84022a542402ff42acfc624e88c77173e0262f64ac20ef74869b7488e3861e67

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Size

380KB
MD5

5372648664cdd5e18ae5248351fc0ecc
SHA1

581fecc7931bf7d9f7d389d14a386a0bf9a0a3a4
SHA256

84022a542402ff42acfc624e88c77173e0262f64ac20ef74869b7488e3861e67
SHA512

f598de50a5cc46cdef632bb978dd4aae969a174b7f4ebc24728ac3725fa84bcbfb031e24b55f0f9bc7f43dd08feb1a63435c40505d0bbc0b1a26c8d34297237f
SSDEEP

3072:mEGh0ojlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGFl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}\stubpath = "C:\\Windows\\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe"	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}\stubpath = "C:\\Windows\\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe"	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}\stubpath = "C:\\Windows\\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe"	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387BE3AF-E753-4883-ACE0-914923A34316}\stubpath = "C:\\Windows\\{387BE3AF-E753-4883-ACE0-914923A34316}.exe"	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF60CD1-F219-4e86-BA05-74444078E1F6}	{387BE3AF-E753-4883-ACE0-914923A34316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06624289-0FA2-45e5-8348-25845C0A6FC4}	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}\stubpath = "C:\\Windows\\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe"	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387BE3AF-E753-4883-ACE0-914923A34316}	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF60CD1-F219-4e86-BA05-74444078E1F6}\stubpath = "C:\\Windows\\{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe"	{387BE3AF-E753-4883-ACE0-914923A34316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}\stubpath = "C:\\Windows\\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe"	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}\stubpath = "C:\\Windows\\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe"	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}\stubpath = "C:\\Windows\\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe"	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}\stubpath = "C:\\Windows\\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe"	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}\stubpath = "C:\\Windows\\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe"	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06624289-0FA2-45e5-8348-25845C0A6FC4}\stubpath = "C:\\Windows\\{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe"	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
4952	{387BE3AF-E753-4883-ACE0-914923A34316}.exe
3928	{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
File created	C:\Windows\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
File created	C:\Windows\{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
File created	C:\Windows\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
File created	C:\Windows\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
File created	C:\Windows\{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe	{387BE3AF-E753-4883-ACE0-914923A34316}.exe
File created	C:\Windows\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
File created	C:\Windows\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
File created	C:\Windows\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
File created	C:\Windows\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
File created	C:\Windows\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
File created	C:\Windows\{387BE3AF-E753-4883-ACE0-914923A34316}.exe	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{387BE3AF-E753-4883-ACE0-914923A34316}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
Token: SeIncBasePriorityPrivilege	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
Token: SeIncBasePriorityPrivilege	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
Token: SeIncBasePriorityPrivilege	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
Token: SeIncBasePriorityPrivilege	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
Token: SeIncBasePriorityPrivilege	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
Token: SeIncBasePriorityPrivilege	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
Token: SeIncBasePriorityPrivilege	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
Token: SeIncBasePriorityPrivilege	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
Token: SeIncBasePriorityPrivilege	5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
Token: SeIncBasePriorityPrivilege	4952	{387BE3AF-E753-4883-ACE0-914923A34316}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1504	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	86
PID 1680 wrote to memory of 1504	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	86
PID 1680 wrote to memory of 1504	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	86
PID 1680 wrote to memory of 4996	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	87
PID 1680 wrote to memory of 4996	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	87
PID 1680 wrote to memory of 4996	1680	2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe	87
PID 1504 wrote to memory of 540	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	88
PID 1504 wrote to memory of 540	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	88
PID 1504 wrote to memory of 540	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	88
PID 1504 wrote to memory of 2128	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	89
PID 1504 wrote to memory of 2128	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	89
PID 1504 wrote to memory of 2128	1504	{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe	89
PID 540 wrote to memory of 4588	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	92
PID 540 wrote to memory of 4588	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	92
PID 540 wrote to memory of 4588	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	92
PID 540 wrote to memory of 2480	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	93
PID 540 wrote to memory of 2480	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	93
PID 540 wrote to memory of 2480	540	{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe	93
PID 4588 wrote to memory of 2672	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	96
PID 4588 wrote to memory of 2672	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	96
PID 4588 wrote to memory of 2672	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	96
PID 4588 wrote to memory of 1640	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	97
PID 4588 wrote to memory of 1640	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	97
PID 4588 wrote to memory of 1640	4588	{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe	97
PID 2672 wrote to memory of 1988	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	98
PID 2672 wrote to memory of 1988	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	98
PID 2672 wrote to memory of 1988	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	98
PID 2672 wrote to memory of 3520	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	99
PID 2672 wrote to memory of 3520	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	99
PID 2672 wrote to memory of 3520	2672	{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe	99
PID 1988 wrote to memory of 2736	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	100
PID 1988 wrote to memory of 2736	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	100
PID 1988 wrote to memory of 2736	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	100
PID 1988 wrote to memory of 2956	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	101
PID 1988 wrote to memory of 2956	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	101
PID 1988 wrote to memory of 2956	1988	{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe	101
PID 2736 wrote to memory of 2236	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	102
PID 2736 wrote to memory of 2236	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	102
PID 2736 wrote to memory of 2236	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	102
PID 2736 wrote to memory of 2060	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	103
PID 2736 wrote to memory of 2060	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	103
PID 2736 wrote to memory of 2060	2736	{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe	103
PID 2236 wrote to memory of 3096	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	104
PID 2236 wrote to memory of 3096	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	104
PID 2236 wrote to memory of 3096	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	104
PID 2236 wrote to memory of 4420	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	105
PID 2236 wrote to memory of 4420	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	105
PID 2236 wrote to memory of 4420	2236	{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe	105
PID 3096 wrote to memory of 1984	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	106
PID 3096 wrote to memory of 1984	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	106
PID 3096 wrote to memory of 1984	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	106
PID 3096 wrote to memory of 2252	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	107
PID 3096 wrote to memory of 2252	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	107
PID 3096 wrote to memory of 2252	3096	{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe	107
PID 1984 wrote to memory of 5100	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	108
PID 1984 wrote to memory of 5100	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	108
PID 1984 wrote to memory of 5100	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	108
PID 1984 wrote to memory of 704	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	109
PID 1984 wrote to memory of 704	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	109
PID 1984 wrote to memory of 704	1984	{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe	109
PID 5100 wrote to memory of 4952	5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe	110
PID 5100 wrote to memory of 4952	5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe	110
PID 5100 wrote to memory of 4952	5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe	110
PID 5100 wrote to memory of 1964	5100	{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_5372648664cdd5e18ae5248351fc0ecc_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
  C:\Windows\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
    C:\Windows\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
      C:\Windows\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
        
        C:\Windows\{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
        
        C:\Windows\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
        
        C:\Windows\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
        
        C:\Windows\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
        
        C:\Windows\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
        
        C:\Windows\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
        
        C:\Windows\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{387BE3AF-E753-4883-ACE0-914923A34316}.exe
        
        C:\Windows\{387BE3AF-E753-4883-ACE0-914923A34316}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe
        
        C:\Windows\{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{387BE~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B04A5~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19C22~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD889~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{883CC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5869F~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B1DF~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06624~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51AE0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F818C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C05A9~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06624289-0FA2-45e5-8348-25845C0A6FC4}.exe

Filesize
380KB

MD5
1bedcc50758cbc44a6188a084177fa23

SHA1
267668259d5feb3f353512516af75cb49f1849e1

SHA256
9d6d0ceca43ac2bcbe1444fab37ac07979c546f27fe505979dcff498eb7204e5

SHA512
f9afb40e46053881dccc0d7360474de90440e2ab3f0a9e6897bd63cdaa023bdcfd7ff652d714fc5e6861abf4709078b8632f88c941dc616ab6bddb49d4fcef3f

Download Submit
C:\Windows\{19C22AB8-C6A8-40c3-B9A2-A70D30359110}.exe

Filesize
380KB

MD5
addbbac1acc00e2cad81cd2ea31ebaf1

SHA1
ece7fa1fa157ab78e88b09eb16b2d378e7744e2f

SHA256
99b4ecea36f8648da0da13106c55dde7a968add7aa5eec2f865549fd4d50c333

SHA512
d4148ff0c8df77880bc34b822a50c9948e496e8130094859379e6fbbc4bfd31b47e4be3c608d976787b734c41b6d0557718e2dfafd8000d77936f1b8f54ce950

Download Submit
C:\Windows\{387BE3AF-E753-4883-ACE0-914923A34316}.exe

Filesize
380KB

MD5
7c99bb5316a64e176b4350f874366ba0

SHA1
4d1aa3727752414080a261a266cad6243ecb41c2

SHA256
682d008dff1e99457b8476fe4432f6c0c9401efe4dcc4b596ba1f45d94a563d5

SHA512
7ec5c763ebaebf4269c4e216aa67faf71b52fcf6add260609fb60d2f59446356d343fc73012ca3033b409c0e11b1535876d93ee2d77360461d0a0c6e06394934

Download Submit
C:\Windows\{51AE0594-21E5-41d3-9358-E1A769F1D4BE}.exe

Filesize
380KB

MD5
ce8f767731ce33d2de4e989f5a19b50e

SHA1
e9e1fb51f85a160c26a0aece20822d85fa1aa560

SHA256
ee60ea884326783cfd3bf2c09e131e99b36c86eb905398037528633a8d917eb9

SHA512
14a886d06be47f81d310779324ac7a9708211f84bac0ffe7cbba77dbf204b0171d6c4c50260bc687801e2e405120f9c5e1723d7a8765027234afd3f2df461ddb

Download Submit
C:\Windows\{5869F4B3-794A-4b0a-9DFC-61D2868D247A}.exe

Filesize
380KB

MD5
edbbc5cf17f0c3dbb94ce85911b37001

SHA1
00b93eaf652ee15e39b2bde54cada65bac2496d2

SHA256
eda47191eb71c81b7b0963f7e0a12330cdf6245877d1c7efa68d4f5f6f646159

SHA512
ef33f708370c6aacceceb2bc2c45dd907803d6626cfe199542df1bbc88d025d4f6a354ddc35d82dc53170098720911cd09530cc23d9c74086896c8bcb4b8a571

Download Submit
C:\Windows\{883CCF0F-94A5-43f0-9F5A-25B2AC3BF278}.exe

Filesize
380KB

MD5
6e469b11b6ac813eb2a0c497edd6162c

SHA1
7798208d354ee14e60820ca773d9556a61b89da4

SHA256
15ec0f0f15e5b5de65839c47a1a83ab564ec9c10f6712f73ecd9d064b30e104f

SHA512
369d32c3135bb3104c969864c131095dfe381afac5212c5ec97d33022f0dfdc2d00305bbb6ccecaf06660fb49b186abc9a2609c942d9a3837b6755eccfb2ec5a

Download Submit
C:\Windows\{8B1DFCB1-3A6B-49e2-A8B2-D43B1A33728B}.exe

Filesize
380KB

MD5
9ee327e7e2fa5c9dac3a47a2d6a5a4a5

SHA1
eeb4fa7c81e2ce829c49cfabd4cb275f023cf752

SHA256
ead058229e43b2674ddb2a51299aa31d19e7669b8a234efab5098680bce01292

SHA512
a39e98f7bfd45ba79b44d55343646bcaf76b1247491204a88747bdde2a524c478fab951e92552da44000c4358b0484024c6e0339c8df2b4af6459d952d8b9811

Download Submit
C:\Windows\{B04A5DEF-4CC2-497b-8E6D-53ABB272678F}.exe

Filesize
380KB

MD5
fa64c4deeeb1fc55a4d5dd99e1af5947

SHA1
da88feb8acd73d815343905d533c231651cce111

SHA256
71104da35f37144fce40e99322cdd71e99a7fd06e0a6577cc21921bed9b6cce9

SHA512
6386e10ecc98cfcbdcd63ab99298cb116e1573dedcedb8035776d0246d3ab622d64f4a079279979d73deb64740588b0eaeec834b20ddb1e7cb1ce28e7044a58c

Download Submit
C:\Windows\{BD889D5E-640A-4daf-8CEA-7F66A324D5B7}.exe

Filesize
380KB

MD5
c9e102697e5e828f200740a4b85da5b1

SHA1
009a6d2625190518f1d0ed78abec46b267778688

SHA256
0df7c07daac96889246caefae032c85db5cba137bcb5ee69427f9cceb31248e2

SHA512
f5a45db2c0230ba77457b4c3464e028806759084818be6e632b0a7960d93432c42220a3cdfc982a87a5caba6c9c676ba6b97c2b16b78464942876d0ad6485b1f

Download Submit
C:\Windows\{C05A97C4-8E71-438c-8CB9-0BE9550340AC}.exe

Filesize
380KB

MD5
ceae63a1fd9f120f251f4dda44e279e3

SHA1
7c2d4e97e48adff286999b882ad61c7b19eb25ea

SHA256
f0024b56e85e280a8c4c7b81bcedbd371fc24eecd9dceab64856f78c19b34c5c

SHA512
bd07cdf4c1df518951a94444d59c57ce12cdd8360f63471145c151a889001b409e0ce277f8614d0ddc59b9d19b66c138806e40b6d18d3abc755004143736d1c8

Download Submit
C:\Windows\{EEF60CD1-F219-4e86-BA05-74444078E1F6}.exe

Filesize
380KB

MD5
fad660e8b475306d7dc437174c050947

SHA1
f919b8212c7468f332b6e1f576d30b7259641f23

SHA256
b1863219811b2e756c88c11d1089b280900d241141c15bdf816fc87b565842ad

SHA512
e95e23c30f9286245791ad16c33ac9aad8b1bd852d83e1e51421f024052cee068cd851e9a831a5fe23af4346d6456d83e29ec478d1a0cab4bab5682bce45c86c

Download Submit
C:\Windows\{F818CD15-D636-41b0-86FB-C7C2BCBE9B6E}.exe

Filesize
380KB

MD5
2e452232256e84e308e244bfb0a01070

SHA1
79040d89a135a405728b0eeebd0e6fef6901b40c

SHA256
f581b5029ea3fd77e1bc72db244f105b3b7e4c343bbea03e0f2c4f4667f92e71

SHA512
830a869d4d0ad7a94fe35d99aa3446ab6500c2155480e158b8f85f4bf2c634f55e86df1291990e583d4a56804d5550d5dbc6fedf6933a2cc29052179bbcb8fab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads