11ba81b7f7e2dd99798cebc32f20312d57450aa4429c95835624d0b4594c09f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
Size

380KB
MD5

97a1bd24f122d479820a3dc08eeb7940
SHA1

819d420b7d3e31ddeee73ac3f66e81b22cdd71cd
SHA256

11ba81b7f7e2dd99798cebc32f20312d57450aa4429c95835624d0b4594c09f7
SHA512

2ee6be333d564b318042c155e4cecc35131ec88fe3f7cbad144629a7c9fa8cb84a1f052ebe47212f77607d2a8e7804b19430c9b84e11cb6d3621df1390589876
SSDEEP

3072:mEGh0oKlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGUl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1225E52D-1932-4926-9061-3E0A061338F0}\stubpath = "C:\\Windows\\{1225E52D-1932-4926-9061-3E0A061338F0}.exe"	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB729013-3D67-4968-9BA9-049AA8732AA3}	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DE640D1-799B-4ddd-A513-ED0832F443D9}	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DE640D1-799B-4ddd-A513-ED0832F443D9}\stubpath = "C:\\Windows\\{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe"	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D7C846-D96F-4663-A29D-006BC75FE10E}\stubpath = "C:\\Windows\\{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe"	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8D7C846-D96F-4663-A29D-006BC75FE10E}	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7821C1B-5217-4ee1-874C-82250F6302B1}	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}\stubpath = "C:\\Windows\\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe"	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}\stubpath = "C:\\Windows\\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe"	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA50A094-5C14-4144-9BA4-392FCD8FC577}	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB729013-3D67-4968-9BA9-049AA8732AA3}\stubpath = "C:\\Windows\\{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe"	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1225E52D-1932-4926-9061-3E0A061338F0}	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}\stubpath = "C:\\Windows\\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe"	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}\stubpath = "C:\\Windows\\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe"	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7821C1B-5217-4ee1-874C-82250F6302B1}\stubpath = "C:\\Windows\\{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe"	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA50A094-5C14-4144-9BA4-392FCD8FC577}\stubpath = "C:\\Windows\\{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe"	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}\stubpath = "C:\\Windows\\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe"	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}\stubpath = "C:\\Windows\\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe"	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe

Executes dropped EXE 12 IoCs

pid	Process
4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
180	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
2344	{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
File created	C:\Windows\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
File created	C:\Windows\{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
File created	C:\Windows\{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
File created	C:\Windows\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
File created	C:\Windows\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
File created	C:\Windows\{1225E52D-1932-4926-9061-3E0A061338F0}.exe	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
File created	C:\Windows\{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
File created	C:\Windows\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
File created	C:\Windows\{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
File created	C:\Windows\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
File created	C:\Windows\{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
Token: SeIncBasePriorityPrivilege	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
Token: SeIncBasePriorityPrivilege	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe
Token: SeIncBasePriorityPrivilege	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
Token: SeIncBasePriorityPrivilege	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
Token: SeIncBasePriorityPrivilege	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
Token: SeIncBasePriorityPrivilege	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
Token: SeIncBasePriorityPrivilege	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
Token: SeIncBasePriorityPrivilege	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
Token: SeIncBasePriorityPrivilege	4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
Token: SeIncBasePriorityPrivilege	180	{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4904	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	86
PID 4436 wrote to memory of 4904	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	86
PID 4436 wrote to memory of 4904	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	86
PID 4436 wrote to memory of 3340	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	87
PID 4436 wrote to memory of 3340	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	87
PID 4436 wrote to memory of 3340	4436	2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe	87
PID 4904 wrote to memory of 1648	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	88
PID 4904 wrote to memory of 1648	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	88
PID 4904 wrote to memory of 1648	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	88
PID 4904 wrote to memory of 5020	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	89
PID 4904 wrote to memory of 5020	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	89
PID 4904 wrote to memory of 5020	4904	{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe	89
PID 1648 wrote to memory of 3992	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	92
PID 1648 wrote to memory of 3992	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	92
PID 1648 wrote to memory of 3992	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	92
PID 1648 wrote to memory of 1880	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	93
PID 1648 wrote to memory of 1880	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	93
PID 1648 wrote to memory of 1880	1648	{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe	93
PID 3992 wrote to memory of 2200	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	96
PID 3992 wrote to memory of 2200	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	96
PID 3992 wrote to memory of 2200	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	96
PID 3992 wrote to memory of 4168	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	97
PID 3992 wrote to memory of 4168	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	97
PID 3992 wrote to memory of 4168	3992	{1225E52D-1932-4926-9061-3E0A061338F0}.exe	97
PID 2200 wrote to memory of 1856	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	98
PID 2200 wrote to memory of 1856	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	98
PID 2200 wrote to memory of 1856	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	98
PID 2200 wrote to memory of 4776	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	99
PID 2200 wrote to memory of 4776	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	99
PID 2200 wrote to memory of 4776	2200	{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe	99
PID 1856 wrote to memory of 4540	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	100
PID 1856 wrote to memory of 4540	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	100
PID 1856 wrote to memory of 4540	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	100
PID 1856 wrote to memory of 4572	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	101
PID 1856 wrote to memory of 4572	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	101
PID 1856 wrote to memory of 4572	1856	{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe	101
PID 4540 wrote to memory of 3524	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	102
PID 4540 wrote to memory of 3524	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	102
PID 4540 wrote to memory of 3524	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	102
PID 4540 wrote to memory of 3516	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	103
PID 4540 wrote to memory of 3516	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	103
PID 4540 wrote to memory of 3516	4540	{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe	103
PID 3524 wrote to memory of 2840	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	104
PID 3524 wrote to memory of 2840	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	104
PID 3524 wrote to memory of 2840	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	104
PID 3524 wrote to memory of 2852	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	105
PID 3524 wrote to memory of 2852	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	105
PID 3524 wrote to memory of 2852	3524	{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe	105
PID 2840 wrote to memory of 4560	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	106
PID 2840 wrote to memory of 4560	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	106
PID 2840 wrote to memory of 4560	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	106
PID 2840 wrote to memory of 4104	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	107
PID 2840 wrote to memory of 4104	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	107
PID 2840 wrote to memory of 4104	2840	{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe	107
PID 4560 wrote to memory of 4496	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	108
PID 4560 wrote to memory of 4496	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	108
PID 4560 wrote to memory of 4496	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	108
PID 4560 wrote to memory of 4896	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	109
PID 4560 wrote to memory of 4896	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	109
PID 4560 wrote to memory of 4896	4560	{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe	109
PID 4496 wrote to memory of 180	4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe	110
PID 4496 wrote to memory of 180	4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe	110
PID 4496 wrote to memory of 180	4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe	110
PID 4496 wrote to memory of 1328	4496	{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_97a1bd24f122d479820a3dc08eeb7940_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
  C:\Windows\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
    C:\Windows\{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\{1225E52D-1932-4926-9061-3E0A061338F0}.exe
      C:\Windows\{1225E52D-1932-4926-9061-3E0A061338F0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
        
        C:\Windows\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
        
        C:\Windows\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
        
        C:\Windows\{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
        
        C:\Windows\{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
        
        C:\Windows\{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
        
        C:\Windows\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
        
        C:\Windows\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
        
        C:\Windows\{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:180
        
        C:\Windows\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe
        
        C:\Windows\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA50A~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0773A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4A84~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DE64~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7821~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB729~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80C0B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F1E5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1225E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8D7C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F311~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0773A6ED-DAD6-427e-AC3E-A2EDC529258C}.exe

Filesize
380KB

MD5
35a4982f6232fd7e4fa5019a06fd57c8

SHA1
709c16eea9e6270667af5ea3050dd9e1347b38a7

SHA256
82bd9b2cef634b314bf294e6587f34fcef767da57ef50a7b5dbbf8b65faff25f

SHA512
55e007c9549d25f9af02125afa60aec63111808b611c0788565c9ae35497192ae7fc51c5317d2ad615f0a3ebc4fe62ec53d49dd579be25bf383ee1f299711cdf

Download Submit
C:\Windows\{0DE640D1-799B-4ddd-A513-ED0832F443D9}.exe

Filesize
380KB

MD5
55bf1871fff8dfa2085809202be26359

SHA1
c3d59907482559ea156255038117eb99526eae7e

SHA256
875f4abfd3ee1b5d763c14bd57a84c90eb5226557aa21833e533d55d89a3e10e

SHA512
5df6943e17d86f32c5398e49c8a4a8c17d107310c08c53e0c371d7424ec12f0ad9706d8759fcca7ce5ab322c455b56346b85cd2d110242b223ce67223d10693e

Download Submit
C:\Windows\{0F1E5DB3-D5A3-4eb5-8FF5-B6F2F31A4AE7}.exe

Filesize
380KB

MD5
c75408f2d7d06b74d95d06a4b35754d1

SHA1
8e988a7953582ace46b39e6d7d0c10fd61a6a471

SHA256
a09323ee85b5426d201a2231c5a7e4743748fb4555b07c04a8c88646d0921c95

SHA512
342cf294b934b3a08b311421502a9de4b6cc30d310da012f1efade640a2ac34aaf5db629118e669e974b7fc1b3f3f2cabd399702c855f4d2c4b8d8ff1019721d

Download Submit
C:\Windows\{1225E52D-1932-4926-9061-3E0A061338F0}.exe

Filesize
380KB

MD5
d8c5eac0d6568c663f85f27831351366

SHA1
62c81091df025c0202e5c005454e3901da02d005

SHA256
8d7abd672de7732ce4b2164645eca836692a0e75409f41c34cb3749a401ce7b6

SHA512
8511e7152fa2198d9fdcaa444270d032db02b476d174d45761019dced6e80bb3629f88929bbc9e17d9d1e9a082f1109302fc22de5755594f7fe3db233dcb4308

Download Submit
C:\Windows\{5F3111C4-1E01-49fb-8DDC-816F7B5AB9C5}.exe

Filesize
380KB

MD5
2b89c6597c8da0f17ef579fdeb2c7f3d

SHA1
6d8fbbb408ddd4828a703c577aa791f57549127c

SHA256
205fd30cf6b42b2d0127e11d7e8fb7e613c0fe557e50148b310d8976becf16c3

SHA512
e87dd01f215c9bd44620d960811be43e120056116e21aa6a27b2f29a10f56b3852a2ebaf324bfdf08ea92266846889f03b10702955ead7ec206787ef6b55cad2

Download Submit
C:\Windows\{80C0BA22-72E0-4bc1-9427-1E0F449D6B43}.exe

Filesize
380KB

MD5
852c69d77ddb625116aba070c3a71d3a

SHA1
f6e5867ac15ac286db25fb87557d180901723dae

SHA256
7e84b11d96fcd4e7b507298f07280a606c7861a1318dcf3c66120f7ef4a463c6

SHA512
0bc2b3177ed84e6f1a5d49265be86ac79935bb542820e2772f033f6d9602e24d0bfc3990daaee148b3b728c15ee33bf18d398b3f72bd536b32924b17e946f207

Download Submit
C:\Windows\{A8D7C846-D96F-4663-A29D-006BC75FE10E}.exe

Filesize
380KB

MD5
9b7a2c711aa216403546369ed22deb57

SHA1
62b57892eaafe63a179592c16a2d08c948b7c442

SHA256
74173f5f921ed9e9abb6c059ca185b8ef7f13826ea5b7d9f01c9378675b5ce4a

SHA512
e0896de7fd6d7479b1c9899960be82bed6e50d9a3be5dc2bdfb2e98d7050ee8aef9f8bf65336c0a15b27ad36cf5c249f5e7b699b3201d390d5cea105c30a232e

Download Submit
C:\Windows\{BBC042E7-A4A7-4a37-A78A-B3E88BE1936B}.exe

Filesize
380KB

MD5
d182252c7d0897e81de5c06ebb376554

SHA1
ca91a08cfdfee1b18c9bd2af74ce24044c5fb142

SHA256
cdfa015c33ccbde5dee95b995c79154b36ab624e1ba082a6b836a00162a4692c

SHA512
72e6a61add61df9ca84886b0999924285ce995338aa1fb6fccb997b844deaac43c51800cd03356e6443aae12f191f3b8358733ee8ea6af46f45dcec03e7af48d

Download Submit
C:\Windows\{CB729013-3D67-4968-9BA9-049AA8732AA3}.exe

Filesize
380KB

MD5
f6ce39bef0ffe494c3adbd82b44b19d5

SHA1
73fd5cbe6692e6c6690bd30e9f3ca3ceb1f623dd

SHA256
ca44e5d63ee5c55a70571a8aacccdb79741f77153a10c6e383c4f50289d0b369

SHA512
6588d6714a44c2ec436fe62bde6899a9dc0332ef44f3b8e95325f3573a16171155e9f859639def5f48a86f22ece2bc8f70bddee6a4d8340558caac881af26376

Download Submit
C:\Windows\{D4A8477D-BBC8-45cd-9E0E-F62DBDCA2783}.exe

Filesize
380KB

MD5
3cc89bd72c2359957a10abb16975baba

SHA1
d8f25960598f8e7fbf743d81cce710724fc92a90

SHA256
50efe6c06801786f6fd9085e70498ff94169a7e190457408a16c88057d83d9f8

SHA512
cd757285ccd06f4ba0cfee17984956d465dc2d390ff52d603282f5c2c24d2f857f8e0fe1d1c133ab34009086e9fc313e95e0d57334e5e02dab0bd64af2b5dbdb

Download Submit
C:\Windows\{F7821C1B-5217-4ee1-874C-82250F6302B1}.exe

Filesize
380KB

MD5
4e3edb63f3dc7f66031292e76112a847

SHA1
d5fac5726ebbfb8d2f860c7b667a53d73cdafa8b

SHA256
7366c83a7dc8889bece19346b7b3494b74f6d3fa34f97c189a04b48d8115194a

SHA512
2177537194e1326474f75ead004d1a9eac6fa54e804f4073ba139293e2703c3a93df5ca451df510e9321a90c017b21cbee97beb02336efa2180b7d2f06da6748

Download Submit
C:\Windows\{FA50A094-5C14-4144-9BA4-392FCD8FC577}.exe

Filesize
380KB

MD5
d80d600eafbfe3a950a5d9853442b57b

SHA1
82a1d67d297b7086f6a26579879a0199d6dfbe8f

SHA256
489cddf6d5d21488b0202b317496258bb8dadb26c0b71eaf604556af3caa4991

SHA512
1498cd5c80afa6ba846e130d85b8f9628bec3923a72475b1ef6b66e95b84b15e8c931757252a5b3c28e55a2647fb36d5b6f40668dc68a10d2d3e8d01e95f1eab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads