054432a5ff2cbda08c8a2114588c1e06087998399aa8a2b8aee8ab9814bbbf76

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
Size

180KB
MD5

2413457564c4054ca86b0f97858ad5ef
SHA1

df380522c1149359096571917ad5348c4a445b5c
SHA256

054432a5ff2cbda08c8a2114588c1e06087998399aa8a2b8aee8ab9814bbbf76
SHA512

e371d392c917749b2673d37590616070fc05db41966ce0d18d71ee4e7ee50d9b108d5042498385d7b79df6539547d0bef5d871be7f181494c035d9f0ffa6a183
SSDEEP

3072:jEGh0oslfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGOl5eKcAEc

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}\stubpath = "C:\\Windows\\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe"	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC3260B-7CA5-482e-8434-8C985513006C}\stubpath = "C:\\Windows\\{AEC3260B-7CA5-482e-8434-8C985513006C}.exe"	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A4B751-82AD-4746-B643-A83E1DF52832}\stubpath = "C:\\Windows\\{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe"	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}\stubpath = "C:\\Windows\\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe"	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}\stubpath = "C:\\Windows\\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe"	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9024E94A-9A88-4e05-BC22-464979ADB124}\stubpath = "C:\\Windows\\{9024E94A-9A88-4e05-BC22-464979ADB124}.exe"	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEC3260B-7CA5-482e-8434-8C985513006C}	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FD46D3-2E47-457c-A732-6A1920DF8B67}\stubpath = "C:\\Windows\\{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe"	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78743D3-66CA-406f-BCB5-7E932CA1D485}	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B78743D3-66CA-406f-BCB5-7E932CA1D485}\stubpath = "C:\\Windows\\{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe"	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}\stubpath = "C:\\Windows\\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe"	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}\stubpath = "C:\\Windows\\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe"	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}\stubpath = "C:\\Windows\\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe"	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}\stubpath = "C:\\Windows\\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe"	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FD46D3-2E47-457c-A732-6A1920DF8B67}	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9024E94A-9A88-4e05-BC22-464979ADB124}	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5A4B751-82AD-4746-B643-A83E1DF52832}	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe

Executes dropped EXE 12 IoCs

pid	Process
2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
1368	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
4804	{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
File created	C:\Windows\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
File created	C:\Windows\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
File created	C:\Windows\{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
File created	C:\Windows\{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
File created	C:\Windows\{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
File created	C:\Windows\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
File created	C:\Windows\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
File created	C:\Windows\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
File created	C:\Windows\{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
File created	C:\Windows\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
File created	C:\Windows\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
Token: SeIncBasePriorityPrivilege	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
Token: SeIncBasePriorityPrivilege	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
Token: SeIncBasePriorityPrivilege	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
Token: SeIncBasePriorityPrivilege	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
Token: SeIncBasePriorityPrivilege	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
Token: SeIncBasePriorityPrivilege	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
Token: SeIncBasePriorityPrivilege	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
Token: SeIncBasePriorityPrivilege	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
Token: SeIncBasePriorityPrivilege	920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
Token: SeIncBasePriorityPrivilege	1368	{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2680	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	87
PID 2136 wrote to memory of 2680	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	87
PID 2136 wrote to memory of 2680	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	87
PID 2136 wrote to memory of 3080	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	88
PID 2136 wrote to memory of 3080	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	88
PID 2136 wrote to memory of 3080	2136	2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe	88
PID 2680 wrote to memory of 3252	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	89
PID 2680 wrote to memory of 3252	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	89
PID 2680 wrote to memory of 3252	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	89
PID 2680 wrote to memory of 4116	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	90
PID 2680 wrote to memory of 4116	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	90
PID 2680 wrote to memory of 4116	2680	{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe	90
PID 3252 wrote to memory of 3596	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	94
PID 3252 wrote to memory of 3596	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	94
PID 3252 wrote to memory of 3596	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	94
PID 3252 wrote to memory of 3160	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	95
PID 3252 wrote to memory of 3160	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	95
PID 3252 wrote to memory of 3160	3252	{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe	95
PID 3596 wrote to memory of 3044	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	96
PID 3596 wrote to memory of 3044	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	96
PID 3596 wrote to memory of 3044	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	96
PID 3596 wrote to memory of 1816	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	97
PID 3596 wrote to memory of 1816	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	97
PID 3596 wrote to memory of 1816	3596	{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe	97
PID 3044 wrote to memory of 4848	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	98
PID 3044 wrote to memory of 4848	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	98
PID 3044 wrote to memory of 4848	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	98
PID 3044 wrote to memory of 3528	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	99
PID 3044 wrote to memory of 3528	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	99
PID 3044 wrote to memory of 3528	3044	{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe	99
PID 4848 wrote to memory of 4288	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	100
PID 4848 wrote to memory of 4288	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	100
PID 4848 wrote to memory of 4288	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	100
PID 4848 wrote to memory of 244	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	101
PID 4848 wrote to memory of 244	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	101
PID 4848 wrote to memory of 244	4848	{9024E94A-9A88-4e05-BC22-464979ADB124}.exe	101
PID 4288 wrote to memory of 3200	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	102
PID 4288 wrote to memory of 3200	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	102
PID 4288 wrote to memory of 3200	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	102
PID 4288 wrote to memory of 3004	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	103
PID 4288 wrote to memory of 3004	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	103
PID 4288 wrote to memory of 3004	4288	{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe	103
PID 3200 wrote to memory of 4372	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	107
PID 3200 wrote to memory of 4372	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	107
PID 3200 wrote to memory of 4372	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	107
PID 3200 wrote to memory of 1300	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	108
PID 3200 wrote to memory of 1300	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	108
PID 3200 wrote to memory of 1300	3200	{AEC3260B-7CA5-482e-8434-8C985513006C}.exe	108
PID 4372 wrote to memory of 4576	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	109
PID 4372 wrote to memory of 4576	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	109
PID 4372 wrote to memory of 4576	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	109
PID 4372 wrote to memory of 4836	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	110
PID 4372 wrote to memory of 4836	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	110
PID 4372 wrote to memory of 4836	4372	{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe	110
PID 4576 wrote to memory of 920	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	111
PID 4576 wrote to memory of 920	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	111
PID 4576 wrote to memory of 920	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	111
PID 4576 wrote to memory of 2968	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	112
PID 4576 wrote to memory of 2968	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	112
PID 4576 wrote to memory of 2968	4576	{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe	112
PID 920 wrote to memory of 1368	920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe	113
PID 920 wrote to memory of 1368	920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe	113
PID 920 wrote to memory of 1368	920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe	113
PID 920 wrote to memory of 1044	920	{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_2413457564c4054ca86b0f97858ad5ef_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
  C:\Windows\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
    C:\Windows\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Windows\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
      C:\Windows\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
        
        C:\Windows\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
        
        C:\Windows\{9024E94A-9A88-4e05-BC22-464979ADB124}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
        
        C:\Windows\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
        
        C:\Windows\{AEC3260B-7CA5-482e-8434-8C985513006C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
        
        C:\Windows\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
        
        C:\Windows\{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
        
        C:\Windows\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
        
        C:\Windows\{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe
        
        C:\Windows\{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14FD4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDB1~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5A4B~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{011B4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC32~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE5E5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9024E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A9A4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6618C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EE79C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{73AC9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{011B4DCD-A46B-4c5a-931C-EC7C589A5C14}.exe

Filesize
180KB

MD5
881ac4bc502362840ff1d01ba910fd12

SHA1
8c840995187072977d0ccd183f1c45ff4b73a60b

SHA256
c451190c067979ef5b33175d3258db4eaebe8dd13554d792dd26f623a7efd09b

SHA512
7897adc765cfc632a0089c964ef7aaa78115aeea95dccded1aa90684196b4438600c0ec44ff7856ecbf257f5f17b8f0fc5ae8b51f0d269af1a0fb2d9b4cd8419

Download Submit
C:\Windows\{14FD46D3-2E47-457c-A732-6A1920DF8B67}.exe

Filesize
180KB

MD5
9310e16d36c183cb0de7b279ef7a5404

SHA1
a050aab7f3a153daf7342253e7d6c3053870a6e9

SHA256
ba4461a8af3a0fb56ad140febcd20c1a0b61e9dbef259fd5f1c4813ece208349

SHA512
3bf2cd8c1c1c08eaef19449ae3df258ed6e0df249ebdf553ebd7d47d310294ded335df2df5b475386ab24b7d08b164ed00518351b21607630326cb85d162643b

Download Submit
C:\Windows\{6618C86F-DACA-45a4-AE30-63D500D0BBC1}.exe

Filesize
180KB

MD5
4a6310d27007a748b89aac0eecf77058

SHA1
d67efe8513f5c2dd808b2119f591c1710f8f522b

SHA256
2dcd91231beeeb63e2df9d76ffb0bfd66a8c9c8b457880e84a38575ec2ce381d

SHA512
8926e7df5803c4450141656605d0e72372131579c67f2862aeeced9fd6f07478a82134406c4d6530bb983a8fec09973b66cd36ddb5710d2cbf6a4fa9a6dfeb77

Download Submit
C:\Windows\{73AC91FA-3ACA-47fb-8D65-4A72499237A1}.exe

Filesize
180KB

MD5
1148ac1384b7ba12e8102e192840f6f1

SHA1
f4b4fc42d6c45b149eae7d0c76325116b71bea92

SHA256
a60beb0301c1083b7e3479f114a0c9b661352511ea53d6931a8e0d2644728796

SHA512
b83bb794c66688fe1301444bd39d69262095b39f7df913fd3b0c8bb6239397427a329ba631ed7dfaf930cc2687b758934522555726eb7962fe467a16c22eb6ad

Download Submit
C:\Windows\{9024E94A-9A88-4e05-BC22-464979ADB124}.exe

Filesize
180KB

MD5
0b0e9889b60be6bd9cb8862f62d9c18f

SHA1
ba20b43c7151c6e96ff3f6a675413fa380fd5e57

SHA256
126d5ba57ed497cb4b9ef0d1fe3f2701a9abbbd15bd39e4721a5cd5660c3c0da

SHA512
fadb4b9d047ddf1a73abe5f3540545a10163e998fd071c9c7b1d7b1a5fe2919b7a80f05bf30ddb3a149dd307fa928c83d6644692b9f2a83e84613d37daa18589

Download Submit
C:\Windows\{9A9A4CDC-4875-40b1-96BA-F4E088BA9FC8}.exe

Filesize
180KB

MD5
f8fa645507a51cf22581a505be234d0d

SHA1
fbbd570efd53aee0f4c68beebdb9851946e36ec2

SHA256
7baf9c329e1d8a16b9dd8bcac330d29a71a29d16036de623f2106ffd50a65ba2

SHA512
0508391a05875d8bdc62dce0cdd4ad3ff66f544454d7f285f683369966a0e0b19852e340a45d6441d4ab6a97e5873f85a293008b1d130122045365d520c17424

Download Submit
C:\Windows\{AEC3260B-7CA5-482e-8434-8C985513006C}.exe

Filesize
180KB

MD5
0f829ec5396be6895a6a89e882dd782e

SHA1
326b2732bdbd36ca89e7cfbf8790dc293e2c0034

SHA256
036b8737c59aa2c04100a0f4e786c2e28f7967f0931a66421263ad41246da219

SHA512
b8cb38ebbc9924d6c0020e3053f01f245d04ecaf5a6d09e98259cd8fbc53ecf269666e6c52aab3e24a64fe3cb7b6267db47d83775da5a30fddffc884a77b341d

Download Submit
C:\Windows\{B78743D3-66CA-406f-BCB5-7E932CA1D485}.exe

Filesize
180KB

MD5
b63caed7b6d57838abac4602323c88a2

SHA1
0d809b14da2efbfb24d07a2f1f152c5bff8a014f

SHA256
596b8a339ea9f84ba38e259dd9706fda7decc5e0406c3394f349ed91011f9d0c

SHA512
72050602b5e5a54ef783dab8e17a4d0a9e6495d7aedca4954a0a74169a8d4335d97c5ad9e502fe3e4643005fc5549b06446dfd1a8b0892024c8c502c3a514b1f

Download Submit
C:\Windows\{BE5E58E3-DA52-4c3c-A695-15EB60D38C60}.exe

Filesize
180KB

MD5
a23cc3155a1fdeec3155ad74aff3bbe4

SHA1
709aef14d7c28a6059e7b47a8f7280e6e7f7b08c

SHA256
18d02c999fe5d5af0d0318b29d985456d63efc9ab22f602f6a8711b6940db21a

SHA512
124018033c0cb18a2a6bd088868711ba3b3a8dc2a4a4fb699e1b4a82b46fdc486b7e78f288e35872dc6ec67f6ecb885b80fb468160c08be584b9a5f05139e7a9

Download Submit
C:\Windows\{CBDB1E5E-ED21-408d-9B0F-4840D0D86EAA}.exe

Filesize
180KB

MD5
d4df6f916d74d9f090bc34ce8c50fa87

SHA1
a7ac1af81ea2234d1b1a32f3e37ff146400aaf29

SHA256
86321ecab1405362b28908e692b2bc0e1729ae1e40040e429345c16fbc9763d7

SHA512
7f152979c30c9a1822bc6076940e0186e2db73fb5e01259def0a55bd5bf17f9a2ef3a876786703913521a1b573b05854e49a4c990720e49a193c77fbf22bd4c9

Download Submit
C:\Windows\{E5A4B751-82AD-4746-B643-A83E1DF52832}.exe

Filesize
180KB

MD5
11057b74b31fdccb787c7d3b426601aa

SHA1
096ac64a21b797c1f95d899186eed16040f7aeb0

SHA256
9682e3d9f866979cdca7a82dbd88e5542a51dbc6742e8f61a9f917783d2d2673

SHA512
070b6cceb20a716f660611d37dc19150b4b922635a3c989ed0059395b1a66fed247015f17116270ae4bd6eb50b5156d35d894983b67820c524c5f8b5b6891cb8

Download Submit
C:\Windows\{EE79C1A1-4A04-4daf-82DC-4A4635F6248A}.exe

Filesize
180KB

MD5
62547c17fabd584d8064efa038bd190d

SHA1
8f25891d3e49dfcc45974b7d1f6f56c73363f53a

SHA256
f6708a174a3792726c011fb7092101c1acede15414225030b9effd185b5d138e

SHA512
7f314bcb98a554df36c954df42109805389a1f9a99bd7bb048b197c47d17542b95071d6f5f7e5a62f986455772061bdbc64b6284b831451a0ac8ef0b1ad61864

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads