath = "C:\\Windows\\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe"	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}\stubpath = "C:\\Windows\\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe"	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6339063-D309-414e-88C7-164CB016C2DA}	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729C3311-C40F-4bf3-A265-4DC72397B6C4}\stubpath = "C:\\Windows\\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe"	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}\stubpath = "C:\\Windows\\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe"	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47011303-4CCD-4377-A60A-74E4C569E8F9}\stubpath = "C:\\Windows\\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe"	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB181427-39E8-47fe-8E59-935C7685C334}\stubpath = "C:\\Windows\\{BB181427-39E8-47fe-8E59-935C7685C334}.exe"	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
3296	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
5020	{E6339063-D309-414e-88C7-164CB016C2DA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
File created	C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
File created	C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
File created	C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
File created	C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
File created	C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
File created	C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
File created	C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
File created	C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
File created	C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
File created	C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
File created	C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6339063-D309-414e-88C7-164CB016C2DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
Token: SeIncBasePriorityPrivilege	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
Token: SeIncBasePriorityPrivilege	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
Token: SeIncBasePriorityPrivilege	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
Token: SeIncBasePriorityPrivilege	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
Token: SeIncBasePriorityPrivilege	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
Token: SeIncBasePriorityPrivilege	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
Token: SeIncBasePriorityPrivilege	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
Token: SeIncBasePriorityPrivilege	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
Token: SeIncBasePriorityPrivilege	3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe
Token: SeIncBasePriorityPrivilege	3296	{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 4472	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	86
PID 432 wrote to memory of 4472	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	86
PID 432 wrote to memory of 4472	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	86
PID 432 wrote to memory of 3796	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	87
PID 432 wrote to memory of 3796	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	87
PID 432 wrote to memory of 3796	432	2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe	87
PID 4472 wrote to memory of 3700	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	88
PID 4472 wrote to memory of 3700	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	88
PID 4472 wrote to memory of 3700	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	88
PID 4472 wrote to memory of 4824	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	89
PID 4472 wrote to memory of 4824	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	89
PID 4472 wrote to memory of 4824	4472	{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe	89
PID 3700 wrote to memory of 5100	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	94
PID 3700 wrote to memory of 5100	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	94
PID 3700 wrote to memory of 5100	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	94
PID 3700 wrote to memory of 4492	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	95
PID 3700 wrote to memory of 4492	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	95
PID 3700 wrote to memory of 4492	3700	{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe	95
PID 5100 wrote to memory of 376	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	96
PID 5100 wrote to memory of 376	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	96
PID 5100 wrote to memory of 376	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	96
PID 5100 wrote to memory of 1488	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	97
PID 5100 wrote to memory of 1488	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	97
PID 5100 wrote to memory of 1488	5100	{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe	97
PID 376 wrote to memory of 2328	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	98
PID 376 wrote to memory of 2328	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	98
PID 376 wrote to memory of 2328	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	98
PID 376 wrote to memory of 3656	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	99
PID 376 wrote to memory of 3656	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	99
PID 376 wrote to memory of 3656	376	{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe	99
PID 2328 wrote to memory of 4052	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	100
PID 2328 wrote to memory of 4052	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	100
PID 2328 wrote to memory of 4052	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	100
PID 2328 wrote to memory of 2080	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	101
PID 2328 wrote to memory of 2080	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	101
PID 2328 wrote to memory of 2080	2328	{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe	101
PID 4052 wrote to memory of 2220	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	102
PID 4052 wrote to memory of 2220	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	102
PID 4052 wrote to memory of 2220	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	102
PID 4052 wrote to memory of 4648	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	103
PID 4052 wrote to memory of 4648	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	103
PID 4052 wrote to memory of 4648	4052	{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe	103
PID 2220 wrote to memory of 1444	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	104
PID 2220 wrote to memory of 1444	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	104
PID 2220 wrote to memory of 1444	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	104
PID 2220 wrote to memory of 368	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	105
PID 2220 wrote to memory of 368	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	105
PID 2220 wrote to memory of 368	2220	{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe	105
PID 1444 wrote to memory of 4368	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	106
PID 1444 wrote to memory of 4368	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	106
PID 1444 wrote to memory of 4368	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	106
PID 1444 wrote to memory of 428	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	107
PID 1444 wrote to memory of 428	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	107
PID 1444 wrote to memory of 428	1444	{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe	107
PID 4368 wrote to memory of 3532	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	108
PID 4368 wrote to memory of 3532	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	108
PID 4368 wrote to memory of 3532	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	108
PID 4368 wrote to memory of 1940	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	109
PID 4368 wrote to memory of 1940	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	109
PID 4368 wrote to memory of 1940	4368	{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe	109
PID 3532 wrote to memory of 3296	3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe	110
PID 3532 wrote to memory of 3296	3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe	110
PID 3532 wrote to memory of 3296	3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe	110
PID 3532 wrote to memory of 2776	3532	{BB181427-39E8-47fe-8E59-935C7685C334}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_cccb9c7da08a6516534bd10d52582951_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
  C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
    C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
      C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
        
        C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
        
        C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
        
        C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
        
        C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
        
        C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
        
        C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe
        
        C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
        
        C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe
        
        C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB4B~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB181~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5908~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{695E3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9586~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A085~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47011~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B543~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89433~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{729C3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{21EFA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21EFA02C-3605-4923-9331-0448B7FE57DE}.exe

Filesize
168KB

MD5
4f9f521ffaad494e72dbeeddaca003bd

SHA1
042f67c1302b69c6e254f00b5017ad0d1356b832

SHA256
68f9b4d784d8329ff96581a72d1952c3323ab2b065397c03ba2ef8a2e0e4c7c8

SHA512
f8fda3fe4844008adb6cffb792c68e76942310ca00d42b6251ad2d8418b5480af82a3b69407c369a840e33f9668f40ff3e2bafae4a8696b43eb3ddf7e582b043

Download Submit
C:\Windows\{47011303-4CCD-4377-A60A-74E4C569E8F9}.exe

Filesize
168KB

MD5
6cb62225e8f233a37aabab2bac42cf7d

SHA1
c443b9a2694fd3443e3bf8f62144059d2d1fe5a2

SHA256
03326dcf53fa7bcacd1ec83d8c8000884d13d1cabde94c486b3591427aba9142

SHA512
2c7ed9b311fa95637aca6775b022b1d765432e9b4ba6555bcac239d1855156b2f7636c21bfa899ad06a287ae03b32962b525b664f296d15235a9cdd46cd38774

Download Submit
C:\Windows\{5B543B15-EFCB-460e-B8BD-4742FA9D6BFF}.exe

Filesize
168KB

MD5
a9295979fd1bb7510d6a012f37ede8e3

SHA1
3069da29a3eac2d314a37799eee255c10f8cfd56

SHA256
2c578423583b71dd77d93796888ee520ab65cbae656bc14d3bcdc5442a447fc1

SHA512
da671b6ea35fc72e697898f2988343f8e41d432f1443d6272efa3c574067873ee5b2025576c2e3cb2decb2dbb9ed2f2b4f75ec8725e8eccda977d566886da1f2

Download Submit
C:\Windows\{695E3FA7-1521-47d0-B40A-F888ACB76D2A}.exe

Filesize
168KB

MD5
1d1274beb197ad70ac185c2b87ff0455

SHA1
cdc0397610e27d9f4c4ddd5bf2f0e86793f927ff

SHA256
b181da9b1140fe05b7cebfd1ee9c21f82d654423bca5d6a03d9b0840339f4ac8

SHA512
ae236b31762e24f725ac4d7fa20fe91dca176e94daf590dbd2c6fd3d66ad4eca3f86b7c34fe2106eba8c55a367e6fe41c40f954b6c98a20b7b9aa29d321b7795

Download Submit
C:\Windows\{729C3311-C40F-4bf3-A265-4DC72397B6C4}.exe

Filesize
168KB

MD5
ae0f61e241c0e8e5e3d92a231c174ad0

SHA1
9b731455a01550ca9d4fcae36708c7d0e712bd12

SHA256
5ef8e13d9f2fe9ccd13829a06c85edd76e637429dd1dc0ddaa65896fdd61ac4e

SHA512
d5542dde21fc09de6696fb738ba699423d71499e71f8992bc576f6f61aa7f56ec6fe2ff9d2578f840fccc09d8fea76cfa3b1df70bb1f7f02e104d6f95a0e2cc5

Download Submit
C:\Windows\{7A085D30-5969-4bbb-ADA8-4AB2B10057A9}.exe

Filesize
168KB

MD5
2f6786b7aa07bc29c1d85e21f1508cfd

SHA1
96166658a4d4ae42c28365ca7156529851cf0669

SHA256
1b7a2aaefea7d11c0a3702af713005ea89fc49f18a5b9a67d35b55b6a96e142d

SHA512
a80efa88a0cb2c016881df55f1e80e26de8ad4701d1f0484a4ea030dbe59a1bd1021a369c64cbfce6fdd2e7d3fb2cc94f0b4eae5191f312920bb6361502e50ba

Download Submit
C:\Windows\{7FB4BF35-FC7B-4628-9BB5-40791BBEA929}.exe

Filesize
168KB

MD5
f3b3b51e5ee88cdcf7403e3e573a7a75

SHA1
fc5a8a5fbbbce4709d4aec790df333128ee0a6a3

SHA256
bf36865e6df539c484e426e27aba13a06f70419bf1ac2c07f994b7b9cc3bbea8

SHA512
d42862f4f45bdc89ac92ead789f08580239300bbc4605d47598b3b52ba61b64750a3e3c9f7e273a2927a4ba4dc95a6851360782495e8abe4543579dc624356e8

Download Submit
C:\Windows\{89433D8A-E34D-4ec9-914A-B35C790B2C8D}.exe

Filesize
168KB

MD5
3ae402e67b5b7d93231919c48ad70072

SHA1
16b5545d393662386a2147ff0c119d9bffd9a674

SHA256
54d994845db93f006e58d03c3ae2d53e829fc1145db9ddc0ab53d9d2f3b77986

SHA512
9819cb7cd37644831efd86e79d852e0de2a5d5273abd535f801204b0f7728261bcaf12fdbd5854dd414d8a5bc4e0059a91dfc08e7222f37673ae45ed23452ec0

Download Submit
C:\Windows\{A5908D37-2412-4e8b-A55B-1EB6490D47D4}.exe

Filesize
168KB

MD5
4b0578afe938d3f8e7beed936b9155b6

SHA1
98a465050a282eeeaf225c67061b98fd2396f49e

SHA256
038f3c2869d41f89a56c4d0476e348d91fde027d29172dffb20a67fa4cc58aed

SHA512
ac090c2a6e7fe46d5b590ffa2c6590ad9fb6f5b1a944485940f3b8d0f4460157dc51084a66fc5d6724c1fc5c28b6462729e1ec544c4d154a1f8cd61f414ff99d

Download Submit
C:\Windows\{BB181427-39E8-47fe-8E59-935C7685C334}.exe

Filesize
168KB

MD5
930f49226be88a3fc14ba152ab664309

SHA1
0a55a8f072e09d5e02acb3c84fee895caaafa355

SHA256
6755878b39dbad88e49b357e6df27a9ec44b99bb97545f650a5cd1100b396416

SHA512
bdd05c8e60d6ae391898e6b2984e17485da1b48b4b8c279c284f4505396af68408958f589468984276b92dcdfb2db2d2b94b6cef15e719f01441107fa068c2d7

Download Submit
C:\Windows\{E6339063-D309-414e-88C7-164CB016C2DA}.exe

Filesize
168KB

MD5
c653c53c319c6e41c73ad193d88cf482

SHA1
18380671a7f9a3a4070835ac7e0359f255a95e72

SHA256
4b5d8f189d37c050369e48180ec0b0b64fb525732dde4b3dc0797dfc08a9c90d

SHA512
f10a206d7e4b5be843e48d3f893a52e4abae57f95a40fb66d4d0dd7b78fee499d5b11eafa5b636f4a670f54bb6d7cba68b29acfefd386f884b2beece4e588153

Download Submit
C:\Windows\{F95864BB-1C44-4983-86E1-705C9D7613CE}.exe

Filesize
168KB

MD5
979fd9cdbdf6360537bf55f54347735c

SHA1
8ece46c1f3bdc21e633c10a8ea324cea70e7525d

SHA256
afd155189529385942b0c655f22974734086913b90cf26892fc4e04331a5cd89

SHA512
046d9dd8ed9c4138c2aac6f1b48716ecc76813b461ae90060267017c51554bb2978c51080b84517a8653336124f4b1713b57420d6edf94b7914abc96ca798a76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads