ff3ea2abc932cd69002f47eb7e92157f8a43fea2e3d1c5d6b529760dd6d6d004

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Size

380KB
MD5

0ece39ba2e3f44647774f23bb76803b0
SHA1

5b90ed455ca376c486f1ab1d480828f0c9b23efa
SHA256

ff3ea2abc932cd69002f47eb7e92157f8a43fea2e3d1c5d6b529760dd6d6d004
SHA512

351cd26de5649883d3e6b42066c59812933a16e2ab5da0e67848d94fff7c2a4fcc3a5278bbed6d52c37b49d1e4e7ba509b6c7cc53dc8ac530dc1e9a3e091ae17
SSDEEP

3072:mEGh0oqlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGIl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}\stubpath = "C:\\Windows\\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe"	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8582FD1A-F777-4117-9732-1801E500D515}	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C4EF18-F949-453b-BDA5-A8C31959E691}	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}	{8582FD1A-F777-4117-9732-1801E500D515}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}\stubpath = "C:\\Windows\\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe"	{8582FD1A-F777-4117-9732-1801E500D515}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C4EF18-F949-453b-BDA5-A8C31959E691}\stubpath = "C:\\Windows\\{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe"	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}\stubpath = "C:\\Windows\\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe"	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F38F7D-061D-4127-9053-EC31B49AED1F}	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}\stubpath = "C:\\Windows\\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe"	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}\stubpath = "C:\\Windows\\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe"	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}\stubpath = "C:\\Windows\\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe"	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8582FD1A-F777-4117-9732-1801E500D515}\stubpath = "C:\\Windows\\{8582FD1A-F777-4117-9732-1801E500D515}.exe"	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22F38F7D-061D-4127-9053-EC31B49AED1F}\stubpath = "C:\\Windows\\{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe"	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}\stubpath = "C:\\Windows\\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe"	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}\stubpath = "C:\\Windows\\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe"	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}\stubpath = "C:\\Windows\\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe"	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe

Executes dropped EXE 12 IoCs

pid	Process
3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe
2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
3668	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
2168	{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
File created	C:\Windows\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
File created	C:\Windows\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	{8582FD1A-F777-4117-9732-1801E500D515}.exe
File created	C:\Windows\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
File created	C:\Windows\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
File created	C:\Windows\{8582FD1A-F777-4117-9732-1801E500D515}.exe	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
File created	C:\Windows\{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
File created	C:\Windows\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
File created	C:\Windows\{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
File created	C:\Windows\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
File created	C:\Windows\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
File created	C:\Windows\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8582FD1A-F777-4117-9732-1801E500D515}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
Token: SeIncBasePriorityPrivilege	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
Token: SeIncBasePriorityPrivilege	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
Token: SeIncBasePriorityPrivilege	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
Token: SeIncBasePriorityPrivilege	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
Token: SeIncBasePriorityPrivilege	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
Token: SeIncBasePriorityPrivilege	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
Token: SeIncBasePriorityPrivilege	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe
Token: SeIncBasePriorityPrivilege	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
Token: SeIncBasePriorityPrivilege	1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
Token: SeIncBasePriorityPrivilege	3668	{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3308	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	86
PID 4944 wrote to memory of 3308	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	86
PID 4944 wrote to memory of 3308	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	86
PID 4944 wrote to memory of 2060	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	87
PID 4944 wrote to memory of 2060	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	87
PID 4944 wrote to memory of 2060	4944	2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe	87
PID 3308 wrote to memory of 5076	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	88
PID 3308 wrote to memory of 5076	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	88
PID 3308 wrote to memory of 5076	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	88
PID 3308 wrote to memory of 100	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	89
PID 3308 wrote to memory of 100	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	89
PID 3308 wrote to memory of 100	3308	{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe	89
PID 5076 wrote to memory of 1176	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	92
PID 5076 wrote to memory of 1176	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	92
PID 5076 wrote to memory of 1176	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	92
PID 5076 wrote to memory of 5036	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	93
PID 5076 wrote to memory of 5036	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	93
PID 5076 wrote to memory of 5036	5076	{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe	93
PID 1176 wrote to memory of 1348	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	96
PID 1176 wrote to memory of 1348	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	96
PID 1176 wrote to memory of 1348	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	96
PID 1176 wrote to memory of 1956	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	97
PID 1176 wrote to memory of 1956	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	97
PID 1176 wrote to memory of 1956	1176	{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe	97
PID 1348 wrote to memory of 2980	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	98
PID 1348 wrote to memory of 2980	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	98
PID 1348 wrote to memory of 2980	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	98
PID 1348 wrote to memory of 1156	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	99
PID 1348 wrote to memory of 1156	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	99
PID 1348 wrote to memory of 1156	1348	{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe	99
PID 2980 wrote to memory of 1784	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	100
PID 2980 wrote to memory of 1784	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	100
PID 2980 wrote to memory of 1784	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	100
PID 2980 wrote to memory of 1752	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	101
PID 2980 wrote to memory of 1752	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	101
PID 2980 wrote to memory of 1752	2980	{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe	101
PID 1784 wrote to memory of 1824	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	102
PID 1784 wrote to memory of 1824	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	102
PID 1784 wrote to memory of 1824	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	102
PID 1784 wrote to memory of 4896	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	103
PID 1784 wrote to memory of 4896	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	103
PID 1784 wrote to memory of 4896	1784	{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe	103
PID 1824 wrote to memory of 4132	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	104
PID 1824 wrote to memory of 4132	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	104
PID 1824 wrote to memory of 4132	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	104
PID 1824 wrote to memory of 2668	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	105
PID 1824 wrote to memory of 2668	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	105
PID 1824 wrote to memory of 2668	1824	{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe	105
PID 4132 wrote to memory of 2152	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	106
PID 4132 wrote to memory of 2152	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	106
PID 4132 wrote to memory of 2152	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	106
PID 4132 wrote to memory of 3996	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	107
PID 4132 wrote to memory of 3996	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	107
PID 4132 wrote to memory of 3996	4132	{8582FD1A-F777-4117-9732-1801E500D515}.exe	107
PID 2152 wrote to memory of 1088	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	108
PID 2152 wrote to memory of 1088	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	108
PID 2152 wrote to memory of 1088	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	108
PID 2152 wrote to memory of 3232	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	109
PID 2152 wrote to memory of 3232	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	109
PID 2152 wrote to memory of 3232	2152	{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe	109
PID 1088 wrote to memory of 3668	1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe	110
PID 1088 wrote to memory of 3668	1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe	110
PID 1088 wrote to memory of 3668	1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe	110
PID 1088 wrote to memory of 1284	1088	{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_0ece39ba2e3f44647774f23bb76803b0_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
  C:\Windows\{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
    C:\Windows\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
      C:\Windows\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
        
        C:\Windows\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
        
        C:\Windows\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
        
        C:\Windows\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
        
        C:\Windows\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{8582FD1A-F777-4117-9732-1801E500D515}.exe
        
        C:\Windows\{8582FD1A-F777-4117-9732-1801E500D515}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
        
        C:\Windows\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
        
        C:\Windows\{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
        
        C:\Windows\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Windows\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe
        
        C:\Windows\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91A09~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C4E~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A30F6~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8582F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60DA6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1ACF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F541F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FDC4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BA6C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF9E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{22F38~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C7D3E57-9CEB-41c8-A1A1-87D97B38C18A}.exe

Filesize
380KB

MD5
159af1b3b607b3b7a3d18092f64c72b0

SHA1
f6d0fb6066ca552e9130aa3555dd72c85e7bbccc

SHA256
02e39dd7c2c76026643e61bf439821dcc41aedb4096568e043587744a8506479

SHA512
b169648da7ba40bf5b37a3a184db51f6e742e20d8e64a3d7d3f1e161a8ea830e0649258aba3a6ee47fcd1cb5252806b3a73dfc48cefe35f5d63775cee662063f

Download Submit
C:\Windows\{22F38F7D-061D-4127-9053-EC31B49AED1F}.exe

Filesize
380KB

MD5
a3533092643e29a559b36dfd7632a2aa

SHA1
f6afa1a54c1bb2795c682726ffebb3acd75626e4

SHA256
835cdbf4e886fdf3ea38a1f3a22a7d12e2041b7c1c5978177fef2a24e0c09952

SHA512
a1fb4d68c1b46514ef58e70ad5eb642f864dfe32252a06cd021196f01b64136d1f6f865f4459a5537c06d407844b361a1a0ce39521d3dceb8037006a64bba6b0

Download Submit
C:\Windows\{60DA6944-15E5-4096-9C8D-D370F90CB5D0}.exe

Filesize
380KB

MD5
1f1bc9b45c1ab7ef8e4f70813d798187

SHA1
52b78d69882643a91b515e963a49f6ca197a575a

SHA256
c7d80a2caded52fd79fc7828e423a1f1d0711e543ed28d9a065850f6358ae6e0

SHA512
2443785bd4f8b981905db27ffb597c9318fa1cfc50923d6441300bd5a89a9f499cc84e05cd67b9e9128816b4c5b2dfa7da88ac64af4c2f7696a6f58e04b6b15d

Download Submit
C:\Windows\{6FDC42BB-80A8-4a36-B858-F40C8C8BAAF2}.exe

Filesize
380KB

MD5
f972d9d18860a67440700cfed3aec14c

SHA1
f577bb07bf5f0d52b13315c56f3799385c23c9b0

SHA256
8158ae8455f22f433fb5cad5bc83b0417ec85c0801ccbc8a561db29acb5d2107

SHA512
31ae710eaf48d651944151d9e578105c5e8f797d6e96996c1c96d2e1b8bb58704eb5d041942243565d8e1537765da63de093ebb3a017cda46474f511155389c5

Download Submit
C:\Windows\{78C4EF18-F949-453b-BDA5-A8C31959E691}.exe

Filesize
380KB

MD5
1f0f64fa20a6f7ebe3c8677466a6a43e

SHA1
41121ac7df4e482d919f80c6d37e9a3068b20a7c

SHA256
fd56ff5a1be028722590ca34fd54caa8683ac29ccb2e7d7e3476970b3f80b6b4

SHA512
1cf582930b7d7d8e470e5009060ea8342de5b41c9a57b3c9d56094ddb81678a8cab916700e5d4cbd163c08a5f25fbb6be13022e5bd2b2ac66c1e77f7d276eca5

Download Submit
C:\Windows\{8582FD1A-F777-4117-9732-1801E500D515}.exe

Filesize
380KB

MD5
508152c3b0fbc6ef5b6510fedb6ecd29

SHA1
5def3dc5477db558fce3a8a36aa90a74cae36a09

SHA256
1ea6d739d075518b807accb9dccad01531c69198db13186182dd8a45ffb25eb1

SHA512
36eb1134614aeaec778609f41bcf3008571d9b0e95631b1c1cddd5e2c14ad6bcd10b560bf8722471e777ed516ecd8f3583d079aaf29572b702823f6ebad9c64c

Download Submit
C:\Windows\{91A090CC-5E4B-4152-B7E8-0F4533C0BD6C}.exe

Filesize
380KB

MD5
f889e99c1040fbd20c2a09090c263955

SHA1
1503ab68014e14af22ef8ec63bca052a753a2c2d

SHA256
0dc7d7b52b412201ae476f3200eadc245508ee9e442375ea81c3c7fb42b020bf

SHA512
c5ab1b70ccae6439c861c4ef7539870cd7c519026ede3aacafc0d7268d91192c0e051dbad5b33689b0f3754038a0f13cde13d5148f6e5159824e1e79d86f4ba1

Download Submit
C:\Windows\{9BA6C088-FAB9-4fff-82BB-D100868AD4AF}.exe

Filesize
380KB

MD5
dee904ce1379370ee44b3ed233c5e020

SHA1
f9a58efa9de309c9e0479acb78b977d7821993df

SHA256
4c440bbd960afddec11a8226b49ebf49c5ae364e6ebcbdfda947131d0abdf31b

SHA512
cfab6fc4a4e3695e6b047f93ac3ce85769d45ff1159e300c31765c3b1287661cb4ffc5abd37efd5acbcecb65cffb7045d64eca6a674d327cef91963d2cb675c9

Download Submit
C:\Windows\{A1ACF861-93E4-4abc-B5D4-BE0F9EB4531C}.exe

Filesize
380KB

MD5
ec98d42fb4bddf11f9d6d6420dd900f0

SHA1
1c84020d4c6c7b3a6ee71b98cc4d191bed13fce9

SHA256
35786ffe4d9d791e74051cb592c1787dc0a76cb8fa6958d4dc00664f94a83661

SHA512
edaa4d6df5b23190ac603025bbf1aad71db7a28e547e7239b5d73cd2ca431188189de82f3dcdfb1fa6d0e53f80a2e232f4b3581faf67424e1c7dae8f42a2d33f

Download Submit
C:\Windows\{A30F6517-CA91-4c6f-9762-3F1B5E85301A}.exe

Filesize
380KB

MD5
14e3a66c9615100b8877d0eb5b0d75d4

SHA1
f0a143cda77827709351ec03adc3ab53da59ed9f

SHA256
cc1b9a50ada6f9e6de77d60a0fb8dfb9ef9f9f5b932fdb1cb57291f0bd5d8042

SHA512
b5c1b1942e9c9e9b0dd05a1674eadabea6ea9ce94c46ea157d52faa457758d89d6fa815ff965c1eeccb5f37c71f9658658fa718a903d473bf0590921cd61bbb4

Download Submit
C:\Windows\{F541F125-DB35-485b-A2FE-BD6DE8D9A64C}.exe

Filesize
380KB

MD5
23f767221d224fabb62723cd65a22738

SHA1
2913a69ef78d34f2204e38886ba407078f6b21b8

SHA256
45580aea5e7c352daf6c0f41a04c2640651871b9742051c3e6b479a9eb1f15b7

SHA512
d40e6894806fa2c6c7a35407b7b9a43a71f2833cb6932f1e07b6c8ec44e18690f294cd1b97f3bc2b6ae8642ef751559c3dbfb17dbafdd222fbcf6fc68818979b

Download Submit
C:\Windows\{FFF9EF6E-8A2D-44f2-9157-6644269D545B}.exe

Filesize
380KB

MD5
9f1422eff391b63a6962dd379ff739ba

SHA1
087b5586b8d38978b7fa3a572e3c80d18c052833

SHA256
00946580738d800cfc9b0c69dd849d9a7ff4c87b121da509c538060b771ff30e

SHA512
5e5e9f5765153dada35df140ab05e0e500059749367c29cbf4c9fa51f7834a826a042310fb209057e8a31464d8c79b8db40060a0b5094d6cce21e249ecfc6d00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads