79941d1fcddc7a69d4c12082a81b525cf50c042b4b5d65fd218633a41366676c

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 17:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
Size

372KB
MD5

649aea642e115b2beb06192eab10b604
SHA1

76496aa9ae49a33c1e14ec996c951d1325a839b7
SHA256

79941d1fcddc7a69d4c12082a81b525cf50c042b4b5d65fd218633a41366676c
SHA512

8e21a4c44dbf1b18ad5480040e9a68ce40c6f3cbad87749fe6ab0ed4c0eed4a3b39701343486ae00b3866d6f1ccfd4f7bc72e16179a95fee6a0ed6c216bcad85
SSDEEP

3072:CEGh0oblMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGZlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8613CB1-0DA9-4073-851B-111ADC548052}	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8613CB1-0DA9-4073-851B-111ADC548052}\stubpath = "C:\\Windows\\{A8613CB1-0DA9-4073-851B-111ADC548052}.exe"	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969698C0-918A-4deb-8DFB-E662EAE8AD11}\stubpath = "C:\\Windows\\{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe"	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A0DA706-1693-48d6-8977-4B8E63A5F319}\stubpath = "C:\\Windows\\{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe"	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}\stubpath = "C:\\Windows\\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe"	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{969698C0-918A-4deb-8DFB-E662EAE8AD11}	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}\stubpath = "C:\\Windows\\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe"	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}\stubpath = "C:\\Windows\\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe"	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8061DFF6-20DE-4699-95A1-F12D868F594F}	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8061DFF6-20DE-4699-95A1-F12D868F594F}\stubpath = "C:\\Windows\\{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe"	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}\stubpath = "C:\\Windows\\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe"	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E28781-BD6C-4934-BBBD-4573F716E77C}\stubpath = "C:\\Windows\\{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe"	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A0DA706-1693-48d6-8977-4B8E63A5F319}	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}\stubpath = "C:\\Windows\\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe"	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}\stubpath = "C:\\Windows\\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe"	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8E28781-BD6C-4934-BBBD-4573F716E77C}	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}\stubpath = "C:\\Windows\\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe"	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
3784	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
1476	{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
File created	C:\Windows\{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
File created	C:\Windows\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
File created	C:\Windows\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
File created	C:\Windows\{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
File created	C:\Windows\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
File created	C:\Windows\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
File created	C:\Windows\{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
File created	C:\Windows\{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
File created	C:\Windows\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
File created	C:\Windows\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
File created	C:\Windows\{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
Token: SeIncBasePriorityPrivilege	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
Token: SeIncBasePriorityPrivilege	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
Token: SeIncBasePriorityPrivilege	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
Token: SeIncBasePriorityPrivilege	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
Token: SeIncBasePriorityPrivilege	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
Token: SeIncBasePriorityPrivilege	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
Token: SeIncBasePriorityPrivilege	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
Token: SeIncBasePriorityPrivilege	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
Token: SeIncBasePriorityPrivilege	4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
Token: SeIncBasePriorityPrivilege	3784	{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4956	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	86
PID 3784 wrote to memory of 4956	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	86
PID 3784 wrote to memory of 4956	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	86
PID 3784 wrote to memory of 4468	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	87
PID 3784 wrote to memory of 4468	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	87
PID 3784 wrote to memory of 4468	3784	2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe	87
PID 4956 wrote to memory of 1640	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	88
PID 4956 wrote to memory of 1640	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	88
PID 4956 wrote to memory of 1640	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	88
PID 4956 wrote to memory of 4764	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	89
PID 4956 wrote to memory of 4764	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	89
PID 4956 wrote to memory of 4764	4956	{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe	89
PID 1640 wrote to memory of 4324	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	94
PID 1640 wrote to memory of 4324	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	94
PID 1640 wrote to memory of 4324	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	94
PID 1640 wrote to memory of 2644	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	95
PID 1640 wrote to memory of 2644	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	95
PID 1640 wrote to memory of 2644	1640	{A8613CB1-0DA9-4073-851B-111ADC548052}.exe	95
PID 4324 wrote to memory of 1348	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	97
PID 4324 wrote to memory of 1348	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	97
PID 4324 wrote to memory of 1348	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	97
PID 4324 wrote to memory of 556	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	98
PID 4324 wrote to memory of 556	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	98
PID 4324 wrote to memory of 556	4324	{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe	98
PID 1348 wrote to memory of 4100	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	100
PID 1348 wrote to memory of 4100	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	100
PID 1348 wrote to memory of 4100	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	100
PID 1348 wrote to memory of 2188	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	101
PID 1348 wrote to memory of 2188	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	101
PID 1348 wrote to memory of 2188	1348	{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe	101
PID 4100 wrote to memory of 4272	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	102
PID 4100 wrote to memory of 4272	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	102
PID 4100 wrote to memory of 4272	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	102
PID 4100 wrote to memory of 3472	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	103
PID 4100 wrote to memory of 3472	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	103
PID 4100 wrote to memory of 3472	4100	{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe	103
PID 4272 wrote to memory of 2516	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	104
PID 4272 wrote to memory of 2516	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	104
PID 4272 wrote to memory of 2516	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	104
PID 4272 wrote to memory of 3136	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	105
PID 4272 wrote to memory of 3136	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	105
PID 4272 wrote to memory of 3136	4272	{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe	105
PID 2516 wrote to memory of 2080	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	106
PID 2516 wrote to memory of 2080	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	106
PID 2516 wrote to memory of 2080	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	106
PID 2516 wrote to memory of 3280	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	107
PID 2516 wrote to memory of 3280	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	107
PID 2516 wrote to memory of 3280	2516	{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe	107
PID 2080 wrote to memory of 4280	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	108
PID 2080 wrote to memory of 4280	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	108
PID 2080 wrote to memory of 4280	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	108
PID 2080 wrote to memory of 3080	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	109
PID 2080 wrote to memory of 3080	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	109
PID 2080 wrote to memory of 3080	2080	{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe	109
PID 4280 wrote to memory of 4036	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	110
PID 4280 wrote to memory of 4036	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	110
PID 4280 wrote to memory of 4036	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	110
PID 4280 wrote to memory of 4740	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	111
PID 4280 wrote to memory of 4740	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	111
PID 4280 wrote to memory of 4740	4280	{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe	111
PID 4036 wrote to memory of 3784	4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe	112
PID 4036 wrote to memory of 3784	4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe	112
PID 4036 wrote to memory of 3784	4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe	112
PID 4036 wrote to memory of 620	4036	{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_649aea642e115b2beb06192eab10b604_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
  C:\Windows\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
    C:\Windows\{A8613CB1-0DA9-4073-851B-111ADC548052}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
      C:\Windows\{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
        
        C:\Windows\{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
        
        C:\Windows\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
        
        C:\Windows\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
        
        C:\Windows\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
        
        C:\Windows\{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
        
        C:\Windows\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
        
        C:\Windows\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
        
        C:\Windows\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
        
        C:\Windows\{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe
        
        C:\Windows\{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAFBF~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5F5D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFBAC~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8E28~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E30BA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCC0F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{196B9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96969~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8061D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A8613~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B61~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{196B9B7E-2B6B-4c6f-990A-1B2BB41F4AC9}.exe

Filesize
372KB

MD5
8445ba720d97716d85a0c49190d8a607

SHA1
ee682f2b70e2728e28cd8becb3ccb33e770f77e3

SHA256
2a8a112b29d1416919617e235d7e7c568bf2b41f750c6aec4edca02d346ec9ba

SHA512
f08c7eb1c7e9722abc2d315f4de60364d3cdcc6488155c5fc126f6bae7af53f6fdf3524f2371b6ce875957152ecaaab33c4cfda051a73201c3d85d9d7f9a05f8

Download Submit
C:\Windows\{3A0DA706-1693-48d6-8977-4B8E63A5F319}.exe

Filesize
372KB

MD5
910754b7566f65ad577bc6d3d5d872bb

SHA1
6c262b59282bedab75410ce8c1a7d651d79e8dc3

SHA256
41d1232ea2c9e9afba90bc9ecd6ab69371bd0084ca4694b82ed6f144a2eb81de

SHA512
e1643032e46321370cefeecf724288e979673f8f2d41f281f056f0b0bb8a7c711104eaa6b8947d79763aa7fa175279a0620b0b8c74a2c89d43d855252f13d5ba

Download Submit
C:\Windows\{8061DFF6-20DE-4699-95A1-F12D868F594F}.exe

Filesize
372KB

MD5
347984ed7538ea5ece5ccd82046f7dc3

SHA1
5c4c2b0ba41fee36d27f96e94ee1760238d27c42

SHA256
5ebd375df276ee4cac7427b605c082c459a398b9735682e3fe099a4afea01c21

SHA512
f24050feb32b104373acb97e046e0472937725ec50f5d304e368825bb105c65b384a738d4b35f12378a75f9c08a70dbd560dd2fe466ad78f4a8e69a78533f25e

Download Submit
C:\Windows\{969698C0-918A-4deb-8DFB-E662EAE8AD11}.exe

Filesize
372KB

MD5
de71d00ab64a14fa7a79c3ebf72822d4

SHA1
26265b82894b40b59aa8005204d88c5a08086870

SHA256
e4702f8871f8ad5b3d685c8c03bb011845bcbaf99efa65c528f9c38d68f753a2

SHA512
ed24d12ac5b42ae2cd2eff2cd25a46241f237cef12997e348228f8b4f3916d3474ee4498da21bbdaac969c0a9814397a3405a664e3631acf83a44ec74e4caae0

Download Submit
C:\Windows\{A8613CB1-0DA9-4073-851B-111ADC548052}.exe

Filesize
372KB

MD5
22b37e5a0cd51b17f1d1d8043c55e7fd

SHA1
149e2ce4ca2446caf2f24e56875acfdfec6c7f73

SHA256
c7316bdfd05e42c1399b8832f0909d9cb5bfbc628cf73f25996368ae61551398

SHA512
4b64a1e8cc543aa0ff932456dbda977c20963a0cae56a08f531f240b3ff53225d914e16802224a7f07ee5cb1c3bce260b4e168553a28bcfb04c01d45b5eee32d

Download Submit
C:\Windows\{A9B61C0B-BCD8-47b9-82FD-9CE3929308C8}.exe

Filesize
372KB

MD5
37b02c96a7ee88f34663a8cfe48be6ae

SHA1
1ddf3f464ac8131d84537dbfb4c7b3465f0aa983

SHA256
e311e4c72acfb45287175830c642a4a907935dc2323ba3c4b1dae9a695776d35

SHA512
d91e9ab9fcaa4466529561d011482c7a6f1464b59824b9c3954e04fb97ac112759f0ade2e1762267d808b429119c0f19077d930585da33efc32116b5fd4a7930

Download Submit
C:\Windows\{AAFBF91E-AA5C-448f-8E74-83B523A86CCB}.exe

Filesize
372KB

MD5
a73be9d2f18e108e65664409b1ed0e39

SHA1
427231aad0f0926657493457ed0db1ac9d0bbc05

SHA256
3936bd9a5883490c2427638b88fc1e1712e11577b511d84e58fe36d0c5f85d1d

SHA512
e002e382c3171c8be2cfc206d680d74bbe8e30bc5b05394dceda9f25a8f5478d353d7214a3767c4545e32ac0981f50e98b4e16ec35de8c8598dd338ad70660b6

Download Submit
C:\Windows\{B8E28781-BD6C-4934-BBBD-4573F716E77C}.exe

Filesize
372KB

MD5
af1cedc4c8fa7648a571e28d3c0a771d

SHA1
9acf941a425f061490c225c54fbe5fb97f2cdf54

SHA256
87496103be35a3eedd187fedbbe3e2152df90fa76994a805520be2e734e7a376

SHA512
b1a82f03beeee8ded071cd2c0d8f67259d99d5f45649908aee0cffa87d88f542d12bc8f327f16f2a1d2189bba9242792ac6b4ec26770d31460a4af2a76adebb2

Download Submit
C:\Windows\{DCC0FAA9-716B-4ff8-A8E3-611E21072400}.exe

Filesize
372KB

MD5
c426ad43fbbfdebd91f6abc7918b75c8

SHA1
e72fa7b4f60b72a9b35140504a9673450d597056

SHA256
46227cb41508885c92b220ddf31f4a0e18c27bb7a011de58a1bb0c434acfe48c

SHA512
06504521b7b8074fde0f50c74f7553d4f4ab69c66dbe41893914e3516bb91fad431b5e126f3d11316f70c34f7baf9df81989465411d6d1d68721957bd195de48

Download Submit
C:\Windows\{E30BA9B5-2CFC-4e21-888B-ADC925C85B77}.exe

Filesize
372KB

MD5
297c67c6f94594178f89816a09ba99d5

SHA1
37189f9718a224b197ccd8fcd41aab5410de15da

SHA256
6a13488350f4a54e6fd6c8fefa90861d5767051d88cab7da9c85e8f81aab19d3

SHA512
6a021334cf30923b113e699ec4719fd667c8f0a57ab53591e6a732569337945c4909a37a6d9f9c7c11ed1524fa9d5c0a2cb5f1744f58e412569509118f38d64a

Download Submit
C:\Windows\{E5F5D399-56ED-47ce-A3CC-50357FB8FC6A}.exe

Filesize
372KB

MD5
951f5bbfbf47468ae12356830e8a86fe

SHA1
e3ca28f815b3a2989fa4b74d1f0becfd6e7a6e88

SHA256
78e0ef8383aba7b07e771bbe74e9ae1d7c758bfd7ff775d6d7d8cc6d44cbc61d

SHA512
10eb548f4e2d4437346c1640cefde284a875ffd952c7245f0af82d8bc549eeed442c686acc30d253fef6e2e3af5970dc20d6bebf2a0ab18948fffe807a2460c4

Download Submit
C:\Windows\{FFBAC412-D5AD-4bcf-8E1C-BB02ECCCEFE7}.exe

Filesize
372KB

MD5
76c231ceed841c8730ca52f7f9d09a59

SHA1
5b9eb80d6b753b809c122b6885bbedd4bdea0a59

SHA256
d7ea861b00f6d3e8f6fac5e673ccb2dcd114702aa86b940257d893572fe202c8

SHA512
5d8e8a622ae883dca0138982e5633cf1836469a9f59c4b9b0bb4865bc4992e9ac6af9b54f5d11e42a6275d470832e5f7809b2777adc807c0fc380fd1cc20a278

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads