1e6d5b734f29c9163809ae06b6f986a1400f5313227c3cc40af400677ab84d2b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Size

344KB
MD5

d0f74590cab23dc9c9d284bafc5dce73
SHA1

0ddd60208833280c4fbafbca6cb519d0539a3c51
SHA256

1e6d5b734f29c9163809ae06b6f986a1400f5313227c3cc40af400677ab84d2b
SHA512

684e5ccd91ddc669a72bea505c386a8b87b7e6a2d0cce60294b876029efff18fbc38ede734bd261551127a09892fd0ae73157d2c0da5d20fd7e4b5d324053ae2
SSDEEP

3072:mEGh0oelEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGAlqOe2MUVg3v2IneKcAEcA

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}\stubpath = "C:\\Windows\\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe"	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC8976BF-B1BB-4604-B85B-D803B7622998}	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{086319D3-1113-415a-B721-935520C32D92}	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{086319D3-1113-415a-B721-935520C32D92}\stubpath = "C:\\Windows\\{086319D3-1113-415a-B721-935520C32D92}.exe"	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}\stubpath = "C:\\Windows\\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe"	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}\stubpath = "C:\\Windows\\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe"	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC8976BF-B1BB-4604-B85B-D803B7622998}\stubpath = "C:\\Windows\\{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe"	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3398C44F-56C2-42cd-A99B-F03AE64511D3}	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3398C44F-56C2-42cd-A99B-F03AE64511D3}\stubpath = "C:\\Windows\\{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe"	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}	{086319D3-1113-415a-B721-935520C32D92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}\stubpath = "C:\\Windows\\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe"	{086319D3-1113-415a-B721-935520C32D92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}\stubpath = "C:\\Windows\\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe"	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}\stubpath = "C:\\Windows\\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe"	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}\stubpath = "C:\\Windows\\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe"	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}\stubpath = "C:\\Windows\\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe"	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}\stubpath = "C:\\Windows\\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe"	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe

Executes dropped EXE 12 IoCs

pid	Process
2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
3524	{086319D3-1113-415a-B721-935520C32D92}.exe
2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
1436	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
400	{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
File created	C:\Windows\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	{086319D3-1113-415a-B721-935520C32D92}.exe
File created	C:\Windows\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
File created	C:\Windows\{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
File created	C:\Windows\{086319D3-1113-415a-B721-935520C32D92}.exe	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
File created	C:\Windows\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
File created	C:\Windows\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
File created	C:\Windows\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
File created	C:\Windows\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
File created	C:\Windows\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
File created	C:\Windows\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
File created	C:\Windows\{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{086319D3-1113-415a-B721-935520C32D92}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
Token: SeIncBasePriorityPrivilege	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
Token: SeIncBasePriorityPrivilege	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
Token: SeIncBasePriorityPrivilege	3524	{086319D3-1113-415a-B721-935520C32D92}.exe
Token: SeIncBasePriorityPrivilege	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
Token: SeIncBasePriorityPrivilege	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
Token: SeIncBasePriorityPrivilege	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
Token: SeIncBasePriorityPrivilege	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
Token: SeIncBasePriorityPrivilege	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
Token: SeIncBasePriorityPrivilege	3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
Token: SeIncBasePriorityPrivilege	1436	{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2360	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	89
PID 5064 wrote to memory of 2360	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	89
PID 5064 wrote to memory of 2360	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	89
PID 5064 wrote to memory of 4268	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	90
PID 5064 wrote to memory of 4268	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	90
PID 5064 wrote to memory of 4268	5064	2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe	90
PID 2360 wrote to memory of 332	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	91
PID 2360 wrote to memory of 332	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	91
PID 2360 wrote to memory of 332	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	91
PID 2360 wrote to memory of 716	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	92
PID 2360 wrote to memory of 716	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	92
PID 2360 wrote to memory of 716	2360	{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe	92
PID 332 wrote to memory of 1432	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	96
PID 332 wrote to memory of 1432	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	96
PID 332 wrote to memory of 1432	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	96
PID 332 wrote to memory of 3240	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	97
PID 332 wrote to memory of 3240	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	97
PID 332 wrote to memory of 3240	332	{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe	97
PID 1432 wrote to memory of 3524	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	98
PID 1432 wrote to memory of 3524	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	98
PID 1432 wrote to memory of 3524	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	98
PID 1432 wrote to memory of 4172	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	99
PID 1432 wrote to memory of 4172	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	99
PID 1432 wrote to memory of 4172	1432	{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe	99
PID 3524 wrote to memory of 2980	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	100
PID 3524 wrote to memory of 2980	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	100
PID 3524 wrote to memory of 2980	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	100
PID 3524 wrote to memory of 3964	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	101
PID 3524 wrote to memory of 3964	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	101
PID 3524 wrote to memory of 3964	3524	{086319D3-1113-415a-B721-935520C32D92}.exe	101
PID 2980 wrote to memory of 5024	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	102
PID 2980 wrote to memory of 5024	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	102
PID 2980 wrote to memory of 5024	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	102
PID 2980 wrote to memory of 3584	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	103
PID 2980 wrote to memory of 3584	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	103
PID 2980 wrote to memory of 3584	2980	{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe	103
PID 5024 wrote to memory of 3208	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	104
PID 5024 wrote to memory of 3208	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	104
PID 5024 wrote to memory of 3208	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	104
PID 5024 wrote to memory of 1652	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	105
PID 5024 wrote to memory of 1652	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	105
PID 5024 wrote to memory of 1652	5024	{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe	105
PID 3208 wrote to memory of 2072	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	108
PID 3208 wrote to memory of 2072	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	108
PID 3208 wrote to memory of 2072	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	108
PID 3208 wrote to memory of 4988	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	109
PID 3208 wrote to memory of 4988	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	109
PID 3208 wrote to memory of 4988	3208	{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe	109
PID 2072 wrote to memory of 2864	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	110
PID 2072 wrote to memory of 2864	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	110
PID 2072 wrote to memory of 2864	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	110
PID 2072 wrote to memory of 4568	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	111
PID 2072 wrote to memory of 4568	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	111
PID 2072 wrote to memory of 4568	2072	{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe	111
PID 2864 wrote to memory of 3876	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	112
PID 2864 wrote to memory of 3876	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	112
PID 2864 wrote to memory of 3876	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	112
PID 2864 wrote to memory of 1356	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	113
PID 2864 wrote to memory of 1356	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	113
PID 2864 wrote to memory of 1356	2864	{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe	113
PID 3876 wrote to memory of 1436	3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe	114
PID 3876 wrote to memory of 1436	3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe	114
PID 3876 wrote to memory of 1436	3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe	114
PID 3876 wrote to memory of 716	3876	{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_d0f74590cab23dc9c9d284bafc5dce73_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
  C:\Windows\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
    C:\Windows\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
      C:\Windows\{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\{086319D3-1113-415a-B721-935520C32D92}.exe
        
        C:\Windows\{086319D3-1113-415a-B721-935520C32D92}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
        
        C:\Windows\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
        
        C:\Windows\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
        
        C:\Windows\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
        
        C:\Windows\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
        
        C:\Windows\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
        
        C:\Windows\{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
        
        C:\Windows\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe
        
        C:\Windows\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C574~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC897~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{815ED~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C31F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E4EF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C87FB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8ACC1~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08631~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3398C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C212A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2FCF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{086319D3-1113-415a-B721-935520C32D92}.exe

Filesize
344KB

MD5
7fd25fdd2dafe1d1a53a6e871ed16df1

SHA1
dce9a0b1fad731a2d8f6577bb125231181c9f8d0

SHA256
6c4c1d2cd5b8b2f7996c11fc2b2531e4376b61544b9dfd5cc2071d42b5aa6875

SHA512
a8e9e0e93825b430edffe14ce0a8a25016f821e7f9d8fdea0c48515ec3c50d6f39388309b0913bb970ec1798c31e4b7ca047035a97d235bfa943abacde72e0f5

Download Submit
C:\Windows\{3398C44F-56C2-42cd-A99B-F03AE64511D3}.exe

Filesize
344KB

MD5
3e8320b53927f9cf5b363dccb91592f0

SHA1
5697da2a2aec9faf5a083d4d3fa2aa0ce5594f93

SHA256
647960724aa76118a23ab30975445051177d67976defbf334a97f48830a57bd2

SHA512
5ccb43dc98215fab8c26a961970b8fdb551fa72e4db5595bc4b29189f31cf108d7ef53ef129c217867a569d5d81a2eeeab923baf5ddae3c5aaf0c05e86fc8439

Download Submit
C:\Windows\{3C31F4C4-92A3-4ade-8EF5-A8E59EC0EEE5}.exe

Filesize
344KB

MD5
6629cab3d6c99dfaae42d50ff82117fe

SHA1
ac1a10c0d61b3994b072c5e1ad11651eb6504fdb

SHA256
4391e8b95bf2d886c6000e50c9bbdd1fc7da2ac11ac1045acac78469d4f787ff

SHA512
ed99cab6a41a08eb1cfec7651439d7efcfe523a463ebebef6b5c67075090724af61ed141e6a2111f2d16169aaf5a009f9f7e95e51c98b511e0d71b325d68b2b5

Download Submit
C:\Windows\{3E4EF916-CAA6-40c1-ADE1-B8AC4875062B}.exe

Filesize
344KB

MD5
fcada77bdcd7ec9bbe629c069ab036bb

SHA1
566d2e62b738eeb4865c49ad3682dd47f2a0b03b

SHA256
1446053e488fd8278d85e080c0b9a0ec29ebb9f70b3adaeecc5acd27aec7416b

SHA512
0a8a10eb0f6f4135793d903e7fb839effd74db3e4f52457bf28bf907f7a07e9f45997e0341698d9ff5eb3ea8b6610492f4c081f70e3dfcc74e300066130258c6

Download Submit
C:\Windows\{5C574985-3E93-49f0-BFE1-AF7C7E7B3279}.exe

Filesize
344KB

MD5
9269f7808ddcb63401568d07fa58fd1e

SHA1
f1c5bcefaccc040f3b2483e431099430f1332f65

SHA256
82196b4b57521e22b50842ff1112aff34df2e9bd29a8095805c3727a2166e403

SHA512
b5fe7c56dd53c6603565e29969bb4726b546c855b01c3eb065edf07557dad5593b370e52e29ea5f692f897e903357b99cd88b4a59ed44d0a1bb8b81f90f557ef

Download Submit
C:\Windows\{815ED5AA-0C0F-4e60-8864-DE9764A882D5}.exe

Filesize
344KB

MD5
378759a2f36ebb3b3902adba78a27196

SHA1
5a6bf12e07815b726f84c6b8c2fe4ddbd36ceecb

SHA256
4346775ae2a25551f0ecdfa0034cd24e0fccf7859a9a228a9d64dcbe3dea719d

SHA512
2b4034112625aa6ce8b699bfc77b2d8105847f2482fc34f42ed25e054cf8c0f3cc6603ee63cdbeb552fae2eb1d9cc9af10a908bae9c40b29d1d744c3d725a02f

Download Submit
C:\Windows\{8ACC1BFE-88EE-48a2-8997-9DCB85AEFC17}.exe

Filesize
344KB

MD5
9dc1d5e362d043ceee43356a639c6509

SHA1
6b25503d00d9a9838977fbaf664538690e4d75e1

SHA256
d47e8c794ef875d3023b46dc2b52ed9ad520feb000be3546890301b48407679e

SHA512
528191db47d69dddc6be73123c0dccff4d84bf58c8e5930dae17ecbac5193740622d4f8e14c0f9ed87a4bc9dbba49f6c9f77a8c472053980a98ec76b3a21f1de

Download Submit
C:\Windows\{B2FCF36B-5680-4d45-9694-DDE960DC08A0}.exe

Filesize
344KB

MD5
4c26d0ece7d772128bdcf072036a3442

SHA1
05c1cce9b6003592a882e397fcdd4d2c34511b78

SHA256
a772166a3924be160acc0c6db3827363263ced7abfc736d8d614f7968d711da4

SHA512
43fae431b3135ae83a4bd7cbc01cf9d978ecfe9a34d20bf236c7cd951d7982f976b5c78ad319cc3e9aa5b5216fb75706c4b2d6a03a01b2d9945efcb88f7d7024

Download Submit
C:\Windows\{BC8976BF-B1BB-4604-B85B-D803B7622998}.exe

Filesize
344KB

MD5
254ec43e2b58010dcafdab4ac52d6736

SHA1
4fd55698b62b985fa9f1f9275dc27eab8fd5a561

SHA256
44a1f5c407dda4832877d62ca713717a506ca382026252614779e65953893992

SHA512
68776763fac5e3a1116f2271d519551669a149b1cf1c8855ae15d6907a52d1116e054cbf8b60d5df073e5ffcfe965fa31e8c75e1c904a20dbd74346481468cb5

Download Submit
C:\Windows\{BD52B7C9-7D82-4db6-B94A-14F1102E899A}.exe

Filesize
344KB

MD5
d43cca9d03b1dd7b05bc52d1c550d568

SHA1
9533643d62417ab626af3506e6b5adc12e5eea56

SHA256
46a9c537412b257ab4862a3bb02f8606af8af2d82b35648e867f138952535073

SHA512
78da9e670c1478b7f53f7239bb8b6eab323f638fb5656d744180bf3a0821121200a351e5c64ee0a0235e542776e76306ec69493682970966979e755ef5684fb3

Download Submit
C:\Windows\{C212AD84-DF7D-4f5e-B8A2-024D604F657F}.exe

Filesize
344KB

MD5
d517c1c1da836e14df18196295d03cab

SHA1
aa7b552f16e0040b8075664edd4abf03747bf901

SHA256
25f81dde4b555a4b5d0f931a2414d37c61154b5b73496703b50e2e0ac0082739

SHA512
c9b9a04165c10b114dc2c983da2100c2456fc969d321ae8ba97fec61689ef1e1b3431bac99880627b7b5255204ee1f545e34c772870024680c6bcbb11fdb41f5

Download Submit
C:\Windows\{C87FB13F-B49E-42d4-BC3B-94681B214DF8}.exe

Filesize
344KB

MD5
e909409c4f3fc4311e2b0d0d2b2d00f4

SHA1
696cd15cac5384dd1a727e4294bf2a08b85acb31

SHA256
09a4b89b45b72f6b892144ef1ce3a6123755f2e26cfb4355af69ce0ab7c6ed1a

SHA512
15e67906df1f369e9d7b8efcfdc16ebaf273a4cc83b2efc2a8c154d5ac068f640342adb96109b70f93638f38563a5ddec44f10aa0d0b0e62bb771854ff552a0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads