cc987d9a18ddedd0deb8081a0cde8127753e982ef3ed2df8674f8e6eb07f1b9b

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
Size

408KB
MD5

a46f44d83e516aa5529d86db755e7cb9
SHA1

2fd83e95faa1195d2c08831c5b1415340be09992
SHA256

cc987d9a18ddedd0deb8081a0cde8127753e982ef3ed2df8674f8e6eb07f1b9b
SHA512

847ab4fffb1f412b3b00a32d5233b4c22ecf80f53f11afdc65ea0704bb40ccc68fc14b38190862d45845d56171c48aec1c3ccb7b14b1e78b5eb65e237a8df6f2
SSDEEP

3072:CEGh0oAl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG2ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}\stubpath = "C:\\Windows\\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe"	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{233827EE-BA44-4956-8262-C702DAE336B4}\stubpath = "C:\\Windows\\{233827EE-BA44-4956-8262-C702DAE336B4}.exe"	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}\stubpath = "C:\\Windows\\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe"	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{233827EE-BA44-4956-8262-C702DAE336B4}	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}\stubpath = "C:\\Windows\\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe"	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}\stubpath = "C:\\Windows\\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe"	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03B2DB92-0C58-4c91-A193-FDA094253342}\stubpath = "C:\\Windows\\{03B2DB92-0C58-4c91-A193-FDA094253342}.exe"	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}\stubpath = "C:\\Windows\\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe"	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}\stubpath = "C:\\Windows\\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe"	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}\stubpath = "C:\\Windows\\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe"	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C6FA54-1508-40fc-8B22-7903B645994C}	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49C6FA54-1508-40fc-8B22-7903B645994C}\stubpath = "C:\\Windows\\{49C6FA54-1508-40fc-8B22-7903B645994C}.exe"	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}\stubpath = "C:\\Windows\\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe"	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}\stubpath = "C:\\Windows\\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe"	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03B2DB92-0C58-4c91-A193-FDA094253342}	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe

Executes dropped EXE 12 IoCs

pid	Process
4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
220	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe
1108	{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
File created	C:\Windows\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
File created	C:\Windows\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
File created	C:\Windows\{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
File created	C:\Windows\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
File created	C:\Windows\{233827EE-BA44-4956-8262-C702DAE336B4}.exe	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
File created	C:\Windows\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
File created	C:\Windows\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
File created	C:\Windows\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
File created	C:\Windows\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
File created	C:\Windows\{49C6FA54-1508-40fc-8B22-7903B645994C}.exe	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
File created	C:\Windows\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
Token: SeIncBasePriorityPrivilege	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
Token: SeIncBasePriorityPrivilege	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe
Token: SeIncBasePriorityPrivilege	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
Token: SeIncBasePriorityPrivilege	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
Token: SeIncBasePriorityPrivilege	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
Token: SeIncBasePriorityPrivilege	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
Token: SeIncBasePriorityPrivilege	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
Token: SeIncBasePriorityPrivilege	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
Token: SeIncBasePriorityPrivilege	4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
Token: SeIncBasePriorityPrivilege	220	{49C6FA54-1508-40fc-8B22-7903B645994C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 4204	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	89
PID 664 wrote to memory of 4204	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	89
PID 664 wrote to memory of 4204	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	89
PID 664 wrote to memory of 4992	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	90
PID 664 wrote to memory of 4992	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	90
PID 664 wrote to memory of 4992	664	2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe	90
PID 4204 wrote to memory of 3628	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	91
PID 4204 wrote to memory of 3628	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	91
PID 4204 wrote to memory of 3628	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	91
PID 4204 wrote to memory of 1340	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	92
PID 4204 wrote to memory of 1340	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	92
PID 4204 wrote to memory of 1340	4204	{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe	92
PID 3628 wrote to memory of 4356	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	105
PID 3628 wrote to memory of 4356	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	105
PID 3628 wrote to memory of 4356	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	105
PID 3628 wrote to memory of 2060	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	106
PID 3628 wrote to memory of 2060	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	106
PID 3628 wrote to memory of 2060	3628	{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe	106
PID 4356 wrote to memory of 4168	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	110
PID 4356 wrote to memory of 4168	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	110
PID 4356 wrote to memory of 4168	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	110
PID 4356 wrote to memory of 3552	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	111
PID 4356 wrote to memory of 3552	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	111
PID 4356 wrote to memory of 3552	4356	{233827EE-BA44-4956-8262-C702DAE336B4}.exe	111
PID 4168 wrote to memory of 4460	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	113
PID 4168 wrote to memory of 4460	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	113
PID 4168 wrote to memory of 4460	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	113
PID 4168 wrote to memory of 4448	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	114
PID 4168 wrote to memory of 4448	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	114
PID 4168 wrote to memory of 4448	4168	{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe	114
PID 4460 wrote to memory of 2756	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	115
PID 4460 wrote to memory of 2756	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	115
PID 4460 wrote to memory of 2756	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	115
PID 4460 wrote to memory of 1608	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	116
PID 4460 wrote to memory of 1608	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	116
PID 4460 wrote to memory of 1608	4460	{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe	116
PID 2756 wrote to memory of 4708	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	119
PID 2756 wrote to memory of 4708	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	119
PID 2756 wrote to memory of 4708	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	119
PID 2756 wrote to memory of 3152	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	120
PID 2756 wrote to memory of 3152	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	120
PID 2756 wrote to memory of 3152	2756	{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe	120
PID 4708 wrote to memory of 3504	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	121
PID 4708 wrote to memory of 3504	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	121
PID 4708 wrote to memory of 3504	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	121
PID 4708 wrote to memory of 2328	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	122
PID 4708 wrote to memory of 2328	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	122
PID 4708 wrote to memory of 2328	4708	{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe	122
PID 3504 wrote to memory of 1088	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	123
PID 3504 wrote to memory of 1088	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	123
PID 3504 wrote to memory of 1088	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	123
PID 3504 wrote to memory of 4876	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	124
PID 3504 wrote to memory of 4876	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	124
PID 3504 wrote to memory of 4876	3504	{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe	124
PID 1088 wrote to memory of 4384	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	136
PID 1088 wrote to memory of 4384	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	136
PID 1088 wrote to memory of 4384	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	136
PID 1088 wrote to memory of 2472	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	137
PID 1088 wrote to memory of 2472	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	137
PID 1088 wrote to memory of 2472	1088	{03B2DB92-0C58-4c91-A193-FDA094253342}.exe	137
PID 4384 wrote to memory of 220	4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe	138
PID 4384 wrote to memory of 220	4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe	138
PID 4384 wrote to memory of 220	4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe	138
PID 4384 wrote to memory of 3436	4384	{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe	139

C:\Users\Admin\AppData\Local\Temp\2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-14_a46f44d83e516aa5529d86db755e7cb9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
  C:\Windows\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
    C:\Windows\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\{233827EE-BA44-4956-8262-C702DAE336B4}.exe
      C:\Windows\{233827EE-BA44-4956-8262-C702DAE336B4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
        
        C:\Windows\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
        
        C:\Windows\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
        
        C:\Windows\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
        
        C:\Windows\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
        
        C:\Windows\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
        
        C:\Windows\{03B2DB92-0C58-4c91-A193-FDA094253342}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
        
        C:\Windows\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{49C6FA54-1508-40fc-8B22-7903B645994C}.exe
        
        C:\Windows\{49C6FA54-1508-40fc-8B22-7903B645994C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe
        
        C:\Windows\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C6F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB85A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B2D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4C5C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{567ED~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7C2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F037~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{561B4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23382~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1F995~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B990~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B2DB92-0C58-4c91-A193-FDA094253342}.exe

Filesize
408KB

MD5
ae9f8684381c2a6d05c08a67b41660b7

SHA1
761997b2eda8809a7df0a6f470105e89708b1ee4

SHA256
142374b12ab7175ee236560b03821c61e230541567a1a06ab2d58e6742202cb1

SHA512
d90907678d57a8945844d0f94cff296f2ce5cd6c8a721a3da34a03455dbddad6a8af195dfe75c98b411996f2366429c9ea31ed9e2832c6b9474e698ba8480f1d

Download Submit
C:\Windows\{1F995F3F-3042-42dd-8D3D-B71944E4F24E}.exe

Filesize
408KB

MD5
8931ee96135fc4402afbd4e728ea4aba

SHA1
57fcd939a39493c7677ace135cb59834c4c96a8a

SHA256
e8e41f1db038022291a7fb4dbc02005069b0e66cc0c945ac1a5be6ac6958f3d3

SHA512
552e43f08a31d7113f83f5aa4d113aa4828e03b41c8404b7e27d5d0b384b654a87bedf609643f0218ecf94532030a5e419d10b31e2e2e516b3101ec904a7825f

Download Submit
C:\Windows\{233827EE-BA44-4956-8262-C702DAE336B4}.exe

Filesize
408KB

MD5
9dd3a15c4697b681f870844d4804765f

SHA1
093292a95189db6341bac30e2f736deac19d7f8b

SHA256
72a4da6586fc2d07a090039c043e4cacee64fb8b842f58608134b14153cf9a86

SHA512
5cf118c086a62cc9be366bb49e2b01707ea19ce275bb5242279f6cc15db3a1c541698b82b09a07087a7537c2fc149896e9e38457e70aac8a291e165ef16158d3

Download Submit
C:\Windows\{2B9903DA-8024-4d9f-A80B-2533DF82E0B3}.exe

Filesize
408KB

MD5
f7c7c334f679c8b09adccee581995280

SHA1
8026f6d37b4bc04aedd896388753317845323663

SHA256
5c45094995b8155bebce5a894d66439d0baf510ffbc1cc3328ef158c9228b393

SHA512
01d35d247fc12dd1ba9341e62650223f84c27bd7ff0889da1a55f62639f09ce7e61f1ec86b8f420fbd3e3e70b8a3725c0ecd46f19af3dd61f0adba79ab34db36

Download Submit
C:\Windows\{34A2E9EC-7805-4a81-A9EA-5B87814302FF}.exe

Filesize
408KB

MD5
1d97d57a95a6fac17ef6fc053c9bf99c

SHA1
58ab10b499ae3e50fee00117e62cec6201b14f83

SHA256
7b4787df624bf07506df3f095e27a4138adb1b799fe51c6458fd644e4852192b

SHA512
8595b3114529761589b36267ac0ffcc847f7a82ac18e7a34634ec86ce7b3b597070ab1ab12eaef20ea0a6e4656e8c8526fe81960a532e7238a415ed72fdf9108

Download Submit
C:\Windows\{49C6FA54-1508-40fc-8B22-7903B645994C}.exe

Filesize
408KB

MD5
7cde6160f12aab9280a342194b17b237

SHA1
eb3e12de5d7ca3cfa5d7ddd0e2f368849eacbb20

SHA256
d5b69ab33022f1117a997b327a8d2d0f3a4af6f46779c733b69554ae6a765c72

SHA512
4446352324cc42773b731f42b39f0319e2ce824005bef83cd6edda752ee5b4d26c791c927cc3b5b0a87ff414f02d671c24fe8e9be995b4d0f23c9d80362d02a2

Download Submit
C:\Windows\{561B4E9D-7DFA-4d91-941E-4104C6DDE31B}.exe

Filesize
408KB

MD5
e4e6058dbb58d0ebe22f5963c2ed4c89

SHA1
ff0951f99a018bd48ffabd64da525547df69079e

SHA256
c7024cd284aa9cfcc988b77d546ec8446045f6d535ed50288c394ddf26362fd2

SHA512
eedab7a78f59a8fb1ff3460f27cce673686a8d9628552312c5c0a7c0b0ca4af194cef0ed88f07c4cdccc1011b096de7618bd75d63c2bd203e1e3df9deef7ab69

Download Submit
C:\Windows\{567ED056-5AB0-42c5-A27D-D8B9E3198E01}.exe

Filesize
408KB

MD5
8363878103d0229371221d70ea450974

SHA1
ada9124aaf150da91620e95e4802ebdb99adc6bc

SHA256
48dbfccb18bf5a20ca9147c91812dfd2c9a1574a0d3edf8693640db3b83479fd

SHA512
4b9bf5244884384ea6d6cc8b0061d8c60ccf03f4b69920324f0b27bc8c5201631e660b71b167a0fb609558641f9051acda4d922c94c53fcd05f2e4359e99e2e4

Download Submit
C:\Windows\{8F037BC1-1D02-4c07-8611-F673A3DA7A9B}.exe

Filesize
408KB

MD5
4626fe97e0eef704f4d1fe2ccc887f81

SHA1
8d1809f30e47522c22cc25a0391e26f30145f312

SHA256
f36d9c7d7ce588bcb401f2888d8c3bdf6c0373a315994e9383d4706bda31893f

SHA512
5c2f001288c0b9c5aab9a09eeefbeac429ae09eaa1fe466d6019756020c6138878f226129377c08a78a55a3536dd4d8435383293f818efbd72914237c570b14d

Download Submit
C:\Windows\{9F7C2CEE-3117-4e87-993E-81F47AC762DC}.exe

Filesize
408KB

MD5
c1a7585d685f15c6f2c5372edb6658cc

SHA1
aad7f34fd88c0cd2e68757b4c0f6fe474c474f71

SHA256
bf41b1219399ab6efd6d1405000507176135d823f02a11acf51992e38ddd71fd

SHA512
d278d44db23c097f2aaa660ec36dc541530b1e619025ea2752d3859783a1e4ff48a183e302c45853b4d5d0bba36f59ef918fe528bb503af18dddbd39b6e71b32

Download Submit
C:\Windows\{A4C5C8C6-0227-4a36-93C5-A1B5231BFDE1}.exe

Filesize
408KB

MD5
5790d5e68e1d98cc2829e268217b84ed

SHA1
d88d94fafd6ca9c0153b2df18dddb70f346e5614

SHA256
f410d31a7c73c725f417adc82fa750c4fd7c04e6110a1cec976bf5053b11be2b

SHA512
7f78f18cab7221595c4a2a20121689135753de404aa95b5353afdfa805e70239da77f2a4695273da85eabfeda4dded490b475cba9d9ad8dbd851a452f4fb9b82

Download Submit
C:\Windows\{FB85A9DF-AB56-4dd7-8033-A858A6B7A901}.exe

Filesize
408KB

MD5
f77f477228d7fad3c8e6cde5cec2e0f9

SHA1
7a4957a67a2f94508184b9263b3eba661f9d57e9

SHA256
ef737d7edc02744c3bae7ea93ebcfd217faa9f08297230b3d1ec1540b8cada46

SHA512
2354ee7336d7ec43e54af33549d830554036489141e9c780a090bee01d804192e88106c3f1c0ed71467e7cc6c63f87039c056b7d608421571c08e5fa1e33d90a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads